Configuration Guide Vol. 1


11.2.3 Settings for using public key authentication for user authentication

<Structure of this section>

(1) When transferring the user public key

This section explains how to register, in the SSH server of the Switch, a user public key taken from a key pair created on the client, and how to perform public key authentication with it.

Points to note

Create the user public key file on the client and transfer it to the Switch in advance. Although ftp can be used to transfer user public keys, we recommend the more secure SCP or SFTP.

This section describes an SSHv2 DSA user public key in SECSH format, but SSHv2 RSA and ECDSA user public keys, as well as user public keys in OpenSSH and SSHv1 formats, can be registered in the same way.

Command examples

  1. (config)# ip ssh authentication publickey

    Allow only public key authentication as the user authentication method.

  2. (config)# ip ssh authkey staff client-v2 load-key-file /usr/home/staff/id_dsa_1024_a.pub

    Read the SSHv2 user public key of user staff from the file (/usr/home/staff/id_dsa_1024_a.pub) transferred beforehand. Here the name of this key (index name) is set to client-v2. The contents of the user public key are stored in the configuration.

Notes

Do not create a directory named .ssh under the user's home directory, and do not transfer, copy, or generate files under the .ssh directory.

The .ssh directory is automatically created and used by the SSH server of the Switch. Any file the user places there is deleted or overwritten.

(2) Directly entering SSHv2 user public key (SECSH format)

To perform public key authentication, register in the SSH server of the Switch a user public key taken from a key pair created on the client.

Create the user public key in SECSH format on the client in advance. When you enter the content of the SECSH-format user public key with the ip ssh authkey command, enter only the key part, excluding the headers (such as the Comment: header), the start marker, the end marker, and line feed codes. The following figure shows the part of the user public key (SECSH format) that is entered.

Figure 11-11 SSHv2 user public key (SECSH format) input part


Points to note

Here, the user public key is registered by entering the content of the user public key file directly with the ip ssh authkey command.

An SSHv2 DSA user public key in SECSH format is explained here, but SSHv2 RSA and ECDSA user public keys can be registered in the same way.

Command examples

  1. (config)# ip ssh authkey staff client-v2 "AAAAB3NzaC..S+9zkdi7k="

    Enter the content of the user public key (SECSH format) of user staff, created in advance by the SSHv2 client. Enclose it in double quotation marks (") so that no line break occurs in the middle. Here the name (index name) of this user public key is set to client-v2.

Notes

A user public key in SECSH format spans several lines, so remove all line breaks to make it a single line. Also, do not include spaces in the converted user public key portion, because a blank space is interpreted as the start of a comment.

(3) Directly entering SSHv2 user public key (OpenSSH key)

To perform public key authentication, register in the SSH server of the Switch a user public key taken from a key pair created on the client.

Create the user public key in OpenSSH format on the client in advance. When you enter the content of the user public key with the ip ssh authkey command, enter the whole line without its line feed and without removing the leading "ssh-rsa", "ecdsa-sha2-nistpXXX", or "ssh-dss". The figure below shows the part of the user public key (OpenSSH key) that is entered.

Figure 11-12 Input part of the SSHv2 user public key (OpenSSH key)


Points to note

Here, the user public key is registered by entering the content of the user public key file directly with the ip ssh authkey command.

This section describes an OpenSSH SSHv2 RSA user public key, but SSHv2 DSA and ECDSA user public keys can be registered in the same way.

Command examples

  1. (config)# ip ssh authkey staff client-O "AAAAB..n5hE= staff@OpenSSH-Client"

    Enter the SSHv2 user public key (OpenSSH format) of user staff, created in advance, enclosed in double quotation marks ("). Here the name (index name) of this user public key is set to client-O.
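As an added example, not part of this guide or of the Switch's software, the following Python applies the entry rules from (2) and (3): it reduces a SECSH-format public key file to its key part on one line, and checks that an OpenSSH-format line keeps its leading key type and encodes the type it claims. The DSA blob is constructed with dummy integers and is not a usable key.

```python
import base64
import struct

def ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b

# Constructed sample: correct wire layout (type, then DSA p, q, g, y) but dummy integers.
DSS_BLOB = ssh_string(b"ssh-dss") + b"".join(
    ssh_string(v) for v in (b"\x7f", b"\x03", b"\x05", b"\x11" * 64))

def blob_type(blob: bytes) -> str:
    """Return the key type string encoded at the start of a public key blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()

def to_secsh(blob: bytes, comment: str) -> str:
    """Write a blob as a client writes a SECSH (RFC 4716) .pub file: markers, header, folded base64."""
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"',
                      *body, "---- END SSH2 PUBLIC KEY ----"]) + "\n"

def secsh_to_authkey(text: str) -> str:
    """Keep only the key part of a SECSH file: drop markers, headers (Name: value,
    continued on the next line if it ends in a backslash) and all line breaks."""
    key_lines, in_header = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("----"):          # BEGIN / END marker
            continue
        if in_header or ":" in line:         # header or its continuation
            in_header = line.endswith("\\")  # (base64 never contains ':')
            continue
        key_lines.append(line)
    key = "".join(key_lines)
    if " " in key or not base64.b64decode(key, validate=True):
        raise ValueError("key part must be contiguous base64 with no spaces")
    return key

def openssh_to_authkey(line: str) -> str:
    """An OpenSSH public key is already one line, '<type> <base64> [comment]': keep the
    leading type, drop only the line feed, and confirm the blob encodes that type."""
    fields = line.rstrip("\r\n").split(" ", 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    if blob_type(base64.b64decode(fields[1], validate=True)) != fields[0]:
        raise ValueError(f"blob does not encode a {fields[0]} key")
    return " ".join(fields)
```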

(4) Directly entering SSHv1 user public key

To perform public key authentication, register in the SSH server of the Switch a user public key taken from a key pair created on the client.

Create an SSHv1 user public key in advance. The following figure shows the part of the user public key that is entered.

Figure 11-13 Input portion of the SSHv1 user public key


Points to note

Here, the user public key is registered by entering the content of the user public key file directly with the ip ssh authkey command.

Command examples

  1. (config)# ip ssh authkey staff client-v1 "1024 37 14753..31397 staff@client"

    Enter the SSHv1 user public key of user staff, created beforehand, enclosed in double quotation marks (") so that there is no line feed in the middle. Here the name (index name) of this user public key is set to client-v1.