Contributor
Posts: 53
Registered: ‎06-24-2009

Problem with ssh and publickey authentication

Hi all,

When I connect via ssh to a 4100 switch running FOS 5.2.0a or 5.3.2a using password authentication, everything works fine. When I use public key authentication, I get logged in but the environment is not correct.

Before the shell prompt there are three lines with "[: =: unary operator expected". Then, when I try to run a FOS command such as switchshow, I get "RBAC permission denied.". Also, sometimes (but not always) the system asks for passwords to be provided for the four standard users when logging in as root or admin. Finally, the prompt is "{switchname}:ADSmiley Embarassed" instead of "{switchname}:{user}>".

I saw another message about the RBAC message but there was no answer provided.

I feel the problem is that the environment is not being set up correctly when pubkey authentication is used. This could be because of interaction with PAM. I think the shell errors (unary operator expected) are due to certain shell variables not being set when /etc/profile is being executed. The asking for password resets is from the inability to set shell variables correctly, which causes chkdefaultpasswds to be called from .profile. The strange prompt comes from /etc/profile.

Has anyone else seen this and, even better, solved the problem?

The switch is using OpenSSH 3.8.1p1. Ssh client is from Solaris 10 with Sun SSH 1.1.

The same symptoms are found using root, admin and user accounts on the switch.

Thanks in advance,

Alastair
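
The "[: =: unary operator expected" message quoted in the post above is what a shell prints when a `[ $VAR = value ]` test runs while the variable is unset. The following is an added example, not part of the original post and not the switch's /etc/profile; `LOGIN_ROLE` and the function names are hypothetical. It shows the failure, how a profile-style `if` silently treats it as "false", and the quoted form that avoids it:

```shell
#!/bin/sh
# Added example. LOGIN_ROLE and the fragments below are constructed stand-ins,
# not the contents of the switch's /etc/profile.

# Fragile form: the variable is unquoted, so when it is unset or empty the
# test collapses to `[ = admin ]` and the shell reports an operator error.
fragile_is_admin() {
    [ $LOGIN_ROLE = admin ]
}

# Robust form: quoting keeps an empty value as one argument, and ${VAR:-}
# stays safe even under `set -u`.
robust_is_admin() {
    [ "${LOGIN_ROLE:-}" = admin ]
}

# Report the exit status of a check without aborting the caller:
# 0 = true, 1 = false, 2 or higher = the test itself was malformed.
status_of() {
    "$@" 2>/dev/null && echo 0 || echo $?
}

# Profile-style branch: a malformed test is handled like "false", so the
# role-specific setup is skipped without the login being refused.
session_setup() {
    if "$1" 2>/dev/null; then echo "role-env-loaded"; else echo "role-env-skipped"; fi
}

unset LOGIN_ROLE
echo "unset, fragile: status $(status_of fragile_is_admin), $(session_setup fragile_is_admin)"
echo "unset, robust:  status $(status_of robust_is_admin), $(session_setup robust_is_admin)"
LOGIN_ROLE=admin
echo "admin, fragile: status $(status_of fragile_is_admin), $(session_setup fragile_is_admin)"
echo "admin, robust:  status $(status_of robust_is_admin), $(session_setup robust_is_admin)"
```
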

Contributor
Posts: 53
Registered: ‎06-24-2009

Re: Problem with ssh and publickey authentication

Hi,

I have had no reply to my original mail. This may be because nobody else has ever had the problem.

In that light, could someone who has successfully installed ssh on 5.2 or 5.3 please raise his/her hand?

I would be interested to know just what they did.

Thanks,

Alastair

External Moderator
Posts: 4,813
Registered: ‎02-23-2004

Re: Problem with ssh and publickey authentication

Have you seen both of these threads here?

http://community.brocade.com/home/message/2919#2919

http://community.brocade.com/home/message/1698#1698

One member wrote here that the problem was caused on the client side. Not sure, but is this probably like your problem?

TechHelp24
Contributor
Posts: 53
Registered: ‎06-24-2009

Re: Problem with ssh and publickey authentication

Hi TechHelp24,

Yes, I have read both these threads. The first concerns authentication failure. As I said in my first post, my problem is not with the authentication which passes OK. It is with the environment the switch provides after login.

The second thread is much more interesting and talks about several things. I make reference to that thread in my post.

Thanks,

Alastair

External Moderator
Posts: 4,813
Registered: ‎02-23-2004

Re: Problem with ssh and publickey authentication

Alastair,

Can I assume that Password, pubkey, and RSA / SSH Authentication are set to enable?

TechHelp24
Contributor
Posts: 53
Registered: ‎06-24-2009

Re: Problem with ssh and publickey authentication

Hello again.

Yes, they are all set to "yes". All suggestions in the second link above have been tried.

May I repeat that the problem is not with authentication; that is successful.

Thanks,

Alastair

External Moderator
Posts: 4,813
Registered: ‎02-23-2004

Re: Problem with ssh and publickey authentication

I'm a little confused here. You opened this thread as....

"Problem with ssh and publickey authentication"

And you just wrote here

--->>> May I repeat that the problem is not with authentication; that is successful.

OK, what is the problem?

TechHelp24
Contributor
Posts: 53
Registered: ‎06-24-2009

Re: Problem with ssh and publickey authentication

The problem is not with the authentication itself. The problem, as stated in the second sentence in my original post, is

"When I use public key authentication, I get logged in but the environment is not correct".

I can login using pubkey authentication but there are four problems:

- I cannot run any switch commands such as switchshow (RBAC permission denied),

- There are shell syntax errors reported, which I believe come from the execution of /etc/profile because the environment is already incorrectly set up,

- The shell prompt is incorrect,

- It sometimes asks for the passwords for the four basic users to be reset.

None of these problems appear when using password authentication.

New Contributor
Posts: 2
Registered: ‎10-09-2009

Re: Problem with ssh and publickey authentication

What steps did you use to create and install publickey authentication?

I will see if I can replicate the problem here, in my test env.

A step-by-step guide. Also, how are you distributing the install across all your switches?

Contributor
Posts: 53
Registered: ‎06-24-2009

Re: Problem with ssh and publickey authentication

The tests we did were only trying to connect from the Solaris server (the client) to the switch (the server). Since we did not get this to work (two different versions of FOS on two physically different switches), we did not go further and try the other direction. There was no distribution across switches. We tested on one switch at a time.

We tried setting up ssh to various accounts on the switch: root, admin, fred (created user with admin RBAC role) and from various Unix users: root and a normal user. The steps to set up were always the same, using RSA authentication.

1) go to the directory containing the public key of the desired client user on Solaris and cat the id_rsa.pub file.

2) on the switch, go to the home of the role to be logged in as, e.g. admin: /fabos/users/admin. Check the directory .ssh is not group- or world-writable (700 or 755).

3) on the switch, go to the .ssh subdirectory

4) add the public key revealed in step 1 with the command

       echo "ssh-rsa AAA.......x= user@server" >> authorized_keys

   with the appropriate values for "user" and "server".

5) check the file authorized_keys is not group- or world-writable. (600 or 644)

6) set the permissions of authorized_keys to the same as other files in the directory .ssh (e.g. root:admin).

The file /etc/sshd_config was modified (after saving the original version) by adding the following lines to the end (though I don't believe these are necessary since I believe these are the default values on the switch):

     RSAAuthentication yes
     PubkeyAuthentication yes
     PasswordAuthentication yes

The ssh daemon was then invited to re-read the config file with the command

     kill -HUP xxx

where xxx is the PID of the ssh daemon. This was done from a telnet session. From a new ps after the kill, it can be seen the PID of the ssh daemon has changed.

The ssh config changes and daemon restart were only done once.

I hope this is clear.

Thanks,

Alastair
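
The permission checks in steps 2 and 5 and the key appended in step 4 can be verified mechanically. The following is an added example, not part of the original post; the function names are hypothetical, the demo runs against a constructed temporary directory rather than a switch, and only the `ssh-rsa` and `ssh-dss` key types are recognised:

```shell
#!/bin/sh
# Added example: audit the files touched in steps 2-6. The path is passed in;
# the demo below uses a constructed temporary directory, not a real switch.

# Print the path if it is group- or world-writable, nothing otherwise.
loose_perms() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print
}

# Count authorized_keys entries that are not "<type> <base64 blob>" on one
# line, e.g. a key that wrapped when pasted into the echo command of step 4.
bad_key_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            ok = 0
            for (i = 1; i < NF; i++)
                if (($i == "ssh-rsa" || $i == "ssh-dss") && $(i + 1) ~ /^AAAA/) ok = 1
            if (!ok) bad++
        }
        END { print bad + 0 }
    ' "$1"
}

# Return 0 only if .ssh and authorized_keys exist, are not group- or
# world-writable, and every key entry is well formed.
audit_ssh_dir() {
    home=$1; rc=0
    for p in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "MISSING $p"; rc=1
        elif [ -n "$(loose_perms "$p")" ]; then echo "LOOSE   $p"; rc=1
        else echo "OK      $p"; fi
    done
    if [ -f "$home/.ssh/authorized_keys" ] &&
       [ "$(bad_key_lines "$home/.ssh/authorized_keys")" -ne 0 ]; then
        echo "BADKEY  $home/.ssh/authorized_keys"; rc=1
    fi
    return $rc
}

# Constructed demo: one valid-looking entry, then a wrapped (broken) one.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && chmod 755 "$demo/.ssh"
echo "ssh-rsa AAAAconstructedblob= user@server" > "$demo/.ssh/authorized_keys"
chmod 644 "$demo/.ssh/authorized_keys"
audit_ssh_dir "$demo" || true
printf 'ssh-rsa\nAAAAwrapped= user@server\n' >> "$demo/.ssh/authorized_keys"
audit_ssh_dir "$demo" || true
rm -rf "$demo"
```
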
