[WORKAROUND] Bug: keyed ssh login stops working after a reboot

elof
Level 1

Edit:

The problem I described below is even worse. The key-hash disappears after a reboot of the switch!

How to reproduce:

I add the key-string (see instructions below how it's done)

'wri mem'

'show startup-config'

I compare the fingerprint with the fingerprint of my file (ssh-keygen -l -f ~/.ssh/id_rsa.pub). They match.

I try to login to the switch using the foobar account. It works fine using keyed login.

'enable'

'reload'

<The switch reboots>

I try to login to the switch again, using the foobar account. Keyed login no longer works! Ordinary password-login works though.

'enable'

'show startup-config'

The key-hash line is present. Good.

'show running-config'

The key-hash line is missing!


So for some reason, this configuration is not loaded correctly at bootup.


(I just changed the system to boot on the original image, 15.2(2)E7 (C2960X-UNIVERSALK9-M), but the same thing happens. The key is present in startup-config but not in running-config.)


I tried loading a colleague's ssh-rsa key instead of mine, and it works!

My ssh-rsa key is pretty old. My hash (the base64) ends with two '==' before the comment:

ssh-rsa AAAAB3NzaC1<352 characters>77fdhxQ== Foo Bar


I generated new ssh-keys (ssh-keygen).

My new ssh-rsa key doesn't end with '==':

ssh-rsa AAAAB3NzaC1<354 characters>IRtcmqN foobar@gazonk

I configure it to the foobar account on the switch and reload.

It works. So a workaround for this issue is to generate new ssh-keys.


Now the question is if it is the equal characters ('=') that are not permitted (or not parsed correctly), or if too old ssh-rsa keys are not supported by Cisco IOS...


---- Original post ----

I just upgraded the firmware on my 2960

from:  15.2(6)E  - c2960x-universalk9-mz.152-6.E.bin
to: 15.2(6)E1 - c2960x-universalk9-mz.152-6.E1.bin


After doing this very minor upgrade, I can no longer login to the switch using keyed ssh login. :-(


It turns out that the upgrade has nuked my key-hash!


Config before the upgrade:

...
!
ip ssh version 2
ip ssh pubkey-chain
  username foobar
   key-hash ssh-rsa 6DF23356123456789012DB2EB1232D Foo Bar
ip scp server enable
!
...

Config after the upgrade:

...
!
ip ssh version 2
ip ssh pubkey-chain
  username foobar
ip scp server enable
!
...

The line "key-hash ssh-rsa 6DF23356123456789012DB2EB1232D Foo Bar" has disappeared!

When I manually add the key again, access using my key starts working again.


Is this a bug in the firmware upgrade?

Or is there some problem with the odd manner in which the key is entered?


Here is how to add an ssh-key:

The IOS can't read input lines longer than 250 characters, so on your PC, run:

fold -w100 ~/.ssh/id_rsa.pub

In my case, my ssh-key generates 5 lines of output.

Copy the lines.

Now, on the switch, run:

conf t
username foobar privilege 1 password <password>
ip ssh pubkey-chain
  username foobar
    key-string
      <paste the lines from above>
      exit
    exit
  exit
exit
wri mem

/Elof

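An added check, not part of elof's post or of anything Cisco ships, that reproduces his comparison in Python: it decodes an OpenSSH public-key line, reports how many '=' padding characters its base64 ends with (the visible difference between the old and new keys above), computes the MD5 fingerprint both as `ssh-keygen -l -E md5` prints it and as upper-case hex (assumed here to be the form IOS shows after `key-hash ssh-rsa`), and folds the line to 100 characters for `key-string`. The sample keys are built from toy numbers and are not real keys.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(x: int) -> bytes:
    """SSH mpint for a positive integer (leading 0x00 if the high bit is set)."""
    return x.to_bytes((x.bit_length() + 8) // 8, "big")

def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build a 'ssh-rsa <base64> <comment>' line from constructed e/n (toy values, not a real key)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_mpint(e)) + _ssh_string(_mpint(n))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_pubkey_line(line: str) -> dict:
    """Decode an OpenSSH public-key line; padding depends only on len(blob) % 3 (1 -> '==', 2 -> '=')."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != ktype.encode():
        raise ValueError("key type inside blob does not match the line prefix")
    return {"type": ktype, "b64": b64, "blob": blob,
            "comment": parts[2] if len(parts) == 3 else "",
            "padding": len(b64) - len(b64.rstrip("="))}

def ios_key_hash(blob: bytes) -> str:
    """MD5 of the decoded blob as upper-case hex; assumed to be what IOS prints after 'key-hash ssh-rsa'."""
    return hashlib.md5(blob).hexdigest().upper()

def openssh_md5_fingerprint(blob: bytes) -> str:
    """Same digest in the form 'ssh-keygen -l -E md5' prints, for side-by-side comparison."""
    hx = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hx[i:i + 2] for i in range(0, len(hx), 2))

def fold_line(line: str, width: int = 100) -> list:
    """Split the key line into chunks no longer than width, like 'fold -w100'."""
    return [line[i:i + width] for i in range(0, len(line), width)]

def ios_key_string_commands(username: str, line: str) -> list:
    """The IOS CLI lines that paste the folded key into the user's pubkey-chain entry."""
    return (["ip ssh pubkey-chain", f" username {username}", "  key-string"]
            + ["   " + chunk for chunk in fold_line(line)]
            + ["   exit", "  exit", " exit"])
```

Run `parse_pubkey_line` on the real `~/.ssh/id_rsa.pub` line to see whether its base64 is padded, and compare `ios_key_hash` with what `show running-config` prints before and after the reload.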