Cisco 2960s & openssh public key login

portmannth · ‎09-25-2013

Hello,

I am in the process of exchanging c2950 with c2960s (15.2.1.E switches and want to take advantage of public key login with openssh for administrative tasks. Right now I can login using openssh and any user (for example "tom") that is known to the RADIUS server in place. I want to have a user "nms" on my solaris machine with its key pair that is able to login to the switches using the public key login. Now, I looked around and found stuff which, to me, should work, but it does not.

When my "nms" user tries to login with public key from the solaris machine, he only gets the motd banner and and "% Authorization failed." message and on the switch the debug show "AAA/AUTHOR/EXEC(00000070): Authorization FAILED". The login with a password however works just fine.

Bellow the details on the freeradius user config for "nms", how the key pair was generated, the cisco configuration I did to try to make public key auth work and the debugs (with password and with public key) on the switch. I think I am almost there but a little detail must be missing.

Thank you in advance for your help.

tom

## ----------------------------------------------------------------------

## FREERADIUS USER CONFIG

nms Cleartext-Password := "PASSWORD_FOR_NMS_USER"

Service-Type == NAS-Prompt-User,

Cisco-AVPair += "shell:priv-lvl=15"

## ----------------------------------------------------------------------

## GENERATING NEW OPENSSH KEY PAIR

solaris# ssh-keygen -t rsa -b 2048 -C nms -f id_rsa.nms

solaris# awk '{print $1}' id_rsa.nms.pub

ssh-rsa

solaris# ssh-keygen -l -f id_rsa.nms.pub | tr -d : | tr '[:lower:]' '[:upper:]' | awk '{print $2}'

9C4EB16E472F1B131817B894962FEDA8

## ----------------------------------------------------------------------

## CISCO CONFIGURATION

cisco# sh run | i aaa

aaa new-model

aaa authentication login default group radius local

aaa authorization console

aaa authorization exec default group radius local

aaa accounting exec default start-stop group radius

aaa accounting connection default start-stop group radius

aaa accounting system default start-stop group radius

aaa session-id common

cisco(config)# ip ssh pubkey-chain

cisco(conf-ssh-pubkey)#user

cisco(conf-ssh-pubkey)#username nms

cisco(conf-ssh-pubkey-user)#key-hash ssh-rsa 9C4EB16E472F1B131817B894962FEDA8

cisco(conf-ssh-pubkey-user)#exit

cisco(conf-ssh-pubkey)#exit

cisco(config)#exit

## ----------------------------------------------------------------------

## CISCO LOGS

cisco# debug ip ssh detail

cisco# debug aaa authorization

cisco# debug aaa authentication

## ......................................................................

## LOGGING IN WITH PASSWORD FROM SOLARIS (ssh nms@cisco) WORKS:

000932: Sep 25 10:39:06 MEST: SSH1: starting SSH control process

000933: Sep 25 10:39:06 MEST: SSH1: sent protocol version id SSH-2.0-Cisco-1.25

000934: Sep 25 10:39:06 MEST: SSH1: protocol version id is - SSH-2.0-OpenSSH_5.6

000935: Sep 25 10:39:06 MEST: SSH2 1: SSH2_MSG_KEXINIT sent

000936: Sep 25 10:39:06 MEST: SSH2 1: SSH2_MSG_KEXINIT received

000937: Sep 25 10:39:06 MEST: SSH2 1: kex: client->server enc:aes128-cbc mac:hmac-md5

000938: Sep 25 10:39:06 MEST: SSH2 1: kex: server->client enc:aes128-cbc mac:hmac-md5

000939: Sep 25 10:39:06 MEST: SSH2 1: Using kex_algo = diffie-hellman-group-exchange-sha1

000940: Sep 25 10:39:06 MEST: SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received

000941: Sep 25 10:39:06 MEST: SSH2 1: Range sent by client is - 1024 < 1024 < 8192

000942: Sep 25 10:39:06 MEST: SSH2 1: Modulus size established : 1024 bits

000943: Sep 25 10:39:06 MEST: SSH2 1: expecting SSH2_MSG_KEX_DH_GEX_INIT

000944: Sep 25 10:39:06 MEST: SSH2 1: SSH2_MSG_KEXDH_INIT received

000945: Sep 25 10:39:06 MEST: SSH2: kex_derive_keys complete

000946: Sep 25 10:39:06 MEST: SSH2 1: SSH2_MSG_NEWKEYS sent

000947: Sep 25 10:39:06 MEST: SSH2 1: waiting for SSH2_MSG_NEWKEYS

000948: Sep 25 10:39:06 MEST: SSH2 1: SSH2_MSG_NEWKEYS received

000949: Sep 25 10:39:06 MEST: SSH2 1: Using method = none

000950: Sep 25 10:39:06 MEST: SSH2 1: Using method = keyboard-interactive

000951: Sep 25 10:39:06 MEST: AAA/BIND(0000006F): Bind i/f

000952: Sep 25 10:39:06 MEST: AAA/AUTHEN/LOGIN (0000006F): Pick method list 'default'

