Solved: Can not get C220m6 ssh working with public keys

stephen.dowdy · ‎03-21-2024

Summary:

Can ssh into user-2 admin account using password ssh (or via the Web UI)
can not use publickey with ssh, always prompts for password
User Guide for C-Series doesn't specify any requirements for public key type/bits that i can find

I have ssh enabled:

C220-WM........T# show version 
Firmware Version      
--------------------  
4.3(2.240009)        

C220-WM........T# scope ssh  
C220-WM........T /ssh # show detail  
SSH Settings: 
   SSH Port: 22 
   Timeout: 1800 
   Max Sessions: 4 
   Active Sessions: 1 
   Enabled: yes

I have 2 public keys loaded into the admin account's key store

C220-WM........T# scope user 2
C220-WM........T /user # show ssh-keys detail  
SSH Key 1: 
   Key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDX4RHr+TwCpDGMKp/YUSJD2+R8j0zKLLFKefzFOzI7Ex7roL6NM1xm2XA4lRxOLqJWjt1+vzBfAxd2v1T3JYef5iHgyGRUepUt9L3Ysxw++MrOoJJ2R0x67h/rZzT+uXH8h9iAzyh/VTNWUANwDRTR6A8KOSyEl/JcxaLm4e9tkNgOUdQdshY3cCt/NwBhd0mwOF1hDNIDWN5rYw1SQ8Q0KE9VhW69Eu3TIznfwobdotnzvCDkbNrN8kwXa
ngY15r73RmipsIaejfawg7jRTPHd3GY8TaoSC+fn20XEKxEOqHFIe0rF7lGPS99bWUYkUqB/2y7nujDQ1+NLQirWHqn 
SSH Key 2: 
   Key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC6N/xeMzXLuZWRf2hGgAreexvG+A4UkkKmIfA9mIeVKg3Ziz7gC7zCHHiWZQSpaiGN/44pu+wawJhSJi+tdO5PPM2TFNX0n8Jo6dQowF8tRVbaQmxI1xY+81gs6aUMHq+sAfrjfjY0tiulcCk+tcTKpjzYV6lP7DizE3yzC9GCKZfan+X6R74EQjEIUXH2/x5NGqxiR0FpCck42r+1ZGGIPieVVWmaXhcABihk1nkQTboz4wO0w0rgYIz+a
4XFPRtvyewMX2MxO+soNMvqK9tqADAmjTgRcXQoonyfjoiRvO2pV8fKRansorLFvyBj70Kd/s6/cAvmqxkokSx/unh3oKbnc6G55ZeBi8TXEsHdLr3NkUUbsvhDn8yKiiCP1ToevPy4cViTq3Vyc54g2l++Ug1FotQvOB0RH5EG5TrWjdR01RIe5dO6Qve/Oj34ocVzKoLIYzZ5lmgOq1tKIrjOq7CkMHyOa4ftqYHH7VGBBkatQHmhSyZegHt+pxYJ2fU= id_SNAT7771_rsa

I can 'ssh' into user-2's account using password authentication. but regardless of explicitly including the Identity file on the command line, or having the key loaded into my ssh-agent, i am always prompted for a password. (using ssh -o preferredauthentications=publickey causes an immediate login failure, so, it's not an ssh_config order issue.

I am absolutely positive the public keys stored on the CIMC are correct. (one odd thing is that attempting to add the key via the CIMC CLI using the 'paste' function claims it's too long, so i used the 'paste' function in the Web GUI -- which works fine.)

One RSA key is 2048 bit, the other 3072 if that is supposed to make a difference (though key formats are not documented in the User Guide AFAICT)

$ ssh-keygen -l -f id_root_rsa.pub 
2048 SHA256:4+BKSrsh5nd4GQg9nA+MwFiok9aoIeM0+K3gWHHkkLE id_root_rsa / root / root / 2024-02-29 (RSA)
$ ssh-keygen -l -f - <<<"$(ssh-add -L)" 
3072 SHA256:4AqrDnfRXYg4J2mI1Ayda6I9y2otZxA0URpdHn6HsAs id_SNAT7771_rsa (RSA)

The log from the connection attempt shows:

debug1: Next authentication method: publickey 
debug1: Offering public key: id_SNAT7771_rsa RSA SHA256:4AqrDnfRXYg4J2mI1Ayda6I9y2otZxA0URpdHn6HsAs agent 
debug3: send packet: type 50 
debug2: we sent a publickey packet, wait for reply 
debug3: receive packet: type 51 
debug1: Authentications that can continue: publickey,password 
debug1: Offering public key: id_root_rsa RSA SHA256:4+BKSrsh5nd4GQg9nA+MwFiok9aoIeM0+K3gWHHkkLE explicit 
debug3: send packet: type 50 
debug2: we sent a publickey packet, wait for reply 
debug3: receive packet: type 51 
debug1: Authentications that can continue: publickey,password 
debug2: we did not send a packet, disable method 
debug1: No more authentication methods to try.

Unfortunately, "packet type: 51" is one of those generic "it didn't work" failure codes.

There seems to be nothing in the CIMC logs to indicate what my be failing.

Any tips or pointers to what i missed greatly appreciated.

Thanks,

--stephen

Brian Morrissey · ‎03-21-2024

Can you try ECDSA keys instead and see if that helps “ssh-keygen -t ecdsa -b 256”? I had similar issues on the M5 a while back, wondering if it's the same issue.

View solution in original post

Brian Morrissey · ‎03-21-2024

Can you try ECDSA keys instead and see if that helps “ssh-keygen -t ecdsa -b 256”? I had similar issues on the M5 a while back, wondering if it's the same issue.

stephen.dowdy · ‎03-21-2024

Brian,

Thanks, that appears to work. It would be nice if the User Guide were updated to indicate which types of keys were acceptable, though (i see it has been about the same for a good number of years) One might expect that an RSA key of 2048 bits would be in the least-common-denominator class of supported keytypes.

$ ssh-keygen -t ecdsa -b 256 -f id_cimc_ecdsa -N '' -C 'Cisco CIMC trust'

but trying to paste the full contents of the id_cimc_ecdsa.pub file into the CIMC WebUI add key paste widget results in a failure ( Invalid SSH Key format.) due to, i presume, spaces in the "comment" field not being properly parsed. So, i'm just stripping it. (it does work if it's a *single* word in the comment field)

thanks, again,

--stephen

Brian Morrissey · ‎03-22-2024

Hi Stephen,

One of my colleagues opened the following https://bst.cisco.com/bugsearch/bug/CSCwi22517?rfs=qvred to get the documentation updated. Will followup on that and see if we can get it published to avoid any future confusion on key support.

stephen.dowdy · ‎03-24-2024

@stephen.dowdy wrote:
$ ssh-keygen -t ecdsa -b 256 -f id_cimc_ecdsa -N '' -C 'Cisco CIMC trust'
but trying to paste the full contents of the id_cimc_ecdsa.pub file into the CIMC WebUI add key paste widget results in a failure ( Invalid SSH Key format.) due to, i presume, spaces in the "comment" field not being properly parsed. So, i'm just stripping it. (it does work if it's a *single* word in the comment field)

btw, using the CLI paste option (scope user N ; scope ssh-keys; add-key 1 paste) *does* allow the spaces in the comment, so it's just wierd that the CLI and the WebUI seem to have different rules about pasting a full key with comment

stephen.dowdy · ‎03-22-2024

Brian,

Great - that's awesome!

Thanks,
--stephen