[f-nsp] Serveriron 4G: SSH PubKey & WEB-Management (10.2.0)
Oliver Adam
oadam at madao.de
Sat Feb 9 12:47:14 EST 2008
It is of course very simple to create some stats on the WebUI -
nevertheless you have to think about the fact that 100 simple things
together might be a lot of work and resources are normally limited.
This is phase 1 of the WebUI and the WebUI is going to grow now from
what I know. You have to start somewhere as usual in life.
Raise a ticket for the pub key authentication - I am not quite sure
if that is possible - go to raise a ticket with Foundry.
R, Oliver
At 19:09 08.02.2008, Gerald Krause wrote:
>Hello Oliver, thx for your concern.
>
>On Friday 08 February 2008 17:56:21 Oliver Adam wrote:
> > The new WebUI does not offer anything else than the real and virtual
> > server management.
>
>Hard to believe. At least some basic statistics should be viewable. Really.
>It's more as a little bit annoying in situations where you have to
>decide when
>a server could be disabled in a safe way without breaking lots of
>connections.
>I'am sure the foundry engineers could easily implement some nice "show server
>conn-rate -> html-table" scripts for the WebUI. Such little but very helpful
>things makes the difference imho.
>
> > What is
> > the debug output of your SSH client in case you try to connect to the SI?
>
>The documentaion is ambiguous regarding the SSH configuration (RSA, DSA, v1,
>v2, import and saving pubkeys) so maybe I have missunderstood something. My
>last try looks like this:
>
>ServerIron config excerpt:
>!
>---- BEGIN SSH2 PUBLIC KEY ----
>Comment: RomSecureShell DSA Public key
>AAAAB3NzaC1kc3MAAACBAKZf6qtRHGHjPfOP3drwO1m28l4fpN5X5c8ArkeKhV3a
>....
>smqQeY5EKhy8qlk23LfEO2jicIrWoIyO29WQjn2i18buyy2G5SN8OLFh3JLRyNDt
>---- END SSH2 PUBLIC KEY ----
>!
>ip ssh authentication-retries 5
>ip ssh password-authentication no
>!
>ip ssh pub-key-file flash-memory pub-key "ssh-dss AAAAB3NzaC1kc3MAAACBAO8..."
>!
>
>SSH Client Debug:
>gerald at pc-gk:~$ ssh -vvv 192.168.0.1
>OpenSSH_4.6p1 Debian-5ubuntu0.1, OpenSSL 0.9.8e 23 Feb 2007
>debug1: Reading configuration data /etc/ssh/ssh_config
>debug1: Applying options for *
>debug2: ssh_connect: needpriv 0
>debug1: Connecting to 192.168.0.1 [192.168.0.1] port 22.
>debug1: Connection established.
>debug1: identity file /home/gerald/.ssh/identity type -1
>debug1: identity file /home/gerald/.ssh/id_rsa type -1
>debug3: Not a RSA1 key file /home/gerald/.ssh/id_dsa.
>debug2: key_type_from_name: unknown key type '-----BEGIN'
>debug3: key_read: missing keytype
>debug3: key_read: missing whitespace
>debug3: key_read: missing whitespace
>debug3: key_read: missing whitespace
>debug3: key_read: missing whitespace
>debug3: key_read: missing whitespace
>debug3: key_read: missing whitespace
>debug3: key_read: missing whitespace
>debug3: key_read: missing whitespace
>debug3: key_read: missing whitespace
>debug3: key_read: missing whitespace
>debug2: key_type_from_name: unknown key type '-----END'
>debug3: key_read: missing keytype
>debug1: identity file /home/gerald/.ssh/id_dsa type 2
>debug1: Remote protocol version 2.0, remote software version RomSShell_4.31
>debug1: no match: RomSShell_4.31
>debug1: Enabling compatibility mode for protocol 2.0
>debug1: Local version string SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1
>debug2: fd 3 setting O_NONBLOCK
>debug1: SSH2_MSG_KEXINIT sent
>debug1: SSH2_MSG_KEXINIT received
>debug2: kex_parse_kexinit:
>diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>debug2: kex_parse_kexinit:
>aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
>debug2: kex_parse_kexinit:
>aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
>debug2: kex_parse_kexinit:
>hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
>debug2: kex_parse_kexinit:
>hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
>debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
>debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit: first_kex_follows 0
>debug2: kex_parse_kexinit: reserved 0
>debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
>debug2: kex_parse_kexinit: ssh-dss
>debug2: kex_parse_kexinit: 3des-cbc
>debug2: kex_parse_kexinit: 3des-cbc
>debug2: kex_parse_kexinit: hmac-sha1
>debug2: kex_parse_kexinit: hmac-sha1
>debug2: kex_parse_kexinit: none
>debug2: kex_parse_kexinit: none
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit: first_kex_follows 0
>debug2: kex_parse_kexinit: reserved 0
>debug2: mac_init: found hmac-sha1
>debug1: kex: server->client 3des-cbc hmac-sha1 none
>debug2: mac_init: found hmac-sha1
>debug1: kex: client->server 3des-cbc hmac-sha1 none
>debug2: dh_gen_key: priv key bits set: 193/384
>debug2: bits set: 499/1024
>debug1: sending SSH2_MSG_KEXDH_INIT
>debug1: expecting SSH2_MSG_KEXDH_REPLY
>debug3: check_host_in_hostfile: filename /home/gerald/.ssh/known_hosts
>debug3: check_host_in_hostfile: match line 69
>debug1: Host '192.168.0.1' is known and matches the DSA host key.
>debug1: Found key in /home/gerald/.ssh/known_hosts:69
>debug2: bits set: 509/1024
>debug1: ssh_dss_verify: signature correct
>debug2: kex_derive_keys
>debug2: set_newkeys: mode 1
>debug1: SSH2_MSG_NEWKEYS sent
>debug1: expecting SSH2_MSG_NEWKEYS
>debug2: set_newkeys: mode 0
>debug1: SSH2_MSG_NEWKEYS received
>debug1: SSH2_MSG_SERVICE_REQUEST sent
>debug2: service_accept: ssh-userauth
>debug1: SSH2_MSG_SERVICE_ACCEPT received
>debug2: key: /home/gerald/.ssh/identity ((nil))
>debug2: key: /home/gerald/.ssh/id_rsa ((nil))
>debug2: key: /home/gerald/.ssh/id_dsa (0x80057670)
>debug1: Authentications that can continue: publickey
>debug3: start over, passed a different list publickey
>debug3: preferred
>gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
>debug3: authmethod_lookup publickey
>debug3: remaining preferred: keyboard-interactive,password
>debug3: authmethod_is_enabled publickey
>debug1: Next authentication method: publickey
>debug1: Trying private key: /home/gerald/.ssh/identity
>debug3: no such identity: /home/gerald/.ssh/identity
>debug1: Trying private key: /home/gerald/.ssh/id_rsa
>debug3: no such identity: /home/gerald/.ssh/id_rsa
>debug1: Offering public key: /home/gerald/.ssh/id_dsa
>debug3: send_pubkey_test
>debug2: we sent a publickey packet, wait for reply
>debug1: Server accepts key: pkalg ssh-dss blen 433
>debug2: input_userauth_pk_ok: fp
>fd:60:c2:46:24:74:7f:81:50:f2:de:8e:7f:85:95:c7
>debug3: sign_and_send_pubkey
>debug1: read PEM private key done: type DSA
>debug1: Authentications that can continue: publickey
>debug2: we did not send a packet, disable method
>debug1: No more authentication methods to try.
>Permission denied (publickey).
>
> > BTW: What is a debian SSH client? What is the actual software you are
> > using? OpenSSH?
>
>Jep, OpenSSH 4.6 from Ubuntu 7.10.
>
> > At 12:52 08.02.2008, Gerald Krause wrote:
> >
> > Hi,
> >
> > I'am in a struggle with getting SSH pubkey authentication to work with a
> > SI4G under 10.2.0, someone can confirm that this even work? I have no luck
> > so far with Debian Linux as client (only password authenticatioen is
> > working).
> >
> > Furthermore I'am missing a lot of useful information within the new
> > programmed web management interface like some general statistics per v- &
> > r-server, is it all gone? I hope not and that it could be activated/enabled
> > in some way.
>
>--
>Gerald (ax/tc)
More information about the foundry-nsp
mailing list