jump to navigation

Foundry SuperX SSH authentication 2009/03/02

Posted by dividead in Networking.
Tags: ,
1 comment so far

Today a new Foundry FastIron SuperX Premium switch was delivered at my work, so of course I took the opportunity to play around with it.

Setting up ssh public-key authentication to login to the management cli was one of my goals, as being a programmer I’m bored with repetitive tasks such as typing the same password over and over again.

Sadly, this process was far more messy than one could hope for — especially when comparing it to Juniper routers which allows you to copy paste an OpenBSD style public-key directly into the configuration, and which just works afterwards.

The firmware version I worked with was the following, in order to see wether your mileage may vary.
Compressed Pri Code size = 3811736, Version 04.0.01aT3e3 (SXR04001a.bin)
Compressed Sec Code size = 3156827, Version 04.0.01aT3e1 (SXL04001a.bin)
Compressed BootROM Code size = 524288, Version 04.0.00T3e5

First we need to create a user account, and allow it to be used for local authentication.
username foobar privilege 0 password fnord
aaa authentication login default local

Now we need to setup the SSH server itself, by generating a host keypair, and making sure that users need to specify a password when logging in.
ip ssh permit-empty-password no
crypto key generate

Please note that setting permit-empty-password to yes turns off password authentication entirely, instead of (what we would intuitively expect) allowing users without a password to login over ssh. This invites for some really messed up ‘secure’ configuration if people do not pay attention.

At this point it should be possible to login through ssh using a password. Ideally I would like to use pubkey based authentication, but sadly the interface allows us to upload public-keys only over TFTP (although scp
seems possible too as long as the management blade has additional PCMCIA flash modules installed).
An additional annoyance is the fact that the firmware only accepts RFC 4716 style keys, so we have to convert any OpenSSH style key by doing the following.
ssh-keygen -e -f id_dsa.pub > id_dsa.pub.ssh2

This file should be offered on a tftp server, so that on the foundry we can import it. According to the documentation these keys are stored on EEPROM immediatly.
ip ssh pub-key-file tftp id_dsa.pub.ssh2

Well, by no means trivial, but finally this should allow for public-key authentication, or not? It seems that as soon as public-key authentication is tried, we suffer from the following message.
Authenticated with partial success.

It seems that after a successful public-key authentication attempt, the Foundry still wants me to perform password authentication, which certainly seems absurd. Of course we can work around this by disallowing password
authentication altogether.
ip ssh password-authentication no

This is suboptimal when we have a combination of users with passwords and public keys, as well as not allowing me to login through ssh with just a password in case I do not have my pubkey at hand…

Well, this part of the Foundry interface seems more braindead than the average Resident Evil denizen…