Posted on July 20, 2018 6:34 pm | Asked by Sinan Korkmaz | 2036 views
RESOLVED

Hi all,

I cannot get an SSH session to log on without a password prompt – this is for bash scripting from a Linux terminal to an Arista switch.

The procedure here (https://eos.arista.com/ssh-login-without-password/), which defines simply copying the pub keyfile into flash and setting it into the username, does not work.

A user account with no password at all, together with (aaa authen policy local allow…) seems to work fine, which creates a big hole in aaa.

Any ideas? I want simply to have users with passwords, but to be able to ssh without password prompt for those whose keys are well-known and set via (ssh -i ) command. Sounds simple, but I could not get it working. My version is 4.20.5F.

Regards
Sinan

Posted by Tyler Conrad
Answered on July 20, 2018 6:50 pm

Hi Sinan,

There are two items needed for this to work –
First, create a regular user account with a secret (as you noted, you can use the nopassword option, but I wouldn’t recommend it)
username conrad privilege 15 secret MyPassword!

Then, assign your public key to the account. Note that this should be the entire contents of the id_rsa.pub file, including ‘ssh-rsa’ and the user.

username conrad sshkey ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAetc conrad@mydomain.com

Hope this helps,
-Tyler


Thank you very much for your answer.

This is exactly what I tried; unfortunately it does not work. Hesitating on the terminal, I tried copying the key file and assigning it with the “file” option, still no good.

Maybe a bug on F release, will try with M releases…

(Sinan Korkmaz at July 21, 2018 4:27 am)

Hi Sinan,

Would you please put in a case with TAC? They can look at your specific configuration as well as file a bug report internally in the event you are seeing a bug.

Thanks,
Tyler

(Tyler Conrad at July 23, 2018 5:25 pm)
Answered on March 11, 2019 11:42 pm

Having just gone through this, thought I’d post in case it may help someone else. There are legacy “how-to” articles on using “DSA” as the key algorithm. EOS has been upgraded to SSH 6.6.1 and no longer supports DSA. Please use an RSA key instead.

Example on a MacBook:
ssh-keygen -t rsa -b 4096 -f jasons_key

EOS 4.18.x started using SSH version 6.6.1.
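
Added example (not part of any post in this thread, and not Arista code): a shell pre-flight check for the two points raised in the answers above, namely that the key is RSA rather than DSA and that the whole single-line .pub contents, including the 'ssh-rsa' prefix, are used. The function name eos_sshkey_line and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Check a public key line, then print the EOS "username ... sshkey" command.
# eos_sshkey_line is a hypothetical helper name, not an EOS or OpenSSH tool.
eos_sshkey_line() {
    user=$1
    pub=$2
    nl='
'
    case $pub in
        # A key wrapped by a terminal or editor is no longer one .pub line.
        *"$nl"*) echo "error: key is wrapped over several lines" >&2; return 1 ;;
        *" "*) ;;
        # No space at all means the key-type prefix was dropped.
        *) echo "error: expected '<type> <base64> [comment]'" >&2; return 1 ;;
    esac
    type=${pub%% *}     # first field: key type
    rest=${pub#* }
    blob=${rest%% *}    # second field: base64 key material
    case $type in
        ssh-rsa) ;;
        ssh-dss) echo "error: DSA key; generate an RSA key instead" >&2; return 1 ;;
        *) echo "error: this check only accepts ssh-rsa, got '$type'" >&2; return 1 ;;
    esac
    case $blob in
        *[!A-Za-z0-9+/=]*) echo "error: blob has non-base64 characters" >&2; return 1 ;;
        # The blob starts with the length-prefixed string "ssh-rsa",
        # which base64-encodes to this fixed prefix.
        AAAAB3NzaC1yc2E*) ;;
        *) echo "error: blob does not encode an ssh-rsa key" >&2; return 1 ;;
    esac
    printf 'username %s sshkey %s\n' "$user" "$pub"
}

# Constructed sample line in .pub layout; the blob is NOT a real key.
SAMPLE_RSA='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedSampleNotARealKey conrad@mydomain.com'

# With a real key file: eos_sshkey_line conrad "$(cat jasons_key.pub)"
eos_sshkey_line conrad "$SAMPLE_RSA"
```

The printed line is what gets pasted into EOS configuration mode; a non-zero exit with an error on stderr means the key text should be regenerated or re-copied first.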
