SSH Error - Server sent public key

newf5learner_13
Nimbostratus

Hi,

I have created a virtual server with the service 'SSH' with SNAT automap and the backend server listening on TCP 7999 port. The virtual server configuration is very simple with no other settings.

When I access the VIP via putty, I'm seeing an error

'Disconnected: No supported authentication methods available (server sent: public key)'
But if I access the backend server on putty via port no.7999, I don't see any errors. Can someone let me know what is actually causing the issue here?

thanks.

8 REPLIES

Hi,

What do you mean by "service 'SSH'"?

In general, for those types of services I would use a performance layer 4 profile, because I don't need to inspect the protocol.

Lee_Sutcliffe
Nacreous

Are you able to show your VS config?

tmsh list ltm virtual 

newf5learner
Nimbostratus
ltm virtual test_git_ssh {
    destination 10.78.4.248:ssh
    ip-protocol tcp
    mask 255.255.255.255
    pool test_git_ssh
    profiles {
        fastL4 { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 191
}

ltm pool test_git_ssh {
    members {
        gittest {
            address 192.168.20.100
            session monitor-enabled
            state up
        }
    }
    monitor gateway_icmp
}

Leonardo_Accor1
Nimbostratus

Hi, it seems it's missing the 7999 port indication in the pool?

newf5learner
Nimbostratus

Yes, I changed the node name while pasting and deleted the port details.

ltm pool test_git_ssh {
    members {
        gittest:irdmi2 {
            address 192.168.20.100
            session monitor-enabled
            state up
        }
    }
    monitor gateway_icmp
}

Leonardo_Accor1
Nimbostratus

Here is a configuration working in my environment:

ltm virtual /Common/test_ssh_vs { destination /Common/10.128.159.16:22 ip-protocol tcp mask 255.255.255.255 pool /Common/test_ssh_pool profiles { /Common/fastL4 { } } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled }

The only difference I see is in translate-address and translate-port enabled.

Leonardo_Accor1
Nimbostratus

ltm pool /Common/test_ssh_pool { members { /Common/CACTI:22 { address 10.131.159.250 } } }

 

Ed_Summers
Nimbostratus

With the fastL4 profile assigned, LTM shouldn't be doing anything at the application level, especially something that would limit the authentication methods available for ssh. Without knowing more, here are some things I'd initially check:

1) Is your server configured to only allow public key authentication? If so, is your putty instance configured to send this public key when connecting to the VIP (as opposed to directly to the server)?

2) Are you sure the session is going to the server and not some other system? Verify with tcpdump on the BIGIP or 'show sys connection' when you perform a test to make sure the session is going to the server.

3) Perhaps a configuration on the server limiting authentication methods based on source IP? The LTM is configured to SNAT client connections (automap). Verify on the server or test from the BIGIP by attempting an ssh connection to the server. Assuming no odd routing config it should source from the self-IP in the same network as the floating self-IP for automap, but just verify this when you test.
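
Added example (not part of any reply in this thread): a small Python check for point 3 above, showing how an OpenSSH-style `Match Address` block can offer password login to a direct client while a connection arriving from the SNAT self-IP is offered only publickey. It assumes the backend uses OpenSSH `sshd_config` syntax; the sample config, the client address and the self-IP are constructed, and `offered_methods` is a hypothetical helper name.

```python
import ipaddress

# Upstream OpenSSH defaults for the keywords tracked here (distributions may differ).
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
METHOD = {"pubkeyauthentication": "publickey", "passwordauthentication": "password",
          "kbdinteractiveauthentication": "keyboard-interactive"}

def match_applies(criteria, src):
    """Evaluate a Match line; only 'all' and 'Address <cidr,...>' are handled."""
    if criteria and criteria[0].lower() == "all":
        return True
    if len(criteria) != 2 or criteria[0].lower() != "address":
        return False  # other criteria (User, Group, ...) are out of scope here
    nets = [ipaddress.ip_network(p, strict=False) for p in criteria[1].split(",")]
    return any(src in n for n in nets)

def offered_methods(config_text, src_ip):
    """Return the auth methods sshd would offer to a connection from src_ip."""
    src = ipaddress.ip_address(src_ip)
    global_opts, match_opts = {}, {}
    target = global_opts                      # lines before the first Match are global
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        key = key.lower()
        if key == "match":                    # non-matching blocks are skipped entirely
            target = match_opts if match_applies(args, src) else None
        elif target is not None and key in DEFAULTS and args:
            target.setdefault(key, args[0].lower())   # first value obtained wins
    # Satisfied Match blocks override the global section.
    effective = {**DEFAULTS, **global_opts, **match_opts}
    return [METHOD[k] for k in METHOD if effective[k] == "yes"]

# Constructed sample: password login is allowed only from the client subnet.
SAMPLE_SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match Address 10.50.0.0/16
    PasswordAuthentication yes
"""
CLIENT_DIRECT = "10.50.1.20"    # constructed: PuTTY host connecting straight to the server
SNAT_SELF_IP = "192.168.20.5"   # constructed: BIG-IP self-IP the server sees with automap

if __name__ == "__main__":
    for label, ip in (("direct", CLIENT_DIRECT), ("via VIP", SNAT_SELF_IP)):
        print(f"{label:8} {ip:15} -> {offered_methods(SAMPLE_SSHD_CONFIG, ip)}")
```

Run it against the server's real configuration and the source address seen in tcpdump or 'show sys connection' to compare what each path is offered.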