SSH-proxy and keyboard interactive authentication not working
I am trying to test the SSH proxy functionality of AFM, but I am not succeeding at all. I am aiming for keyboard interactive authentication (username/password), but all I get is "Authentication failed."
For my test-setup I have followed this to the letter: https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-12-1-0/13.print.html Section: Defining SSH proxy password or keyboard interactive authentication
My setup goes: 10.128.1.1 --> 10.128.10.100 (VS with SSH-proxy profile) --> 10.128.10.128 (backend server)
Directly SSH 10.128.1.1 ---> 10.128.10.128 works just fine. If I go through the virtual Bigip on 10.128.10.100 I get:
debug1: Host '10.128.10.100' is known and matches the RSA host key.
debug1: Found key in /Users/testuser/.ssh/known_hosts:4
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/testuser/.ssh/id_rsa
debug1: Trying private key: /Users/testuser/.ssh/id_dsa
debug1: Trying private key: /Users/testuser/.ssh/id_ecdsa
debug1: Trying private key: /Users/testuser/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Authentication failed.
I have taken the public key from the backend server /etc/ssh/ssh_host_rsa_key.pub and placed a copy in "Real Server Auth Public Key" field.
I have taken a private key generated on the virtual Bigip, using ssh-keygen, and placed a copy in "Proxy Server Auth Private key" field.
I made sure that HostKey /etc/ssh/ssh_host_rsa_key is not commented out on the backend server.
According to the article linked to above, it should now work, but it does not. Can anyone help me?
- Ian_Støttrup (Nimbostratus)
I believe I got it working now. Instead of using the public key on the backend server placed in /etc/ssh/ssh_host_rsa_key.pub, I used the public key that was in my client's .ssh/known_hosts, after having connected directly to 10.128.10.128. This key I placed in the Real Server Auth Public Key field and now I can log in, through the Bigip, using username/password and SCP is not allowed through, which was my goal.
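Added example (not part of the original posts, and not F5 code): one way to check whether a host key .pub line is the same key a client has pinned in known_hosts for a given host, by comparing key type and SHA256 fingerprint. The key blobs, the host name backend.example and the file contents are constructed sample data; in the sample the client pinned an ssh-ed25519 key for 10.128.10.128, so an RSA .pub line does not match it.

```python
import base64, hashlib, hmac, struct

def b64(b):
    return base64.b64encode(b).decode()

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def blob_type(blob):
    # The key type is the first length-prefixed string inside the key blob.
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()

def fingerprint(blob):
    # Format printed by `ssh-keygen -lf`: unpadded base64 of SHA-256(blob).
    return "SHA256:" + b64(hashlib.sha256(blob).digest()).rstrip("=")

def host_matches(pattern, host):
    if pattern.startswith("|1|"):  # HashKnownHosts: |1|salt|HMAC-SHA1(salt, host)
        _, _, salt, mac = pattern.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return host in pattern.split(",")  # wildcards and [host]:port not handled

def pinned_keys(known_hosts_text, host):
    """Return [(key_type, fingerprint)] the client has pinned for host."""
    out = []
    for line in known_hosts_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0][0] in "#@":  # skip comments, @revoked, @cert-authority
            continue
        if host_matches(f[0], host):
            blob = base64.b64decode(f[2])
            out.append((blob_type(blob), fingerprint(blob)))
    return out

def pub_matches_pinned(pub_line, known_hosts_text, host):
    blob = base64.b64decode(pub_line.split()[1])
    return (blob_type(blob), fingerprint(blob)) in pinned_keys(known_hosts_text, host)

# Constructed sample data (not real keys): blobs with the right wire layout only.
RSA_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(bytes(range(1, 34)))
ED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
RSA_PUB = "ssh-rsa " + b64(RSA_BLOB) + " root@backend"
ED_PUB = "ssh-ed25519 " + b64(ED_BLOB) + " root@backend"
SALT = bytes(range(20))
HASHED = "|1|%s|%s" % (b64(SALT), b64(hmac.new(SALT, b"backend.example", hashlib.sha1).digest()))
KNOWN_HOSTS = "10.128.10.128 ssh-ed25519 %s\n%s ssh-rsa %s\n" % (b64(ED_BLOB), HASHED, b64(RSA_BLOB))
```

On real files, pass the contents of the .pub file and of ~/.ssh/known_hosts; the fingerprints can be cross-checked against the output of ssh-keygen -lf.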