M4350-8X8F on 14.0.6.13 : import p-384 ECDSA ssh pubkey for user failing
Hello fellow users,

I am presently working on trying to get ssh pub keys installed for switch users. Using an RSA 2k based ssh key, and getting the pub key portion, I am able to import and ssh using the RSA 2k key using:

    (M4350-8X8F)> enable
    (M4350-8X8F)# config
    (M4350-8X8F)(Config)#crypto key pubkey-chain ssh user-key $USERNAME rsa
    (M4350-8X8F)(config-pubkey-key)#Key-String row $ENCODED_DER_FORMAT_KEY_STRING
    (M4350-8X8F)(config-pubkey-key)#exit
    (M4350-8X8F)(config)#exit
    (M4350-8X8F)#ip ssh pubkey-auth
    (M4350-8X8F)#save

I can then:

    (M4350-8X8F)#config
    (M4350-8X8F)(Config)#show crypto key pubkey-chain ssh username $USERNAME

The printed ssh pubkey matches what I pasted, and the fingerprint matches what "ssh-add -l" reports. Then I can ssh to the switch as the given user $USERNAME using a smartcard stored private key to auth against the uploaded public ssh key on the switch. Good deal, but that is just an RSA 2K ssh pub/priv keypair on a smartcard in a PIV slot.

Where stuff is broken:

So, now I repeat the process with a P-384 ssh pub/priv keypair stored on a different smartcard (YubiKey PIV slot). The p-384 ssh key is identified as "ecdsa-sha2-nistp384". As before, the $ENCODED_DER_FORMAT_KEY_STRING is the encoded pub-key without the key type or comment, and no extra spaces embedded within it or trailing it. The same process as used with the working rsa 2k import:

    (M4350-8X8F)> enable
    (M4350-8X8F)# config
    (M4350-8X8F)(Config)#no crypto key pubkey-chain ssh user-key $USERNAME
    (M4350-8X8F)(Config)#exit
    (M4350-8X8F)#save
    (M4350-8X8F)#config
    (M4350-8X8F)(Config)#crypto key pubkey-chain ssh user-key $USERNAME ecdsa
    (M4350-8X8F)(config-pubkey-key)#Key-String row $ENCODED_DER_FORMAT_KEY_STRING
    (M4350-8X8F)(config-pubkey-key)#exit

This is a comment: an error is then reported here: "Invalid Key-String."

    (M4350-8X8F)(config)#exit
    (M4350-8X8F)#ip ssh pubkey-auth
    (M4350-8X8F)#save

This is a comment: then a check for the ssh key/fingerprint shows none installed, confirming the "Invalid Key-String" error:

    (M4350-8X8F)#config
    (M4350-8X8F)(Config)#show crypto key pubkey-chain ssh username $USERNAME

This is a comment: an error is reported: Error: User does not exist.

I've tried to work around with several different methods to try to get a P-384 public key loaded, but none have yet worked for P-384 ssh pubkey import. One work-around included taking the public key and re-formatting it, just in case its storage didn't match the RSA 2k public key:

    ssh-keygen -e -m PKCS8 -f /tmp/ssh-single-pubkey-on-one-line | openssl pkey -pubin -outform DER | base64 -w 100000 > /tmp/ssh-pubkey-der-format-b64

I also tried an scp of an ssh pubkey file (single line, P384, ssh pubkey) to the switch and then:

    (M4350-8X8F)>enable
    (M4350-8X8F)#config
    (M4350-8X8F)(Config)#username $USERNAME sshkey file USERNAME_p384.pub
    (M4350-8X8F)(Config)#exit
    (M4350-8X8F)#save

And it provided no errors, but didn't work, and using this claimed "no such user":

    (M4350-8X8F)(Config)#show crypto key pubkey-chain ssh username $USERNAME

resulted in: Error: User does not exist.

I then disable use of that file with:

    (M4350-8X8F)>enable
    (M4350-8X8F)#config
    (M4350-8X8F)(Config)#no username $USERNAME sshkey file
    (M4350-8X8F)(Config)#exit
    (M4350-8X8F)#save

I can see that this switch appears to support ecdsa ssh keypairs:

    (M4350-8X8F)(config)#crypto key pubkey-chain ssh user-key $USERNAME ?
    dsa    DSA key
    ecdsa  ECDSA key
    rsa    RSA key

And the RSA import worked, but the P384 ecdsa didn't.

Likely unrelated to ssh client pub/priv keypairs, "crypto key generate ecdsa" appears to support p-256, p-384 and p-521 (this is probably for the sshd server keys, not for ssh clients' pub/priv keypair):

    (M4350-8X8F)(config)#crypto key generate ecdsa 384

How can I get my YubiKey smartcard PIV slot P-384 SSH key to authenticate like another RSA 2K smartcard with a single PIV slot? The P384 ssh public key string is shorter than the RSA 2K public key string, so it isn't like the P-384 string is too long for a buffer, or malloc. I'm assuming, once the p-384 ssh public keys are imported, they will work like the RSA 2k key did. How to import P384 ssh pubkeys to the switch like RSA 2k ssh public keys?

I've tried searching the manual / docs in M4350_CLI_Manual_EN.pdf for details on limits to ECDSA ssh public keys for import, but in a search in the doc for "ECDSA", I didn't see any limits mentioned. (Maybe I missed it or there is a newer document?)

Thanks!
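Added example, not from the original post or from NETGEAR: a stdlib-only Python checker for the step the poster does by hand, namely pulling the bare base64 Key-String out of an OpenSSH public-key line, verifying that the declared type, the curve name embedded in the blob and the point length agree (it covers P-256, P-384 and P-521, not only the P-384 case above), and computing the OpenSSH SHA256 fingerprint to compare with what "ssh-add -l" reports. The function names and the build_sample_key helper (which constructs a dummy, not-on-curve point purely for format testing) are assumptions of this example.

```python
import base64
import hashlib
import struct

# Expected length of the SEC1 uncompressed point (0x04 || X || Y) per curve.
CURVE_POINT_LEN = {"nistp256": 65, "nistp384": 97, "nistp521": 133}


def ssh_string(data):
    """Encode one uint32-length-prefixed SSH wire-format field."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf, offset):
    """Decode one length-prefixed field, refusing truncated input."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    end = offset + 4 + struct.unpack(">I", buf[offset:offset + 4])[0]
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[offset + 4:end], end


def check_ecdsa_key_string(pubkey_line):
    """Return (curve, OpenSSH SHA256 fingerprint) after structural checks."""
    fields = pubkey_line.split()  # OpenSSH layout: '<type> <base64> [comment]'
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, key_string = fields[0], fields[1]  # fields[1] is the Key-String
    blob = base64.b64decode(key_string, validate=True)  # rejects stray characters
    wire_type, off = read_ssh_string(blob, 0)
    curve, off = read_ssh_string(blob, off)
    point, off = read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the public point")
    wire_type, curve = wire_type.decode("ascii"), curve.decode("ascii")
    if wire_type != declared_type or wire_type != "ecdsa-sha2-" + curve:
        raise ValueError(f"type/curve mismatch: {declared_type} vs {wire_type}/{curve}")
    if len(point) != CURVE_POINT_LEN.get(curve) or point[0] != 0x04:
        raise ValueError("point length/encoding does not match " + curve)
    # OpenSSH SHA256 fingerprint: SHA-256 over the raw blob, base64, '=' stripped.
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return curve, "SHA256:" + fp


def build_sample_key(curve, comment=""):
    """Constructed sample line with a dummy (not on-curve) point, for format tests."""
    point = b"\x04" + bytes(range(CURVE_POINT_LEN[curve] - 1))
    blob = (ssh_string(b"ecdsa-sha2-" + curve.encode())
            + ssh_string(curve.encode()) + ssh_string(point))
    return f"ecdsa-sha2-{curve} {base64.b64encode(blob).decode()} {comment}".rstrip()
```

Run check_ecdsa_key_string on the real .pub line before pasting fields[1] into "Key-String row"; a ValueError points at a malformed or mismatched blob rather than at the switch.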