Does anyone have any clue if it is possible to implement shared keys (RSA) on an M4100 instead of using a password login for ssh? The switch generates keys when starting up ssh but not sure if it also supports shared keys.
So to frame this whole discussion, my goal is to remotely and autonomously manage the Netgear M4100-50Gs that we have in house. So far 50 but possibly many more if I can work these issues out. Remotely accessing the switches requires the shared-key method which obviates the need for password login (and it more secure).
Here's what I have found. I am not quite sure what the process is for managing keys but I have several problems with the way I think that Netgear implements this. First of all, having to shut down the ssh server to update keys is problematic in that remote access to the machine is then lost unless I back off to telnet which is not secure (and which causes all sorts of other problems like turning on telnet then shutting down ssh and so on...remotely). So...being able to upload new keys to a location (in memory on the switch) that can then be pointed to for the next reboot would be a good thing. I think this whole process needs to be "re-thunk" (unless there is detailed documentation on this that I am missing). I would try to do the same thing as how you manage the firmware images or something similar. The other thing I am not sure about is the scope of the keys? Is the idea to generate the keys on a remote server and then push them down to the switch or to generate them on the switch and then push them out to the remote server? Keys have to be generated when the ssh process/server is established on the switch. How do I access these keys?
In my test the keys were generated on 10.0.0.171/unsc using:
ssh-keygen -t rsa -b 4096
Is there a maximum key length? Is there any particular format other than what is generated by ssh-keygen that the key files need to be in?
Secondly, when I try to pull the rsa and dsa certificates or keys down to the switch from a remote server (using tftp) the switch appears to receive the file but then I get a "Key file not valid!" message (please see below).
You can see that the tftp server works fine as I can download all of these files to a host called "kkkk-klmux" (verbose and trace are on for tftp so it shows the successful subsequent downloads).
"unsc" is the tftp server for both cases (downloading to the switch and to the host kkkk-klmux).
Way below you can see my attempts to download the same key files to the switch which from the immediate below under "ON THE TFTP SERVER" you can see that the files appear to be transferred successfully to the switch (labsw5 or 10.0.0.195). At this point I don't have any other recourse. Where to go from here?
Thanks,
Paul
------------------- ON THE TFTP SERVER: -------------------
[pdonner@unsc ~]$ uname -a Linux unsc.dtvamerica.com 3.10.0-514.6.1.el7.x86_64 #1 SMP Wed Jan 18 13:06:36 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux [pdonner@unsc ~]$
tail -f /var/log/messages Feb 3 17:27:45 unsc in.tftpd[5299]: RRQ from 10.0.0.195 filename id_rsa.pub Feb 3 17:27:45 unsc in.tftpd[5299]: Client 10.0.0.195 finished id_rsa.pub Feb 3 17:27:52 unsc in.tftpd[5300]: RRQ from 10.0.0.195 filename id_rsa Feb 3 17:27:52 unsc in.tftpd[5300]: Client 10.0.0.195 finished id_rsa Feb 3 17:27:57 unsc in.tftpd[5301]: RRQ from 10.0.0.195 filename id_dsa.pub Feb 3 17:27:57 unsc in.tftpd[5301]: Client 10.0.0.195 finished id_dsa.pub
------------------------- SSH IS DISABLED ON THE SWITCH: ------------------------------
(labsw5) #show ip ssh
SSH Configuration
Administrative Mode: .......................... Disabled Protocol Levels: .............................. Version 2 SSH Sessions Currently Active: ................ 0 Max SSH Sessions Allowed: ..................... 5 SSH Timeout: .................................. 160 Keys Present: ................................. Key Generation In Progress: ................... None
(labsw5) #
------------------------------------------- ON REMOTE HOST TRYING TO DOWNLOAD THE KEYS: -------------------------------------------
[admin@kkkk-klmux ~]$ uname -a Linux kkkk-klmux.dtvamerica.com 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux [admin@kkkk-klmux ~]$
