[c-nsp] SSH problems on cisco generally

SilverTip257 silvertip257 at gmail.com
Thu Jul 24 12:38:40 EDT 2014


> Date: Thu, 24 Jul 2014 08:41:50 +0100
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> To: Mike <mike-cisconsplist at tiedyenetworks.com>,
>         "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] SSH problems on cisco generally
> Message-ID: <345151f0-558d-43fe-b0fa-ff8b8c263aa1 at email.android.com>
> Content-Type: text/plain; charset=UTF-8
>
> On 24 July 2014 06:10:21 BST, Mike <mike-cisconsplist at tiedyenetworks.com>
> wrote:
> >Hi,
> >
> >     In my environment I use ssh and on my workstation I usually have
> >the ssh-agent running storing my keys for me so that I can more easily
> >
> >do passwordless logins.
> >
> >     On all of my cisco boxes however, I can't login unless I disable
> >the ssh-agent as it seems to confuse the box. For example, with the
> >agent running and the SSH_AUTH_SOCK environment variable which tells
> >SSH
> >how to talk to my agent, I get this:
> >
> >ssh -l mylogin some3560g.my.network.com
> >Connection closed by x.x.x.x.
> >
> >Disabling the agent however, gets me this:
> >
> >
> >SSH_AUTH_SOCK=0 ssh -l mylogin some3560g.my.network.com
> >some3560g>
> >
> >
> >
> >Setting "SSH_AUTH_SOCK=0" just means the agent won't be found and thus
> >ssh won't try rsa.
> >
> >My unix boxes all have no issues with this. I'm suspecting it's a config
> >
> >issue, perhaps something with the keys or somesuch, I just don't
> >understand.
> >
> >Anyone have any ideas?
> >
> >Mike-
> >_______________________________________________
> >cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >https://puck.nether.net/mailman/listinfo/cisco-nsp
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> Each public key you try is an authentication attempt. IOS only gives you 3
> attempts.
>
> This can lead to random problems if you have several keys in your agent,
> as it's order-dependent whether a login succeeds or not. To be fair this is
> just as true of normal Unix boxes.
>
> If you have several keys in your agent, this is what you're seeing. If so,
> IdentitiesOnly in .ssh/config for a given host/wildcard will help.
>

+1
You could set up a host entry in your ~/.ssh/config (examples: [0] [1]).
Combine this with wildcards in your config and you're set. [2] [3]


>
> Tbh I've found SSH agents not useful in the >1 key case for this very
> reason. It's a shame you can't tell SSH to use a specific key from the
> agent against a given host.
>

If it's a one-time thing, you could always specify the key.

ssh -l mylogin some3560g.my.network.com -i /path/to/my-ssh-private-key


[0]
http://www.cyberciti.biz/faq/force-ssh-client-to-use-given-private-key-identity-file/
[1]
http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/
[2] http://www.cmdln.org/2008/12/17/ssh-config-wildcards/
[3]
http://unix.stackexchange.com/questions/61655/multiple-similar-entries-in-ssh-config


-- 
---~~.~~---
Mike
//  SilverTip257  //
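The failure mode Phil describes (every agent key is one authentication attempt, and the switch drops the session after three) is easy to reason about once you can see which keys the client would offer to a given host. The script below is an added illustration, not code from this thread or from OpenSSH: it parses a small ssh_config, resolves the options that apply to a hostname (first matching Host block wins per keyword, IdentityFile entries accumulate, as in OpenSSH), and then models the key order the client would try with and without `IdentitiesOnly`. The config text, the agent key list, the default identity list and the ordering model ("agent keys first, then configured files") are constructed and simplified assumptions made for the example; Match blocks and negated Host patterns are not handled.

```python
"""Model which SSH keys a client offers to a host and whether that fits
within the login-attempt limit the thread cites for IOS (three)."""
import fnmatch

# Constructed sample ssh_config for the example (not from the thread).
SAMPLE_CONFIG = """
Host some3560g.my.network.com
    User mylogin
    IdentitiesOnly yes
    IdentityFile ~/.ssh/cisco_key

Host *.my.network.com
    IdentityFile ~/.ssh/lab_key

Host *
    IdentityFile ~/.ssh/id_rsa
"""

# Constructed: keys loaded in ssh-agent, in the order the agent lists them.
AGENT_KEYS = ["~/.ssh/id_rsa", "~/.ssh/github_key",
              "~/.ssh/work_key", "~/.ssh/cisco_key"]

# Simplified stand-in for the client's built-in default identity files.
DEFAULT_IDENTITIES = ["~/.ssh/id_rsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ed25519"]

IOS_MAX_ATTEMPTS = 3  # figure quoted in the thread for IOS


def parse_ssh_config(text):
    """Return a list of (host_patterns, options) blocks in file order.
    Keywords are lower-cased; each keyword maps to the list of its values."""
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        elif current is not None:
            current[1].setdefault(key, []).append(value)
    return blocks


def effective_options(blocks, hostname):
    """Resolve options for hostname: the first matching block supplies each
    keyword's value, except IdentityFile, which accumulates across blocks."""
    opts = {}
    for patterns, block_opts in blocks:
        if not any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            continue
        for key, values in block_opts.items():
            if key == "identityfile":
                opts.setdefault(key, []).extend(values)
            else:
                opts.setdefault(key, values[0])
    return opts


def keys_offered(opts, agent_keys):
    """Order in which the client would offer public keys (simplified model:
    agent keys first, then configured identity files not already covered).
    With IdentitiesOnly yes, only the configured identity files are offered."""
    identity_files = opts.get("identityfile", DEFAULT_IDENTITIES)
    if opts.get("identitiesonly", "no").lower() == "yes":
        return list(dict.fromkeys(identity_files))
    ordered = list(agent_keys)
    for path in identity_files:
        if path not in ordered:
            ordered.append(path)
    return ordered


def login_outcome(keys, authorized_key, max_attempts=IOS_MAX_ATTEMPTS):
    """Each offered key is one attempt. Return (succeeds, attempts_used)."""
    for attempt, key in enumerate(keys, 1):
        if attempt > max_attempts:
            return False, max_attempts
        if key == authorized_key:
            return True, attempt
    return False, min(len(keys), max_attempts)


def report(hostname, authorized_key, config=SAMPLE_CONFIG, agent=AGENT_KEYS):
    """Summarise the offered key order and the outcome for one host."""
    opts = effective_options(parse_ssh_config(config), hostname)
    keys = keys_offered(opts, agent)
    ok, used = login_outcome(keys, authorized_key)
    return {"host": hostname, "offered": keys, "succeeds": ok, "attempts": used}


if __name__ == "__main__":
    # Host with IdentitiesOnly: the right key goes first and the login works.
    print(report("some3560g.my.network.com", "~/.ssh/cisco_key"))
    # Host without it: four agent keys are tried before the configured one.
    print(report("other3560.my.network.com", "~/.ssh/lab_key"))
```

Run it as-is to see the two cases side by side: for `some3560g.my.network.com` the `IdentitiesOnly yes` block restricts the offer to the configured files, so the correct key is the first attempt; for a host that only matches the wildcard blocks, every agent key is tried first and the third attempt is still the wrong key, which is the "Connection closed" symptom from the original post. The same `report()` call can be pointed at your own config text to check which hosts are exposed to the ordering problem before adding `IdentitiesOnly` to them.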

