Forum Discussion
SSH proxy not working
Hi All,
I used these instructions: https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-12-1-0/13.html to configure SSH proxy, but without success.
How it works:
PuTTY shows me a login prompt, but after I enter a login there, it gives me the error message: Network error: Software caused connection abort.
Logs on F5 show me this: ssh_serverside_auth_fail Real server public key" in the configuration does not match the private key of the backend server",
I have already checked the public key from the backend server.
I want only authentication via username and password via ssh proxy.
Thank you
- DmitryAltocumulus
Your public key has to look like:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCziS6yavPpFuRjLP9hzRiEBcVgLDynoWqNMuwCrOREkSiDqWqFRrydFCGy6Z1WwwJuDMIw5h3sIuqtOo78zd6pBabXpj0QLUyLtGx80Oe3vInpwxvG2/YX9KaGjofkasZJ+tOqoOe5QscnUYr7Iw6CEuo2dBVIZyL/o1IyTvDfL8+yXO4vPzadmL0gvV1F56feRVsCF0HUrhWwdrQ6CpIpX6acsY0HayrhOGPmVF4qRz7fLySHJ5XQz5IKXJRNHJEbXx2tiV1TuQlhz8gOMqMp2IiSqyKDcUTk2Oy0fPYkNAWPlifq7GplYkit85EL5UCgtHf595rqibOQJWFAAzHF
It has to be one long string, without any newlines. And without the "email" at the end of the string.
If all is correct, you can try to find the HostKey directives in your backend SSH server config and comment out all except the RSA one, like this:
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
I assume access works without the F5 SSH proxy?
Which part of that manual did you follow, the part at: "Defining SSH proxy password or keyboard interactive authentication"?
Did you follow all the information mentioned there?
- f5beginnerCirrostratus
Hi boneyard,
I guess yes.
I started with this:
Proxying SSH traffic with an SSH Proxy profile - finished with step 11.
Creating an SSH virtual server with SSH proxy security - finished with step 8.
Attaching an SSH proxy security profile to an existing virtual server - finished with step 4.
Defining SSH proxy password or keyboard interactive authentication - finished with step 9.
From the backend server I used the public key from root/.ssh/id_rsa.pub and copied it, without the email address that was at the end of the text, to the F5 Real Server Auth Public key.
Thank you
- DmitryAltocumulus
You have to use /etc/ssh/ssh_host_rsa_key.pub instead of root/.ssh/id_rsa.pub.
And as it is written in the docs for v.15: Make sure not to include the trailing comment.
I did it and now I am not receiving this error message in the log, but I still can't connect: after I enter the password it hangs and then closes -_-
- f5beginnerCirrostratus
Hi Dmitry,
I have already tried to change the public key to this one: /etc/ssh/ssh_host_rsa_key.pub, but it is still the same. Should I restart some process, maybe?
Thank you
- DmitryAltocumulus
Generally not, you only need to commit.
Do you still get the same error in the log?
After I inserted the correct public key I got nothing in the log, so my troubles seem to be related to PAM.
- f5beginnerCirrostratus
I still have the same logs on F5. I am still receiving the login prompt: "login as:", and I can also type there, but when I press Enter I receive the Network error.
Thank you
- DmitryAltocumulus
Of course you have to restart the SSH server after you make changes.
- f5beginnerCirrostratus
Hi Dmitry,
Thank you for the answer. The problem was that I had not commented out the other HostKeys. Do you have any idea why it didn't work with the other HostKeys uncommented? Because on F5 ssh-rsa was specified.
Thank you
- DmitryAltocumulus
I think this is because F5 doesn't support ECDHE SSH keys (look at "Current limits of SSH Proxy" at the beginning of the chapter about SSH Proxy).
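The checks that resolved this thread, as an added example that is not part of any post above or of F5's documentation: take the backend's RSA host public key as one line without its trailing comment, reject a pasted value that is not exactly that key, and list the HostKey directives that are still active besides RSA. The function names are hypothetical, the key material is a constructed placeholder, and the RSA host key file is assumed to end in `_rsa_key` as in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): backend-side checks for the value that
# goes into the F5 SSH proxy "Real Server Auth Public Key" field.

# Print "<type> <base64>" from a .pub file: one line, trailing comment dropped.
key_without_comment() {
    awk 'NF >= 2 { print $1 " " $2; exit }' "$1"
}

# List HostKey paths that are active (not commented out) in an sshd_config.
active_hostkeys() {
    awk 'tolower($1) == "hostkey" { print $2 }' "$1"
}

# List active HostKey paths other than the RSA host key.
non_rsa_hostkeys() {
    active_hostkeys "$1" | grep -v '_rsa_key$' || true
}

# Succeed only if the pasted value is exactly the host key, on one line,
# with no comment. $1 = pasted text, $2 = host key .pub file.
pasted_key_matches() {
    [ -n "$1" ] && [ "$1" = "$(key_without_comment "$2")" ]
}

# Demo on constructed files; the key material below is a made-up placeholder.
demo() {
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDHOSTKEY root@backend\n' > "$d/ssh_host_rsa_key.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDUSERKEY root@backend\n' > "$d/id_rsa.pub"
    printf 'HostKey /etc/ssh/ssh_host_rsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key\n' > "$d/sshd_config"

    echo "value for the F5 profile: $(key_without_comment "$d/ssh_host_rsa_key.pub")"
    if pasted_key_matches "$(key_without_comment "$d/id_rsa.pub")" "$d/ssh_host_rsa_key.pub"; then
        echo "user key: match"
    else
        echo "user key: MISMATCH (the field takes the host key, not a user key)"
    fi
    echo "HostKey lines still to comment out: $(non_rsa_hostkeys "$d/sshd_config")"
    rm -r "$d"
}

demo
```

On a real backend the file arguments would be /etc/ssh/ssh_host_rsa_key.pub and the server's sshd_config.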