Fibre Channel (SAN)

New Contributor
Posts: 3
Registered: ‎11-07-2017

Public key export problem from Brocade 5480 switch

Hi,

I am having difficulties exporting the public key from the Brocade switch to my SFTP server (Cerberus).

The Brocade switch is a 5480 with fw 7.3.1a (I am trying to upgrade it using SFTP).

 

I follow the below procedure in the Brocade switch. I successfully create the key pair in the following procedure (step 4).

 

Configuring outgoing SSH authentication

After the allowed-user is configured, the remaining setup steps must be completed by the allowed-user. Use the following procedure to configure outgoing SSH authentication:

  1. Log in to the switch as the default admin.

  2. Change the allowed-user's permissions to admin, if applicable:

       switch:admin> userconfig --change username -r admin

     where the username variable is the name of the user who can perform SSH public key authentication, and who can import, export, and delete keys.

  3. Set up the allowed-user by typing the following command:

       switch:admin> sshutil allowuser username

     where the username variable is the name of the user who can perform SSH public key authentication, and who can import, export, and delete keys.

  4. Generate a key pair for switch-to-host (outgoing) authentication by logging in to the switch as the allowed-user and entering the sshUtil genkey command. You may enter a passphrase for additional security. Example of generating a key pair on the switch:

       switch:alloweduser> sshutil genkey
       Enter passphrase (empty for no passphrase):
       Enter same passphrase again:
       Key pair generated successfully.

  5. Export the public key to the host by logging in to the switch as the allowed-user and entering the sshUtil exportpubkey command to export the key. Example of exporting a public key from the switch:

       switch:alloweduser> sshutil exportpubkey
       Enter IP address:192.168.38.244
       Enter remote directory:~auser/.ssh
       Enter login name:auser
       Password:
       public key out_going.pub is exported successfully.

  6. Append the public key to a remote host by logging in to the remote host, locating the directory where authorized keys are stored, and appending the public key to the file. You may need to refer to the host's documentation to locate where the authorized keys are stored.

  7. Test the setup by using a command that uses SCP and authentication, such as firmwareDownload or configUpload.

In step 5, I get the following response on the switch: "Failed to export public key"

I need to clarify a few things:

What should I enter for the remote directory? The Cerberus SFTP server is on a Windows server. I enter the name of an empty folder inside the ftproot folder, called ssh. The admin user has full access to ftproot.

I also tried ~ssh and ~admin/.ssh as names for the remote directory.

Attached below is the log from the Cerberus SFTP server. As you can see, the Brocade switch closes the connection:

 

2017/11/07 16:10:18  [53]  Incoming connection request on SSH interface 10 at 0.0.0.0
2017/11/07 16:10:18  [53]  SSH SFTP connection request accepted from 0.0.0.1
2017/11/07 16:10:18  [53]  Client Identification: SSH-2.0-OpenSSH_6.2
2017/11/07 16:10:18  [53]  Algorithm negotiation complete: Proceeding with key exchange
2017/11/07 16:10:18  [53]  Kex: 'ecdh-sha2-nistp256' Host Key: 'ssh-rsa' C2S : 'aes128-ctr, hmac-md5, none' S2C : 'aes128-ctr, hmac-md5, none'
2017/11/07 16:10:18  [53]  SSH key bits: 2048
2017/11/07 16:10:18  [53]  ECDH Key size: 256
2017/11/07 16:10:18  [53]  CCipher::init: Set key length (16 -> 32)
2017/11/07 16:10:18  [53]  CCipher::init: Set key length failed (16 -> 32) : invalid key length
2017/11/07 16:10:18  [53]  CCipher::init: Set key length (16 -> 32)
2017/11/07 16:10:18  [53]  CCipher::init: Set key length failed (16 -> 32) : invalid key length
2017/11/07 16:10:18  [53]  All keys derived
2017/11/07 16:10:18  [53]  Using new keys for sending data to the client
2017/11/07 16:10:18  [53]  The client closed the connection
2017/11/07 16:10:18  [53]  Connection terminated

 

 

Could it be that the Cerberus SFTP server's encryption requirements are too strict? I have opened up all the possibilities there. Is there perhaps something I can do on the Brocade switch?
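Step 6 of the procedure quoted above is the part that is easy to get wrong on a Unix host: the exported out_going.pub has to land in ~/.ssh/authorized_keys with the right permissions, and appending it again after a retried export leaves duplicate entries. The shell functions below are an added example, not code from this thread or from Brocade. They check that a file holds exactly one OpenSSH-format public key line, cross-check the declared key type against the fixed base64 prefix of the encoded blob (the blob begins with the length-prefixed type name, so a mismatch means a mislabelled or edited key), and append the key only if it is not already present. The file names, the home directory argument and the sample key in the usage are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Brocade): install the public
# key that "sshutil exportpubkey" copies to the host (out_going.pub) into a
# user's ~/.ssh/authorized_keys, safely and idempotently.
# Assumes a POSIX sh with grep, sed and awk; file names are illustrative.

# Print the single OpenSSH-format public key line found in "$1", or fail.
validate_pubkey() {
    nlines=$(grep -c '[^[:space:]]' "$1" || true)
    if [ "$nlines" != 1 ]; then
        echo "expected exactly one key line in $1, found $nlines" >&2
        return 1
    fi
    # Strip CR (Windows-side edits) and surrounding whitespace.
    key=$(grep '[^[:space:]]' "$1" | tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    # "<type> <base64 blob> [comment]"; PEM/RFC4716 blocks are rejected here.
    if ! printf '%s\n' "$key" | grep -Eq '^(ssh-rsa|ssh-dss|ecdsa-sha2-nistp(256|384|521)|ssh-ed25519) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'; then
        echo "$1: not a single-line OpenSSH public key" >&2
        return 1
    fi
    type=${key%% *}
    rest=${key#* }
    blob=${rest%% *}
    # The blob starts with the length-prefixed type name, so its base64 has
    # a fixed prefix per type; a mismatch means an edited or mislabelled key.
    case $type in
        ssh-rsa)             want=AAAAB3NzaC1yc2E ;;
        ssh-dss)             want=AAAAB3NzaC1kc3M ;;
        ssh-ed25519)         want=AAAAC3NzaC1lZDI1NTE5 ;;
        ecdsa-sha2-nistp256) want=AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY ;;
        *)                   want= ;;   # other curves: skip the cross-check
    esac
    case $blob in
        "$want"*) ;;
        *) echo "$1: key type $type does not match the encoded blob" >&2; return 1 ;;
    esac
    printf '%s\n' "$key"
}

# install_pubkey <pubkey file> [home dir]: append to authorized_keys once.
install_pubkey() {
    home=${2:-$HOME}
    key=$(validate_pubkey "$1") || return 1
    ak="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    touch "$ak" && chmod 600 "$ak" || return 1
    # Match on type and blob only, so a different comment is not a new key.
    typeblob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v want="$typeblob" '($1 " " $2) == want { found = 1 } END { exit !found }' "$ak"; then
        echo "already present in $ak" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$ak" && echo "installed into $ak" >&2
}

# Usage (paths are assumptions): sh install_pubkey.sh out_going.pub /home/auser
if [ $# -ge 1 ]; then
    install_pubkey "$@"
fi
```

Running it twice against the same out_going.pub leaves a single authorized_keys entry, and a key whose declared type does not match its blob (for example an ed25519 blob labelled ssh-rsa) is rejected before it ever reaches the file.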

 

 

 

Brocade Moderator
Posts: 414
Registered: ‎03-29-2011

Re: Public key export problem from Brocade 5480 switch

Hi atledale2,

 

If the user on the Cerberus SFTP server is called admin and has, for example, the home directory c:\sftp\admin, and you have created an empty folder called ssh in there (c:\sftp\admin\ssh), then for the directory in sshutil exportpubkey I would try "/ssh" or even "." - an SFTP server should only expose a home directory to each configured user.




If this provided you with a solution to this issue, please mark it with the button at the bottom "Accept as solution".


Any and all information provided by me is not reviewed, approved or endorsed by Brocade and is provided solely as a convenience for Brocade customers. All systems and all networks are different and unique. If you have a service affecting network problem, please open a TAC service request for service through Brocade, or through your OEM equipment provider. If this provided you with a solution to this issue, please mark it with the button at the bottom "Accept as solution"
New Contributor
Posts: 3
Registered: ‎11-07-2017

Re: Public key export problem from Brocade 5480 switch

Hi, thanks for the answer. But it didn't make a difference. Same error in the Cerberus SFTP server (see the log in the first post). I also created a new FTP user with a new home folder. By default it will place the file in the home folder if you just specify file.txt.

If you want to specify a folder called ssh, you just write it like this: /ssh/filename.txt.

 

But in both cases, the Brocade client is terminating the connection after key negotiation has succeeded. Strange...

 

What I am testing is the upload function with configupload command.

Brocade Moderator
Posts: 414
Registered: ‎03-29-2011

Re: Public key export problem from Brocade 5480 switch

Hi @atledale2,

 

I just did a quick install on my laptop, and Cerberus SFTP server supports SFTP, but not SCP :-(

And sshutil exportpubkey uses SCP to copy the public key over to the server.

So you need to export the key via SCP to another server.

Or log in as root and get the public key from the file /root/.ssh/id_rsa.pub (if you generated an RSA private key).

Under FOS 7.4.1e, configupload/download/supportsave/firmwaredownload support SFTP, and you can use SFTP with public keys.
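The Cerberus log in the first post fits this diagnosis: algorithm negotiation completed, both sides derived and switched to new keys, and the session was closed by the client before any authentication request. The server's cipher and MAC policy was therefore accepted by the switch, so loosening it cannot help; the client simply had nothing it could do next on an SFTP-only server. The function below is an added example (not from the thread, Brocade or Cerberus) that reads a Cerberus-style log and reports the stage a session reached, so a client-side abort after key exchange can be told apart from a real algorithm mismatch. The sample logs are constructed from the lines quoted in the first post; the patterns for an authentication message and for a failed negotiation are assumptions about wording, since neither appears in the thread.

```shell
#!/bin/sh
# Added example: classify how far an inbound SSH session got, from a
# Cerberus-style log. The "negotiation complete", "All keys derived",
# "Using new keys" and "client closed the connection" patterns are taken
# from the log quoted in the thread; the authentication pattern is assumed.
classify_ssh_session() {
    # Reads the log from "$1", or from stdin when no file is given.
    awk '
        /Algorithm negotiation complete/   { kex = 1 }
        /All keys derived/                 { keys = 1 }
        /Using new keys/                   { keys = 1 }
        /[Aa]uthentication/                { auth = 1 }      # assumed wording
        /The client closed the connection/ { client_closed = 1 }
        END {
            # Later assignments override earlier ones, so the earliest
            # stage that was not reached wins.
            stage = "reached-auth"
            if (!auth)                  stage = "no-auth-attempt"
            if (!auth && client_closed) stage = "client-abort-after-kex"  # crypto accepted, client gave up
            if (!keys)                  stage = "kex-incomplete"          # negotiated, but key exchange never finished
            if (!kex)                   stage = "kex-failed"              # no common algorithms
            print stage
        }' ${1:+"$1"}
}

# Constructed from the lines quoted in the first post (timestamps and
# session id kept; the CCipher lines are included because they are noise
# that should not change the verdict).
sample_log() {
    cat <<'EOF'
2017/11/07 16:10:18  [53]  Incoming connection request on SSH interface 10 at 0.0.0.0
2017/11/07 16:10:18  [53]  SSH SFTP connection request accepted from 0.0.0.1
2017/11/07 16:10:18  [53]  Client Identification: SSH-2.0-OpenSSH_6.2
2017/11/07 16:10:18  [53]  Algorithm negotiation complete: Proceeding with key exchange
2017/11/07 16:10:18  [53]  Kex: 'ecdh-sha2-nistp256' Host Key: 'ssh-rsa' C2S : 'aes128-ctr, hmac-md5, none' S2C : 'aes128-ctr, hmac-md5, none'
2017/11/07 16:10:18  [53]  CCipher::init: Set key length failed (16 -> 32) : invalid key length
2017/11/07 16:10:18  [53]  All keys derived
2017/11/07 16:10:18  [53]  Using new keys for sending data to the client
2017/11/07 16:10:18  [53]  The client closed the connection
2017/11/07 16:10:18  [53]  Connection terminated
EOF
}

# Constructed counter-example with assumed wording for a genuine
# algorithm mismatch: no "negotiation complete" line at all.
kex_failure_log() {
    cat <<'EOF'
2017/11/07 16:12:02  [54]  Client Identification: SSH-2.0-OpenSSH_6.2
2017/11/07 16:12:02  [54]  Algorithm negotiation failed: no common cipher
2017/11/07 16:12:02  [54]  Connection terminated
EOF
}

# Usage: sh classify.sh cerberus.log, or: sample_log | classify_ssh_session
if [ $# -ge 1 ]; then
    classify_ssh_session "$1"
fi
```

On the thread's log this prints client-abort-after-kex; only a kex-failed verdict would point at the server's algorithm settings.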




New Contributor
Posts: 3
Registered: ‎11-07-2017

Re: Public key export problem from Brocade 5480 switch

hi,

 

Thanks for your efforts. I will instead do this with normal FTP.

 

But, for the future:

 

What do you mean by "Or log in as root and get the public key from the file /root/.ssh/id_rsa.pub (if you generated an RSA private key)"?

I believe I didn't create a public key, just the public key created using the above procedure. I don't need a private key either for my purpose.

 

and

 

Do you know if the fw I get after upgrade will support scp? (FOS 7.4.1d)

 

Best regards,

Atle
