How to enable SSH public-key authentication in switches and import the client key

We assume that SSH/SCP has been enabled. (See this link)

HP ProCurve Switches 

We first have to enable SSH public-key authentication on the switch. For HP ProCurve we use these commands:

# aaa authentication ssh login public-key none
# show authentication

Then we need to upload the client's public key to the switch. Assuming that we are using a Linux SSH client, we generate the key pair with the command “ssh-keygen”.

This generates a key pair in /root/.ssh; the public key, id_rsa.pub, must be uploaded to the switch.

Assuming that SCP has been enabled on the switch and the username “admin” has privileged permission, this can be done from the Linux server:

# scp  -P xxxx  /root/.ssh/id_rsa.pub      admin@199.x.x.xx:/ssh/mgr_keys/authorized_keys    (This will ask for password)

# scp  -P xxxx   /root/.ssh/id_rsa.pub      admin@199.x.x.xx:/ssh/oper_keys/authorized_keys    (This should not ask for password)

————————————————————————–

Brocade Switches 

For the Brocade FCX the public key can be uploaded only via TFTP: the file id_rsa.pub must be copied to a TFTP server and then uploaded to the switch.

# ip ssh key-authentication yes
# ip ssh interactive-authentication yes
# ip ssh pub-key-file tftp 208.x.x.xx  id_rsa.pub
# show ip ssh config

However, after multiple attempts to upload the client public key, it still failed, as shown here:

#show ip ssh config
SSH server                 : Enabled
SSH port                   : tcp\xxxx
Host Key                   :  RSA 1024
Encryption                 : AES-256, AES-192, AES-128, 3-DES
Permit empty password      : No
Authentication methods     : Password, Public-key, Interactive
Authentication retries     : 3
Login timeout (seconds)    : 120
Idle timeout (minutes)     : 20
Strict management VRF      : Disabled
SCP                        : Enabled
SSH IPv4 clients           : All
SSH IPv6 clients           : All
SSH IPv4 access-group      :
SSH IPv6 access-group      :
SSH Client Keys            :

# ip ssh pub-key-file remove

Removing public key , please wait… Public key file not found

Therefore we use the alternative method: create a user with low privilege and pass the password in the backup script using “expect”. This is explained in more detail in the corresponding KB.

——————————————————————-

Dell PowerConnect 6224/6248

SSH login authentication has to be changed to none. However, if we use public-key authentication it does not enter privileged mode.

# crypto key pubkey-chain ssh
# user-key “admin” rsa
# key-string row  AAAAB3NzaC1yc2EAAAABIwAAAQEAx2Myr29TwwHhKLFQFxP …..USL1olNyhRw==
# exit
# exit
# ip ssh pubkey-auth
# line ssh
(config-ssh)#login authentication defaultList

switch18#show authentication methods

Login Authentication Method Lists
———————————
defaultList         :  none
networkList         :  local

Enable Authentication Method Lists
———————————-
enableList          :  none

Line     Login Method List    Enable Method List
——-  —————–    ——————
Console  defaultList          enableList
Telnet   networkList          enableList
SSH      networkList          enableList

HTTPS       :local HTTP        :local
DOT1X       :

Dell N4032

# crypto key pubkey-chain ssh user-key admin rsa
# key-string row  AAAAB3NzaC1yc2EAAAABIwAAAQEAx2Myr29TwwHhKL ….. xKW3UaQj6ll1rXj8ASY3+OUSL1olNyhRw==
# exit
# ip ssh pubkey-auth
# line ssh
(config-ssh)# login authentication defaultList

# show authentication methods

Login Authentication Method Lists
———————————
defaultList         :  none
networkList         :  local

Enable Authentication Method Lists
———————————-
enableList          :  enable   none
enableNetList       :  enable

Line     Login Method List    Enable Method List
——-  —————–    ——————
Console  defaultList          enableList
Telnet   networkList          enableList
SSH      networkList          enableList

HTTPS       :local HTTP        :local
DOT1X       :

However, after importing the key, public-key authentication still fails. Therefore we use the alternative method: create a user with low privilege and pass the password in the backup script using “expect”. This is explained in more detail in the corresponding KB.
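As an added check (example code, not part of this KB or of any vendor tool), the helper below reads the "show ip ssh config" output quoted in the Brocade section and the "show authentication methods" line table quoted in the Dell sections and reports whether public-key login is actually in a usable state: on Brocade the Public-key method must be enabled AND the "SSH Client Keys" field must be non-empty (it was empty in the failed import above); on Dell it reports which login method list is really bound to the SSH line. The sample outputs are constructed from the listings above.

```python
# Constructed sample: Brocade 'show ip ssh config' after the failed key import,
# abbreviated to the fields this check reads. Note the empty 'SSH Client Keys'.
BROCADE_SAMPLE = """SSH server                 : Enabled
Authentication methods     : Password, Public-key, Interactive
SCP                        : Enabled
SSH Client Keys            :
"""

# Constructed sample: Dell 'show authentication methods' line table.
DELL_SAMPLE = """Line     Login Method List    Enable Method List
-------  -----------------    ------------------
Console  defaultList          enableList
Telnet   networkList          enableList
SSH      networkList          enableList
"""


def parse_kv(output):
    """Turn 'Key : value' lines into a dict; a missing value becomes ''."""
    fields = {}
    for line in output.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def brocade_pubkey_ready(output):
    """True only if Public-key is an enabled method AND a client key is loaded."""
    fields = parse_kv(output)
    methods = [m.strip() for m in fields.get("Authentication methods", "").split(",")]
    return "Public-key" in methods and fields.get("SSH Client Keys", "") != ""


def dell_ssh_login_list(output):
    """Return the login method list bound to the SSH line, or None if absent."""
    for line in output.splitlines():
        cols = line.split()
        if len(cols) == 3 and cols[0] == "SSH":
            return cols[1]
    return None


if __name__ == "__main__":
    print("Brocade public-key usable:", brocade_pubkey_ready(BROCADE_SAMPLE))
    print("Dell SSH line uses login list:", dell_ssh_login_list(DELL_SAMPLE))
```

Run it against the real CLI output (pasted into a file or captured over SSH) after each import attempt; a False result on Brocade means the key file never landed, whatever the configured methods say.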

——————————————————————–

Vyatta Routers

First we define a user with privilege level “operator” and then we upload the public key from the Linux server.

vyatta# set system login user admin_ro authentication plaintext-password xxxxx

vyatta# set system login user admin_ro level ‘operator’

vyatta# loadkey admin_ro scp://root@208.x.x.x/root/.ssh/id_rsa.pub

vyatta# commit

vyatta# save

vyatta# show system login

The Linux commands for the automation script are as follows:

scp  -P xxxx admin_ro@199.x.x.x:/config/config.boot    /root/Switch_Config_Backups/Router0_Config &> /dev/null

scp  -P xxxx  admin_ro@199.x.x.x:/config/config.boot    /root/Switch_Config_Backups/Router1_Config &> /dev/null