Author Topic: Public-key authentication with ssh  (Read 541 times)

Alimachina

Public-key authentication with ssh
« on: June 06, 2018, 10:48:55 AM »
In the nedi.conf we can define users for telnet and ssh access, which is useful for CLI.

We have a RADIUS server for user authentication on our switches, so there isn't any "generic user".
So I guess we have to use one of our users, that's ok.
But I want to hide the password.
I'm not sure how to do this:
"Use public-key authentication with ssh, if you do not want to have pw here in cleartext."


If I connect to a switch with SSH on the NeDi server, I'll have the RSA key fingerprint for this device, but then how do I tell NeDi to use it?

ascii

Re: Public-key authentication with ssh
« Reply #1 on: June 07, 2018, 08:23:53 AM »
I'm not using key files,
but I looked in inc/libcli.pm.

I found these lines around 664, depending on your version of NeDi:
Code:
}elsif($po == 22){
                 my $known = "-o 'StrictHostKeyChecking no'";

I guess you can try to set the keyfile there.

Maybe you need to set a dummy password in the NeDi config.

rickli

Re: Public-key authentication with ssh
« Reply #2 on: June 08, 2018, 12:52:08 PM »
The StrictHostKeyChecking option can be turned off to ignore hostkeys on switches (update with -kK), but has nothing to do with public-key auth...

First off, you can "encrypt" the PW in nedi.conf (see context help in System-Files) or, as ascii wrote, add the public key of your machine to the authorised keys on the switch and use a dummy PW...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo
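
The key-based setup mentioned in the reply above, as an added example that is not part of the original posts or of NeDi's code. The key path, the key comment, the host pattern and the assumption that NeDi's SSH sessions go through the OpenSSH client of the account running it (which reads that account's ~/.ssh/config) are all illustrative. Note that the fingerprint printed here belongs to the user key you generate, not to the switch's host key that ssh shows on first connect.

```shell
#!/bin/sh
# Added example: dedicated SSH key pair for a polling account.
# File names and the 'nedi-poller' comment are assumptions, not NeDi defaults.

# make_key DIR: create DIR/id_nedi (private) and DIR/id_nedi.pub (public).
# Safe to call twice: an existing key is never overwritten.
make_key() {
    dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # RSA is chosen because many switch SSH servers accept only RSA user keys
    # (assumption; use ed25519 where the device supports it).
    # -N '' means no passphrase, so file permissions are the only protection.
    [ -f "$dir/id_nedi" ] || \
        ssh-keygen -q -t rsa -b 3072 -N '' -C 'nedi-poller' -f "$dir/id_nedi" || return 1
    chmod 600 "$dir/id_nedi"
}

# key_fingerprint DIR: SHA256 fingerprint of the *user* public key, for
# comparison with what the switch reports after the key is imported.
key_fingerprint() {
    ssh-keygen -l -E sha256 -f "$1/id_nedi.pub" | awk '{print $2}'
}

# ssh_config_stanza DIR PATTERN: client configuration that offers only this
# key to matching hosts and never falls back to password authentication.
ssh_config_stanza() {
    cat <<EOF
Host $2
    IdentityFile $1/id_nedi
    IdentitiesOnly yes
    PreferredAuthentications publickey
    PasswordAuthentication no
EOF
}
```

Append the stanza to the polling account's ~/.ssh/config and import id_nedi.pub on the switch using the vendor's own procedure. Running `ssh -o BatchMode=yes user@switch` from that account then fails instead of prompting if the key is not accepted.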

Alimachina

Re: Public-key authentication with ssh
« Reply #3 on: June 11, 2018, 10:33:49 AM »
Can you give me more details about the encryption part, please?
I looked in the help page and in "The NeDi Guide" but with no luck.

rickli

Re: Public-key authentication with ssh
« Reply #4 on: June 13, 2018, 12:10:02 AM »
Use System-Files to edit nedi.conf. Click the padlock to open the "encryption popup". Enter clear PW and copy result back in nedi.conf:
usrsec    admin 41326464

You can increase security by changing the secret in the function XORpass() in libmisc.pm, but don't forget it after the next update...
-Remo

Alimachina

Re: Public-key authentication with ssh
« Reply #5 on: June 13, 2018, 05:09:47 PM »
Thanks Rickli  ;)

Dunno why I never thought to click on this padlock before... :-[
I saw it's also available in the shell with "nedi.pl -Z my_password_here pw".
I had to "reset CLI access" for my previously discovered devices, and now it works like a charm!