A Vendor SR6608 Fails to Log in to an NE40E as an SSH Client

Publication Date: 2019-07-24

Issue Description

An NE40E and a Vendor SR6608 can be directly connected. The SR6608 fails to function as an SSH client to log in to the NE40E. An RSA public key is configured on the SR6608, and the NE40E is also configured with RSA.

Alarm Information

The obtained packet header information shows that the type of the public key sent by the NE40E is ssh-dss or ssh-rsa during private key negotiation. The following figure shows the negotiation. The SR6608 also supports RSA and DSA for packet sending. For the NE40E, DSA is preferred to RSA. Therefore, the DSA public key is used for negotiation between the two ends. However, DSA is not configured on the SR6608 and therefore the authentication fails when RSA is configured.

Handling Process

The obtained packet header information shows that the type of the public key sent by the NE40E is ssh-dss or ssh-rsa during private key negotiation. The following figure shows the negotiation. The SR6608 also supports RSA and DSA for packet sending. For the NE40E, DSA is preferred to RSA. Therefore, the DSA public key is used for negotiation between the two ends. However, DSA is not configured on the SR6608 and therefore the authentication fails when RSA is configured.

Solution

1. Configure a DSA public key on the SR6608.

2. Run the <SR6608>ssh2 18.x.x.2 identity-key rsa command on the SR6608 to perform login.

Suggestions

The device that functions as a client does not need to determine whether a public key exists locally when sending the public key algorithms it supports. Only the device that functions as a server needs such determination. Therefore, packets are sent to the SSH server even if the client is not configured with DSA. The client supports both DSA and RSA. If the server has different priorities on DSA and RSA, the server uses DSA for authentication because DSA is preferred to RSA.

The public key authentication algorithm has a low priority. The public key needs to be specified during device login. You can run the ssh2 18.x.x.2 identity-key rsa command or specify the public key algorithm as RSA on the server if permitted.
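
To confirm from a packet capture which public key types a device advertised, and in what order, the name-lists can be read out of the SSH_MSG_KEXINIT payload. The following Python parser is an added example, not part of the original case or of either vendor's tooling; it follows the RFC 4253 message layout, and the sample payload is constructed here rather than captured from the NE40E.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into ordered name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, result = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for name in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError(f"truncated before {name}")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"truncated inside {name}")
        raw = payload[offset:offset + length].decode("ascii")
        result[name] = raw.split(",") if raw else []
        offset += length
    return result

def host_key_order(payload: bytes) -> list:
    """Return the advertised public key types, most preferred first."""
    return parse_kexinit(payload)["server_host_key_algorithms"]

def build_kexinit(lists: dict) -> bytes:
    """Build a KEXINIT payload for the demo (zero cookie, no guessed packet)."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)

# Constructed sample, not a real capture: a server listing ssh-dss ahead of ssh-rsa.
SERVER_KEXINIT = build_kexinit({
    "kex_algorithms": ["diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["ssh-dss", "ssh-rsa"],
})

if __name__ == "__main__":
    order = host_key_order(SERVER_KEXINIT)
    print("public key types in advertised order:", order)
    print("ssh-dss listed before ssh-rsa:", order.index("ssh-dss") < order.index("ssh-rsa"))
```

Running the same parser over the KEXINIT payload from each end shows whether ssh-dss is listed ahead of ssh-rsa, which is the condition this case traces the login failure to.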
