Proper steps to Enable SSH on 21.1.3.7 or higher XOS


I was trying to enable SSH on an XOS device having the 21.1.3.7 image.
I did the following steps:

ena ssh <-- OK

generated a private key.. <-- OK

I want to have an SSH session via PuTTY or Tera Term <-- connection refused
I want to enable HTTPS <-- will not allow

What are the proper steps to generate the required keys and certificate and import them so that this freakin SSL/SSH related thing will start to work?

Can someone please guide me to the correct steps, like importing a PEM or copying from a PEM file and pasting it in the console? How can I get an SSL certificate?
Is SSHD2 also required for a PuTTY SSH connection?

11 replies

Userlevel 3
Refer to here

http://documentation.extremenetworks.com/exos/EXOS_21_1/Security/t_configure-pregenerated-certificat...
I have already used this step, but I don't know about that content/key which is to be copied from some certificate sitting somewhere in the switch, which I couldn't locate... Where is that certificate with the PEM extension?
I can't find that key which will eventually be used to create the SSL cert.
Userlevel 3

show ssh2 private-key

The private key is saved in EEPROM. You cannot see it except with the above.

X460G2-24t-G4.7 # conf ssl privkey pregenerated ?
Execute the command
X460G2-24t-G4.7 # conf ssl privkey pregenerated
Paste private key in Privacy Enhanced Mail (PEM) format.
Enter blank line for end of private key.
2d:2d:2d:2d:2d:42:45:47:49:4e:20:52:53:41:20:50:52:49:56:41:54:45:20:4b:45:59:2

Error: Error validating private key
X460G2-24t-G4.8 #

That's what's been happening since the morning. I don't know what content is to be pasted here. I copied from the SSH2 private-key, which is a long hex string.
It will not accept it, and you can see the error.
Userlevel 3

That is not a proper PEM format key.

Refer here for the correct format.

http://how2ssl.com/articles/working_with_pem_files/
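
Added example, not part of the original posts and not Extreme's code: a Python check for text about to be pasted at a PEM prompt, telling PEM armor apart from a colon-separated hex dump. Run on the truncated string pasted earlier in this thread, it shows those bytes are the ASCII of a PEM header written out in hex. `SAMPLE_PEM` is constructed with placeholder bytes, and the check covers only the armor lines and base64 body, not the key itself.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s+([A-Za-z0-9+/=\s]+?)-----END \1-----\s*\Z")
HEX_RE = re.compile(r"[0-9a-fA-F]{2}(:[0-9a-fA-F]{1,2})*:?")

# The string pasted at the prompt in this thread (truncated there, so the
# final lone hex digit is dropped when decoding).
THREAD_PASTE = ("2d:2d:2d:2d:2d:42:45:47:49:4e:20:52:53:41:20:50:52:49:56:41:"
                "54:45:20:4b:45:59:2")

# Constructed PEM armor; the body is placeholder bytes, not a real key.
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
              + base64.b64encode(b"constructed placeholder, not key material").decode()
              + "\n-----END RSA PRIVATE KEY-----\n")


def decode_colon_hex(text):
    """Decode 'aa:bb:cc' into bytes, ignoring a truncated trailing octet."""
    octets = [o for o in text.strip().split(":") if len(o) == 2]
    return bytes(int(o, 16) for o in octets)


def classify(text):
    """Return (kind, detail) for text about to be pasted at a PEM prompt."""
    stripped = text.strip()
    m = PEM_RE.fullmatch(stripped)
    if m:
        try:
            base64.b64decode("".join(m.group(2).split()), validate=True)
        except ValueError:
            return ("bad-pem", "armor present but body is not valid base64")
        return ("pem", m.group(1))
    if HEX_RE.fullmatch(stripped):
        # Show what the hex octets spell out as text.
        return ("colon-hex", decode_colon_hex(stripped).decode("ascii", "replace"))
    return ("unknown", "")


if __name__ == "__main__":
    print(classify(THREAD_PASTE))
    print(classify(SAMPLE_PEM))
```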

Thanks Wong,
so it should be the client side that provides me with a proper digital certificate, which is generally a PEM file?
I see no command in XOS which generates that certificate which will have that proper key.
Or is there a way to generate a free certificate?
Userlevel 3

You can always self-generate your own keys.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-user-key-based-authentica...
Userlevel 7
Can you get the output of 'show management' and paste it here?
sh man
CLI idle timeout : Enabled (20 minutes)
CLI max number of login attempts : 3
CLI max number of sessions : 8
CLI paging : Enabled (this session only)
CLI space-completion : Disabled (this session only)
CLI configuration logging : Disabled
CLI password prompting only : Disabled
CLI RADIUS cmd authorize tokens : 2
CLI scripting : Disabled (this session only)
CLI scripting error mode : Ignore-Error (this session only)
CLI persistent mode : Persistent (this session only)
CLI prompting : Enabled (this session only)
CLI screen size : 24 Lines 80 Columns (this session only)
CLI refresh : Enabled
Telnet access : Enabled (tcp port 23 vr all)
: Access Profile : not set
SSH access : Enabled (Key valid, tcp port 22 vr all)
: Secure-Mode : Off
: Access Profile : not set
SSH2 idle time : 60 minutes
Web access : Enabled (tcp port 80)
: Access Profile : not set
Total Read Only Communities : 1
Total Read Write Communities : 1
RMON : Disabled
SNMP access : Enabled
: Access Profile : not set
SNMP Compatibility Options :
GETBULK Reply Too Big Action : Too Big Error
IP Fragmentation : Disallow
SNMP Notifications : Enabled
SNMP Notification Receivers : None
SNMP stats: InPkts 0 OutPkts 0 Errors 0 AuthErrors 0
Gets 0 GetNexts 0 Sets 0 Drops 0
SNMP traps: Sent 0 AuthTraps Enabled
SNMP inform: Sent 0 Retries 0 Failed 0
X460G2-24t-G4.8 #
Userlevel 7
It looks like SSH is enabled and has a valid key. Does it let you try to log in and then reject you? Or reject before you can put in your password?
