IOS-XR ASR 9902 - Issue SSH access with Public key

Map23
Level 1

Dear community,

 

I'm trying to configure SSH access with a key to an ASR 9902 device running IOS-XR 7.11.21.

What I did is a simple configuration for the user:

username testkey
 group root-lr
 group netadmin

and the Public key import for the user above:

crypto key import authentication rsa testkey

As you can see below, the key has been imported correctly:

RP/0/RP0/CPU0:XXXXX#show crypto key authentication rsa all
Tue Nov  5 14:11:31.105 UTC
Key label: testkey
Type     : RSA public key authentication
Size     : 4096
Imported : 14:07:18 UTC Tue Nov 05 2024
Data     :
 30820222 300D0609 2A864886 F70D0101 01050003 82020F00 3082020A 02820201
[….]
 18300FAD 58B2870C 23C93F2B 1F6CF21D 16D53C3B 85C43B38 6333A3EA 51521D24
 E7020301 0001

RP/0/RP0/CPU0:XXXXX#

The problem is that when I try to access it with PuTTY and my private key I receive this output:

End of banner message from server
Authenticating with public key "testkey"
Server refused public-key signature despite accepting key!
Keyboard-interactive authentication prompts from server:
| Password:

Consider that this key association (private/public) is already used correctly on another ASR with IOS version 7.10.2.

Can someone explain what "signature refused" means and why access is refused?

Thanks,
Marcello


M02@rt37
VIP

Hello @Map23 

The error message indicates a problem with the public key authentication process on your ASR. While the router has accepted the public key associated with the username testkey, it is not successfully authenticating your connection using the corresponding private key. 

First, please ensure that the private key you are using with PuTTY matches the public key imported into the ASR device. If the private key has been altered or is different from the original one that generated the public key, authentication will fail. Double-check the key pair to confirm they correspond correctly.

Another common issue is related to the permissions and ownership of the private key file on your local machine. SSH clients like PuTTY often require that the private key file have restricted permissions. If the file is too accessible, authentication may be denied. Additionally, confirm that your private key is in a compatible format for PuTTY. If you generated the key using OpenSSH, you might need to convert it to PuTTY's `.ppk` format using `PuTTYgen`.

You should also review the SSH configuration on your ASR 9902. Ensure that public key authentication is enabled. This may involve confirming that the device allows the necessary key-exchange algorithms and authentication methods. For example, enabling the SSH server and specifying key-exchange groups can help facilitate proper authentication.

To gain deeper insights into the authentication process, you can enable debugging on the ASR device with the command debug ssh authentication. This command will provide additional context on why the key signature was refused, which can be invaluable for diagnosing the issue further.

Lastly, ensure that the user account for `testkey` is configured correctly with the necessary privileges. Verify that the user belongs to the appropriate groups, such as `netadmin`, to have access to the SSH session. If all else fails, consider regenerating the key pair and re-importing the public key into the router, as this can sometimes resolve underlying issues that might not be immediately evident.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

M02@rt37 thank you so much for your answer,

I already did these tests:

- Keys are correct (I did a lot of tests for it)
- Private key is in PuTTY format because I created it with Keygen
- Public key method permitted:

Authentication Method Supported
------------------------------------
PublicKey := Yes
Password := Yes
Keyboard-Interactive := Yes
Certificate Based := Yes

- Unfortunately "debug ssh authentication" isn't present; what I tried is "debug ssh server"

Anyway... I probably understand what the problem could be.
On this device we have TACACS auth. Local users are available only when the TACACS server isn't reachable.
But I don't understand if this rule is also in place for users with a key, or is valid only for users with a password.
To your knowledge, could that be the problem affecting SSH key auth?

Thanks,
Marcello
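One way to make the "keys are correct" check above objective is to decode the hex dump that `show crypto key authentication rsa all` prints on the router, rebuild the OpenSSH `ssh-rsa` blob from it and compare its SHA256 fingerprint with the one PuTTYgen shows for the loaded private key. This is an added example, not code from either poster or from Cisco; the `ROUTER_KEY_DATA` value is a constructed toy key (64-bit modulus) so the script runs offline, and a real dump is the 4096-bit key with long-form DER lengths, which the parser also handles.

```python
import base64
import hashlib

# Key data as IOS-XR prints it for "show crypto key authentication rsa all".
# CONSTRUCTED toy key (64-bit modulus, e=65537) so this runs offline; paste the real dump instead.
ROUTER_KEY_DATA = """
 3024300D 06092A86 4886F70D 01010105 00031300 30100209 00C0FFEE 12345678
 91020301 0001
"""

def der_read(buf, pos):
    """Read one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths (30 82 02 22)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_router_rsa_key(hexdump):
    """Decode the SubjectPublicKeyInfo hex dump into the RSA (n, e) pair."""
    der = bytes.fromhex("".join(hexdump.split()))
    _, spki, _ = der_read(der, 0)                   # SubjectPublicKeyInfo SEQUENCE
    _, _alg, pos = der_read(spki, 0)                # AlgorithmIdentifier (rsaEncryption)
    tag, bitstr, _ = der_read(spki, pos)            # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    _, rsapub, _ = der_read(bitstr, 1)              # RSAPublicKey SEQUENCE { n, e }
    _, n_bytes, pos = der_read(rsapub, 0)
    _, e_bytes, _ = der_read(rsapub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def ssh_mpint(value):
    """RFC 4251 mpint: big-endian, length-prefixed, leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return len(raw).to_bytes(4, "big") + raw

def ssh_rsa_blob(n, e):
    """Wire-format 'ssh-rsa' key blob: the value PuTTY offers and the server matches."""
    return len(b"ssh-rsa").to_bytes(4, "big") + b"ssh-rsa" + ssh_mpint(e) + ssh_mpint(n)

def openssh_public_line(n, e):
    return "ssh-rsa " + base64.b64encode(ssh_rsa_blob(n, e)).decode()

def openssh_fingerprint(n, e):
    """SHA256 fingerprint in the form PuTTYgen and 'ssh-keygen -l' display."""
    digest = base64.b64encode(hashlib.sha256(ssh_rsa_blob(n, e)).digest()).decode()
    return "SHA256:" + digest.rstrip("=")
```

Because PuTTY's message says the server accepted the offered key blob and only refused the signed request, a matching fingerprint confirms the public half on the router is the right one and points the investigation at how the server validates or authorizes the signed attempt (for example the AAA path the follow-up mentions) rather than at the key itself.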