[f-nsp] Serveriron 4G: SSH PubKey & WEB-Management (10.2.0)

Gerald Krause gk at ax.tc
Fri Feb 8 13:09:02 EST 2008


Hello Oliver, thx for your concern.

On Friday 08 February 2008 17:56:21 Oliver Adam wrote:
>  The new WebUI does not offer anything else than the real and virtual
> server management.

Hard to believe. At least some basic statistics should be viewable. Really. 
It's more than a little bit annoying in situations where you have to decide when 
a server could be disabled in a safe way without breaking lots of 
connections.
I'm sure the Foundry engineers could easily implement some nice "show server 
conn-rate -> html-table" scripts for the WebUI. Such little but very helpful 
things make the difference imho.

> What is 
> the debug output of your SSH client in case you try to connect to the SI?

The documentation is ambiguous regarding the SSH configuration (RSA, DSA, v1, 
v2, import and saving pubkeys) so maybe I have misunderstood something. My 
last try looks like this:

ServerIron config excerpt:
!
---- BEGIN SSH2 PUBLIC KEY ----
Comment: RomSecureShell DSA Public key
AAAAB3NzaC1kc3MAAACBAKZf6qtRHGHjPfOP3drwO1m28l4fpN5X5c8ArkeKhV3a
...
smqQeY5EKhy8qlk23LfEO2jicIrWoIyO29WQjn2i18buyy2G5SN8OLFh3JLRyNDt
---- END SSH2 PUBLIC KEY ----
!
ip ssh  authentication-retries 5
ip ssh  password-authentication no
!
ip ssh pub-key-file flash-memory pub-key "ssh-dss AAAAB3NzaC1kc3MAAACBAO8..."
!

SSH Client Debug:
gerald at pc-gk:~$ ssh -vvv 192.168.0.1
OpenSSH_4.6p1 Debian-5ubuntu0.1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.0.1 [192.168.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/gerald/.ssh/identity type -1
debug1: identity file /home/gerald/.ssh/id_rsa type -1
debug3: Not a RSA1 key file /home/gerald/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/gerald/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version RomSShell_4.31
debug1: no match: RomSShell_4.31
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: 
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: 
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: 
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-sha1
debug1: kex: server->client 3des-cbc hmac-sha1 none
debug2: mac_init: found hmac-sha1
debug1: kex: client->server 3des-cbc hmac-sha1 none
debug2: dh_gen_key: priv key bits set: 193/384
debug2: bits set: 499/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: filename /home/gerald/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 69
debug1: Host '192.168.0.1' is known and matches the DSA host key.
debug1: Found key in /home/gerald/.ssh/known_hosts:69
debug2: bits set: 509/1024
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/gerald/.ssh/identity ((nil))
debug2: key: /home/gerald/.ssh/id_rsa ((nil))
debug2: key: /home/gerald/.ssh/id_dsa (0x80057670)
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred 
gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/gerald/.ssh/identity
debug3: no such identity: /home/gerald/.ssh/identity
debug1: Trying private key: /home/gerald/.ssh/id_rsa
debug3: no such identity: /home/gerald/.ssh/id_rsa
debug1: Offering public key: /home/gerald/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp 
fd:60:c2:46:24:74:7f:81:50:f2:de:8e:7f:85:95:c7
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

>  BTW: What is a Debian SSH client? What is the actual software you are
> using? OpenSSH?

Jep, OpenSSH 4.6 from Ubuntu 7.10.

>  At 12:52 08.02.2008, Gerald Krause wrote:
>
> Hi,
>
>  I'm in a struggle with getting SSH pubkey authentication to work with a
> SI4G under 10.2.0, can someone confirm that this even works? I have no luck
> so far with Debian Linux as client (only password authentication is
> working).
>
>  Furthermore I'm missing a lot of useful information within the new
> programmed web management interface like some general statistics per v- &
> r-server, is it all gone? I hope not and that it could be activated/enabled
> in some way.

-- 
Gerald   (ax/tc)
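
Added example, not part of the original post or of any Foundry documentation: the config excerpt above carries public keys in two encodings, the RFC 4716 `---- BEGIN SSH2 PUBLIC KEY ----` block and the OpenSSH one-line `ssh-dss AAAA...` form. The code below parses both, compares the underlying key blobs, and formats the MD5 fingerprint the way `ssh -vvv` prints it on the `input_userauth_pk_ok: fp` line, so a key stored on a device can be checked against the one the client offers. All function names are hypothetical, and the sample key is constructed and is not a usable DSA key.

```python
import base64, hashlib, struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY", "---- END SSH2 PUBLIC KEY"

def parse_pubkey(text):
    """Return the raw key blob from an RFC 4716 block or an OpenSSH one-line key."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if lines and lines[0].startswith(BEGIN):
        body, in_header = [], False
        for l in lines[1:]:
            if l.startswith(END):
                break
            # Header lines ("Comment: ...") contain ':' and continue after a trailing '\'
            if in_header or ":" in l:
                in_header = l.endswith("\\")
                continue
            body.append(l)
        b64 = "".join(body)
    else:
        fields = lines[0].split() if lines else []
        if len(fields) < 2:
            raise ValueError("not a recognised public key")
        b64 = fields[1]  # "<type> <base64> [comment]"
    return base64.b64decode(b64, validate=True)

def key_type(blob):
    """The algorithm name is the first length-prefixed string inside the blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def md5_fingerprint(blob):
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def to_rfc4716(blob, comment):
    b64 = base64.b64encode(blob).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN + " ----", "Comment: " + comment, *rows, END + " ----"])

def same_key(a, b):
    return parse_pubkey(a) == parse_pubkey(b)

# Constructed sample: an ssh-dss shaped blob with made-up numbers, not a usable key.
def _string(b):
    return struct.pack(">I", len(b)) + b
def _mpint(n):
    return _string(n.to_bytes(n.bit_length() // 8 + 1, "big"))
SAMPLE_BLOB = _string(b"ssh-dss") + b"".join(_mpint(v) for v in (2**127 - 1, 2**61 - 1, 5, 2**89 - 1))
SAMPLE_OPENSSH = "ssh-dss " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"
```

Feeding a private key file such as `id_dsa` to `parse_pubkey` raises `ValueError`, which corresponds to the `unknown key type '-----BEGIN'` lines in the debug output: the client first tries to read that file as a public key.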


