OcNOS SP : System Management Guide : Remote Device Connect Configuration : SSH Client Server Configuration
SSH Client Server Configuration
Overview
SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. SSH was designed as a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plain text, rendering them susceptible to packet analysis.[2] The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user.
SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding TCP ports and X11 connections; it can transfer files using the associated SFTP or SCP protocols. SSH uses the client- server model
TCP port 22 is assigned for contacting SSH servers. This document covers the SSH server configuration to enable SSH service and key generation and SSH client configuration for remote login to server.
Note: For In-Band Management over Custom VRF, refer to In-band Management over Custom VRF.
In-band Management over Default VRF
OcNOS supports SSH over the default and management VRFs via the in-band management interface and out-of-band management interfaces, respectively.
SSH can run on the default and management VRFs simultaneously. By default, it runs on the management VRF.
SSH Configuration
SSH is performed with IPv4 and IPv6 addresses.
IPv4 Address Configuration
Topology
 
SSH sample topology
Basic Configuration
 
#configure terminal
Enter configure mode
(config)#ssh login-attempts 2 vrf management
Set the number of login attempts to 2
(config)#commit
 
 
Commit the candidate configuration to the running configuration
(config)#exit
Exit configure mode
Validation
#show ssh server
ssh server enabled port: 22
authentication-retries 2
 
#show running-config ssh server
feature ssh vrf management
ssh login-attempts 2 vrf management
SSH Client Session
When the device acts as an SSH client, it supports both SSH IPv4 sessions to log into the remote machine.
 
#ssh root@10.10.10.1 vrf management
Log into remote machine using an IPv4 address
SSH Keys
Use the ssh key command to generate new RSA/DSA keys for the SSH server. By default, the system has RSA/DSA public/private key pair placed in /etc/ssh/. If you want to regenerate RSA keys, you must specify the force option.
Configuration
 
#ssh keygen host rsa vrf management
Specify the force option to regenerate SSH RSA keys. This option overwrites the existing key.
Validation
#sh ssh key
****************RSA KEY********************
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMuVc0jpNgMyNzaqzIELX6LlsaK/1q7pBixmwHAGDsZm/dClTLb18AIB27W68YD8k0+Yw0LR0rHuPtNeSFMEsMaQxsaLkSi7yg86xSJaqgLQTyOUTS/OC9hreXkJ73ay
n0yXa8+bre0oyJq1NWxAI9B1jEhfSSAipoDSp/dmc93VJyV+3hgy1FMTAheyebQaUVeLBEMH7siRlSfyo7OHsBYSF6GzAmSuCm6PAelpHm/3L4gChcnPL+0outQOifCSLdUOXEZhTFXrzC61l+14LGt8pR6YN+2uEnU6kq1i
aDLEffIWK4dWCp67JUIef1BTOvxRurpssuRdslhJQXDFaj
bitcount: 2048 fingerprint: a4:23:5d:8a:5a:54:8b:3e:0b:38:06:79:82:e9:83:48
**************************************
****************DSA KEY********************
ssh-dsa AAAAB3NzaC1kc3MAAACBALpY6MFhFPYI+VcAHzHppnwVnNXv9oR/EGHUM50BBqdQE1Qi1mlt1rft4oa4tYR46P4gazKnnNfVE/97FwEbCZaXaz9Wzfcfa3ALtsvGdyNQQk2BebYiRnmeWnS3wGV0M/D64bAiV0
2p/LyF6D0ygMnZ3up3ttTN5QfHeyYQtwyzAAAAFQD+k6wQyr51IhXIQSsQD8by8qxjUwAAAIB0LxP3ljnfzxEXyEkNNzlxCcJ7ZZkFYUmtDJxRZlDceuSf4QipMrQVrdrgdqZNhrUiDWM/HaCMO9LdEQxfPh5TaIwPyccngn
VUS83Tx577ofBW6hellTey3B3/3I+FfiGKUXS/mZSyf5FW3swwyZwMkF0mV0SRCYTprnFt5qx8awAAAIEAjDNqMkyxUvB6JBqfo7zbGqXjBQmJ+dE8fGjI2znlgq4lhYcMZJVNwTiydDIgMVNFfKc1dAT3zr6qMZfGv56EbK
1qUu103K5CF44XfVkYNcHJV+/fcfAJasGU8W6oSbU5Q08abyMsIGRYTurOMkRhvif6sxvieEpVnVK2/nPVVXA=
bitcount: 1024 fingerprint: d9:7a:80:e0:76:48:20:72:a6:5b:1c:67:da:91:9f:52
**************************************
 
