5406zl - can't choose local method for secondary login

DSV12
Frequent Advisor

5406zl with K.14.47b software release. I tried to set the secondary login method to 'local' but can't. After:

#aaa authentication ssh login public-key local

I get:

“Not legal combination of authentication methods” - but this is definitely a valid combination, as indicated in the documentation. The operator password is set; I can log in with it by telnet but not by SSH (because only 'none' is accepted as the secondary method).

The 'none' method as secondary login is unacceptable for us.

What am I doing wrong?
3 REPLIES
Jeff Carrell
Honored Contributor

Re: 5406zl - can't choose local method for secondary login

According to the ProCurve manual:

Configure the primary and secondary authentication methods you
want the switch to use. In all cases, the switch will use its host-public-key
to authenticate itself when initiating an SSH session with a client.
• SSH Login (Operator) options:
– Option A:
Primary: Local, TACACS+, or RADIUS password
Secondary: Local password or none. If the primary option is local, the secondary option must be none.
– Option B:
Primary: Client public-key authentication (login public-key – page 8-22)
Secondary: none
Note that if you want the switch to perform client public-key
authentication, you must configure the switch with Option B.
• SSH Enable (Manager) options:
Primary: Local, TACACS+, or RADIUS
Secondary: Local password or none. If the primary option is
local, the secondary option must be none.

hth...Jeff
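The Option A / Option B rules quoted above can be turned into a small config lint so a proposed `aaa authentication ssh` line is checked before it is typed into the switch. This is an added example, not code from the thread or from HP; the function name `check_ssh_aaa` and the method keywords `tacacs` / `radius` are assumptions, and only the rules in the quoted manual text are encoded.

```python
"""Lint ProCurve 'aaa authentication ssh <login|enable> <primary> <secondary>' lines.

Rules encoded (from the manual excerpt quoted in the thread):
  login  (Operator): Option A  primary local/tacacs/radius, secondary local or none,
                               and primary local => secondary must be none
                     Option B  primary public-key, secondary none
  enable (Manager):  primary local/tacacs/radius, secondary local or none,
                     primary local => secondary must be none
"""
import re

PASSWORD_PRIMARY = {"local", "tacacs", "radius"}   # assumed CLI keywords
SECONDARY = {"local", "none"}

LINE_RE = re.compile(
    r"^\s*#?\s*aaa\s+authentication\s+ssh\s+(login|enable)\s+(\S+)\s+(\S+)\s*$"
)


def check_ssh_aaa(line):
    """Return (ok, reason) for one config line; a leading '#' prompt is tolerated."""
    m = LINE_RE.match(line)
    if not m:
        return False, "not an 'aaa authentication ssh <login|enable> <primary> <secondary>' line"
    level, primary, secondary = m.groups()
    if secondary not in SECONDARY:
        return False, f"secondary method '{secondary}' must be local or none"
    if primary == "public-key":
        if level != "login":
            return False, "public-key is only an SSH login (Operator) option"
        if secondary != "none":
            # This is the OP's case: the switch answers "Not legal combination".
            return False, "Option B: public-key requires secondary 'none'"
        return True, "Option B: only clients in the stored public-key file get SSH access"
    if primary not in PASSWORD_PRIMARY:
        return False, f"unknown primary method '{primary}'"
    if primary == "local" and secondary != "none":
        return False, "Option A: primary local requires secondary none"
    return True, f"Option A: primary {primary}, secondary {secondary}"


if __name__ == "__main__":
    # Constructed sample lines, including the two from the thread.
    for cfg in ("#aaa authentication ssh login public-key local",
                "#aaa authentication ssh login public-key none",
                "aaa authentication ssh login radius local",
                "aaa authentication ssh enable local local"):
        print(cfg, "->", check_ssh_aaa(cfg))
```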
DSV12
Frequent Advisor

Re: 5406zl - can't choose local method for secondary login

My docs (3500-5400-6200-6600-8200-ASG-Sept09-K_14_34.pdf) additionally contain some other information :-). Page 8-24:

"To provide the optional, opposite service - client public-key authentication to the switch - you can configure the switch to store up to ten public keys for authenticating clients.
...
That is, if you use this feature, only the clients whose public keys are in the client public-key file you store on the switch will have SSH access to the switch over the network. If you do not allow secondary SSH login (Operator) access via local password, then the switch will refuse other SSH clients."

The last phrase suggests that the secondary method may NOT be 'none'. It looks like it will be enough to "allow secondary SSH login (Operator) access via local password".

Another quote (p.8-30):

"To enable client public-key authentication to block SSH clients whose public keys are not in the client-public-key file copied into the switch, you must configure the Login Secondary as none. Otherwise, the switch allows such clients to attempt access using the switch's Operator password".

And again, the last sentence says that a secondary method other than 'none' can be selected.

And at last (p.8-21):

"aaa authentication ssh login public-key
Configures the switch to authenticate a client public-key at the login level with an optional secondary password method (default: none)".

It explicitly states that "an optional secondary password method" is possible.

But your quote clearly indicates that the second method can only be 'none'. Where is the truth? Since I really cannot choose anything but 'none' as the secondary method, your link is more consistent with reality :-).
DSV12
Frequent Advisor

Re: 5406zl - can't choose local method for secondary login

Very interesting: if I set the primary login method to public-key and the secondary to 'none':

#aaa authentication ssh login public-key none

I can still, however, get access to the 5306zl through SSH by entering the manager's name/password. The same is confirmed here: http://www.baynetwork.com/Forum/index.php?topic=441.0