I have an (admittedly not alternative-free) use case where I want to execute a remote command via SSH from the WAN/Action table. On the server (dynv6.com) I have to store the public key. Only keys of type ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 are accepted. According to the reference manual this is not a feature request; it should already be possible:
Code:
sshkeygen -t ecdsa -b 256 -f ssh_ecdsakey
show ssh idkeys
Unfortunately rsa/dsa keys are shown by idkeys, but ecdsa is not. The fingerprint of the ecdsa key is shown and it changes after sshkeygen, but that does not help me.
Code:
root@gwdus:/
> show ssh
Active SSH Sessions:
PID Peer User Role Method Encryption Peer-Identifier
---------------------------------------------------------------------------------------------------------------------------
3268 10.x.x.x:55838 root Server publickey aes256-ctr SSH-2.0-PuTTY_Release_0.72
Fingerprints Of Configured Server-Side SSH Host Keys:
ecdsa-sha2-nistp256 5c:57:44:cd:97:e8:6e:92:e0:15:43:8f:a9:ae:53:fd
ssh-rsa 6a:9e:40:ee:e5:2e:0d:4b:89:08:e6:81:65:61:a3:4a
ssh-dss ce:32:54:07:76:06:3e:39:f0:e2:52:87:87:3d:c3:88
Configured Client-Side SSH Host Keys For User 'root':
ssh-rsa AAAAB3NzaC1yc2EAAAABEQAAAQEAwhTfMb/rwfpQnKtJhgzLtWhMjEcPmlIGRrOwpGrra82Pi44PkbtgNt5EEcL7ZBktR4+Bd8KgbaBTMtrPojKEAV0vhxmKjV0HfFjQTodPRKpc31zUgNn8rEy5uXc4pyOCgcDL4So7CMhTpKnxx3Hs6mNQYmBeCI0csava3V3DZo0viAaIMC39qY1SwhIiG3DWbfybMGc847sGahQ+I4La2gnSzU4WU5/otEWFyhkrq7K/P6+3x/x8EozlC/njcPVfgsOEMeln/xst3IFq08o21XgvVgpf/csqqY4VveYyJPHCTqjgasMfkWz1YMsAgaTmKSdOQxqmnl64MFU0oKY/bw== root@gwdus
ssh-dss ... root@gwdus
root@gwdus:/
> ls st/hardware
Security-Unit MENU:
Adv.-Error-Reporting-Log TABINFO: 10 x [Index,Time,Severity,Multiple,..]
Nand-Statistic TABINFO: 1 x [Nand-Statistic,Manufacturer,ID-Bits,..]
PCI-Clocks TABINFO: 4 x [Host-Bridge,Bus,Clock-kHz]
PCI-Device-List TABINFO: 32 x [Host-Bridge,Bus,Device,Function,..]
Board-Revision INFO: C
CPU-Clock-MHz INFO: 796
CPU-Load-1s-Percent INFO: 3
CPU-Load-300s-Percent INFO: 2
CPU-Load-5s-Percent INFO: 4
CPU-Load-60s-Percent INFO: 2
CPU-Load-Percent INFO: 2
CPU-Type INFO: Freescale P1014E 2.01
Ethernet-Switch-Type INFO: AR8327N Rev. 2.0
Extended-Name INFO: LANCOM 1781EW+
Free-Memory-KBytes INFO: 77813
MOD-level INFO: C0
Model-Number INFO: LANCOM 1781EW+
Onboard-USB-Hub INFO: No
PCIe-corr.-errors INFO: 0
PCIe-link-resets INFO: 0
PCIe-uncorr.-errors INFO: 0
PLD-Version INFO: FE
Production-date INFO: 2016-11-25
Reset-Button-State INFO: inactive
SW-Version INFO: 10.42.0383RU2 / 02.03.2021
Security-Engine INFO: Yes
Serial-Number INFO: xxxxxxxxxxxxxxxx
Temperature-Degrees INFO: 42
Total-Memory-KBytes INFO: 262144
root@gwdus:/
Download via scp is not supported for the file ssh_ecdsakey. I also tried generating an ecdsa-sha2-nistp256 key externally and importing it via importfile.
Code:
> importfile -a SSH-ECDSA
The input can be aborted by pressing CTRL+Z.
Please enter the PEM-encoded (Base64) device private key, the end the input will be detected automatically:
importfile>-----BEGIN OPENSSH PRIVATE KEY-----
importfile>b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNl
importfile>Y2RzYS1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQSQuur4EjTlV2ff1xjf
importfile>oe+oSGL8rjQfF9pBokviOsGeGIHPtZxs0oXleanmDFq4Xdk1lDJFSzOq3LnxUPWD
importfile>hprDAAAAsFfdxTpX3cU6AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAy
importfile>NTYAAABBBJC66vgSNOVXZ9/XGN+h76hIYvyuNB8X2kGiS+I6wZ4Ygc+1nGzSheV5
importfile>qeYMWrhd2TWUMkVLM6rcufFQ9YOGmsMAAAAhAJKckDbZQSppW6p4xGu77ODWHLgQ
importfile>AZmOiaYW5Nx00/euAAAAD2VjZHNhLWtleS1nd2R1cwECAwQFBgcI
importfile>-----END OPENSSH PRIVATE KEY-----
importfile>
importfile>
Not practicable
Code:
---- BEGIN SSH2 PUBLIC KEY ----
...
---- END SSH2 PUBLIC KEY ----
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
I also tested connections to my own SSH server, which only accepts ecdsa-sha2-nistp256.
Code:
root@hera:~ # /usr/sbin/sshd -De -o "PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256" -o "AuthenticationMethods publickey" -o "LogLEvel DEBUG3" -o "Port 22606"
My suspicion is that settings under /set/config/ssh could be playing a trick on me, hence:
Code:
root@gwdus:/
> trace # ssh
SSH ON
root@gwdus:/
> ssh -p 22606 root@hera
[escape sequence is '~.']
connecting to hera...
[SSH] 2021/06/01 16:30:08,600
Creating new SSH client-side connection:
...
[SSH] 2021/06/01 16:30:09,735
Received Message 51 on connection (PID 3272):
--> Message is USERAUTH_FAILURE:
---> algorithm list is 'publickey'
---> checking for available authentication methods
---> public key: yes, keyboard-interactive: no, password: no
---> server supports public key authentication, sending first key for testing
-----> invalid key length, bailing out
--> error handling record, closing connection & bailing out
connection closed
SSH session terminated
Code:
SFTP-Server MENU:
Authentication-Methods TABLE: 3 x [Ifc.,Methods]
Cipher-Algorithms VALUE: aes256-cbc,aes256-ctr,aes256-gcm
Compression VALUE: Yes
DH-Groups VALUE: Group-14
Elliptic-Curves VALUE: nistp256,nistp384,nistp521
Hostkey-Algorithms VALUE: ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2,ssh-ed25519
Keepalive-Interval VALUE: 60
Key-Exchange-Algorithms VALUE: curve25519-sha256
MAC-Algorithms VALUE: hmac-sha2-256
Max-Hostkey-Length VALUE: 8192
Min-Hostkey-Length VALUE: 2047
Operating VALUE: Yes
Port VALUE: 22606
Andreas
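The trace above bails out with "invalid key length", and the SFTP-Server configuration shows Min-Hostkey-Length 2047; whether that setting is what the client applies is the open question in the post. As an added example (not from the post and not LANCOM code), the script below decodes the SSH wire format of an authorized_keys-style public key line and reports the key size, so a key can be checked against such a minimum-length policy; it shows that a 256-bit ECDSA key can never satisfy a 2047-bit minimum that was written with RSA moduli in mind. The sample keys are constructed inline and are not real keys.

```python
import base64
import struct

def _ssh_string(b: bytes) -> bytes:          # SSH wire-format string: 4-byte length + data
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:              # SSH mpint: big-endian, leading 0x00 if top bit set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_info(line: str):
    """Decode an authorized_keys-style line and return (key type, key size in bits)."""
    ktype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != ktype:
        raise ValueError("type prefix does not match blob")
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)        # public exponent, not needed for the size
        n, _ = _read_string(blob, off)
        return ktype, int.from_bytes(n, "big").bit_length()  # modulus size in bits
    if ktype.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(blob, off)
        return ktype, {b"nistp256": 256, b"nistp384": 384, b"nistp521": 521}[curve]
    if ktype == "ssh-ed25519":
        pk, _ = _read_string(blob, off)
        return ktype, len(pk) * 8
    raise ValueError(f"unsupported key type {ktype}")

MIN_HOSTKEY_LENGTH = 2047   # value shown in the post's SFTP-Server configuration

def passes_min_length(line: str, min_bits: int = MIN_HOSTKEY_LENGTH) -> bool:
    """True if the key's size meets a Min-Hostkey-Length style policy."""
    return key_info(line)[1] >= min_bits

# Constructed sample keys (not real keys): the curve point and ed25519 bytes are filler.
def _make_line(ktype: str, fields: list, comment: str = "constructed") -> str:
    blob = _ssh_string(ktype.encode()) + b"".join(fields)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"

SAMPLE_RSA = _make_line("ssh-rsa", [_ssh_mpint(65537), _ssh_mpint((1 << 2047) | 1)])
SAMPLE_ECDSA = _make_line("ecdsa-sha2-nistp256",
                          [_ssh_string(b"nistp256"), _ssh_string(b"\x04" + b"\x11" * 64)])
SAMPLE_ED25519 = _make_line("ssh-ed25519", [_ssh_string(b"\x22" * 32)])

if __name__ == "__main__":
    for line in (SAMPLE_RSA, SAMPLE_ECDSA, SAMPLE_ED25519):
        ktype, bits = key_info(line)
        print(f"{ktype:22} {bits:5d} bits  meets min {MIN_HOSTKEY_LENGTH}: {passes_min_length(line)}")
```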