SSH Key Exchange for Brocade FabricOS

The below is tested up to Fab OS 6.4, although I don't believe it changes much in later releases (feel free to provide feedback to the contrary).

In this example, I’m keeping things simple and using the admin account. You may wish to consider RBAC depending on your use for key-based access.

Manual Command Line Configuration

In the worst case, you may be using a serial terminal or otherwise be unable to upload the key using sshutil, so the steps below outline the manual method.

Firstly, log in via SSH or console using the root account.

Secondly, add the public key to the admin account's authorized_keys file:

SWITCH01:root> mkdir /fabos/users/admin/.ssh
SWITCH01:root> echo "ssh-rsa AAAAB2NyyD1ec3EBBBBBCwAAAwkduUUUUUUj+/bNt65NNNkfmmhUi8j7/d/NMdjmmuhdnnfylarnndnfyyeDjsRI3vgyy6fZI/tMx1aKtdm78V0SDTV4Gi6nNTfNNlZB6Dx5hpUBndkfDiut4F93jfFisjf883kfd9fdkmgFKdu4w44EW3mfmfidfNjBXZt0NsJWOmPPhPcrRTfTAt4dF6QH7Brfg8LDZDhqB0iUh40L/xY+bauflf83fnfDitnr/+fngGdjfmsFjfngfmfnnnfmmp81tcdsjnrjegbdfkkmmjjfmmfllOLXjlDGgvuRB/vB6Wy8g3gyuTWDvjDMpzAKzll6tcmgcZhdpzbN553RV+nIb2hfmNut0T4sTfn== remoteadmin@linuxmgthost.company.local" >> /fabos/users/admin/.ssh/authorized_keys
SWITCH01:root> chmod 700 /fabos/users/admin/.ssh
SWITCH01:root> chmod 600 /fabos/users/admin/.ssh/authorized_keys
SWITCH01:root> cat /fabos/users/admin/.ssh/authorized_keys
ssh-rsa AAAAB2NyyD1ec3EBBBBBCwAAAwkduUUUUUUj+/bNt65NNNkfmmhUi8j7/d/NMdjmmuhdnnfylarnndnfyyeDjsRI3vgyy6fZI/tMx1aKtdm78V0SDTV4Gi6nNTfNNlZB6Dx5hpUBndkfDiut4F93jfFisjf883kfd9fdkmgFKdu4w44EW3mfmfidfNjBXZt0NsJWOmPPhPcrRTfTAt4dF6QH7Brfg8LDZDhqB0iUh40L/xY+bauflf83fnfDitnr/+fngGdjfmsFjfngfmfnnnfmmp81tcdsjnrjegbdfkkmmjjfmmfllOLXjlDGgvuRB/vB6Wy8g3gyuTWDvjDMpzAKzll6tcmgcZhdpzbN553RV+nIb2hfmNut0T4sTfn== remoteadmin@linuxmgthost.company.local

At this point, you should be good to log in using SSH keys from linuxmgthost.company.local

LINUXMGTHOST:remoteadmin> ssh -l admin switch01
SWITCH01:admin> 
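
A long key pasted over a serial console can wrap or get cut off, so the following check for the manual method above is added here as an example (it is not part of the original post). It runs on the management host and assumes base64, od and cut are available; the function names check_pubkey_line and same_key and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check that a public key line is
# one intact OpenSSH key before pasting it into authorized_keys on the switch.

# Constructed sample: structurally valid ssh-rsa blob with a toy 24-bit modulus.
SAMPLE='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAABAC/qlU= remoteadmin@linuxmgthost.company.local'

# check_pubkey_line LINE: return 0 if LINE is "<type> <base64> [comment]" and
# the blob's length-prefixed fields add up exactly to the decoded size.
check_pubkey_line() {
    line=$1
    cr=$(printf '\r')
    case $line in
        *"$cr"* | *"
"*) echo "line break inside key (wrapped paste?)" >&2; return 1 ;;
    esac
    set -f; set -- $line; set +f          # split on whitespace, no globbing
    [ "$#" -ge 2 ] || { echo "expected '<type> <base64> [comment]'" >&2; return 1; }
    type=$1; blob=$2
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 ||
        { echo "blob is not valid base64" >&2; return 1; }
    hex=$(printf '%s' "$blob" | base64 -d | od -An -v -tx1 | tr -d ' \n')
    # First field inside the blob must repeat the key type from the text field.
    want=$(printf '%08x' "${#type}")$(printf '%s' "$type" | od -An -v -tx1 | tr -d ' \n')
    case $hex in
        "$want"*) ;;
        *) echo "type field does not match key blob" >&2; return 1 ;;
    esac
    # Walk every 4-byte big-endian length prefix; a cut-off paste overruns.
    total=${#hex}; pos=0
    while [ "$pos" -lt "$total" ]; do
        [ $((pos + 8)) -le "$total" ] || { echo "key blob is truncated" >&2; return 1; }
        len=$((0x$(printf '%s' "$hex" | cut -c"$((pos + 1))-$((pos + 8))")))
        pos=$((pos + 8 + 2 * len))
    done
    [ "$pos" -eq "$total" ] || { echo "key blob is truncated" >&2; return 1; }
}

# same_key A B: true if two lines carry the same type and blob (comment ignored),
# e.g. the local .pub file versus the `cat` output copied back from the switch.
same_key() {
    set -f
    a=$(set -- $1; printf '%s %s' "$1" "$2")
    b=$(set -- $2; printf '%s %s' "$1" "$2")
    set +f
    [ "$a" = "$b" ]
}

check_pubkey_line "$SAMPLE" && echo "sample key line is intact"
```

Run check_pubkey_line on the contents of the .pub file before pasting, then pass that line and the cat output from the switch to same_key to confirm nothing was lost in transit.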

Alternate keys file

I came across one pair of switches where the above didn't seem to work (same hardware version - IBM 2498-B40, same fabric OS - go figure...)
Turns out, after many hours of debugging, I finally found that the SSH daemon was looking for
~/.ssh/authorized_keys.

e.g.
/fabos/users/admin/.ssh/authorized_keys.admin

This should be the exception, not the rule, but keep it in mind if the first approach doesn't work.

Upload using sshutil

This is a much simpler method; however, it requires reverse SSH access from the switch to the management host, which is sometimes disallowed depending on security policies.

Log in to the switch as the admin user.

SWITCH01:admin> sshutil importpubkey
Enter IP address: 192.168.220.50
Enter remote directory: ~remoteadmin/.ssh
Enter public key name(must have .pub suffix):id_dsa.pub
Enter login name:remoteadmin
Password:******
public key is imported successfully.