[c-nsp] SSH problems on cisco generally

Phil Mayers p.mayers at imperial.ac.uk
Thu Jul 24 03:41:50 EDT 2014


On 24 July 2014 06:10:21 BST, Mike <mike-cisconsplist at tiedyenetworks.com> wrote:
>Hi,
>
>     In my environment I use ssh and on my workstation I usually have
>the ssh-agent running storing my keys for me so that I can more easily
>do passwordless logins.
>
>     On all of my cisco boxes however, I can't log in unless I disable
>the ssh-agent as it seems to confuse the box. For example, with the
>agent running and the SSH_AUTH_SOCK environment variable which tells
>SSH how to talk to my agent, I get this:
>
>ssh -l mylogin some3560g.my.network.com
>Connection closed by x.x.x.x.
>
>Disabling the agent however, gets me this:
>
>
>SSH_AUTH_SOCK=0 ssh -l mylogin some3560g.my.network.com
>some3560g>
>
>
>
>Setting "SSH_AUTH_SOCK=0" just means the agent won't be found and thus 
>ssh won't try rsa.
>
>My unix boxes all have no issues with this. I'm suspecting it's a config
>issue, perhaps something with the keys or somesuch, I just don't
>understand.
>
>Anyone have any ideas?
>
>Mike-
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/

Each public key you try is an authentication attempt. IOS only gives you 3 attempts.

This can lead to random problems if you have several keys in your agent, as it's order-dependent whether a login succeeds or not. To be fair this is just as true of normal Unix boxes.

If you have several keys in your agent, this is what you're seeing. If so, IdentitiesOnly in .ssh/config for a given host/wildcard will help.

Tbh I've found SSH agents not useful in the >1 key case for this very reason. It's a shame you can't tell SSH to use a specific key from the agent against a given host.
-- 
Sent from my mobile device, please excuse brevity and typos
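The fix Phil describes, as an added example (not part of either message above): an ssh_config stanza that pins a single key for the Cisco hosts with IdentitiesOnly, plus a small check that counts how many keys ssh offered in `ssh -v` output so you can see whether you are running into the three-attempt limit before the box drops the connection. The key file name `~/.ssh/cisco_ed25519` and the host pattern `*.my.network.com` are assumptions, the debug excerpts are constructed in OpenSSH's `debug1: Offering public key:` format, and the limit of 3 is the IOS behaviour stated in the reply.

```shell
#!/bin/sh
# Added example, not from the cisco-nsp thread. Hypothetical key file and host
# pattern; the 3-attempt limit is the IOS behaviour described in the reply.

IOS_MAX_AUTH_ATTEMPTS=3

# Render an ssh_config stanza for the Cisco hosts. IdentitiesOnly stops ssh
# from offering every key the agent holds; only the listed IdentityFile is
# tried, so one public key = one authentication attempt on the IOS side.
cisco_ssh_config() {
  printf '%s\n' \
    'Host *.my.network.com' \
    '    User mylogin' \
    '    IdentitiesOnly yes' \
    '    IdentityFile ~/.ssh/cisco_ed25519'
}

# Count keys offered in `ssh -v` output read from stdin. Matches both the
# older "Offering RSA public key:" and the newer "Offering public key:" forms.
count_offered_keys() {
  grep -c -E '^debug1: Offering (RSA |DSA |ECDSA |ED25519 )?public key' || true
}

# Succeed when the number of offered keys fits within the IOS retry budget,
# fail otherwise (the situation where the switch just closes the connection).
within_ios_limit() {
  n=$(count_offered_keys)
  [ "$n" -le "$IOS_MAX_AUTH_ATTEMPTS" ]
}

# Constructed `ssh -v` excerpt: an agent holding four keys, all of them offered
# before the box hangs up, which is the symptom from the original post.
AGENT_FOUR_KEYS='debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/mike/.ssh/id_rsa RSA SHA256:AAAA agent
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Offering public key: /home/mike/.ssh/id_ed25519 ED25519 SHA256:BBBB agent
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Offering public key: /home/mike/.ssh/work_rsa RSA SHA256:CCCC agent
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Offering public key: /home/mike/.ssh/git_ed25519 ED25519 SHA256:DDDD agent
Connection closed by 192.0.2.10 port 22'

# Constructed excerpt after the stanza above is in place: one key offered,
# then ssh falls through to the remaining methods within the limit.
PINNED_KEY='debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/mike/.ssh/cisco_ed25519 ED25519 SHA256:EEEE agent
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: keyboard-interactive'

# Usage: feed a real capture with `ssh -v -l mylogin some3560g.my.network.com 2>&1 | within_ios_limit`.
printf '%s\n' "$AGENT_FOUR_KEYS" | within_ios_limit || echo "agent offered too many keys for IOS"
printf '%s\n' "$PINNED_KEY" | within_ios_limit && echo "pinned key fits within the IOS limit"
cisco_ssh_config
```

Drop the stanza into `~/.ssh/config` (or check it with `ssh -G some3560g.my.network.com`, which prints the effective options). On the IOS side the retry budget is `ip ssh authentication-retries`, default 3, which is why four agent keys never get as far as a password prompt. In recent OpenSSH the IdentityFile may also point at the `.pub` file, in which case ssh still takes the private half from the agent but offers only that key, which gives the per-host key selection the reply says is missing.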
