Creating a client public-key text file

These steps describe how to copy client public keys into the switch for challenge-response authentication, and require an understanding of how to use your SSH client application.
A client public key
NOTE:

Comments in public-key files may appear in a SSH client application's generated public key. While such comments may help to distinguish one key from another, they do not pose any restriction on the use of a key by multiple clients and/or users.

Public key illustrations such as the key shown in A client public key

usually include line breaks as a method for showing the whole key. However, in practice, line breaks in a public key will cause errors resulting in authentication failure.

Procedure
  1. Use your SSH client application to create a public/private key pair, and see the documentation provided with your SSH client application for details. The switch supports the following client public-key properties:

    Property

    Supported value

    Comments

    Key format

    ASCII

    See Providing the switch public key to clients. The key must be one unbroken ASCII string. If you add more than one client public key to a file, terminate each key (except the last one) with a <CR><LF>. Spaces are allowed within the key to delimit the key's components. Note that, unlike the use of the switch public key in an SSH client application, the format of a client public key used by the switch does not include the client's IP address.

    Key type

    RSA or DSA

    You can choose either RSA or DSA key types when using the crypto key generate ssh command. The cert parameter only use RSA key type.

    Maximum supported public-key length

    3072 bits

    Shorter key lengths allow faster operation, but also mean diminished security.

    Maximum host key sizes in bits

    RSA:1024, 2048, 3072DSA:1024

    Includes the bit size, public index, modulus, any comments,<CR>, <LF>, and all blank spaces.

    If necessary, you can use an editor application to verify the size of a key. For example, placing a client public key into a Word for Windows text file and clicking on File|Properties|Statistics lets you view the number of characters in the file, including spaces.

  2. Copy the client's public key into a text file (filename.txt). For example, use the Notepad editor included with the Microsoft® Windows® software. If you want several clients to use client public-key authentication, copy a public key for each of these clients (10) into the file. Each key should be separated from the preceding key by a <CR><LF>.
  3. Copy the client public-key file into a TFTP server accessible to the switch.

    Copying a client public key into the switch requires the following:

    • One or more client-generated public keys. See the documentation provided with your SSH client application.

    • A copy of each client public key stored in a single text file or individually on a TFTP server to which the switch has access. Terminate all client public keys in the file except the last one with a <CR><LF>.

NOTE:

The actual content of a public-key entry in a public-key file is determined by the SSH client application generating the key. Although you can manually add or edit any comments the client application adds to the end of the key.

Syntax: 


copy <tftp|sftp> pub-key-file <ip-address> <filename>[<append|manager|operator>]


copy <tftp|sftp> pub-key-file <ip-address> <filename>[<append|manager|operator>][oobm]

Copies a public-key file from a TFTP server into flash memory in the switch.

The append option adds the keys for operator access.

The manager option replaces the keys for manager access; follow with the 'append' option to add the keys.

The operator option replaces the keys for operator access (default); follow with the 'append' option to add the keys.

The oobm option specifies that the traffic will go through the out-of-band management interface. If this option is not specified, the traffic goes through the data interface. 


show crypto client-public-key [<manager|operator>][keylist-str][babble|fingerprint]

Displays the client public keys in the switch current client public-key file.

See SSH client public-key authentication for information about public keys saved in a configuration file.

The babble option converts the key data to phonetic hashes that are easier for visual comparisons.

The fingerprint option converts the key data to hexadecimal hashes that are for the same purpose.

The keylist-str selects keys to display (comma-delimited list).

The manager option allows you to select manager public keys

The operator option allows you to select operator public keys.

NOTE: Command copy usb pub-key file or SFTP can also be used to copy a public key file to the switch.

Copying and displaying a client public-key file containing two different client public keys for the same client

To copy a client public-key file named clientkeys.txt from a TFTP server at 10.38.252.195 and then display the file contents: