ONTAP Discussions

ONTAP 9.4 SSH Public Key Access Broken ( key type ssh-rsa not in PubkeyAcceptedKeyTypes)

parkea2
4,036 Views

One of my powers users as role based restricted access to the FAS using a ssh-rsa 2048 public key only.   This previously worked OK we started at ONTAP 9.1, then 9.2 and  until recently was  on 9.3P4 all working OK for about 2 years.

 

The Problem:

The user can nolonger access the FAS using the pubkey.  I suspect but I  cannot be certain this broke when we updated to

9.4.P3 in December 2018.  The error is:  key type ssh-rsa not in PubkeyAcceptedKeyTypes .   I also tried a new key ssh-ed25519 both have the same error.  See below:

--------------

00000018.001cc78e 0dcc3fa7 Sat Mar 02 2019 12:04:13 +00:00 [auth_sshd:info:8218] userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
00000018.001cc78f 0dcc3fa7 Sat Mar 02 2019 12:04:13 +00:00 [auth_sshd:info:8218] userauth_pubkey: key type ssh-ed25519 not in PubkeyAcceptedKeyTypes

--------------

The ssh keys are good, I checked the fingerprint at both end and tested to other servers (Linux / AIX) both worked with the keys OK.   Also SSH password based access to the FAS works fine.  The MFA second authentication method is set to none. 

 

Question:

1) As anybody seen this before.  I am struggling to get any good hits googling using the error message for ONTAP.

    Linux hits indicate sshd_config can be updated to allow key types removed at later SSH 7.x levels. For example to

   allow ssh-dss which was removed from the defaults at openssh 7.x.

2) I cannot see any means of querying or modifying the ONTAP (FAS) settings for PubkeyAcceptedKeyTypes.

 

I am able to log a support ticket via the NETAPP Partner IBM who provide our L1/L2 support before it esculates to NETAPP directly via IBM if they cannot resolve it.  However I want to ask in the community first and potentially build a stronger testcase to demonstrate the problem. 

1 ACCEPTED SOLUTION

parkea2
3,710 Views

Only got this fully resolved yesterday. It appears a change was made at 9.4 P3 that stops RSA and ED25519 keys

from working to the admin SVM.  Switching to ECDSA keys resolved the problem.

 

Message seen in log was:

00000018.0025399a 0f15eef9 Wed Mar 27 2019 12:14:42 +00:00 [auth_sshd:info:29433] userauth_pubkey: key type ssh-ed25519 not in PubkeyAcceptedKeyTypes [preauth]

 

View solution in original post

2 REPLIES 2

RajeshPanda
3,718 Views

@parkea2  Let me know if you are still looking for the solution, i will help you find an expert who can answer to your query.

parkea2
3,711 Views

Only got this fully resolved yesterday. It appears a change was made at 9.4 P3 that stops RSA and ED25519 keys

from working to the admin SVM.  Switching to ECDSA keys resolved the problem.

 

Message seen in log was:

00000018.0025399a 0f15eef9 Wed Mar 27 2019 12:14:42 +00:00 [auth_sshd:info:29433] userauth_pubkey: key type ssh-ed25519 not in PubkeyAcceptedKeyTypes [preauth]

 

Public