topic Re: 2848 key-authenticated ssh access to manager mode in Switches, Hubs, and Modems

2848 key-authenticated ssh access to manager mode

Marc Haber — Sat, 11 Oct 2008 08:44:51 GMT

Hi!

I have two (I think) identically configured switches, one in the lab and one productive box.

# show version
Image stamp: /sw/code/build/mako(mkfs)
Aug 15 2007 13:53:51
I.10.43
105
Boot Image: Primary
#

2848 scysw00503# show ip ssh

SSH Enabled : Yes
SSH Version : 2
TCP Port Number : 22
Timeout (sec) : 120
Server Key Size (bits) : 1024
Secure Copy Enabled : No

Ses Type | Protocol Source IP and Port
--- -------- + --------- ---------------------
1 console |
2 telnet |
3 inactive |
4 telnet |

# show authentication

Status and Counters - Authentication Information

Login Attempts : 3
Respect Privilege : Disabled

| Login Login Enable Enable
Access Task | Primary Secondary Primary Secondary
----------- + ---------- ---------- ---------- ----------
Console | Local None Local None
Telnet | Local None Local None
Port-Access | Local None
Webui | Local None Local None
SSH | PublicKey None PublicKey None
Web-Auth | ChapRadius None
MAC-Auth | ChapRadius None

# show crypto client-public-key

Manager keys:

0,mh@scyw00225 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA188zafsfW7wT7Vg/OGH/bNk5snqWK
zLfDLszlj+5RVbpQt9KxkWyGGnLvY4vgt9vNRyVcYu6FQrbM1tNvBdp+ZebNyyVMq/uK/bKz+KFj+I3+
eTGUvI8tUbtcHJp7DRqYxmLWg3hIPEg+UMUCm0K9kDlfi7X5yybnrU0uvBe8kCMCyzs0LSVGvX1RHukD
zy8ZgW4mCU25vAvgZu9nS8XYTo1xnqBPPQdH2wpFFR/p8Up00ZGfmcnzfo2lBh2+puGe8N6067la/6Jd
Lx9MPTkCxwphDFTjdC045N1veK5MxPgKpwsOK7nc9RNCAqFkECObQP03MVCX0eHq96SabbqDQ==

# show crypto host-public-key

SSH host public key file
Version 1 format:

896 35 3830371328877558150264723662879452352090459838062476281144136373461359260
99402738826414267181525559146224627944485827044920066816174950513516199838216615
33196644357337434658201223266115444895517842429782919785151577820155519074434236
7009253048249588729764165228881724729

Version 2 format:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAHEAuZyHANPWp59s2P47pfU4TTD61fB0+dQBpF50XcJ2eT0v
lggPBoo9dCbROJTKhWlzLVhloAhSF5fFuHFtusSZZldBgy3xSnyzTX6cb9XNZFJQNmuhr4EWqpthwbwB
6OzoQCDolWO5k4DHpe2ldXdFOQ==

#

Both switches have the IP address from where I am sshing in listed in their "ip authorized-managers" list with Access-Level Manager. Both switches have an operator and an manager password set.

When I ssh in to the lab switch with
ssh manager@, I get a "sw12#" prompt with manager access without being asked for the password. That is the desired behavior.

However, when I ssh in to the productive switch with ssh manager@, I only get an operator-level "switch>" prompt, and the enable command is replied with "Access denied".

Where can the both switches' configuration differ that doesn't allow me to get manager access on the productive switch when coming in via ssh?

Any hints will be appreciated.

Greetings
Marc

Re: 2848 key-authenticated ssh access to manager mode

Igoris_1 — Mon, 13 Oct 2008 06:02:11 GMT

I had similar problem, there are two things to check:
show authentication
SSH | PublicKey None PublicKey None
Was this output from lab switch or production?
This is correct config.
Second:
# show crypto client-public-key
there must be only manager keys, if you loaded same key to operator storage, you will get only 'login' level and it is not possible to switch to 'enable' level.

Re: 2848 key-authenticated ssh access to manager mode

Marc Haber — Mon, 13 Oct 2008 08:20:35 GMT

Hi,

you wrote:
> I had similar problem, there are two
> things to check:
> show authentication
> SSH | PublicKey None PublicKey None
> Was this output from lab switch or
> production?

Both Lab switches and Production switches give exactly the same output.

> This is correct config.
> Second:
> # show crypto client-public-key
> there must be only manager keys, if you
> loaded same key to operator storage, you
> will get only 'login' level and it is not
> possible to switch to 'enable' level.

