
ssh and shared keys

tacoman
Aspirant

Does anyone have any clue if it is possible to implement shared keys (RSA) on an M4100 instead of using a password login for ssh?  The switch generates keys when starting up ssh but not sure if it also supports shared keys.

Model: M4100-50G (GSM7248v2h2)|ProSAFE 50-port Gigabit Fully Managed L2 Switch
Message 1 of 4
LaurentMa
NETGEAR Expert

Re: ssh and shared keys

Hi tacoman

Welcome to the Community!

I am not very familiar with Ansible but I hope we document SSH correctly in our technical documentation. Please refer to: https://www.netgear.com/support/product/M4100-50G+$28GSM7248v2h2$29?cid=wmt_netgear_organic#docs

The web user manual, starting on page 287, covers configuring SSH using the GUI, and page 290 covers downloading host SSH keys.

The CLI admin guide covers the general SSH commands starting on page 459, and the copy command used to download an SSH key file into the switch is explained on page 371.

Regards,

Message 2 of 4
tacoman
Aspirant

Re: ssh and shared keys

Laurent,

So to frame this whole discussion, my goal is to remotely and autonomously manage the Netgear M4100-50Gs that we have in house.  So far 50 but possibly many more if I can work these issues out.  Remotely accessing the switches requires the shared-key method, which obviates the need for password login (and it is more secure).

Here's what I have found.  I am not quite sure what the process is for managing keys but I have several problems with the way I think that Netgear implements this.  First of all, having to shut down the ssh server to update keys is problematic in that remote access to the machine is then lost unless I back off to telnet which is not secure (and which causes all sorts of other problems like turning on telnet then shutting down ssh and so on...remotely).  So...being able to upload new keys to a location (in memory on the switch) that can then be pointed to for the next reboot would be a good thing.  I think this whole process needs to be "re-thunk" (unless there is detailed documentation on this that I am missing).  I would try to do the same thing as how you manage the firmware images or something similar.  The other thing I am not sure about is the scope of the keys?  Is the idea to generate the keys on a remote server and then push them down to the switch or to generate them on the switch and then push them out to the remote server?  Keys have to be generated when the ssh process/server is established on the switch.  How do I access these keys?

In my test the keys were generated on 10.0.0.171/unsc using:

ssh-keygen -t rsa -b 4096

Is there a maximum key length?  Is there any particular format other than what is generated by ssh-keygen that the key files need to be in?

Secondly, when I try to pull the rsa and dsa certificates or keys down to the switch from a remote server (using tftp) the switch appears to receive the file but then I get a "Key file not valid!" message (please see below). 

You can see that the tftp server works fine as I can download all of these files to a host called "kkkk-klmux" (verbose and trace are on for tftp so it shows the successful subsequent downloads).

"unsc" is the tftp server for both cases (downloading to the switch and to the host kkkk-klmux).

Further below you can see my attempts to download the same key files to the switch; immediately below, under "ON THE TFTP SERVER", you can see that the files appear to be transferred successfully to the switch (labsw5 or 10.0.0.195).
At this point I don't have any other recourse.  Where to go from here? 

Thanks,

Paul


-------------------
ON THE TFTP SERVER:
-------------------

[pdonner@unsc ~]$ uname -a
Linux unsc.dtvamerica.com 3.10.0-514.6.1.el7.x86_64 #1 SMP Wed Jan 18 13:06:36 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[pdonner@unsc ~]$

tail -f /var/log/messages
Feb  3 17:27:45 unsc in.tftpd[5299]: RRQ from 10.0.0.195 filename id_rsa.pub
Feb  3 17:27:45 unsc in.tftpd[5299]: Client 10.0.0.195 finished id_rsa.pub
Feb  3 17:27:52 unsc in.tftpd[5300]: RRQ from 10.0.0.195 filename id_rsa
Feb  3 17:27:52 unsc in.tftpd[5300]: Client 10.0.0.195 finished id_rsa
Feb  3 17:27:57 unsc in.tftpd[5301]: RRQ from 10.0.0.195 filename id_dsa.pub
Feb  3 17:27:57 unsc in.tftpd[5301]: Client 10.0.0.195 finished id_dsa.pub


------------------------------
SSH IS DISABLED ON THE SWITCH:
------------------------------

(labsw5) #show ip ssh

SSH Configuration

Administrative Mode: .......................... Disabled
Protocol Levels: .............................. Version 2
SSH Sessions Currently Active: ................ 0
Max SSH Sessions Allowed: ..................... 5
SSH Timeout: .................................. 160
Keys Present: .................................
Key Generation In Progress: ................... None

(labsw5) #

-------------------------------------------
ON REMOTE HOST TRYING TO DOWNLOAD THE KEYS:
-------------------------------------------

[admin@kkkk-klmux ~]$ uname -a
Linux kkkk-klmux.dtvamerica.com 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[admin@kkkk-klmux ~]$

[admin@kkkk-klmux ~]$ tftp 10.0.0.171
tftp> verb
Verbose mode on.
tftp> trac
Packet tracing on.
tftp> get id_rsa.pub
getting from 10.0.0.171:id_rsa.pub to id_rsa.pub [netascii]
sent RRQ <file=id_rsa.pub, mode=netascii>
received DATA <block=1, 512 bytes>
sent ACK <block=1>
received DATA <block=2, 242 bytes>
Received 754 bytes in 0.0 seconds [2666812 bit/s]
tftp> get id_rsa
getting from 10.0.0.171:id_rsa to id_rsa [netascii]
sent RRQ <file=id_rsa, mode=netascii>
received DATA <block=1, 512 bytes>
sent ACK <block=1>
received DATA <block=2, 512 bytes>
sent ACK <block=2>
received DATA <block=3, 512 bytes>
sent ACK <block=3>
received DATA <block=4, 512 bytes>
sent ACK <block=4>
received DATA <block=5, 512 bytes>
sent ACK <block=5>
received DATA <block=6, 512 bytes>
sent ACK <block=6>
received DATA <block=7, 308 bytes>
Received 3380 bytes in 0.0 seconds [9814294 bit/s]
tftp> get id_dsa.pub
getting from 10.0.0.171:id_dsa.pub to id_dsa.pub [netascii]
sent RRQ <file=id_dsa.pub, mode=netascii>
received DATA <block=1, 512 bytes>
sent ACK <block=1>
received DATA <block=2, 106 bytes>
Received 618 bytes in 0.0 seconds [2237928 bit/s]
tftp> get id_dsa
getting from 10.0.0.171:id_dsa to id_dsa [netascii]
sent RRQ <file=id_dsa, mode=netascii>
received DATA <block=1, 512 bytes>
sent ACK <block=1>
received DATA <block=2, 254 bytes>
Received 766 bytes in 0.0 seconds [2846052 bit/s]
tftp>

-----------------------------------------------
ON THE SWITCH TRYING TO DOWNLOAD THE SAME KEYS:
-----------------------------------------------

(labsw5) #show ver

Switch: 1

System Description............................. M4100-50G ProSafe 48-port Gigabit L2+ Intelligent Edge Managed Switch, 10.0.2.20, B1.0.1.1
Machine Model.................................. M4100-50G
Serial Number.................................. n/a
Burned In MAC Address.......................... A0:63:91:xx:xx:xx
Software Version............................... 10.0.2.20
Bootcode Version............................... B1.0.1.1
Supported Java Plugin Version.................. 1.6
Current Time................................... Feb  3 18:30:19 2017 MST(UTC-7:00)
Current SNTP Sync Status....................... Success

(labsw5) #

(labsw5) #copy tftp://10.0.0.171/id_rsa.pub nvram:sshkey-rsa1

Mode........................................... TFTP 
Set Server IP.................................. 10.0.0.171
Path........................................... ./
Filename....................................... id_rsa.pub
Data Type...................................... SSH RSA1 key   

Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

File transfer in progress. Management access will be blocked for the duration of the transfer. please wait...


Key file not valid!

(labsw5) #copy tftp://10.0.0.171/id_rsa nvram:sshkey-rsa2   

Mode........................................... TFTP 
Set Server IP.................................. 10.0.0.171
Path........................................... ./
Filename....................................... id_rsa
Data Type...................................... SSH RSA2 key   

Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

File transfer in progress. Management access will be blocked for the duration of the transfer. please wait...


Key file not valid!

(labsw5) #copy tftp://10.0.0.171/id_dsa.pub nvram:sshkey-dsa

Mode........................................... TFTP 
Set Server IP.................................. 10.0.0.171
Path........................................... ./
Filename....................................... id_dsa.pub
Data Type...................................... SSH DSA key    

Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

File transfer in progress. Management access will be blocked for the duration of the transfer. please wait...


Key file not valid!

(labsw5) #

Model: M4100-50G (GSM7248v2h2)|ProSAFE 50-port Gigabit Fully Managed L2 Switch
Message 3 of 4
atian
Aspirant

Re: ssh and shared keys

You should download the private key to the switch. Please see the log below.

I created the SSH keys with 'ssh-keygen -t rsa -b 4096' and 'ssh-keygen -t dsa -b 1024'.


The download log is as below. My FW version is 10.0.2.21.

(M4100-50G-POE+) #copy tftp://172.26.2.22/id_rsa_4096 nvram:sshkey-rsa2

Mode........................................... TFTP
Set Server IP.................................. 172.26.2.22
Path........................................... ./
Filename....................................... id_rsa_4096
Data Type...................................... SSH RSA2 key

Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

File transfer in progress. Management access will be blocked for the duration of the transfer. please wait...


Host key file transfer operation completed successfully.

(M4100-50G-POE+) #copy tftp://172.26.2.22/id_dsa_1024 nvram:sshkey-dsa

Mode........................................... TFTP
Set Server IP.................................. 172.26.2.22
Path........................................... ./
Filename....................................... id_dsa_1024
Data Type...................................... SSH DSA key

Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

File transfer in progress. Management access will be blocked for the duration of the transfer. please wait...


Host key file transfer operation completed successfully.

(M4100-50G-POE+) #show ip ssh

SSH Configuration

Administrative Mode: .......................... Disabled
Protocol Levels: .............................. Versions 1 and 2
SSH Sessions Currently Active: ................ 0
Max SSH Sessions Allowed: ..................... 5
SSH Timeout: .................................. 5
Keys Present: ................................. DSA RSA
Key Generation In Progress: ................... None

Message 4 of 4
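A pre-flight check distilled from the two logs in this thread (tacoman's rejected id_rsa.pub upload and atian's accepted private-key uploads), added here as an example; it is not code from Netgear or from either poster. It assumes the slot mapping inferred from those logs (an RSA private key goes to nvram:sshkey-rsa2, a DSA private key to nvram:sshkey-dsa), that the files come from ssh-keygen, and that the sample key bodies below are constructed placeholders rather than real keys.

```python
import re

# Added example (not Netgear's code). Pre-flight check for a key file before
# issuing the switch's "copy tftp://SERVER/FILE nvram:sshkey-*" command.
# Inference from the thread: the rsa2/dsa slots accepted a PRIVATE host key
# (atian's log) and rejected an OpenSSH public key with "Key file not valid!"
# (tacoman's log). The slot mapping below is an assumption based on that.
SLOT_FOR_PRIVATE = {"rsa": "nvram:sshkey-rsa2", "dsa": "nvram:sshkey-dsa"}

PEM_RE = re.compile(r"-----BEGIN (RSA|DSA|OPENSSH) PRIVATE KEY-----")
PUB_RE = re.compile(r"^(ssh-rsa|ssh-dss) [A-Za-z0-9+/=]+", re.M)


def classify_key(text):
    """Return (kind, algo): kind is 'private', 'public' or 'unknown'."""
    m = PEM_RE.search(text)
    if m:
        # New-format "OPENSSH PRIVATE KEY" files do not name the algorithm in
        # the header; ssh-keygen -m PEM writes the classic RSA/DSA headers.
        return ("private", m.group(1).lower())
    m = PUB_RE.search(text)
    if m:
        return ("public", "rsa" if m.group(1) == "ssh-rsa" else "dsa")
    return ("unknown", None)


def plan_copy(text, server, filename):
    """Return the switch CLI line for a usable private host key, else raise."""
    kind, algo = classify_key(text)
    if kind == "public":
        raise ValueError(f"{filename}: OpenSSH public key; the host-key slots "
                         "take the private key (switch answers 'Key file not valid!')")
    if kind == "private" and algo in SLOT_FOR_PRIVATE:
        return f"copy tftp://{server}/{filename} {SLOT_FOR_PRIVATE[algo]}"
    raise ValueError(f"{filename}: unrecognised or unsupported key format ({algo})")


# Constructed sample inputs (placeholders, not real key material).
SAMPLE_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDexample pdonner@unsc\n"
SAMPLE_RSA = ("-----BEGIN RSA PRIVATE KEY-----\nMIIJKAIBAAKCAgEAexample\n"
              "-----END RSA PRIVATE KEY-----\n")
SAMPLE_DSA = ("-----BEGIN DSA PRIVATE KEY-----\nMIIBuwIBAAKBgQDexample\n"
              "-----END DSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, body in [("id_rsa.pub", SAMPLE_PUB), ("id_rsa_4096", SAMPLE_RSA),
                       ("id_dsa_1024", SAMPLE_DSA)]:
        try:
            print(plan_copy(body, "172.26.2.22", name))
        except ValueError as err:
            print("REJECT:", err)
```

The check only covers the host-key install the thread ended up on; it says nothing about whether the switch accepts client public keys for user login, which the thread leaves open. The switch pulls the private host key over plain TFTP, so that transfer should happen only on a management network you trust.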