newf5learner_13
Nov 16, 2016

SSH Error - Server sent public key

Hi,

I have created a virtual server with the service 'SSH' with SNAT automap and the backend server listening on TCP 7999 port. The virtual server configuration is very simple with no other settings.

When I access the VIP via PuTTY, I'm seeing an error:

'Disconnected: No supported authentication methods available (server sent: public key)'

But if I access the backend server on PuTTY via port no. 7999, I don't see any errors. Can someone let me know what is actually causing the issue here?

thanks.

8 Replies

  • Hi,

    What do you mean by "service 'SSH'"?

    In general, for those types of services I would use a performance layer 4 profile, because I don't need to inspect the protocol.

  • ltm virtual test_git_ssh {
        destination 10.78.4.248:ssh
        ip-protocol tcp
        mask 255.255.255.255
        pool test_git_ssh
        profiles {
            fastL4 { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 191
    }

    ltm pool test_git_ssh {
        members {
            gittest {
                address 192.168.20.100
                session monitor-enabled
                state up
            }
        }
        monitor gateway_icmp
    }
    
  • Yes, I changed the node name while pasting and deleted the port details.

    ltm pool test_git_ssh {
        members {
            gittest:irdmi2 {
                address 192.168.20.100
                session monitor-enabled
                state up
            }
        }
        monitor gateway_icmp
    }
    
  • Here is a configuration working in my environment:

    ltm virtual /Common/test_ssh_vs { destination /Common/10.128.159.16:22 ip-protocol tcp mask 255.255.255.255 pool /Common/test_ssh_pool profiles { /Common/fastL4 { } } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled }

    The only difference I see is that translate-address and translate-port are enabled.

  • ltm pool /Common/test_ssh_pool { members { /Common/CACTI:22 { address 10.131.159.250 } } }

     

  • With the fastL4 profile assigned, LTM shouldn't be doing anything at the application level, especially something that would limit the authentication methods available for ssh. Without knowing more, here are some things I'd initially check:

    1) Is your server configured to only allow public key authentication? If so, is your PuTTY instance configured to send this public key when connecting to the VIP (as opposed to directly to the server)?

    2) Are you sure the session is going to the server and not some other system? Verify with tcpdump on the BIGIP or 'show sys connection' when you perform a test to make sure the session is going to the server.

    3) Perhaps a configuration on the server limiting authentication methods based on source IP? The LTM is configured to SNAT client connections (automap). Verify on the server or test from the BIGIP by attempting an ssh connection to the server. Assuming no odd routing config, it should source from the self-IP in the same network as the floating self-IP for automap, but just verify this when you test.
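
The three checks from the last reply can be run as one comparison from a host that reaches both the VIP and the server. This is an added example, not part of the thread; the function names, the `PROBE_USER` variable and the sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare what sshd presents through the VIP with what it
# presents when reached directly. Works on `ssh -v` client debug output.

# No-credential probe: the "none" method is refused and the server then lists
# what it accepts. Host keys are not pinned because nothing secret is sent.
# PROBE_USER is an assumption; set it to the account PuTTY logs in as.
probe() {  # usage: probe HOST PORT
  ssh -v -p "$2" -o BatchMode=yes -o ConnectTimeout=5 \
      -o PreferredAuthentications=none \
      -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
      "${PROBE_USER:-probe}@$1" 2>&1
}

# Key type and fingerprint the far end presented.
host_key_fp() { sed -n 's/^debug1: Server host key: //p' | head -n 1; }

# Methods the server advertised for this user and source address.
auth_methods() {
  sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1
}

# Classify two probe logs: VIP path first, direct path second.
compare_paths() (
  vk=$(printf '%s\n' "$1" | host_key_fp)
  dk=$(printf '%s\n' "$2" | host_key_fp)
  vm=$(printf '%s\n' "$1" | auth_methods)
  dm=$(printf '%s\n' "$2" | auth_methods)
  if [ -z "$vk" ] || [ -z "$dk" ]; then echo "incomplete-probe"
  elif [ "$vk" != "$dk" ]; then echo "different-sshd"    # check 2
  elif [ "$vm" != "$dm" ]; then echo "source-ip-policy"  # check 3
  else echo "same-server-same-methods"                   # check 1, client side
  fi
)

# Constructed sample logs, trimmed to the two lines the parsers read.
SAMPLE_DIRECT='debug1: Server host key: ssh-rsa SHA256:CONSTRUCTED-FINGERPRINT-A
debug1: Authentications that can continue: publickey,password'
SAMPLE_VIP='debug1: Server host key: ssh-rsa SHA256:CONSTRUCTED-FINGERPRINT-A
debug1: Authentications that can continue: publickey'

# usage: sh compare.sh VIP VIP_PORT SERVER SERVER_PORT
if [ "$#" -eq 4 ]; then
  compare_paths "$(probe "$1" "$2")" "$(probe "$3" "$4")"
fi
```

A `different-sshd` result means the VIP is landing on another SSH daemon than the one tested directly; `source-ip-policy` means the same daemon offers a different method list when the connection arrives from the SNAT address.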