[admin@kkkk-klmux ~]$ tftp 10.0.0.171 tftp> verb Verbose mode on. tftp> trac Packet tracing on. tftp> get id_rsa.pub getting from 10.0.0.171:id_rsa.pub to id_rsa.pub [netascii] sent RRQ <file=id_rsa.pub, mode=netascii> received DATA <block=1, 512 bytes> sent ACK <block=1> received DATA <block=2, 242 bytes> Received 754 bytes in 0.0 seconds [2666812 bit/s] tftp> get id_rsa getting from 10.0.0.171:id_rsa to id_rsa [netascii] sent RRQ <file=id_rsa, mode=netascii> received DATA <block=1, 512 bytes> sent ACK <block=1> received DATA <block=2, 512 bytes> sent ACK <block=2> received DATA <block=3, 512 bytes> sent ACK <block=3> received DATA <block=4, 512 bytes> sent ACK <block=4> received DATA <block=5, 512 bytes> sent ACK <block=5> received DATA <block=6, 512 bytes> sent ACK <block=6> received DATA <block=7, 308 bytes> Received 3380 bytes in 0.0 seconds [9814294 bit/s] tftp> get id_dsa.pub getting from 10.0.0.171:id_dsa.pub to id_dsa.pub [netascii] sent RRQ <file=id_dsa.pub, mode=netascii> received DATA <block=1, 512 bytes> sent ACK <block=1> received DATA <block=2, 106 bytes> Received 618 bytes in 0.0 seconds [2237928 bit/s] tftp> get id_dsa getting from 10.0.0.171:id_dsa to id_dsa [netascii] sent RRQ <file=id_dsa, mode=netascii> received DATA <block=1, 512 bytes> sent ACK <block=1> received DATA <block=2, 254 bytes> Received 766 bytes in 0.0 seconds [2846052 bit/s] tftp>
----------------------------------------------- ON THE SWITCH TRYING TO DOWNLOAD THE SAME KEYS: -----------------------------------------------
(labsw5) #show ver
Switch: 1
System Description............................. M4100-50G ProSafe 48-port Gigabit L2+ Intelligent Edge Managed Switch, 10.0.2.20, B1.0.1.1 Machine Model.................................. M4100-50G Serial Number.................................. n/a Burned In MAC Address.......................... A0:63:91:xx:xx:xx Software Version............................... 10.0.2.20 Bootcode Version............................... B1.0.1.1 Supported Java Plugin Version.................. 1.6 Current Time................................... Feb 3 18:30:19 2017 MST(UTC-7:00) Current SNTP Sync Status....................... Success
Mode........................................... TFTP Set Server IP.................................. 10.0.0.171 Path........................................... ./ Filename....................................... id_rsa.pub Data Type...................................... SSH RSA1 key
Management access will be blocked for the duration of the transfer Are you sure you want to start? (y/n) y
File transfer in progress. Management access will be blocked for the duration of the transfer. please wait...
Mode........................................... TFTP Set Server IP.................................. 10.0.0.171 Path........................................... ./ Filename....................................... id_rsa Data Type...................................... SSH RSA2 key
Management access will be blocked for the duration of the transfer Are you sure you want to start? (y/n) y
File transfer in progress. Management access will be blocked for the duration of the transfer. please wait...
Mode........................................... TFTP Set Server IP.................................. 10.0.0.171 Path........................................... ./ Filename....................................... id_dsa.pub Data Type...................................... SSH DSA key
Management access will be blocked for the duration of the transfer Are you sure you want to start? (y/n) y
File transfer in progress. Management access will be blocked for the duration of the transfer. please wait...
Mode........................................... TFTP Set Server IP.................................. 172.26.2.22 Path........................................... ./ Filename....................................... id_rsa_4096 Data Type...................................... SSH RSA2 key
Management access will be blocked for the duration of the transfer Are you sure you want to start? (y/n) y
File transfer in progress. Management access will be blocked for the duration of the transfer. please wait...
Host key file transfer operation completed successfully.
Mode........................................... TFTP Set Server IP.................................. 172.26.2.22 Path........................................... ./ Filename....................................... id_dsa_1024 Data Type...................................... SSH DSA key
Management access will be blocked for the duration of the transfer Are you sure you want to start? (y/n) y
File transfer in progress. Management access will be blocked for the duration of the transfer. please wait...
Host key file transfer operation completed successfully.
(M4100-50G-POE+) #show ip ssh
SSH Configuration
Administrative Mode: .......................... Disabled Protocol Levels: .............................. Versions 1 and 2 SSH Sessions Currently Active: ................ 0 Max SSH Sessions Allowed: ..................... 5 SSH Timeout: .................................. 5 Keys Present: ................................. DSA RSA Key Generation In Progress: ................... None
