Switching

  • 1.  unable to ssh to ex switch

    Posted 08-05-2019 16:26

    Hello Experts,

     

    I can't ssh into the switch for users using ssh key

    I generated ssh rsa and linked it with my test user

     

    root@Juniper-lab:RE:0% ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    /root/.ssh/id_rsa already exists.
    Overwrite (y/n)? y
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.

     

    root@Juniper-lab# ...lass super-user authentication load-key-file /root/.ssh/id_rsa.pub  

     

    user rob {
        uid 2006;
        class super-user;
        authentication {
            ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwGT0LFV7PgVkagUJqyg0kIb8adcd1CZD3s1FEBebHir8f8SIzkEblZq2g3CGz2FtgjxwntC7IvoFX/++/LYMZ4u95mTIig/ZdBzkJNqCXEVc1vWcD8/8PxvT+Nhwi4Ou9YqdqzzJIw0S9As3Z767fZ5Ngy3qmYj5PbawWjbqWvD0T4DffoDMYl41DmeV5fjLCr1qoUqhjhgbCXh4sHsbSLTB3WmaVg/3w5yJsvD2zsgmZ1QlqcwSvC4hONUHbEpP02N2Qbb+Hhy+tOFUMTiy0N/QxF7Ghfoqsat511EDiZCL9AX48NcqjYoE6hfZC4pevHcQjLuu6OxuwXlmqO57J root@Juniper-lab"; ## SECRET-DATA

     

    When I try to ssh into the switch, I get the following error

     

    MacBook-Pro:~ deepansiddarthan$ ssh rob@192.168.2.10
    rob@192.168.2.10's password:
    Permission denied, please try again.

     

    I can't seem to find what I am missing. All suggestions are highly appreciated.

       



  • 2.  RE: unable to ssh to ex switch

    Posted 08-06-2019 03:52

    Why are you generating the key on the router?  You should be generating it on the client side, and then copying ~/.ssh/id_rsa.pub from the client to the router configuration.



  • 3.  RE: unable to ssh to ex switch

    Posted 08-07-2019 15:05

    I understand. I generated ssh keys on the client machine and loaded the key file for the user red.

     

    user red {
        uid 2007;
        class super-user;
        authentication {
            ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0QvXlBWgIA11OYm17hc2YLHUmChidzgIm0Qki+wrZxHpEtUrM6GGI8uzyJFSpNyn7pOnCqkG1gX2Gj1OoaMG+rHxDNsxwZgJRQI3fTDLwNlrUkxWZ8I1JebfzwJw7dkXEGzdq3rVKtaYpqsMoamLxmUYGxAhX8Otx+4B+s5nnLN1YwkSAy/6YfUX/jTNZgrqSuAM+brrdE4XGiRBnMgNgSex4uvP5E4Kkj5WhVnqQurqHh+u8ntJ4WGNLVmvMSj/At1hYVNQT+sSQxi8hbwkyXVAtdatKoyYgYi4U8mUKgMVpEd7aTDJWFk0osmywL8jwERc0EsO8EkMSGLcC3RQb deepansiddarthan@Deepans-MacBook-Pro.local"; ## SECRET-DATA

    I still keep getting permission denied for the user red and it prompts for password.

     

    MacBook-Pro:~ deepansiddarthan$ ssh red@192.168.2.10
    red@192.168.2.10's password:
    Permission denied, please try again.

     

    I am using the same machine to ssh as root user and login with user red where the keys were generated again. Will that cause issues? Any suggestion will be highly appreciated. My objective is to ssh to the switch without a password.

     



  • 4.  RE: unable to ssh to ex switch
    Best Answer

     
    Posted 08-07-2019 15:45

    Hi Sid,

    It's working for me. Please try the following two things and let me know if it works for you.

     

    1) Please try to create a user on the switch with the same name as your Linux user.
    2) Remove any offending ssh-key already saved on your Linux server for the router you are trying to log in to.

    Please refer below:

     

    vlsingh@lnx01-user:~$ ssh-keygen -t rsa    < generate the public/private pair, my linux user is vlsingh
    Generating public/private rsa key pair.
    Enter file in which to save the key (/homes/vlsingh/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /homes/vlsingh/.ssh/id_rsa.
    Your public key has been saved in /homes/vlsingh/.ssh/id_rsa.pub.

    <snip>

     

    vlsingh@lnx01-user:~$ cat /homes/vlsingh/.ssh/id_rsa.pub   <<<< get your public key
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDn7CDcmbT6EXvCZlwCUub+0M2JSPgvAAHmPo6e8kQjHSZ+5suMQfE+NZUcf30ApqR7NPlhLgx4vEIIBniPa7hzt30+sqMvBc31g4RfZRtmXxqwWpiqmc0lmoifOzyqIrbjiWixi4GrmVLV+5x5rIJwjNF3hreDTNwCC7eILhmApBO9AYJWhs9XresK07lRIwPIQn86TW7+nx7uLVFne5ZlKXVRwCqpQj00mU75Oe4L62c454JgYtwU7GnSiWvhCNvf36cyZoQ64mZO7ETmirVdfGzHfSFjYMxgd6QqMYnTDN6XtDAg0a6fqISHB1wF8gjyEo1dZTW4rERD+hNIMPUL vlsingh@lnx01-user.example.net

     

     

    labroot@test-re0# show | compare  <<< add the public-key to a new user same as linux user
    [edit]
    + system {
    + login {
    + user vlsingh {                               <<<<<<<<<
    + class super-user;
    + authentication {
    + ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDn7CDcmbT6EXvCZlwCUub+0M2JSPgvAAHmPo6e8kQjHSZ+5suMQfE+NZUcf30ApqR7NPlhLgx4vEIIBniPa7hzt30+sqMvBc31g4RfZRtmXxqwWpiqmc0lmoifOzyqIrbjiWixi4GrmVLV+5x5rIJwjNF3hreDTNwCC7eILhmApBO9AYJWhs9XresK07lRIwPIQn86TW7+nx7uLVFne5ZlKXVRwCqpQj00mU75Oe4L62c454JgYtwU7GnSiWvhCNvf36cyZoQ64mZO7ETmirVdfGzHfSFjYMxgd6QqMYnTDN6XtDAg0a6fqISHB1wF8gjyEo1dZTW4rERD+hNIMPUL vlsingh@lnx01-user.example.net"; ## SECRET-DATA
    + }
    + }
    + }
    + }


    vlsingh@lnx01-user:~$ ssh vlsingh@100.100.100.100
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    de:f4:50:b6:10:0c:7d:78:ed:6f:39:e8:f0:0f:81:0e.
    Please contact your system administrator.
    Add correct host key in /homes/vlsingh/.ssh/known_hosts to get rid of this message.
    Offending RSA key in /homes/vlsingh/.ssh/known_hosts:70
    remove with: ssh-keygen -f "/homes/vlsingh/.ssh/known_hosts" -R 100.100.100.100    <<<<<<<<<<<
    RSA host key for 100.100.100.100 has changed and you have requested strict checking.
    Host key verification failed.

     

    vlsingh@lnx01-user:~$ ssh-keygen -f "/homes/vlsingh/.ssh/known_hosts" -R 100.100.100.100   <<<<< remove old key
    /homes/vlsingh/.ssh/known_hosts updated.
    Original contents retained as /homes/vlsingh/.ssh/known_hosts.old


    vlsingh@lnx01-user:~$ ssh vlsingh@100.100.100.100    <<<<<<<<<<< now I can log in without password
    The authenticity of host '100.100.100.100 (100.100.100.100)' can't be established.
    ECDSA key fingerprint is 5f:8f:c2:54:60:de:b3:57:31:f1:a5:96:92:f5:64:19.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '100.100.100.100' (ECDSA) to the list of known hosts.
    --- JUNOS 17.3R3-S4.2 Kernel 64-bit JNPR-10.3-20190306.8b08cc0_buil


    vlsingh@test-re0>


    Alternatively you can follow this KB: https://kb.juniper.net/KB30588


    Please accept my response as solution if it solves your query, kudos are appreciated too!
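
Added example, not part of any post in this thread: a Python check for the mismatch raised in reply 2, confirming that the public key held on the client is the one configured for the Junos user by comparing SHA256 fingerprints (the value `ssh-keygen -lf` prints). The function names and the sample keys and config are constructed for illustration; the config layout follows the `user ... { authentication { ssh-rsa "..."; } }` form shown above.

```python
import base64, hashlib, re, struct

def fingerprint(pub_line):
    """SHA256 fingerprint of an OpenSSH public key line, as `ssh-keygen -lf` prints it."""
    parts = pub_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    # The blob opens with a length-prefixed copy of the key type; a mismatch
    # means the key was truncated or mangled when pasted into the config.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def junos_user_keys(config_text):
    """Map user -> key lines from `show configuration system login` style text."""
    users, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip().lstrip("+").strip()   # also accept `show | compare` output
        m = re.match(r"user (\S+) \{", line)
        if m:
            current = users.setdefault(m.group(1), [])
        k = re.search(r'\bssh-[\w-]+\s+"([^"]+)"', line)
        if k and current is not None:
            current.append(k.group(1))
    return users

def client_key_configured(client_pub_line, config_text, user):
    """True if the key the client holds is one of the keys configured for `user`."""
    want = fingerprint(client_pub_line)
    return any(fingerprint(k) == want
               for k in junos_user_keys(config_text).get(user, []))

def constructed_key(seed, comment):
    """Constructed sample key: correct wire layout, hash bytes in place of a modulus."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + hashlib.sha512(seed).digest())
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

# Constructed sample data: the key pair made on the switch vs. the one on the laptop.
SWITCH_KEY = constructed_key(b"switch", "root@switch.example")
CLIENT_KEY = constructed_key(b"laptop", "user@laptop.example")
SAMPLE_CONFIG = 'user rob {\n    class super-user;\n    authentication {\n' \
                '        ssh-rsa "%s"; ## SECRET-DATA\n    }\n}\n' % SWITCH_KEY

if __name__ == "__main__":
    print(client_key_configured(CLIENT_KEY, SAMPLE_CONFIG, "rob"))   # False
    print(client_key_configured(SWITCH_KEY, SAMPLE_CONFIG, "rob"))   # True
```

With real data, pass the contents of the client's `~/.ssh/id_rsa.pub` and the saved output of `show configuration system login`.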