Monday, April 17, 2017

Generating Aruba SSH login keys and certificate

I came across the need for one of my scripts to connect to an Aruba controller the other day and although I could have used a username/password option I decided on certificate based authentication just to learn something new.
The process is quite straightforward, but it took me a while to figure out. I chose Aruba as that is the vendor of choice where I work, but I'd say that the process would be similar for other vendors' gear (at least the certificate generation part).

To an Aruba controller you can only upload certificates not RSA signatures, so you must make a cert from a public/private key pair that we generate with the ssh-keygen command and then use openssl to generate the certificate from this pair that can be upload. (If anyone has a foolproof solution for doing this with only one these, please share it.)

Creating the key pair and certificate

1. First we create the priv/pub keys with ssh-keygen, where we provide the name for the key (ex. ssh-id_rsa). When asked for a password for the key I left it empty as that would mean that it would need to be entered every time the script would be run, which I didn't want.

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/primoz.marinsek/.ssh/id_rsa): ssh-id_rsa              >>>>>> PROVIDE A NAME FOR THE KEY HERE
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ssh-id_rsa.
Your public key has been saved in
The key fingerprint is:
SHA256:v0ImnCOiUhFQhe8/DlE6jA8bPaJb+nZosjiJuRPHJu0 p.m@XXXYYYZZ.local
The key's randomart image is:
+---[RSA 2048]----+
|.o.o.            |
|  o              |
|   o  .          |
|  .+.o           |
| o=oB. .S        |
|o.B*o+= o.       |
|o@oooo =  .      |
|@+E ..o .  .     |
|BX.. ... ..      |

2. Next we need to create a certificate that we will upload to the controller. For this we use openssl to create a PEM public certificate from the private key "ssh-id_rsa. I gave it a life of 3650 days or 10 years in this example. When asked about the information to enter it's your choice whether you want to fill it in or not.
openssl req -x509 -new -key ssh-id_rsa -days 3650 -out ssh-id_rsa-cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.

With these 2 steps you have now created the key pair and a certificate that you can upload to the controller.

Uploading and enabling the user for login

Next steps involve uploading of the certificate you just generated and creating a user to go with it. I'll continue with step 3 below, which starts with enabling using public key architecture for SSH-ing into the controller

Note that some steps involve using the WEB GUI to upload the certificate. I've gotten used to CLI in recent times and I use scp quite a bit, but I haven't found an elegant way of uploading things to a controller yet. I seem to be running into some cypher mismatches there.

3. This step involves enabling certificate option for SSH, which must be performed on a master controller ONLY. Enabling it on a local controller will not be allowed either from WEB GUI or CLI. 
You need to either ssh or browse to the controller via WEB GUI and under 
Management :: General :: SSH (Secure Shell) Authentication Method the 
Client Public Key 
needs to be enabled or alternatively do it much simpler over CLI as below

ssh mgmt-auth public-key

4. On controllers WEB GUI and go to Management :: Certificates and select tab Upload and fill in the fields as below. Note that this has to be done on every MASTER AND LOCAL controller in your topology.
  • "Name" of choice for the cert (ex. Aruba-mgmt-user-crt)
  • Select the file from your disk
  • Select PEM as "Certificate Format"
  • For "Certificate Type" select "Public Cert"
  • click "Upload"
5. Create a new user and use the SSH key for login (same as before MASTER AND LOCAL)
  • Go to Management :: Administration 
  • Add a new user under "Management Users"
    1. Under User Name input "ssh-global"
    2. Select the "Certificate Management" radio button
    3. Diselect "WebUI Certificate"
    4. Select "SSH Public Key"
      1. For Role select "root"
      2. For Client Certificate name select the previously uploaded certificate (Aruba-mgmt-user-crt then click Apply

Below is the CLI command that does this
mgmt-user ssh-pubkey client-cert "Aruba-mgmt-user-crt" "ssh-global" "root" 


6. I don't know why, but when my script logged into a controller it wasn't put directly into the "enable mode", but when logging in straight from the console I didn't have that issue. To not run into this issue run the below few commands to make sure you won't have problems there.
configure t
enable bypass
write mem

Authentication test

To test the connection follow the below procedure
  1. You must copy the "Aruba-ssh-id_rsa" key into your ".ssh" directory
  2. Run the below command and check you are logged in to the controller. Check the name of the controller
    ssh -i ~/.ssh/Aruba-ssh-id_rsa ssh-global@<the_controller>

If this doesn't work you might need to change the permission on the key with
chmod 400 Aruba-ssh-id_rsa

Hope this post helped in some way in your scripting endeavours and don't forget to share if it did, or if it didn't.