07-27-2021 05:14 AM
Hi,
Is it possible to log in to UCSM through ssh using a private key and bypassing the login password?
I tried to configure an ssh public key and I can enter the ssh passphrase, but UCSM is still asking for the admin password.
Regards,
freD
08-02-2021 01:14 AM
No Cisco workers reading the community forum?
08-02-2021 06:34 AM
What have you tried? What have you configured? What does `ssh -vvv user@UCS.IP.Address` show?
I went into my lab Linux VM and ran:
cat .ssh/id_rsa.pub
From that file copied the ssh header and blob but NOT the user/IP:
ssh-rsa AAAA...asdf sttardy@192.0.2.15
Went into UCSM and created a new user (with admin role, unsure if that matters).
Edited the user and set
After that went back to Linux VM and was able to login to UCSM just fine:
[sttardy@sttardy ~]$ ssh sttardy@192.0.2.1
Cisco UCS 6200 Series Fabric Interconnect
..
Pod-01-UCS-A#
Please detail what you have done to compare to see what is different and causing your configuration to NOT work.
What Realm do you have configured under Native Authentication?
Maybe you have something different than the default (Local)?
08-03-2021 03:22 AM - edited 08-03-2021 03:29 AM
Hey Steven! Thanks for replying!
I did the same, minus the end of the public key in the GUI.
So I retried with only the first 2 fields of the ssh public key, but same problem.
Maybe my issue is that I use the "admin" user and that the openssh configuration for "admin" is matched in UCSM with some restriction?
[edited] => same issue after creating a dedicated user with administrator role
08-03-2021 05:25 AM
What Fabric Interconnect PID and what UCSM version are you using (I'm using UCS-FI-6296UP and 4.0(4e) UCSM)?
From what OS are you trying to SSH (I'm using CentOS 7)?
Do you have LDAP authentication enabled on UCSM?
What do you have configured under (I have Realm = Local):
Admin / User Management / Authentication / Native Authentication / Realm
08-03-2021 07:53 AM - edited 08-04-2021 03:26 AM
From CentOS Linux release 7.9.2009 (Core)
To UCS-FI-6248UP and System version: 4.1(2b) (it was not working with an earlier version either)
No LDAP.
Under Admin / User Management / Authentication / Native Authentication / Realm
I have "Realm" = Local.
and for "Role Policy For Remote Users" = No Login.
Is it possible to set the opensshd server in debug mode?
Thanks Steven!
08-04-2021 06:13 AM
My CentOS was a bit out of date, but `yum update` did NOT break my passwordless SSH to my lab UCS 6200.
I tried to find another lab UCS 6200 with 4.1(2b) but haven't found one yet.
Not seeing an easy way to enable additional logging on the SSH server.
But you can enable verbose SSH client logging easily using:
ssh -vvv user@ip.ad.dre.ss
Can you use the same key for other passwordless SSH systems?
It is common to have the wrong permissions on the SSH id_rsa and the verbose client logging will uncover the incorrect permissions.
08-04-2021 06:22 AM - edited 08-04-2021 06:25 AM
Hi Steven,
ssh -vvv is not giving any clue.
opensshd -d is more powerful
Yes, the key is working for a lot of other equipment like nexus, mds, esxi, etc...
root access is not possible for ucsm?
I have the same issue with two ucsm (this is a 2 datacenters solution).
08-09-2021 12:48 AM
Steven, how can I run opensshd in debug mode in ucsm?
Or get a bash temporary root access to launch opensshd -d -p 4444 ?
Thanks!
08-09-2021 05:12 AM
You (end-user) can't get that kind of access.
You'll need TAC support to get that kind of access to the Fabric Interconnect appliance.
I ran through the process in my lab but since my passwordless SSH is working it didn't show much.
You will need an additional `iptables` command before, to make it work, and after, to clean up:
Linux(debug)# iptables -I INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
Linux(debug)# /isan/sbin/sshd -d -p 4444
Linux(debug)# iptables -D INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
Since it works for me and not for you it seems there is something else you have different on your client side.
What is the hostkey type of your key? ssh-rsa or something else?
08-11-2021 07:13 AM
Hi Steven,
This is the anonymized output:
SWANONYMISER02-A /security # show local-user detail
Local User admin:
First Name:
Last Name:
Email:
Phone:
Expiration: Never
Password: ****
Account status: Active
User Roles:
Name: admin
Name: read-only
User SSH public key: ssh-rsa AAAAB3NzaC1yc2EANONYMISERAAAgQClr7Jn7rc22HANONYMISERW5AJJO/ANONYMISERVhvo+Mqm3rFklHidHvy493ZW9/vXra83iU3+QANONYMISER5UALk0MtsJM1ADANONYMISER8zY1vqPKAqUuEANONYMISERH2KTggcUMLiy3wSANONYMISERwGxOKw==
08-11-2021 07:19 AM
Steven, I tried a new ssh key for testing purposes:
$ cat testing
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
$ cat testing.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDes1TH7/pS0GuAgHQpWeyeyvtEl5D2JG56md6wTFJ03sYSSH5JnJavK8tLNaYnwemxUpWLhQYKC5zWvQKvo0Rvp1B+sMOAAY3jjJ5KlmbRJP5809q43TDLKQR6opCgN+auc1FeSB3QLohVR1mqkhyVWccooeKV4sFoRP6rV7NUPRTRXOrCz7SUKRLeuSAW0rLxGEJGxSVbDYr15tct2qhOcLE+2g509L61Vl9R7aIXjP2rcHZsSmFywbmimjaS5bqV9995L+ZOU7SSiybD14K57CaZxn05gmNwx5cMbn1ByFvCtlbk4YUVbpnXPx5A+u0uNP7X20NbJNokwIOS2Nw5
No passphrase...
Not working either.
08-20-2021 07:47 AM
I don't know what isn't working on your end.
Created a UCSM user "SSHUser" with your public key
Pod-01-UCS-A /security # show local-user SSHUser detail
Local User SSHUser:
First Name:
Last Name:
Email:
Phone: admin
Expiration: Never
Password: ****
Account status: Active
User Roles:
Name: read-only
User SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDes1TH7/pS0GuAgHQpWeyeyvtEl5D2JG56md6wTFJ03sYSSH5JnJavK8tLNaYnwemxUpWLhQYKC5zWvQKvo0Rvp1B+sMOAAY3jjJ5KlmbRJP5809q43TDLKQR6opCgN+auc1FeSB3QLohVR1mqkhyVWccooeKV4sFoRP6rV7NUPRTRXOrCz7SUKRLeuSAW0rLxGEJGxSVbDYr15tct2qhOcLE+2g509L61Vl9R7aIXjP2rcHZsSmFywbmimjaS5bqV9995L+ZOU7SSiybD14K57CaZxn05gmNwx5cMbn1ByFvCtlbk4YUVbpnXPx5A+u0uNP7X20NbJNokwIOS2Nw5
Pod-01-UCS-A /security #
and put your keys in files
[sttardy@sttardy .ssh]$ ls -l SSH*
-rw-------. 1 sttardy sttardy 1675 Aug 20 10:34 SSHUser
-rw-r--r--. 1 sttardy sttardy 381 Aug 20 10:33 SSHUser.pub
and it "just worked".
[sttardy@sttardy .ssh]$ ssh -i SSHUser SSHUser@192.0.2.1
Cisco UCS 6200 Series Fabric Interconnect
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are owned by other third parties and used and distributed under license.
Certain components of this software are licensed under the GNU General Public License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL) Version 2.1.
A copy of each such license is available at http://www.opensource.org/licenses/gpl-2.0.php and http://www.opensource.org/licenses/lgpl-2.1.php
Pod-01-UCS-A#
¯\_(ツ)_/¯
The "admin" user in your `show local-user detail` output has a different key compared to what you posted later.
08-23-2021 03:21 AM
Seems I'm doomed.
SWXXXXXXXDCT02-A /security # show local-user operation detail
Local User operation:
First Name:
Last Name:
Email:
Phone:
Expiration: Never
Password:
Account status: Active
User Roles:
Name: admin
Name: read-only
User SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDes1TH7/pS0GuAgHQpWeyeyvtEl5D2JG56md6wTFJ03sYSSH5JnJavK8tLNaYnwemxUpWLhQYKC5zWvQKvo0Rvp1B+sMOAAY3jjJ5KlmbRJP5809q43TDLKQR6opCgN+auc1FeSB3QLohVR1mqkhyVWccooeKV4sFoRP6rV7NUPRTRXOrCz7SUKRLeuSAW0rLxGEJGxSVbDYr15tct2qhOcLE+2g509L61Vl9R7aIXjP2rcHZsSmFywbmimjaS5bqV9995L+ZOU7SSiybD14K57CaZxn05gmNwx5cMbn1ByFvCtlbk4YUVbpnXPx5A+u0uNP7X20NbJNokwIOS2Nw5
To compare --------> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDes1TH7/pS0GuAgHQpWeyeyvtEl5D2JG56md6wTFJ03sYSSH5JnJavK8tLNaYnwemxUpWLhQYKC5zWvQKvo0Rvp1B+sMOAAY3jjJ5KlmbRJP5809q43TDLKQR6opCgN+auc1FeSB3QLohVR1mqkhyVWccooeKV4sFoRP6rV7NUPRTRXOrCz7SUKRLeuSAW0rLxGEJGxSVbDYr15tct2qhOcLE+2g509L61Vl9R7aIXjP2rcHZsSmFywbmimjaS5bqV9995L+ZOU7SSiybD14K57CaZxn05gmNwx5cMbn1ByFvCtlbk4YUVbpnXPx5A+u0uNP7X20NbJNokwIOS2Nw5
May I open a support case?
05-06-2022 01:16 AM
It is working now!!!
The solution was to use longer ssh keys!!!
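Since key length turned out to be the deciding factor, here is an added example (not from the thread or from Cisco) that audits what is actually configured: a parser for the ssh-rsa wire format that reports the modulus size of an authorized_keys-style line, using the 2048-bit test key posted above as sample input, and checks it against a floor the caller picks. `make_rsa_pubkey_line` is a helper assumed here only to build constructed keys of other lengths for comparison.

```python
import base64
import struct

# The test public key as posted in the thread (comment field omitted), used as sample input.
POSTED_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDes1TH7/pS0GuAgHQpWeyeyvtEl5D2JG56md6wTFJ03sYSSH5JnJavK8tLNaYnwemxUpWLhQYKC5zWvQKvo0Rvp1B+sMOAAY3jjJ5KlmbRJP5809q43TDLKQR6opCgN+auc1FeSB3QLohVR1mqkhyVWccooeKV4sFoRP6rV7NUPRTRXOrCz7SUKRLeuSAW0rLxGEJGxSVbDYr15tct2qhOcLE+2g509L61Vl9R7aIXjP2rcHZsSmFywbmimjaS5bqV9995L+ZOU7SSiybD14K57CaZxn05gmNwx5cMbn1ByFvCtlbk4YUVbpnXPx5A+u0uNP7X20NbJNokwIOS2Nw5"

def _read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def parse_ssh_rsa_pubkey(line):
    """Return (public_exponent, modulus_bits) for an authorized_keys-style ssh-rsa line.
    Only the first two fields are decoded; a trailing user@host comment is ignored,
    matching the two-field form that was pasted into UCSM in the thread."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type %r does not match the ssh-rsa prefix" % key_type)
    e_bytes, pos = _read_string(blob, pos)   # mpint e
    n_bytes, pos = _read_string(blob, pos)   # mpint n (may carry a leading 0x00 sign pad)
    if pos != len(blob):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big").bit_length()

def audit_key(line, min_bits=2048):
    """Check a key line against a caller-chosen modulus floor; returns (ok, reason)."""
    try:
        e, bits = parse_ssh_rsa_pubkey(line)
    except ValueError as exc:
        return False, "unparseable key: %s" % exc
    if bits < min_bits:
        return False, "RSA modulus is %d bits, below the %d-bit floor" % (bits, min_bits)
    return True, "RSA-%d, e=%d" % (bits, e)

def make_rsa_pubkey_line(e, n):
    """Hypothetical helper: encode (e, n) as an ssh-rsa line to build constructed test keys."""
    def mpint(v):
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")   # +8 keeps the 0x00 sign pad byte
        return struct.pack(">I", len(b)) + b
    blob = b"\x00\x00\x00\x07ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")
```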