Forum Discussion

Brian_Gibson_30
Feb 12, 2019

Unable to use SSH keys with TACACS configured.

Hi,

I'm trying to set up remote SSH authorization using SSH keys. However, it seems that I have some sort of conflict because we are using TACACS.

TACACS maps remote users to root. I'm guessing this is causing the problem, but I don't know how to fix it.

I have tried doing this with a local user defined and without, and it doesn't work either way.

Trying to get Ansible set up. We never used SSH keys before to log into devices.

2 Replies

  • Hi Brian,

    TACACS does not provide direct shell access (bash mode). For an SSH keyless login to work, it requires landing in shell mode (bash). Only local user accounts land directly in bash. Remote roles always land in the tmsh shell. One has to run 'bash' or 'run util bash' from tmsh to get into bash.

    With that being said, you can't configure a TACACS user to do keyless login. You would need to create a local user account, like the root and admin accounts. They authenticate locally on the box.

    Let's say for Ansible you have created an account: ansibleops.

    Do you see ansibleops in the auth user list and the localuser file?

    tmsh list auth user ansibleops

    cat /config/bigip/auth/localusers

    If tmsh list shows your ansibleops and the localuser file doesn't, you have to add your ansibleops to that file.

  • My company uses LDAP and Remote Role Groups for BIG-IP authentication, and more or less followed the following KB article to configure SSH key-based authentication for an automation account:

    https://support.f5.com/csp/article/K13454

    Do read the KB article for caveats about potentially losing the SSH public key during OS upgrades.

    Create a user on the BIG-IP for the automation account, either in the Configuration Utility or using tmsh. If you will only be using SSH key authentication for this user, the user doesn't have to be defined in your remote authentication provider (at least not for LDAP). For example, you can use "ansibleops" per jaikumar's answer. Set the user's shell to "Advanced shell" in the Configuration Utility, or "bash" if using tmsh to create the account.

    Create the /home/ansibleops/.ssh directory on the BIG-IP, and copy the SSH public key to the authorized_keys file in that directory.

    You should then be able to authenticate with:

    ssh -i /path/to/ssh_private_key ansibleops@bigip.mycompany.com

    I just ran these steps on my lab box, and it wasn't necessary to add the "ansibleops" user to /config/bigip/auth/localuser on BIG-IP 12.1.3.x. I can't speak to whether that's changed in newer versions.
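As an added example (not code from the thread, from F5 or from the KB article), the POSIX shell script below carries out the key-installation part of the steps in the second reply, for the kind of local bash-shell account the first reply says is required. It validates the public key line before writing it, installs it into /home/<user>/.ssh/authorized_keys with restrictive key options and the file modes sshd expects, skips a key that is already present, and checks ownership-independent permissions the way sshd's StrictModes does. The /home/ansibleops/.ssh/authorized_keys path comes from the thread; the from= source network, the no-*-forwarding options and the key blob in the demo are constructed values, and creating the user itself (tmsh or the Configuration Utility, shell set to bash) is left to the steps above.

```shell
#!/bin/sh
# Added example, not from the thread, F5 or K13454: install an SSH public key
# for a local automation account (e.g. ansibleops) in a hardened, repeatable way.
# Assumed: the user already exists with shell "bash", and
# /home/<user>/.ssh/authorized_keys is the key file sshd reads for it.
set -eu

# Accept only lines shaped "<type> <base64-blob> [comment]" with a key type
# sshd understands; anything else is rejected before it reaches the file.
validate_pubkey() {
    ktype=$(printf '%s\n' "$1" | awk '{print $1}')
    blob=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
    [ $(( ${#blob} % 4 )) -eq 0 ] || return 1
}

# One authorized_keys entry: pin the source network (constructed value passed
# by the caller) and drop forwarding, so a leaked key is only usable from the
# automation hosts and only for running commands.
build_authorized_entry() {
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$2" "$1"
}

# Mirror the checks sshd's StrictModes makes: the home directory must not be
# group- or world-writable, and .ssh / authorized_keys must be private.
check_key_perms() {
    home="$1"
    [ -z "$(find "$home" -prune \( -perm -020 -o -perm -002 \))" ] || return 1
    [ -n "$(find "$home/.ssh" -prune -perm 700)" ] || return 1
    [ -n "$(find "$home/.ssh/authorized_keys" -prune -perm 600)" ] || return 1
}

# Idempotently install a key under <home> and print the resulting number of
# entries, so the caller can see whether a duplicate was skipped.
install_key() {
    home="$1"; key="$2"; from="$3"
    validate_pubkey "$key" || { echo "rejected: not a valid public key line" >&2; return 1; }
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    if ! grep -qF -- "$blob" "$home/.ssh/authorized_keys"; then
        build_authorized_entry "$key" "$from" >> "$home/.ssh/authorized_keys"
    fi
    check_key_perms "$home" || { echo "permission check failed for $home" >&2; return 1; }
    wc -l < "$home/.ssh/authorized_keys" | tr -d ' '
}

# Stand-alone demo on a throwaway directory with a constructed key (the blob is
# a placeholder, not a real key). On the BIG-IP you would pass /home/ansibleops
# and the real public key of the Ansible control host instead.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBlobConstructedForTheAddedExample000= ansible@ci'
    install_key "$tmp" "$demo_key" "10.10.0.0/24"
    cat "$tmp/.ssh/authorized_keys"
    rm -rf "$tmp"
fi
```

Run it as `sh install_key.sh demo` to see the entry it produces; on the box, call install_key with /home/ansibleops and the real key, then test with the ssh -i command from the reply above. Keeping the from= restriction in the entry means the key only works from the automation network, which limits what a copied key is worth, and the StrictModes-style check catches the common failure where sshd silently ignores an authorized_keys file because .ssh or the home directory is too permissive.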