01-11-2021 03:30 PM - edited 01-11-2021 04:40 PM
Local account access using public-key pair with TACACS enabled
I've recently configured TACACS access for a switch and encountered an issue when trying to access using a local account. The TACACS access is working without issues; however, the local backup account is experiencing login issues:
When logging in as zbxbackup historically, the public key peer would allow the backup server to log in immediately. When attempting to login using zbxbackup@localadmin after the default domain was changed, it now prompts for a password incorrectly.
In the meantime I have reverted the default domain back to localadmin so the backup functions correctly. Is there a way around this, or is there something misconfigured?
EDIT: Just noticed that using zbxbackup@localadmin and entering past the password allows access from anywhere, ignoring the public key... will probably need to switch to password based because of this.
HPE Comware Software, Version 7.1.070, Release 2612P02
HPE FF 5940
hwtacacs scheme tacacs
 primary authentication xxx.xxx.xxx.xxx vpn-instance INTERNAL_ACCESS
 primary authorization xxx.xxx.xxx.xxx vpn-instance INTERNAL_ACCESS
 primary accounting xxx.xxx.xxx.xxx vpn-instance INTERNAL_ACCESS
 secondary authentication xxx.xxx.xxx.xxx vpn-instance INTERNAL_ACCESS
 secondary authorization xxx.xxx.xxx.xxx vpn-instance INTERNAL_ACCESS
 secondary accounting xxx.xxx.xxx.xxx vpn-instance INTERNAL_ACCESS
 key authentication cipher XXXXXXXX
 key authorization cipher XXXXXXXX
 key accounting cipher XXXXXXXX
 user-name-format without-domain
 nas-ip xxx.xxx.xxx.xxx
#
domain domain.com
 authentication login hwtacacs-scheme tacacs local
 authorization login hwtacacs-scheme tacacs local
 accounting login hwtacacs-scheme tacacs
#
domain localadmin
 authentication login local
 authorization login local
 accounting login local
#
 domain default enable domain.com
#
local-user zbxbackup class manage
 service-type ssh terminal
 authorization-attribute user-role network-operator
#
public-key peer zbxbackup
 public-key-code begin
  XXXXXXXXXXXXXXXXXXXXXXX
 public-key-code end
 peer-public-key end
01-12-2021 03:37 AM
Re: Local account access using public-key pair with TACACS enabled
Hi @AdamT2 !
If I'm not mistaken, you need to specify the authentication method as 'publickey' for your local user, like in this example:
[Switch] ssh user zbxbackup service-type stelnet authentication-type publickey assign publickey zbxbackup
01-12-2021 01:32 PM
Re: Local account access using public-key pair with TACACS enabled
Hi Ivan,
There are no configuration options for 'authentication-type' available within the local-user configuration:
[dou-dpl-swc-1]local-user zbxbackup class manage
[dou-dpl-swc-1-luser-manage-zbxbackup]?
Local-user protocol view commands:
access-limit Specify the maximum concurrent access number for the
local user
authorization-attribute Specify authorization attributes for the user group
bind-attribute Specify binding attributes of local user
cfd Connectivity Fault Detection (CFD) module
diagnostic-logfile Diagnostic log file configuration
display Display current system information
emulate-ping Emulate ping function
end Alias for 'return'
exit Alias for 'quit'
group Specify user group of local user
ip Specify IP configuration
lock Lock the current line
logfile Log file configuration
monitor System monitor
mtrace Configure the multicast traceroute
no Alias for 'undo'
password Specify password of local user
password-control Password control feature
ping Ping function
quit Exit from current command view
repeat Repeat executing history commands
reset Reset operation
return Exit to User View
save Save current configuration
security-logfile Security log file configuration
service-type Specify a service type for the local user
show Alias for 'display'
state Specify state of local user
tracert Tracert function
undo Cancel current setting
write Alias for 'save'
01-12-2021 09:51 PM
Re: Local account access using public-key pair with TACACS enabled
Hi Adam!
I didn't mention the local-user configuration context anywhere. Please check the example I gave you carefully; this is a global command, not a command under the local-user configuration context.
I am sure this guide will be extremely helpful to you - https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00041206en_us , page 563.
P.S. Just to be sure I decided to check this command on one of my lab switches. Not like I don't believe guides, but you never know, lol:
<HPE>sys
System View: return to User View with Ctrl+Z.
[HPE]
[HPE]ssh user ?
STRING<1-80> SSH user name
[HPE]ssh user zxbackup ?
service-type Specify a service type
[HPE]ssh user zxbackup ser
[HPE]ssh user zxbackup service-type ?
all All service types
netconf NETCONF
scp SCP
sftp SFTP
stelnet Stelnet
[HPE]ssh user zxbackup service-type stel
[HPE]ssh user zxbackup service-type stelnet ?
authentication-type Specify an authentication method
[HPE]ssh user zxbackup service-type stelnet auth
[HPE]ssh user zxbackup service-type stelnet authentication-type ?
any Any authentication method
password Password authentication
password-publickey Password-publickey authentication
publickey Publickey authentication
[HPE]ssh user zxbackup service-type stelnet authentication-type publ
[HPE]ssh user zxbackup service-type stelnet authentication-type publickey ?
assign Specify the parameter for client verification
<cr>
[HPE]ssh user zxbackup service-type stelnet authentication-type publickey assi
[HPE]ssh user zxbackup service-type stelnet authentication-type publickey assign
?
pki-domain Use a PKI domain
publickey Use a public key of the client
[HPE]ssh user zxbackup service-type stelnet authentication-type publickey assign
pub
[HPE]ssh user zxbackup service-type stelnet authentication-type publickey assign
publickey zxbackup ?
STRING<1-64> Public key name
<cr>
[HPE]ssh user zxbackup service-type stelnet authentication-type publickey assign
publickey zxbackup
[HPE]
[HPE]dis curr | i ssh
ssh user zxbackup service-type stelnet authentication-type publickey assign publickey zxbackup
[HPE]
[HPE]
01-14-2021 02:52 PM
Re: Local account access using public-key pair with TACACS enabled
Hi Ivan,
I've reviewed the configuration and can confirm that the provided configuration is already present (existed further up in the configuration away from the other local user and public key commands).
#
ssh server enable
ssh user zbxbackup service-type stelnet authentication-type publickey assign publickey zbxbackup
ssh server acl 2500
#
Seems to be that public keys do not work if you point the username to a specific authentication domain using @domain. In the meantime I've configured the backup account with a password to protect against the unauthenticated access anyone can use when pointing to a domain configured with local access.
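The condition AdamT2 reports above, turned into a configuration audit (an added example, not code from the thread or from HPE): it flags local users that allow SSH but have no 'password' line while a domain with 'authentication login local' exists, and lists the user@domain logins to verify. The sample config is constructed from the thread's fragments; the 'netadmin' user and the helper names 'sections' and 'audit' are hypothetical.

```python
import re

# Constructed sample modelled on the fragments posted in the thread; 'netadmin' is hypothetical.
SAMPLE_CONFIG = """\
domain localadmin
 authentication login local
#
 domain default enable domain.com
#
local-user zbxbackup class manage
 service-type ssh terminal
 authorization-attribute user-role network-operator
#
local-user netadmin class manage
 password hash CONSTRUCTED-PLACEHOLDER
 service-type ssh
#
 ssh server enable
 ssh user zbxbackup service-type stelnet authentication-type publickey assign publickey zbxbackup
"""

def sections(config):
    """Yield '#'-delimited config sections as lists of stripped, non-empty lines."""
    for chunk in re.split(r"(?m)^[ \t]*#[ \t]*$", config):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            yield lines

def audit(config):
    """Flag SSH-capable local users with no password when a local-only login domain exists."""
    local_domains, users, ssh_auth = [], {}, {}
    for sec in sections(config):
        head = sec[0].split()
        if head[0] == "domain" and len(head) == 2 and "authentication login local" in sec[1:]:
            local_domains.append(head[1])
        elif head[0] == "local-user":
            services = [w for l in sec[1:] if l.startswith("service-type ") for w in l.split()[1:]]
            users[head[1]] = ("ssh" in services, any(l.startswith("password ") for l in sec[1:]))
        for line in sec:  # 'ssh user' lines are global commands, so scan every section
            m = re.match(r"ssh user (\S+) .*authentication-type (\S+)", line)
            if m:
                ssh_auth[m.group(1)] = m.group(2)
    return [{"user": name, "ssh_auth": ssh_auth.get(name),
             "logins_to_verify": [f"{name}@{d}" for d in local_domains]}
            for name, (ssh_ok, has_pw) in users.items()
            if ssh_ok and not has_pw and local_domains]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Because lines are stripped before matching, the audit also works on configuration text whose indentation was lost when it was pasted.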
01-21-2021 12:35 AM
Re: Local account access using public-key pair with TACACS enabled
Ok, since that line is in the config, I am afraid this requires deeper troubleshooting than we do on this forum. I suggest you contact our Support and open a case for this issue.