03-21-2024 03:42 PM
Summary:
I have ssh enabled:
C220-WM........T# show version
Firmware Version
--------------------
4.3(2.240009)
C220-WM........T# scope ssh
C220-WM........T /ssh # show detail
SSH Settings:
SSH Port: 22
Timeout: 1800
Max Sessions: 4
Active Sessions: 1
Enabled: yes
I have 2 public keys loaded into the admin account's key store
C220-WM........T# scope user 2
C220-WM........T /user # show ssh-keys detail
SSH Key 1:
Key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDX4RHr+TwCpDGMKp/YUSJD2+R8j0zKLLFKefzFOzI7Ex7roL6NM1xm2XA4lRxOLqJWjt1+vzBfAxd2v1T3JYef5iHgyGRUepUt9L3Ysxw++MrOoJJ2R0x67h/rZzT+uXH8h9iAzyh/VTNWUANwDRTR6A8KOSyEl/JcxaLm4e9tkNgOUdQdshY3cCt/NwBhd0mwOF1hDNIDWN5rYw1SQ8Q0KE9VhW69Eu3TIznfwobdotnzvCDkbNrN8kwXa
ngY15r73RmipsIaejfawg7jRTPHd3GY8TaoSC+fn20XEKxEOqHFIe0rF7lGPS99bWUYkUqB/2y7nujDQ1+NLQirWHqn
SSH Key 2:
Key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC6N/xeMzXLuZWRf2hGgAreexvG+A4UkkKmIfA9mIeVKg3Ziz7gC7zCHHiWZQSpaiGN/44pu+wawJhSJi+tdO5PPM2TFNX0n8Jo6dQowF8tRVbaQmxI1xY+81gs6aUMHq+sAfrjfjY0tiulcCk+tcTKpjzYV6lP7DizE3yzC9GCKZfan+X6R74EQjEIUXH2/x5NGqxiR0FpCck42r+1ZGGIPieVVWmaXhcABihk1nkQTboz4wO0w0rgYIz+a
4XFPRtvyewMX2MxO+soNMvqK9tqADAmjTgRcXQoonyfjoiRvO2pV8fKRansorLFvyBj70Kd/s6/cAvmqxkokSx/unh3oKbnc6G55ZeBi8TXEsHdLr3NkUUbsvhDn8yKiiCP1ToevPy4cViTq3Vyc54g2l++Ug1FotQvOB0RH5EG5TrWjdR01RIe5dO6Qve/Oj34ocVzKoLIYzZ5lmgOq1tKIrjOq7CkMHyOa4ftqYHH7VGBBkatQHmhSyZegHt+pxYJ2fU= id_SNAT7771_rsa
I can 'ssh' into user-2's account using password authentication. but regardless of explicitly including the Identity file on the command line, or having the key loaded into my ssh-agent, i am always prompted for a password. (using ssh -o preferredauthentications=publickey causes an immediate login failure, so, it's not an ssh_config order issue.
I am absolutely positive the public keys stored on the CIMC are correct. (one odd thing is that attempting to add the key via the CIMC CLI using the 'paste' function claims it's too long, so i used the 'paste' function in the Web GUI -- which works fine.)
One RSA key is 2048 bit, the other 3072 if that is supposed to make a difference (though key formats are not documented in the User Guide AFAICT)
$ ssh-keygen -l -f id_root_rsa.pub
2048 SHA256:4+BKSrsh5nd4GQg9nA+MwFiok9aoIeM0+K3gWHHkkLE id_root_rsa / root / root / 2024-02-29 (RSA)
$ ssh-keygen -l -f - <<<"$(ssh-add -L)"
3072 SHA256:4AqrDnfRXYg4J2mI1Ayda6I9y2otZxA0URpdHn6HsAs id_SNAT7771_rsa (RSA)
The log from the connection attempt shows:
debug1: Next authentication method: publickey
debug1: Offering public key: id_SNAT7771_rsa RSA SHA256:4AqrDnfRXYg4J2mI1Ayda6I9y2otZxA0URpdHn6HsAs agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: id_root_rsa RSA SHA256:4+BKSrsh5nd4GQg9nA+MwFiok9aoIeM0+K3gWHHkkLE explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Unfortunately, "packet type: 51" is one of those generic "it didn't work" failure codes.
There seems to be nothing in the CIMC logs to indicate what my be failing.
Any tips or pointers to what i missed greatly appreciated.
Thanks,
--stephen
Solved! Go to Solution.
03-21-2024 04:54 PM
Can you try ECDSA keys instead and see if that helps “ssh-keygen -t ecdsa -b 256”? I had similar issues on the M5 a while back, wondering if it's the same issue.
03-21-2024 04:54 PM
Can you try ECDSA keys instead and see if that helps “ssh-keygen -t ecdsa -b 256”? I had similar issues on the M5 a while back, wondering if it's the same issue.
03-21-2024 05:35 PM
Brian,
Thanks, that appears to work. It would be nice if the User Guide were updated to indicate which types of keys were acceptable, though (i see it has been about the same for a good number of years) One might expect that an RSA key of 2048 bits would be in the least-common-denominator class of supported keytypes.
$ ssh-keygen -t ecdsa -b 256 -f id_cimc_ecdsa -N '' -C 'Cisco CIMC trust'
but trying to paste the full contents of the id_cimc_ecdsa.pub file into the CIMC WebUI add key paste widget results in a failure ( Invalid SSH Key format.) due to, i presume, spaces in the "comment" field not being properly parsed. So, i'm just stripping it. (it does work if it's a *single* word in the comment field)
thanks, again,
--stephen
03-22-2024 05:40 AM
Hi Stephen,
One of my colleagues opened the following https://bst.cisco.com/bugsearch/bug/CSCwi22517?rfs=qvred to get the documentation updated. Will followup on that and see if we can get it published to avoid any future confusion on key support.
03-24-2024 12:01 PM - edited 03-24-2024 12:02 PM
@stephen.dowdy wrote:$ ssh-keygen -t ecdsa -b 256 -f id_cimc_ecdsa -N '' -C 'Cisco CIMC trust'
but trying to paste the full contents of the id_cimc_ecdsa.pub file into the CIMC WebUI add key paste widget results in a failure ( Invalid SSH Key format.) due to, i presume, spaces in the "comment" field not being properly parsed. So, i'm just stripping it. (it does work if it's a *single* word in the comment field)
btw, using the CLI paste option (scope user N ; scope ssh-keys; add-key 1 paste) *does* allow the spaces in the comment, so it's just wierd that the CLI and the WebUI seem to have different rules about pasting a full key with comment
03-22-2024 10:00 AM
Brian,
Great - that's awesome!
Thanks,
--stephen
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide