Forum Discussion

anoop1
Mar 08, 2017

BIGIP SSH Proxy Not working properly

Hi All,

 

Client system --------> BIGIP (SSH Proxy) ---------> Backend Server

Client system: (key1) (192.168.40.56)
BIGIP (SSH Proxy): (Key2) (Vip:192.168.42.152, self:192.168.41.153)
Backend Server: (public key1, Public Key2) (ip:10.10.100.189)

 

In my case Key1 and key2 are the same. My SSH connection is happening perfectly fine without the ssh profile attached.

 

Please find the below screen shot for the configuration of ssh profile.

 

 

Now I verified the public key in authorized_keys and it is there. Direct client to backend I am able to do the password-less connection.

 

But when I try it from the BIGIP VIP it is not connecting at all.

 

I see the logs like below:

F5: logs
err : SSHPLUGIN: sshplugin_0|SSHPlugin|ssh_setup_serverside|Core|the backend ssh server does not have a public key that matches the configuration! (0) Erroring out of this connection.

 

Backend Logs :
puppetmaster sshd[2748]: Set /proc/self/oom_score_adj to 0
puppetmaster sshd[2748]: Connection from 192.168.41.253 port 51484
puppetmaster sshd[2749]: fatal: Read from socket failed: Connection reset by peer

 

I took the packet capture and I can see the Reset is initiated by BIGIP.

 

I followed the same process given in [URL] from the F5 site.

 

Now I need to troubleshoot what is causing my connection reset. Please help me with the solution how I can get it up and running.

 

And just out of curiosity, why are we running continuous port 22 scanning for the backend server?

 

Logs:
Mar 8 16:51:41 puppetmaster sshd[2747]: Set /proc/self/oom_score_adj to 0
Mar 8 16:51:41 puppetmaster sshd[2747]: Connection from 192.168.41.253 port 48174
Mar 8 16:51:41 puppetmaster sshd[2747]: Did not receive identification string from 192.168.41.253

 

Any help would be appreciated.

 

1 Reply

    Tikka_Nagi_1315
    Historic F5 Account

    I believe one of the issues is that your keys are missing the header and footer information.

     

    -----BEGIN RSA PRIVATE KEY----- <==
    (key text) <==
    -----END RSA PRIVATE KEY----- <==

     

    In any case, the following steps produce a working system in my lab:

     

    CLIENT:
    1. Generate a new RSA key pair on the client (ssh-keygen)

    BIGIP
    1. Create a new RSA pair public/private key in BigIP using: ssh-keygen

    1. Create a new ssh proxy profile with default actions (allow). Under the key management:
       a. Add BigIP RSA keys in Proxy Client Auth. Note we delete comment in public key and we add header and footer in private key.

       

      Public Key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuv0xrDHO/Hk+oF5qIQyg/1qoUm2uSnZ7Wyca1IrpmXELEITmtCZevPfkX20Yebuubl7W4f5eisHa0mvy4Gb/WuUbXmTkt7TRaKgJPwARuYDphtoZM6GrIukkSrJRqbZlZ+tbHL5lrGdAfIxTlGLxzu+LKxhJo8Ldn+oBw8KZp1MqJjYiFiDocymSY/sHrEaLxUHZRCOANsVQfzo8yBWGl5V4jJB9ZeqOabApLNBd1wf0bGQoL+YI++44rYTm3gS7oNVVHDOYJYBBIpmUFk70TcedqAAXRXVKRFtYsd50iQazwck/pDn40iq7l1VPeHh3KD70d5VLpDTNF9hC9KH3kQ==

       

      Private key:
      -----BEGIN RSA PRIVATE KEY-----
      (key text)
      -----END RSA PRIVATE KEY-----

       

       b. Add client RSA private key (/root/.ssh/id_rsa) in Proxy Server Auth > Private Key
       c. Add server RSA public key (/etc/ssh/ssh_host_rsa_key.pub) in Real Server Auth
       d. Generate a new RSA key pair in client (ssh-keygen)

     

    1. Create the pool member with SSH server
    2. Create virtual server and add this pool member and set the SSH proxy profile

    SERVER:
    1. Confirm configuration of Authorized keys in sshd_config:

       [...]
       AuthorizedKeysFile /etc/ssh/authorized_keys
       AuthorizedKeysFile /root/.ssh/authorized_keys
       [...]

     

    1. Add BigIP and client's RSA public keys in /etc/ssh/authorized_keys:

       

      • Copy Client created in step 1.d public key (/root/.ssh/id_rsa.pub) in /etc/ssh/authorized_keys
      • Copy BigIP public key (/root/.ssh/id_rsa.pub) in /etc/ssh/authorized_keys

      Authorized_keys file example:

      cat authorized_keys
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfLCZVQpBwBJ1vlZphNBul+GPr5EVgD2PvMolcoCd6D0XVeZ37Y0G/pLVyIS9Qy9nfBL1m4sLHS1RaZJQhu4gxHhlyCypg3ZO7xSI/9L36ZEBSgB4915BZgkVAiVWBB0m5JzVS7apjwe51oxuQv9VSQgHCAX4QNjLkPYy9B6ihdi7tEJ+mAp0Cjo9RBVCziH2si034AW56KpGPHDAVammt9D2fJY8xFrOQWMJedLw+nCknLQQ6ecgHsf+LrQkxb4JMNVUyZY81dVCOITm6K4eIQYeOpIGuIbmGqaIfJUDNiPEE7toK3NT40ojPltCbWAtwYl1OJ5oJIVrrwVzdJdax root@client2
      ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuv0xrDHO/Hk+oF5qIQyg/1qoUm2uSnZ7Wyca1IrpmXELEITmtCZevPfkX20Yebuubl7W4f5eisHa0mvy4Gb/WuUbXmTkt7TRaKgJPwARuYDphtoZM6GrIukkSrJRqbZlZ+tbHL5lrGdAfIxTlGLxzu+LKxhJo8Ldn+oBw8KZp1MqJjYiFiDocymSY/sHrEaLxUHZRCOANsVQfzo8yBWGl5V4jJB9ZeqOabApLNBd1wf0bGQoL+YI++44rYTm3gS7oNVVHDOYJYBBIpmUFk70TcedqAAXRXVKRFtYsd50iQazwck/pDn40iq7l1VPeHh3KD70d5VLpDTNF9hC9KH3kQ== root@bigip1.org
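
Added example, not part of the reply above and not F5 code: a Python pre-check for the key-format points the reply lists before values are pasted into the SSH proxy profile (public key with its comment removed, private key with header and footer kept, Real Server Auth holding the same key as the backend's /etc/ssh/ssh_host_rsa_key.pub). All function names are hypothetical and the sample key lines are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct

PEM_HEAD = "-----BEGIN RSA PRIVATE KEY-----"
PEM_FOOT = "-----END RSA PRIVATE KEY-----"

def parse_pubkey(line):
    """Split '<type> <base64> [comment]' and return (type, decoded blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type (RFC 4253).
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match the encoded blob")
    return key_type, blob

def strip_comment(line):
    """Public key as the reply pastes it into the profile: no trailing comment."""
    key_type, blob = parse_pubkey(line)
    return key_type + " " + base64.b64encode(blob).decode()

def same_key(configured, presented):
    """True when both lines carry the same key; comments are ignored."""
    return parse_pubkey(configured)[1] == parse_pubkey(presented)[1]

def fingerprint(line):
    """SHA256 fingerprint in the format ssh-keygen -l prints."""
    digest = hashlib.sha256(parse_pubkey(line)[1]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def has_pem_armor(text):
    """True when the private key text keeps its header and footer lines."""
    lines = [l.strip() for l in text.strip().splitlines()]
    return len(lines) >= 3 and lines[0] == PEM_HEAD and lines[-1] == PEM_FOOT

def sample_line(seed, comment=""):
    # Constructed, structurally valid but meaningless blob (not a real key).
    parts = [b"ssh-rsa", b"\x01\x00\x01", hashlib.sha256(seed).digest()]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return ("ssh-rsa " + base64.b64encode(blob).decode() + " " + comment).strip()

if __name__ == "__main__":
    host = sample_line(b"backend-host", "root@backend")  # stands in for ssh_host_rsa_key.pub
    print(strip_comment(host), fingerprint(host))
    print("Real Server Auth matches host key:", same_key(strip_comment(host), host))
```

To use it on real material, pass the contents of the backend's /etc/ssh/ssh_host_rsa_key.pub and the value entered in Real Server Auth to `same_key`.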