IBM FlashSystem

IBM FlashSystem

Find answers and share expertise on IBM FlashSystem


#Storage
 View Only

  • 1.  Accepted format for a users ssh key

    Posted Mon June 26, 2023 09:06 AM
    Edited by Alexander Reichle-Schmehl Mon June 26, 2023 10:18 AM

    Hi!

    Can someone point me to where I can find supported ssh key types / formats?    I didn't find it so far, only an example showing, that you should create ssh-keys for your users by using ssh-keygen -t rsa.

    I'm asking because I tried today to upload a key of type ssh-ed25519, and it is refused with the error: CMMVC6504E The task cannot be initiated because the SSH key file that you have specified does not contain a valid SSH key, which makes me think that type is not supported, as I could successfully upload an rsa key.

    Problem is that we are discouraged from using rsa keys, and encouraged to use newer eclyptic key type ssh keys, and most of our users already have use these key types.

    So before asking our users to create new keys, I'm wondering if we may find a key type which is accepted by both.

    Best regards,

      Alexander



    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 2.  RE: Accepted format for a users ssh key

    Posted Tue June 27, 2023 04:16 AM

    Hi Alexander,

    the supported ssh key types, say the supported ciphers can be policed by setting the ssh security level.

    This is done by CLI command chsecurity -sshprotocol <level>.

    Details on the levels can be found in IBM Docs article Security levels and supported security ciphers.



    ------------------------------
    Best regards, 

    Christian Schroeder
    IBM Storage Virtualize Support with Passion
    ------------------------------



  • 3.  RE: Accepted format for a users ssh key

    Posted Tue June 27, 2023 04:48 AM

    Thanks for the pointer!

    I can confirm that a key I created via ssh-keygen -t ecdsa works in our test environment.  Which should be good enough for us, also I'm curious why the key I created with ssh-keygen -t ed25519 is not accepted.

    Without deeper knowledge about that I would have guessed by the name I would have guessed that they belong to the listed curve25519-sha256 or curve25519-sha256@libssh.org.



    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------

    Original Message


  • 4.  RE: Accepted format for a users ssh key

    Posted Tue June 27, 2023 08:22 AM

    I have forwarded this topic to the appropriate development team, will keep you posted when I get a response.



    ------------------------------
    Best regards, 

    Christian Schroeder
    IBM Storage Virtualize Support with Passion
    ------------------------------

    Original Message


  • 5.  RE: Accepted format for a users ssh key

    Posted Tue June 27, 2023 09:08 AM

    Hello Alexander,
      I think what you are looking for is documented here:
    https://www.ibm.com/docs/en/sanvolumecontroller/8.5.x?topic=reference-security-levels-supported-security-ciphers



    ------------------------------
    GLEN ROUTLEY
    ------------------------------



  • 6.  RE: Accepted format for a users ssh key

    Posted Tue June 27, 2023 09:32 AM

    I got feedback from my security colleagues, which I yet have to digest.
    Essentially, key exchange algorithm curve25519-sha256 is not quite the same as an ssh key type of ssh-ed25519.

    Also, the IBM Docs link @GLEN ROUTLEY and I had shared, contains this statement:

    Security key algorithms
    Supported host key (and public key) algorithms include ssh-rsa and ssh-ecdsa

    That's to say, ssh-ed* is not supported as of now.



    ------------------------------
    Best regards, 

    Christian Schroeder
    IBM Storage Virtualize Support with Passion
    ------------------------------

    Original Message


Related Content