[GH-ISSUE #419] Arista - Add ssh key on a switch with "from" pattern #110

Closed
opened 2026-05-07 00:19:04 +02:00 by BreizhHardware · 1 comment

Originally created by @gotakasan on GitHub (Sep 21, 2023).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/419

Hello,

I'm trying to add an ssh key on my Arista switch. But because of the "from=IP" pattern (I guess it's because of that), it's impossible to add the server on my Bastion.

Have you ever experienced something similar (with Arista or maybe another network equipment) and found a solution?

Here is my Arista output:

```
my-arista-switch(config)#show user-account
user: my-arista-user
       role: network-admin
       privilege level: 1
       ssh public key: from="MY.BASTION.IP.ADDRESS" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzsRpNwz6ILKrrVzEHtk43qfpJYEHkHF/F73KxJdfU+pjIYLrwmgumEzvqCfFIQDoiYnRelQkRmi24+a/p3Uz9FNH5BpTuv+MXplIgyiO9dH/6o1vdMwwY+cSEAmZ4WGPApbQyuM9T343HFXFg5/rGTgL6MfMQVA0TZEq3UzDZKuYEqUDHNRLxK8sKZBu28mI79msQQ1CeErf/pv+0l9Kx5CKE1LSelpCPb2A68LxgXD32axl9SB0epmIzGvR8QXyqGPMqX7W3Pdl1M6qLXkihuqxvbUNzuNrWyB98zm4oij8IMUn/iWicgFXdY5TNf21NuAR+YcIlxPlBnKQ+44S7
```

Bastion output:

```
my-bastion-user@my-bastion-host(master)> groupAddServer --group network-rsa --host my-arista-switch --port 22 --user my-arista-user
╭──my-bastion-host────────────────────────────────────────the-bastion-3.11.00───
│ ▶ adding a server to a group
├───────────────────────────────────────────────────────────────────────────────
│ Testing connection to admin@MY.SWITCH.IP.ADDRESS, please wait...
Warning: Permanently added 'MY.SWITCH.IP.ADDRESS' (ED25519) to the list of known hosts.

my-arista-user@MY.SWITCH.IP.ADDRESS: Permission denied (publickey,keyboard-interactive).
│ Note: if you still want to add this access even if it doesn't work, use --force
│
│ ⛔ Couldn't connect to my-arista-user@MY.SWITCH.IP.ADDRESS (ssh returned error 255). Hint: did you add the proper public key to the remote's authorized_keys?
╰───────────────────────────────────────────────────────────</groupAddServer>───
```

Thanks!


@speed47 commented on GitHub (Sep 25, 2023):

Hello @gotakasan,

It's extremely probable that the network device doesn't parse the "from" header properly, as you suspect. I would expect it to have rejected your key if that was the case, but maybe the validity of the key is not checked on input. You might have to add it again but without the "from" prefix. As long as you have configured proper ACL on your Arista so that connections using SSH are only allowed from your bastion cluster, omitting the "from" is not a problem.
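
An added example, not part of the original issue or of The Bastion's code: before re-adding the key without the "from" prefix, this sketch splits an OpenSSH authorized_keys-style line into its options field and the bare key, and checks that the base64 blob is well formed and names the same algorithm as the key type. The function names are hypothetical, the sample key is a constructed all-zero ed25519 blob, and the addresses are documentation addresses.

```python
import base64
import struct

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # key-type names, never option names

def split_options(line):
    """Return (options, rest). Per sshd(8), options contain no spaces
    except inside double quotes, so the first unquoted space ends them."""
    in_quotes, i = False, 0
    while i < len(line):
        if in_quotes and line[i] == "\\" and line[i + 1:i + 2] == '"':
            i += 2  # escaped quote inside a quoted value
            continue
        if line[i] == '"':
            in_quotes = not in_quotes
        elif line[i] in " \t" and not in_quotes:
            return line[:i], line[i:].strip()
        i += 1
    return line, ""

def parse_entry(line):
    """Split one authorized_keys-style line and sanity-check the key blob."""
    line = line.strip()
    options, rest = ("", line) if line.startswith(KEY_PREFIXES) else split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_PREFIXES):
        raise ValueError("no key type found after the options field")
    key_type, blob_b64 = parts[0], parts[1]
    blob = base64.b64decode(blob_b64, validate=True)  # ValueError on bad base64
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("algorithm inside the blob does not match the key type")
    return {"options": options, "bare_key": f"{key_type} {blob_b64}"}

def constructed_blob():
    # Constructed sample: well-formed ssh-ed25519 blob with an all-zero key.
    name = b"ssh-ed25519"
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(32)
    return base64.b64encode(raw).decode()

SAMPLE_KEY = "ssh-ed25519 " + constructed_blob()
# Constructed line; 192.0.2.0/24 is a documentation range, not a real bastion.
SAMPLE_LINE = 'from="192.0.2.10,192.0.2.11",no-pty ' + SAMPLE_KEY + " bastion-egress"

if __name__ == "__main__":
    entry = parse_entry(SAMPLE_LINE)
    print("options :", entry["options"])
    print("bare key:", entry["bare_key"])
```

The `bare_key` value is what would be entered on a device that only accepts the key type and blob; the source restriction the `from` option expressed then has to be enforced by the device's ACL, as the comment above says.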
