For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

anoop1's avatar
anoop1
Icon for Nimbostratus rankNimbostratus
Mar 08, 2017

BIGIP SSH Proxy Not working properly

Hi All,   Client system --------> BIGIP (SSH Proxy) ---------> Backend Server (key1) (Key2) (public key1 , Public Key2) (192.168.40.56) (Vip:192.168.42...
AFM
application delivery
LTM
security
Tikka_Nagi_1315's avatar
Tikka_Nagi_1315
Historic F5 Account
May 12, 2017

I believe one of the issues is that your keys are missing the header and footer information.

 

-----BEGIN RSA PRIVATE KEY----- <== (key text) <== -----END RSA PRIVATE KEY----- <==

 

In any case, the following steps produce a working system in my lab:

 

CLIENT: 1. Generate a new RSA key pair on the client (ssh-keygen)

 

BIGIP 1. Create a new RSA pair public/private key in BigIP using: ssh-keygen

 

  1. Create a new ssh proxy profile with default actions (allow). Under the key management: a. Add BigIP RSA keys in Proxy Client Auth. Note we delete comment in public key and we add header and footer in private key.

     

    Public Key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuv0xrDHO/Hk+oF5qIQyg/1qoUm2uSnZ7Wyca1IrpmXELEITmtCZevPfkX20Yebuubl7W4f5eisHa0mvy4Gb/WuUbXmTkt7TRaKgJPwARuYDphtoZM6GrIukkSrJRqbZlZ+tbHL5lrGdAfIxTlGLxzu+LKxhJo8Ldn+oBw8KZp1MqJjYiFiDocymSY/sHrEaLxUHZRCOANsVQfzo8yBWGl5V4jJB9ZeqOabApLNBd1wf0bGQoL+YI++44rYTm3gS7oNVVHDOYJYBBIpmUFk70TcedqAAXRXVKRFtYsd50iQazwck/pDn40iq7l1VPeHh3KD70d5VLpDTNF9hC9KH3kQ==

     

    Private key: -----BEGIN RSA PRIVATE KEY----- MIIEoQIBAAKCAQEAuv0xrDHO/Hk+oF5qIQyg/1qoUm2uSnZ7Wyca1IrpmXELEITm tCZevPfkX20Yebuubl7W4f5eisHa0mvy4Gb/WuUbXmTkt7TRaKgJPwARuYDphtoZ M6GrIukkSrJRqbZlZ+tbHL5lrGdAfIxTlGLxzu+LKxhJo8Ldn+oBw8KZp1MqJjYi FiDocymSY/sHrEaLxUHZRCOANsVQfzo8yBWGl5V4jJB9ZeqOabApLNBd1wf0bGQo L+YI++44rYTm3gS7oNVVHDOYJYBBIpmUFk70TcedqAAXRXVKRFtYsd50iQazwck/ pDn40iq7l1VPeHh3KD70d5VLpDTNF9hC9KH3kQIBIwKCAQACq9h7JUhxUjBwAVlJ nXADpd3VSrWwm0rns8I2PH+uE+aO3VPAvrg15ki/iN9vdA12mvRw8VkfPUicmyRi Sp0/eE0w5C8nMiA/qqEL3xYyMWJr+80o91aPIJZ2GH2CbKmtXspxyDSnCMoQaGeY EArEyOhjW8aJp1rv/6+RbNZPMLTb6zcKngiUk/Rs324QYDGqXiDkGRjahrMKF4sH ERPtLJzI6Qc5ybmKu/VEMlWIt+sOAoNnJOQ76+H/u6TuTFrKy3q0jR2wJ9A4oPXZ SgGjNCiMTV9ZYLn1FgURgcknQgzE5tmyRUPoPFoMczXS8VpFKLXgOmFNabUnWjRN qRfrAoGBAOTC8BECIso5+dul4layUHN1xcyVd1kU4Gs4HP8SeRV4VNSsjJWqccIJ vAyaSPmW1q80rUbWMQtXKGHrGyxld1Yu4uDreVednFqgLCCdvumDA+Bp4Z83hA+U 5Zwddm7x/5bsNdrWXW2oFnl1puEvT3K9NSgz84+DZLZlhXmQHU3JAoGBANFA9QQs x8WYuuD5AJh/qIO5vw5Pz1thD/CErTnG8P5FDcTwS+3uUBBwjwvsxADd5v9jBvMl npVCRgrVGqFPrJH+TubSJCJdAPcGajoOU5gqgKbg9mWdfmGrcFnK6wTa957+c94O 6/mpk6K6LbabKlWB6BDzqyD16I3vqHwoSB+JAoGBAN45tgHk0Va7+giShBm0iKqs 7AiRMhwFps6OSA26LHtBsX4j9kg/LK3dkhrfBQ+3GbGDoQL79SD1lPFoC8S6Vqt+ APfALLuDKiwmkURBd6EC7dKv/789PnWJVBP/XRtRe/GyQvHXjfV+tr8h1U/HjwG/ HbIGlNSORJPtl5qpQQm7AoGAa52/1kLqZZ8BBfxmtNPwQ76cxYghf3O/DfsXQkkO OZ/bMhUuXRt5og4AbIhkzT7r08yHOzfrKDC2Tra9PQRnYQZxuIlUaXGouY5FQm3E l2ZQytoYUYQyXh2nfqLfRFNaxswBEx2d7hyyU7A0xE/MoQD7AWdfUsecK70U0iNY SrsCgYBLJKEp7vxt1Xr4VgJm0EiqQc4fdbTuL6TNT6Cr86WjR6kJ63ixpYDJ7Qp+ RRUZugumO8/YyjB/csYSMcuw+/nVpwXBk6SHiL2MWG9bsW5MBc7DBomXr5S/UXKu H8PSW0AgehbQ0v4QtmpsEwiyk+6R5sHCQhSJGw1uU2pYd6YoFg== -----END RSA PRIVATE KEY-----

     

b. Add client RSA private key (/root/.ssh/id_rsa) in Proxy Server Auth > Private Key c. Add server RSA public key (/etc/ssh/ssh_host_rsa_key.pub) in Real Server Auth d. Generate a new RSA key pair in client (ssh-keygen)

 

  1. Create the pool member with SSH server
  2. Create virtual server and add this pool member and set the SSH proxy profile

SERVER: 1. Confirm configuration of Authorized keys in sshd_config: [...] AuthorizedKeysFile /etc/ssh/authorized_keys AuthorizedKeysFile /root/.ssh/authorized_keys [...]

 

  1. Add BigIP and client's RSA public keys in /etc/ssh/authorized_keys:

     

    • Copy Client created in step 1.d public key (/root/.ssh/id_rsa.pub) in /etc/ssh/authorized_keys
    • Copy BigIP public key (/root/.ssh/id_rsa.pub) in /etc/ssh/authorized_keys

    Authorized_keys file example: cat authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfLCZVQpBwBJ1vlZphNBul+GPr5EVgD2PvMolcoCd6D0XVeZ37Y0G/pLVyIS9Qy9nfBL1m4sLHS1RaZJQhu4gxHhlyCypg3ZO7xSI/9L36ZEBSgB4915BZgkVAiVWBB0m5JzVS7apjwe51oxuQv9VSQgHCAX4QNjLkPYy9B6ihdi7tEJ+mAp0Cjo9RBVCziH2si034AW56KpGPHDAVammt9D2fJY8xFrOQWMJedLw+nCknLQQ6ecgHsf+LrQkxb4JMNVUyZY81dVCOITm6K4eIQYeOpIGuIbmGqaIfJUDNiPEE7toK3NT40ojPltCbWAtwYl1OJ5oJIVrrwVzdJdax root@client2 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuv0xrDHO/Hk+oF5qIQyg/1qoUm2uSnZ7Wyca1IrpmXELEITmtCZevPfkX20Yebuubl7W4f5eisHa0mvy4Gb/WuUbXmTkt7TRaKgJPwARuYDphtoZM6GrIukkSrJRqbZlZ+tbHL5lrGdAfIxTlGLxzu+LKxhJo8Ldn+oBw8KZp1MqJjYiFiDocymSY/sHrEaLxUHZRCOANsVQfzo8yBWGl5V4jJB9ZeqOabApLNBd1wf0bGQoL+YI++44rYTm3gS7oNVVHDOYJYBBIpmUFk70TcedqAAXRXVKRFtYsd50iQazwck/pDn40iq7l1VPeHh3KD70d5VLpDTNF9hC9KH3kQ== root@bigip1.org