Tuesday, 6 November 2012

Brocade ADX1000, so you want to use ssh instead of Telnet, if not you should!.

Using ssh (Version 2) instead of Telnet is a given. Telnet is dead. 

Do not use Telnet. Bad bad bad. Hope we are clear on that.

After spending way too much time searching and trying to find the answer to make ssh work, I have decided to put it here in the hope it will help someone else.

When initially configuring your Brocade ADX1000 ServerIron getting ssh to work is a lot harder than you would expect. If you have done the right thing and are using the official Brocade manuals then you will be given examples of enabling ssh using RSA keys.

This is what is in the manual.
The SSH service is not enabled by default. The SSH server starts once you configure a host RSA public and
private key pair for SSH:
ServerIronADX(config)# crypto key generate rsa
ServerIronADX(config)# write mem

This will not work. The RSA keys were used for ssh v1, but are not used by v2, they are however used by the Brocades for GSLB (Global Server load balancing) so not redundant.

Instead do the following. (Assuming you are using a console and or Telnet for initial config)

Clear off any keys you might have created bashing away trying to make ssh work, this will also disable ssh should you want to do that.
ServerIronADX(config)# crypto key zeroize rsa
ServerIronADX(config)# crypto key zeroize dsa

Create a new random seed.
 ServerIronADX(config)# crypto random-number-seed generate

Create the DSA keys (not RSA).
ServerIronADX(config)# crypto key generate dsa

Wait for it to finish, it can take 20 seconds or so after which time you will get a certificate created message. If you look in your running config the certs will be down the bottom.

Something also not present and correct in the manuals, you need to tell the ADX to check the local user’s database. Else you will enter into a fail loop of never being able to login over ssh.
ServerIronADX(config)#  aaa authentication login default local

Now you should be able to enjoy secure ssh v2 cli remote access. If ssh works, disable telnet then save your config.
ServerIronADX(config)# no telnet server
ServerIronADX# wr m

Happy secure days.