Brocade Ironware 5.4.0 and ssh keys

(Blogpost in English to help those who google for this bug ...)

It seems there is a serious ssh bug in version 5.4.0 of the Brocade Ironware software running on Foundry MLX and CER
routers etc.

The bug affects ssh public/private key authentication, the "more secure" way of logging into systems. The bug is quite stupid:
it just doesn't work!

After spending two hours debugging, I gave up and submitted a case to Brocade Support. A few hours later, they acknowledged the bug.

It appears that 05400b code has an authentication issue when using key pairs.
The issue is newly reported and will be addressed & fixed in 05400c and later releases which is expected to be released in two months.

Until then, please use one of the following workarounds:

  1. Set ssh client software to use only username and password and do not try a certificate even when available. Since you use OpenSSH, try ssh -o PubkeyAuthentication=no user@machine when SSHing into the router.
  2. Instruct the router to inform the ssh clients to use password interactive only by running ip ssh key-authentication no
  3. Downgrade to 05200 branch

So I hope Google picks up this post, and those that wonder why SSH key auth doesn't work on their Brocade Foundry box running software version
5.4.0, find this post.

Oh by the way: be very careful with the ip ssh permit-empty-passwd command, in case you would be tempted to use that! It allows anyone to log in
with ssh, and completely bypasses radius, tacacs or any other aaa method you configured. Don't ever ever do this, unless you are 100% sure you've ACL'd
it to death!
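As an added example (not from the original post, and not Brocade's code): a small Python audit that reads a router running-config as text and flags the two ssh settings discussed above, the 05400b key-authentication workaround and the dangerous permit-empty-passwd knob. The config excerpt is a constructed sample, and the two negation spellings it accepts (a leading "no " and a trailing " yes"/" no") are assumptions about Ironware syntax.

```python
# Constructed sample of an Ironware running-config excerpt (not a real
# device dump): the 05400b workaround is applied and permit-empty-passwd
# has been left switched on.
SAMPLE_CONFIG = """\
!
hostname mlx-edge-1
ip ssh timeout 120
ip ssh key-authentication no
ip ssh permit-empty-passwd
aaa authentication login default tacacs+ local
!
"""


def _parse(line):
    """Split one config line into (feature, enabled).

    Assumed negation spellings: a leading 'no ' or a trailing ' no'
    disables the feature; a trailing ' yes' (or nothing) enables it.
    """
    enabled = True
    if line.startswith("no "):
        line, enabled = line[3:], False
    words = line.split()
    if words and words[-1] in ("yes", "no"):
        enabled = enabled and words[-1] == "yes"
        words = words[:-1]
    return " ".join(words), enabled


def audit_ssh_config(config_text):
    """Return (severity, feature, reason) findings for the ssh settings."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # blank or comment line
            continue
        feature, enabled = _parse(line)
        if feature == "ip ssh permit-empty-passwd" and enabled:
            findings.append(("CRITICAL", feature,
                             "password-less ssh logins allowed; AAA is bypassed"))
        elif feature == "ip ssh key-authentication" and not enabled:
            findings.append(("INFO", feature,
                             "pubkey auth disabled (05400b workaround); revert after upgrade"))
    return findings


if __name__ == "__main__":
    for severity, feature, reason in audit_ssh_config(SAMPLE_CONFIG):
        print(f"{severity:8} {feature}: {reason}")
```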