SSH to UCSM without password

Defdefred
Level 1

Hi,

Is it possible to log in to UCSM through SSH using a private key and bypass the login password?

I tried to configure an SSH public key, and I can enter the SSH passphrase, but UCSM is still asking for the admin password.

Regards,

freD


Defdefred
Level 1

No Cisco workers reading the community forum?

What have you tried? What have you configured? What does `ssh -vvv user@UCS.IP.Address` show?

I went into my lab Linux VM and ran:

cat .ssh/id_rsa.pub

From that file I copied the SSH header and blob but NOT the user/IP:

ssh-rsa AAAA...asdf sttardy@192.0.2.15

I went into UCSM and created a new user (with admin role, unsure if that matters).

I edited the user and set:

  1. SSH Type = Key
  2. SSH Data = ssh-rsa AAAA...asdf

After that I went back to the Linux VM and was able to log in to UCSM just fine:

[sttardy@sttardy ~]$ ssh sttardy@192.0.2.1
Cisco UCS 6200 Series Fabric Interconnect
..
Pod-01-UCS-A#

Please detail what you have done to compare to see what is different and causing your configuration to NOT work.

What Realm do you have configured under Native Authentication?

Maybe you have something different than the default (Local)?

Defdefred
Level 1

Hey Steven! Thanks for replying!

I did the same, minus the end of the public key in the GUI.

So I retried with only the first 2 fields of the SSH public key, but same problem.

Maybe my issue is that I use the "admin" user and that the OpenSSH configuration for "admin" is matched in UCSM with some restriction?

[edited] => same issue after creating a dedicated user with administrator role

What Fabric Interconnect PID and what UCSM version are you using (I'm using UCS-FI-6296UP and 4.0(4e) UCSM)?
From what OS are you trying to SSH (I'm using CentOS 7)?

Do you have LDAP authentication enabled on UCSM?

What do you have configured under (I have Realm = Local):

  Admin / User Management / Authentication / Native Authentication / Realm

From CentOS Linux release 7.9.2009 (Core)

To UCS-FI-6248UP and System version: 4.1(2b) (it was not working with an earlier version either)

No LDAP.

Under Admin / User Management / Authentication / Native Authentication / Realm

I have "Realm" = Local,

and for "Role Policy For Remote Users" = No Login.

Is it possible to set the opensshd server in debug mode?

Thanks Steven!

My CentOS was a bit out of date, but `yum update` did NOT break my passwordless SSH to my lab UCS 6200.

I tried to find another lab UCS 6200 with 4.1(2b) but haven't found one yet.

I'm not seeing an easy way to enable additional logging on the SSH server.

But you can enable verbose SSH client logging easily using:

ssh -vvv user@ip.ad.dre.ss

Can you use the same key for other passwordless SSH systems?

It is common to have the wrong permissions on the SSH id_rsa and the verbose client logging will uncover the incorrect permissions.

Hi Steven,

ssh -vvv is not giving any clue.

opensshd -d is more powerful.

Yes, the key is working for a lot of other equipment like Nexus, MDS, ESXi, etc.

Root access is not possible for UCSM?

I have the same issue with two UCSMs (this is a 2-datacenter solution).

Defdefred
Level 1

Steven, how can I run opensshd in debug mode in UCSM?

Or get temporary bash root access to launch opensshd -d -p 4444?

Thanks!

You (end-user) can't get that kind of access.

You'll need TAC support to get that kind of access to the Fabric Interconnect appliance.

I ran through the process in my lab but since my passwordless SSH is working it didn't show much.

You will need an additional `iptables` command before, to make it work, and after, to clean up:

Linux(debug)# iptables -I INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
Linux(debug)# /isan/sbin/sshd -d -p 4444
Linux(debug)# iptables -D INPUT -p tcp -m tcp --dport 4444 -j ACCEPT

Since it works for me and not for you it seems there is something else you have different on your client side.

What is the hostkey type of your key? ssh-rsa or something else?

Hi Steven,

This is the anonymized output:

SWANONYMISER02-A /security # show local-user detail
Local User admin:
First Name:
Last Name:
Email:
Phone:
Expiration: Never
Password: ****
Account status: Active
User Roles:
Name: admin
Name: read-only
User SSH public key: ssh-rsa AAAAB3NzaC1yc2EANONYMISERAAAgQClr7Jn7rc22HANONYMISERW5AJJO/ANONYMISERVhvo+Mqm3rFklHidHvy493ZW9/vXra83iU3+QANONYMISER5UALk0MtsJM1ADANONYMISER8zY1vqPKAqUuEANONYMISERH2KTggcUMLiy3wSANONYMISERwGxOKw==

Steven, I tried a new SSH key for testing purposes:

$ cat testing
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
$ cat testing.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDes1TH7/pS0GuAgHQpWeyeyvtEl5D2JG56md6wTFJ03sYSSH5JnJavK8tLNaYnwemxUpWLhQYKC5zWvQKvo0Rvp1B+sMOAAY3jjJ5KlmbRJP5809q43TDLKQR6opCgN+auc1FeSB3QLohVR1mqkhyVWccooeKV4sFoRP6rV7NUPRTRXOrCz7SUKRLeuSAW0rLxGEJGxSVbDYr15tct2qhOcLE+2g509L61Vl9R7aIXjP2rcHZsSmFywbmimjaS5bqV9995L+ZOU7SSiybD14K57CaZxn05gmNwx5cMbn1ByFvCtlbk4YUVbpnXPx5A+u0uNP7X20NbJNokwIOS2Nw5

No passphrase...

Not working either.

I don't know what isn't working on your end.

I created a UCSM user "SSHUser" with your public key:

Pod-01-UCS-A /security # show local-user SSHUser detail
Local User SSHUser:
    First Name:
    Last Name:
    Email:
    Phone: admin
    Expiration: Never
    Password: ****
    Account status: Active
    User Roles:
        Name: read-only
    User SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDes1TH7/pS0GuAgHQpWeyeyvtEl5D2JG56md6wTFJ03sYSSH5JnJavK8tLNaYnwemxUpWLhQYKC5zWvQKvo0Rvp1B+sMOAAY3jjJ5KlmbRJP5809q43TDLKQR6opCgN+auc1FeSB3QLohVR1mqkhyVWccooeKV4sFoRP6rV7NUPRTRXOrCz7SUKRLeuSAW0rLxGEJGxSVbDYr15tct2qhOcLE+2g509L61Vl9R7aIXjP2rcHZsSmFywbmimjaS5bqV9995L+ZOU7SSiybD14K57CaZxn05gmNwx5cMbn1ByFvCtlbk4YUVbpnXPx5A+u0uNP7X20NbJNokwIOS2Nw5
Pod-01-UCS-A /security #

and put your keys in files:

[sttardy@sttardy .ssh]$ ls -l SSH*
-rw-------. 1 sttardy sttardy 1675 Aug 20 10:34 SSHUser
-rw-r--r--. 1 sttardy sttardy 381 Aug 20 10:33 SSHUser.pub

and it "just worked".

[sttardy@sttardy .ssh]$ ssh -i SSHUser SSHUser@192.0.2.1
Cisco UCS 6200 Series Fabric Interconnect
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php

Pod-01-UCS-A#

¯\_(ツ)_/¯

The "admin" user in your `show local-user detail` output has a different key compared to what you posted later.

Seems I'm doomed.

SWXXXXXXXDCT02-A /security # show local-user operation detail
Local User operation:
First Name:
Last Name:
Email:
Phone:
Expiration: Never
Password:
Account status: Active
User Roles:
Name: admin
Name: read-only
User SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDes1TH7/pS0GuAgHQpWeyeyvtEl5D2JG56md6wTFJ03sYSSH5JnJavK8tLNaYnwemxUpWLhQYKC5zWvQKvo0Rvp1B+sMOAAY3jjJ5KlmbRJP5809q43TDLKQR6opCgN+auc1FeSB3QLohVR1mqkhyVWccooeKV4sFoRP6rV7NUPRTRXOrCz7SUKRLeuSAW0rLxGEJGxSVbDYr15tct2qhOcLE+2g509L61Vl9R7aIXjP2rcHZsSmFywbmimjaS5bqV9995L+ZOU7SSiybD14K57CaZxn05gmNwx5cMbn1ByFvCtlbk4YUVbpnXPx5A+u0uNP7X20NbJNokwIOS2Nw5
To compare --------> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDes1TH7/pS0GuAgHQpWeyeyvtEl5D2JG56md6wTFJ03sYSSH5JnJavK8tLNaYnwemxUpWLhQYKC5zWvQKvo0Rvp1B+sMOAAY3jjJ5KlmbRJP5809q43TDLKQR6opCgN+auc1FeSB3QLohVR1mqkhyVWccooeKV4sFoRP6rV7NUPRTRXOrCz7SUKRLeuSAW0rLxGEJGxSVbDYr15tct2qhOcLE+2g509L61Vl9R7aIXjP2rcHZsSmFywbmimjaS5bqV9995L+ZOU7SSiybD14K57CaZxn05gmNwx5cMbn1ByFvCtlbk4YUVbpnXPx5A+u0uNP7X20NbJNokwIOS2Nw5

May I open a support case?

It is working now!!!

The solution was to use a longer SSH key!!!

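A pre-flight check for the two things this thread turned on: trimming the public key to its first two fields before pasting it into the UCSM "SSH Data" field (Steven's post above), and reading the RSA modulus size out of the key blob, since the accepted fix was a longer key. This is an added example for this thread, not Cisco, UCSM or OpenSSH code; PAGE_KEY is the testing.pub line posted above, and the 1024-bit key is built from a fake modulus purely to exercise the size check.

```python
"""Checks for an OpenSSH public key bound for UCSM's "SSH Data" field; PAGE_KEY is the thread's testing.pub."""
import base64
import struct

PAGE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDes1TH7/pS0GuAgHQpWeyeyvtEl5D2JG56md6wTFJ03sYSSH5JnJavK8tLNaYnwemxUpWLhQYKC5zWvQKvo0Rvp1B+sMOAAY3jjJ5KlmbRJP5809q43TDLKQR6opCgN+auc1FeSB3QLohVR1mqkhyVWccooeKV4sFoRP6rV7NUPRTRXOrCz7SUKRLeuSAW0rLxGEJGxSVbDYr15tct2qhOcLE+2g509L61Vl9R7aIXjP2rcHZsSmFywbmimjaS5bqV9995L+ZOU7SSiybD14K57CaZxn05gmNwx5cMbn1ByFvCtlbk4YUVbpnXPx5A+u0uNP7X20NbJNokwIOS2Nw5"

def _read_string(buf, offset):
    """Read one RFC 4253 'string': 4-byte big-endian length, then that many bytes."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length

def _mpint(value):
    """Encode a non-negative int as an SSH mpint (leading 0x00 when the MSB is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw

def parse_pubkey_line(line):
    """Return (key_type, ucsm_value, rsa_bits). ucsm_value is the two-field form
    without the user@host comment, as pasted into UCSM; rsa_bits is None for non-RSA."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    wire_type, pos = _read_string(blob, 0)
    if wire_type.decode("ascii") != key_type:
        raise ValueError("type field does not match the encoded blob")
    bits = None
    if key_type == "ssh-rsa":
        _e, pos = _read_string(blob, pos)   # public exponent
        n, _ = _read_string(blob, pos)      # modulus, as mpint
        bits = int.from_bytes(n, "big").bit_length()
    return key_type, f"{key_type} {b64}", bits

def build_rsa_pubkey_line(modulus, exponent=65537, comment=None):
    """Build an ssh-rsa line from integers (constructed test keys only, not a real key)."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(exponent) + _mpint(modulus)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line

def meets_minimum(bits, minimum=2048):
    """True when the RSA modulus has at least `minimum` bits (the thread's fix was a longer key)."""
    return bits is not None and bits >= minimum

if __name__ == "__main__":
    short = build_rsa_pubkey_line((1 << 1023) | 1, comment="lab@192.0.2.15")  # constructed 1024-bit
    for line in (PAGE_KEY, short):
        kind, value, bits = parse_pubkey_line(line)
        print(kind, bits, "bits:", "ok" if meets_minimum(bits) else "too short", "|", value[:40] + "...")
```

The posted testing.pub decodes to a 2048-bit modulus, so the size check alone would not have flagged it; the check is most useful against older 1024-bit keys such as the anonymized admin key earlier in the thread.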