Public Key Authentication Method
The server has the public key of the user stored; using this the server creates a random value, encrypts it with the public key and sends it to the user. If the user is who is supposed to be, he can decrypt the challenge using the private key and send it back to the server, server uses the public key again to decrypt received message to confirm the identity of the user. SSH is supported in In-band (default VRF) and Out of band (management VRF). Installed keys are stored at ~/.ssh/authorized_keys file.
SSH key based authentication steps:
1. Login to remote machine linux desktop (ssh client) and generate the key pair using the command “ssh-keygen”.
2. Create username in OCNOS switch device (ssh server).
3. Install the public key of remote Linux ssh client in OCNOS device.
4. Display the installed key in OCNOS device using “show running-config”.
5. Login from remote Linux ssh client to OCNOS device without providing password.
Useful commands on Remote Desktop Client
#ssh-keygen | To generate key pair on remote Linux machine (ssh client) |
#cd /bob/.ssh/ | To go to the location of saved key pair |
#cat id_rsa.pub | Command to display the generated public key in remote Linux client |
Configuration commands in OCNOS
#configure terminal | Enter configure mode. |
#feature ssh vrf management | Enable the SSH feature on vrf management. To enable in default vrf give the command “feature ssh” |
#username fred | To create username with default role as network-user. To create user with different role specify role using command “username <username> role <role_name> |
#username fred sshkey ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6yY6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1UUxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyIcwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw16Cy3csoTncw0vyXV bob@localhost.localdomain | Install the public key of remote Linux client in ocnos device. |
#exit | Exit configuration mode |
Validation
The new cipher encryption algorithm takes effect for a new incoming ssh client connection.
#show running-config
<skipped other content>
feature ssh vrf management
username fred role network-user
username fred sshkey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6yY6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1UUxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyIcwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw16Cy3csoTncw0vyXV bob@localhost.localdomain
<skipped other content>
OCNOS#show running-config ssh server
feature ssh vrf management
SSH Key based Client Session
#ssh fred@10.10.26.186 | Specify user name and ip address to access the device. Supports IPv4 and IPv6.User should be able to access without password and through key based authentication |
Last modified date: 08/28/2023