SSH client public-key authentication
Secure Shell version 2 (SSHv2) is used by switches to provide remote access to SSH-enabled management stations. Although SSH provides Telnet-like functions, unlike Telnet, SSH provides encrypted, two-way authenticated transactions. SSH client public-key authentication is one of the types of authentication used.
Client public-key authentication uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a public key stored on the switch can gain access at the manager or operator level. For more information about how to configure and use SSH public keys to authenticate SSH clients that try to connect to the switch, see Configuring Secure Shell (SSH).
The SSH security credential that is stored in the running configuration file is configured with the
ip ssh public-key
command used to authenticate SSH clients for manager or operator access, along with the hashed content of each SSH client public key.
Syntax:
ip ssh public-key <manager|operator> keystring
Set a key for public-key authentication.
keystring
:-
A legal SSHv2 (RSA or DSA) public key. The text string for the public key must be a single quoted token. If the keystring contains double-quotes, it can be quoted with single quotes (
'keystring'
). The following restrictions for a keystring apply.-
A keystring cannot contain both single and double quotes.
-
A keystring cannot have extra characters, such as a blank space or a new line. However, to improve readability, you can add a backlash at the end of each line.
-
The
ip ssh public-key
command allows you to configure only one SSH client public key at a time. The
ip ssh public-key
command behavior includes an implicit append that never overwrites existing public-key configurations on a running switch.
If you download a software configuration file that contains SSH client publickey configurations, the downloaded public keys overwrite any existing keys, as happens with any other configured values.
To display the SSH public-key configurations (72 characters per line) stored in a configuration file, enter the
show config
or
show running-config
command. The following example shows the SSH public keys configured for manager access, along with the hashed content of each SSH client public key, that are stored in a configuration file.
SSH public keys
... include-credentials ip ssh public-key manager “ssh-dss \ AAAAB3NzaC1kc3MAAACBAPwJHSJmTRtpZ9BUNC+ZrsxhMuZEXQhaDME1vc/ \ EvYnTKxQ31bWvr/bT7W58NX/YJ1ZKTV2GZ2QJCicUUZVWjNFJCsa0v03XS4 \ BhkXjtHhz6gD701otgizUOO6/Xzf4/J9XkJHkOCnbHIqtB1sbRYBTxj3NzA \ K1ymvIaU09X5TDAAAAFQCPwKxnbwFfTPasXnxfvDuLSxaC7wAAAIASBwxUP \ pv2scqPPXQghgaTkdPwGGtdFW/+K4xRskAnIaxuG0qLbnekohi+ND4TkKZd \ EeidgDh7qHusBhOFXM2g73RpE2rNqQnSf/QV95kdNwWIbxuusBAzvfaJptd \ gca6cYR4xS4TuBcaKiorYj60kk144E1fkDWieQx8zABQAAAIEAu7/1kVOdS \ G0vE0eJD23TLXvu94plXhRKCUAvyv2UyK+piG+Q1el1w9zsMaxPA1XJzSY/ \ imEp4p6WXEMcl0lpXMRnkhnuMMpaPMaQUT8NJTNu6hqf/LdQ2kqZjUuIyV9 \ LWyLg5ybS1kFLeOt0oo2Jbpy+U2e4jh2Bb77sX3G5C0= spock@sfc.gov” \ ip ssh public-key manager ‘ssh-rsa \ AAAAB3NzaC1yc2EAAAADAQABAAAAgQDyO9RDD52JZP8k2F2YZXubgwRAN0R \ JRs1Eov6y1RK3XkmgVatzl+mspiEmPS4wNK7bX/IoXNdGrGkoE8tPkxlZOZ \ oqGCf5Zs50P1nkxXvAidFs55AWqOf4MhfCqvtQCe1nt6LFh4ZMig+YewgQG \ M6H1geCSLUbXXSCipdPHysakw== "TectiaClientKey [1024-bit rsa, \ nobody@testmachine, Mon Aug 15 2005 14:47:34]”’ ip ssh public-key manager “ssh-rsa \ AAAAB3NzaC1yc2EAAABIwAAAIEA1Kk9sVQ9LJOR6XO/hCMPxbiMNOK8C/ay \ +SQ10qGw+K9m3w3TmCfjh0ud9hivgbFT4F99AgnQkvm2eVsgoTtLRnfF7uw \ NmpzqOqpHjD9YzItUgSK1uPuFwXMCHKUGKa+G46A+EWxDAIypwVIZ697QmM \ qPFj1zdI4sIo5bDett2d0= joe@hp.com” ...
If a switch configuration contains multiple SSH client public keys, each public key is saved as a separate entry in the configuration file. You can configure up to 10 SSH client public keys on a switch.