ONTAP Discussions

ONTAP 9.4 SSH Public Key Access Broken (key type ssh-rsa not in PubkeyAcceptedKeyTypes)

parkea2

One of my power users has role-based restricted access to the FAS using an ssh-rsa 2048 public key only. This previously worked OK: we started at ONTAP 9.1, then 9.2, and until recently were on 9.3P4, all working OK for about 2 years.

 

The Problem:

The user can no longer access the FAS using the pubkey. I suspect, but I cannot be certain, this broke when we updated to 9.4.P3 in December 2018. The error is: key type ssh-rsa not in PubkeyAcceptedKeyTypes. I also tried a new ssh-ed25519 key; both have the same error. See below:

--------------

00000018.001cc78e 0dcc3fa7 Sat Mar 02 2019 12:04:13 +00:00 [auth_sshd:info:8218] userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
00000018.001cc78f 0dcc3fa7 Sat Mar 02 2019 12:04:13 +00:00 [auth_sshd:info:8218] userauth_pubkey: key type ssh-ed25519 not in PubkeyAcceptedKeyTypes

--------------

The ssh keys are good: I checked the fingerprint at both ends and tested to other servers (Linux / AIX), and both worked with the keys OK. Also, SSH password-based access to the FAS works fine. The MFA second authentication method is set to none.

 

Question:

1) Has anybody seen this before? I am struggling to get any good hits googling using the error message for ONTAP. Linux hits indicate sshd_config can be updated to allow key types removed at later SSH 7.x levels, for example to allow ssh-dss, which was removed from the defaults at OpenSSH 7.x.

2) I cannot see any means of querying or modifying the ONTAP (FAS) settings for PubkeyAcceptedKeyTypes.

 

I am able to log a support ticket via the NETAPP partner IBM, who provide our L1/L2 support, before it escalates to NETAPP directly via IBM if they cannot resolve it. However, I want to ask in the community first and potentially build a stronger test case to demonstrate the problem.

1 ACCEPTED SOLUTION

parkea2

Only got this fully resolved yesterday. It appears a change was made at 9.4 P3 that stops RSA and ED25519 keys from working to the admin SVM. Switching to ECDSA keys resolved the problem.

 

Message seen in log was:

00000018.0025399a 0f15eef9 Wed Mar 27 2019 12:14:42 +00:00 [auth_sshd:info:29433] userauth_pubkey: key type ssh-ed25519 not in PubkeyAcceptedKeyTypes [preauth]
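An added example, not part of the original posts and not NetApp code: a Python script that pulls the `PubkeyAcceptedKeyTypes` rejections out of log text like the lines quoted in this thread and flags which public keys use a rejected type. The line layout in the regex is an assumption inferred from the three quoted lines, and the public-key lines are constructed placeholders in plain `.pub` format.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines copied from the thread above.
SAMPLE_LOG = """\
00000018.001cc78e 0dcc3fa7 Sat Mar 02 2019 12:04:13 +00:00 [auth_sshd:info:8218] userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
00000018.001cc78f 0dcc3fa7 Sat Mar 02 2019 12:04:13 +00:00 [auth_sshd:info:8218] userauth_pubkey: key type ssh-ed25519 not in PubkeyAcceptedKeyTypes
00000018.0025399a 0f15eef9 Wed Mar 27 2019 12:14:42 +00:00 [auth_sshd:info:29433] userauth_pubkey: key type ssh-ed25519 not in PubkeyAcceptedKeyTypes [preauth]
"""

# Constructed public-key lines; key material replaced by a placeholder.
SAMPLE_KEYS = [
    "ssh-rsa AAAA_PLACEHOLDER user@example",
    "ecdsa-sha2-nistp256 AAAA_PLACEHOLDER user@example",
]

# Assumed layout: <seq> <id> <timestamp> [auth_sshd:<level>:<pid>] <message>
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<ts>\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}) "
    r"\[auth_sshd:\w+:(?P<pid>\d+)\] userauth_pubkey: key type (?P<ktype>\S+) "
    r"not in PubkeyAcceptedKeyTypes(?P<preauth> \[preauth\])?\s*$"
)

def parse_rejections(log_text):
    """Return one record per 'key type ... not in PubkeyAcceptedKeyTypes' line."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # unrelated log line
        records.append({
            "time": datetime.strptime(m["ts"], "%a %b %d %Y %H:%M:%S %z"),
            "pid": int(m["pid"]),
            "key_type": m["ktype"],
            "preauth": m["preauth"] is not None,
        })
    return records

def rejected_type_counts(records):
    """Count rejections per key type."""
    return Counter(r["key_type"] for r in records)

def keys_needing_replacement(pubkey_lines, records):
    """Return the public-key lines whose type field was rejected in the log."""
    rejected = {r["key_type"] for r in records}
    return [ln for ln in pubkey_lines if ln.split() and ln.split()[0] in rejected]

if __name__ == "__main__":
    recs = parse_rejections(SAMPLE_LOG)
    print(dict(rejected_type_counts(recs)))
    for line in keys_needing_replacement(SAMPLE_KEYS, recs):
        print("rejected key type in use:", line.split()[0])
```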

 


2 REPLIES

RajeshPanda

@parkea2 Let me know if you are still looking for the solution; I will help you find an expert who can answer your query.

