Boundary Enterprise is unable to initiate an SSH Type connection with the F5 equipment

Hello everyone,

I’m attempting to establish an SSH connection to F5 equipment via Boundary, but encountering issues.

Using Generic TCP, directly typing the password successfully establishes the connection. However, attempts to connect via SSH result in an error. I’ve tried both Vault Credential Store and Static Credential Store.

The direct connection from the VM where the worker is located to the F5 equipment was successful. Additionally, SSH connections to regular VMs (Ubuntu, CentOS, etc.) are successful, indicating that it’s not a simple issue with the Boundary setup.

Below is the log output when attempting to connect to F5 equipment via Boundary SSH:

Boundary Worker Log:

{"id":"SoK7e6jAhk","source":"https://hashicorp.com/boundary/tfe/worker","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"worker.(Worker).handleProxy","data":{"msg":"session successfully activated","session_id":"s_38t5PTiZBf"}},"datacontentype":"application/cloudevents","time":"2024-05-02T13:42:48.171631464Z"}
{"id":"ewAwgpoiIM","source":"https://hashicorp.com/boundary/tfe/worker","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"worker.(Worker).handleProxy","data":{"connection_id":"sc_Lga9GJQ4GD","msg":"connection successfully authorized","session_id":"s_38t5PTiZBf"}},"datacontentype":"application/cloudevents","time":"2024-05-02T13:42:48.201844973Z"}
{"id":"Tz7XISrWoT","source":"https://hashicorp.com/boundary/tfe/worker","specversion":"1.0","type":"error","data":{"error":"error creating ssh client: unable to authenticate, attempted 1 credential: 1 error occurred:\n\t* ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain\n\n","error_fields":{},"id":"e_IMg27ymxax","version":"v0.1","op":"worker.(Worker).handleProxy"},"datacontentype":"application/cloudevents","time":"2024-05-02T13:42:48.490366525Z"}
{"id":"w5UHRuPXUr","source":"https://hashicorp.com/boundary/tfe/worker","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"worker.(Worker).handleProxy","data":{"connection_id":"sc_Lga9GJQ4GD","msg":"connection closed","session_id":"s_38t5PTiZBf"}},"datacontentype":"application/cloudevents","time":"2024-05-02T13:42:48.506078682Z"}

Output from Boundary Client when attempting SSH connection:

Connection closed by 127.0.0.1 port 51441

Output from Boundary CLI when attempting SSH connection:

ssh_exchange_identification: Connection closed by remote host

F5 equipment’s journalctl:

May 02 22:42:48 PoCL4-1_r4600.com sshd[30614]: OpenSSL is initialized in FIPS mode.
May 02 22:42:48 PoCL4-1_r4600.com sshd[30614]: Connection closed by xx.xx.xxx.x(Worker VM IP) port 34786 [preauth]

What could be the possible cause?

Please let me know if you need any additional information.

Thank you.

Hey @dw.won,

I assume you are using a username/password pair for the ssh target since you mentioned using the static credential store. Note that the password authentication method is different than the keyboard-interactive method that would be used with the manual test you described. A quick way to validate if the server accepts password would be to add -v to the ssh command you manually validated works and look for the debug line similar to

debug1: Authentications that can continue:

If password is not there you will need to update the sshd_config to include PasswordAuthentication yes


Hello @louisruch,

When I included the PasswordAuthentication yes you suggested, the problem was solved. I confirmed that the keyboard-interactive method works, so I didn’t check that part. But I found out that the two methods use different methods.

Thank you!

@dw.won - Where did you include "PasswordAuthentication yes": on the worker or on the F5?

Hi @richard3,

I included PasswordAuthentication yes on the F5 equipment and restarted sshd.

@dw.won - Thanks, hitting exactly the same issue but the network appliance we have doesn’t allow us to make any changes to the SSH config.

@louisruch - Any other ideas on how we can fix this?

@richard3 the only alternative if you cannot update the sshd_config on the target machine would be to use an available authentication method such as a static private key or signed certificate.
See "Inject SSH credentials with HCP Boundary" and "SSH certificate injection with HCP Boundary" on HashiCorp Developer.
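
The check suggested in the first reply, and the fallback named in the last one, as an added example that is not part of the thread or any poster's code: it reads the "Authentications that can continue" line from `ssh -v` output and reports whether the target advertises password or only publickey. The function names (offered_methods, has_method, boundary_advice, probe) and the sample output are constructed for illustration, and probe assumes the target's host key is already in known_hosts.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample of `ssh -v` client output from a server that offers
# keyboard-interactive but not password, the situation described in the thread.
SAMPLE_KBD_ONLY='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey'

# Read `ssh -v` output on stdin; print the first advertised method list.
offered_methods() {
    sed -n 's/^debug1: Authentications that can continue: *//p' | head -n 1 | tr -d '\r '
}

# has_method LIST NAME: exact match within a comma-separated list,
# so "keyboard-interactive" never counts as "password".
has_method() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Map the advertised list to the credential types discussed in the thread.
boundary_advice() {
    if has_method "$1" password; then
        echo "password offered: username/password credentials can work"
    elif has_method "$1" publickey; then
        echo "no password method: use an SSH private key or signed certificate"
    else
        echo "neither password nor publickey offered"
    fi
}

# probe USER HOST: query a live server without sending any credential.
# Assumes the host key is already in known_hosts (BatchMode never prompts).
probe() {
    ssh -v -o BatchMode=yes -o PreferredAuthentications=none \
        -o ConnectTimeout=5 "$1@$2" true 2>&1 | offered_methods
}

# Demo on the constructed sample (runs offline).
methods=$(printf '%s\n' "$SAMPLE_KBD_ONLY" | offered_methods)
echo "offered: $methods"
boundary_advice "$methods"
```

Run probe from the worker VM rather than a workstation, since the worker is the host that opens the SSH connection to the target.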