000953: Sep 25 10:39:13 MEST: SSH2 1: authentication successful for nms

000954: Sep 25 10:39:13 MEST: SSH2 1: channel open request

000955: Sep 25 10:39:13 MEST: SSH2 1: pty-req request

000956: Sep 25 10:39:13 MEST: SSH2 1: setting TTY - requested: height 26, width 150; set: height 26, width 150

000957: Sep 25 10:39:13 MEST: SSH2 1: shell request

000958: Sep 25 10:39:13 MEST: SSH2 1: shell message received

000959: Sep 25 10:39:13 MEST: SSH2 1: starting shell for vty

000960: Sep 25 10:39:13 MEST: AAA/AUTHOR/EXEC(0000006F): processing AV priv-lvl=15

000961: Sep 25 10:39:13 MEST: AAA/AUTHOR/EXEC(0000006F): processing AV service-type=7

000962: Sep 25 10:39:13 MEST: AAA/AUTHOR/EXEC(0000006F): Authorization successful

## ......................................................................

## LOGGING IN WITH PUBLIC KEY FROM SOLARIS (ssh -i id_rsa.nms nms@cisco) DOES NOT WORK:

000965: Sep 25 10:39:36 MEST: SSH1: starting SSH control process

000966: Sep 25 10:39:36 MEST: SSH1: sent protocol version id SSH-2.0-Cisco-1.25

000967: Sep 25 10:39:36 MEST: SSH1: protocol version id is - SSH-2.0-OpenSSH_5.6

000968: Sep 25 10:39:36 MEST: SSH2 1: SSH2_MSG_KEXINIT sent

000969: Sep 25 10:39:36 MEST: SSH2 1: SSH2_MSG_KEXINIT received

000970: Sep 25 10:39:36 MEST: SSH2 1: kex: client->server enc:aes128-cbc mac:hmac-md5

000971: Sep 25 10:39:36 MEST: SSH2 1: kex: server->client enc:aes128-cbc mac:hmac-md5

000972: Sep 25 10:39:36 MEST: SSH2 1: Using kex_algo = diffie-hellman-group-exchange-sha1

000973: Sep 25 10:39:36 MEST: SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received

000974: Sep 25 10:39:36 MEST: SSH2 1: Range sent by client is - 1024 < 1024 < 8192

000975: Sep 25 10:39:36 MEST: SSH2 1: Modulus size established : 1024 bits

000976: Sep 25 10:39:36 MEST: SSH2 1: expecting SSH2_MSG_KEX_DH_GEX_INIT

000977: Sep 25 10:39:36 MEST: SSH2 1: SSH2_MSG_KEXDH_INIT received

000978: Sep 25 10:39:36 MEST: SSH2: kex_derive_keys complete

000979: Sep 25 10:39:36 MEST: SSH2 1: SSH2_MSG_NEWKEYS sent

000980: Sep 25 10:39:36 MEST: SSH2 1: waiting for SSH2_MSG_NEWKEYS

000981: Sep 25 10:39:36 MEST: SSH2 1: SSH2_MSG_NEWKEYS received

000982: Sep 25 10:39:36 MEST: SSH2 1: Using method = none

000983: Sep 25 10:39:36 MEST: SSH2 1: Using method = publickey

000984: Sep 25 10:39:36 MEST: AAA/BIND(00000070): Bind i/f

000985: Sep 25 10:39:36 MEST: SSH2 1: Authenticating 'nms' with method: publickey

000986: Sep 25 10:39:36 MEST: SSH2 1: Client Signature verification PASSED

000987: Sep 25 10:39:36 MEST: SSH2 1: authentication successful for nms

000988: Sep 25 10:39:36 MEST: SSH2 1: channel open request

000989: Sep 25 10:39:36 MEST: SSH2 1: pty-req request

000990: Sep 25 10:39:36 MEST: SSH2 1: setting TTY - requested: height 26, width 150; set: height 26, width 150

000991: Sep 25 10:39:36 MEST: SSH2 1: shell request

000992: Sep 25 10:39:36 MEST: SSH2 1: shell message received

000993: Sep 25 10:39:36 MEST: SSH2 1: starting shell for vty

000994: Sep 25 10:39:36 MEST: AAA/AUTHOR (0x70): Pick method list 'default'

000995: Sep 25 10:39:38 MEST: AAA/AUTHOR/EXEC(00000070): Authorization FAILED

000996: Sep 25 10:39:40 MEST: SSH1: Session terminated normally

portmannth · ‎10-02-2013

Success is mine!

After quite some searching I made it work and here is how:

All I had to do is make a small change to what I already described above. The FreeRADIUS user config file was modified in the following way:

nms Auth-Type := Accept, Service-Type == "Dialout-Framed-User"

Cisco-AVPair += "shell:priv-lvl=15"

However, I am not quite sure if this introduces a security risk or not. What do you think?

At least I tried to login without SSH key and the login was denied, so it shouldn't be too bad.

tom