Both Lab switches and Production switches only have manager keys, complete output of "show crypto client-public-key" on both Lab and Production is given above.

Any more ideas?

Re: 2848 key-authenticated ssh access to manager mode

Igoris_1 — Mon, 13 Oct 2008 09:09:55 GMT

firmware version the same?
Both switches 28 series?

Re: 2848 key-authenticated ssh access to manager mode

Marc Haber — Mon, 13 Oct 2008 09:18:07 GMT

Switches are identical, 2848 with firmware I.10.43

Re: 2848 key-authenticated ssh access to manager mode

Igoris_1 — Mon, 13 Oct 2008 09:23:53 GMT

what ssh client are you using, putty?
Can you show running config of production sw.

Re: 2848 key-authenticated ssh access to manager mode

Marc Haber — Mon, 13 Oct 2008 09:41:08 GMT

My ssh client is OpenSSH 5.1p1.

Running config of the productive switch:
hostname "2848 sw00512"
snmp-server contact "me@example.com"
snmp-server location "foo"
max-vlans 256
time daylight-time-rule Middle-Europe-and-Portugal
console inactivity-timer 30
no web-management
interface 39
qos priority 6
exit
interface 40
qos priority 6
exit
interface 41
qos priority 6
exit
interface 42
qos priority 6
exit
ip default-gateway 10.2.100.94
sntp server 10.2.100.62
timesync sntp
sntp unicast
logging facility local0
logging 172.16.248.33
snmp-server community "" Operator
vlan 1
name "default"
no ip address
no untagged 1-48
exit
vlan 100
name "100mgtA"
untagged 43-48
ip address 10.2.100.77 255.255.255.224
exit
vlan 101
name "101Test"
no ip address
tagged 43-48
exit
vlan 103
name "103extConn"
no ip address
tagged 43-48
exit
vlan 104
name "104mhMisc"
no ip address
tagged 43-48
exit
vlan 108
name "108OffCli"
untagged 1,5-6,10-11,14-16,20,22,26,28,32
no ip address
tagged 43-48
exit
vlan 110
name "110TKAnlage"
untagged 39-42
no ip address
tagged 43-48
exit
vlan 120
name "120OffSrv"
untagged 2-4,7-9,12-13,17-19,21,23-25,27,29-31,33-38
no ip address
tagged 43-48
exit
ip authorized-managers 10.1.2.0 255.255.255.0
ip authorized-managers 10.2.100.94
ip authorized-managers 172.16.248.33 access Operator
ip authorized-managers 10.1.108.0 255.255.254.0
aaa authentication ssh login public-key
aaa authentication ssh enable public-key
spanning-tree
spanning-tree protocol-version MSTP
spanning-tree config-name "dotqa-office"
spanning-tree config-revision 8101
spanning-tree instance 2 vlan 101 103 104 108 110 120
ip ssh
ip ssh key-size 1024
password manager
password operator

2848 scysw00512#

Re: 2848 key-authenticated ssh access to manager mode

Marc Haber — Mon, 13 Oct 2008 09:42:11 GMT

My client address is 10.1.108.92, so it falls into a range that is allowed for manager access.

Re: 2848 key-authenticated ssh access to manager mode

Igoris_1 — Mon, 13 Oct 2008 09:48:51 GMT

I am not sure if 'show crypto client-public-key' also displays operator keys, try:
sh crypto client-public-key operator
If you get response:
Client public key file corrupt or not found.
Then it's ok.
Your config looks good, no clues.

Re: 2848 key-authenticated ssh access to manager mode

Igoris_1 — Mon, 13 Oct 2008 11:08:47 GMT

you can test this way:
generate new ssh key and upload it to operator storage:
copy tftp pub-key-file operator append
Now test connection with old key and new one, should be different levels granted on access.

Re: 2848 key-authenticated ssh access to manager mode

Marc Haber — Tue, 14 Oct 2008 10:05:40 GMT

Hi,

you wrote:

>I am not sure if 'show crypto client-public-key' also displays operator keys,

It does:

|2848 sw00503# show crypto client-public-key
|Manager keys:
|0,mh ssh-rsa
|Operator keys:
|0,mhtest ssh-rsa
|2848 sw00503#

>you can test this way:
>generate new ssh key and upload it to operator storage:
>copy tftp pub-key-file operator append
>Now test connection with old key and new one, should be different levels granted on access.

Unfortunately, both keys only grant operator access.

Greetings
Marc