Forum Discussion

Omar95's avatar
Omar95
Icon for Altostratus rankAltostratus
Feb 04, 2021

AWS - AFM SSH Proxy error SSH authentication

Hello all,

 

I follow the documentation of F5 to implement the SSH proxy :

https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/big-ip-network-firewall-policies-and-implementations-14-1-0/15.html

 

I am using an ec2 amazon linux to test with ssh password authentication.

I configure the F5 AFM SSH VS and generate all the ssh key as asked in the big ip and the server machine.

 

When I test, i am prompted to enter my username but directly after this I get an error: software caused connection abort

 

When I check the log in /var/log/sshplugin I have this error message : the backend ssh server does not have a public key that matches the configuration

 

I searched in the net and I found that it's could be related with the trailing comment but for my case I didn't add it in the key.

 

Did someone have an idea of how we can solve this issue or know the root cause ?

 

Thank you in advance,

Best regards

Omar

AFM
AWS
security
  • Omar95's avatar
    Omar95
    Icon for Altostratus rankAltostratus
    Feb 16, 2021

    Still have the issue. Anyone have already encounter the behavior?

  • Martin_Vlasko's avatar
    Martin_Vlasko
    Icon for Altocumulus rankAltocumulus
    Apr 08, 2021

    Hi Omar,

    I experienced the same error message.

    Assuming you have already generated the RSA key pair on your backend server...

    On your backend server, go to /etc/ssh/sshd_config and make sure that the following line is NOT commented. Don't forget to restart the SSH service afterwards!

    HostKey /etc/ssh/ssh_host_rsa_key

    On your backend server, copy the SSH public key from /etc/ssh/ssh_host_rsa_key.pub, and make sure you do NOT include the trailing description, so it should look something like:

    ssh-rsa AAAAB3Nza....oC/arKVST/r9

    And NOT like:

    ssh-rsa AAAAB3Nza....oC/arKVST/r9 root@ubuntu

    Copy this backend server's RSA public key to the Real Server Auth Public Key section of the SSH Proxy Key Management.

    Next, copy the F5's own RSA private key (to be found in /root/.ssh/id_rsa) to the Proxy Server Auth Private Key section of the SSH Proxy Key Management. If you do not yet have it, run the ssh-keygen as per SSH Proxy documentation.

    It does work for me, hope it helps you too.

    Cheers,

    Martin