Note: The newly created rsa/dsa key can be verified by logging into the device from a remote machine and checking whether the newly created key's fingerprint matches with the logging session fingerprint.
IPv6 Address Configuration
SSH is performed with IPv6 IP and verified by logging in on remote PC.
Topology
Figure 2-13 shows the sample configuration of SSH.
SSH Configuration topology
DUT
 
#configure terminal
Enter configure mode
(config)#ssh login-attempts 2 vrf management
Set the number of login attempts to 2
(config)#commit
 
 
Commit the candidate configuration to the running configuration
(config)#exit
Exit configure mode
Validation
#show ssh server ssh server
ssh server enabled port: 22
authentication-retries 2
 
#show running-config ssh server
feature ssh vrf management
ssh login-attempts 2 vrf management
SSH Client Session
When the device acts as an SSH client, it supports both SSH IPv6 sessions to log into the remote machine.
 
#ssh root@2001::1 vrf management
Log into remote machine using an IPv6 address
SSH Keys
Use the SSH key command to generate new RSA/DSA keys for the SSH server. By default, the system has RSA/DSA public/private key pair placed in /etc/ssh/. If you want to regenerate RSA keys, you must specify the force option.
 
#ssh keygen host rsa vrf management
Specify the force option to regenerate SSH RSA keys. This option overwrites the existing key.
Validation
#sh ssh key ****************RSA KEY********************
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMuVc0jpNgMyNzaqzIELX6LlsaK/ 1q7pBixmwHAGDsZm/ dClTLb18AIB27W68YD8k0+Yw0LR0rHuPtNeSFMEsMaQxsaLkSi7yg86xSJaqgLQTyOUTS/ OC9hreXkJ73ay n0yXa8+bre0oyJq1NWxAI9B1jEhfSSAipoDSp/ dmc93VJyV+3hgy1FMTAheyebQaUVeLBEMH7siRlSfyo7OHsBYSF6GzAmSuCm6PAelpHm/ 3L4gChcnPL+0outQOifCSLdUOXEZhTFXrzC61l+14LGt8pR6YN+2uEnU6kq1i aDLEffIWK4dWCp67JUIef1BTOvxRurpssuRdslhJQXDFaj bitcount: 2048 fingerprint: a4:23:5d:8a:5a:54:8b:3e:0b:38:06:79:82:e9:83:48 **************************************
****************DSA KEY********************
ssh-dsa AAAAB3NzaC1kc3MAAACBALpY6MFhFPYI+VcAHzHppnwVnNXv9oR/ EGHUM50BBqdQE1Qi1mlt1rft4oa4tYR46P4gazKnnNfVE/ 97FwEbCZaXaz9Wzfcfa3ALtsvGdyNQQk2BebYiRnmeWnS3wGV0M/D64bAiV0 2p/ LyF6D0ygMnZ3up3ttTN5QfHeyYQtwyzAAAAFQD+k6wQyr51IhXIQSsQD8by8qxjUwAAAIB0LxP3ljn fzxEXyEkNNzlxCcJ7ZZkFYUmtDJxRZlDceuSf4QipMrQVrdrgdqZNhrUiDWM/ HaCMO9LdEQxfPh5TaIwPyccngn VUS83Tx577ofBW6hellTey3B3/3I+FfiGKUXS/ mZSyf5FW3swwyZwMkF0mV0SRCYTprnFt5qx8awAAAIEAjDNqMkyxUvB6JBqfo7zbGqXjBQmJ+dE8fG jI2znlgq4lhYcMZJVNwTiydDIgMVNFfKc1dAT3zr6qMZfGv56EbK1qUu103K5CF44XfVkYNcHJV+/ fcfAJasGU8W6oSbU5Q08abyMsIGRYTurOMkRhvif6sxvieEpVnVK2/nPVVXA= bitcount: 1024 fingerprint: d9:7a:80:e0:76:48:20:72:a6:5b:1c:67:da:91:9f:52 **************************************
SSH Encryption
The Secure Shell (SSH) management uses various algorithms in the security mechanisms such as key exchange (KEX), message authentication code (MAC), and encryption (Cipher) for security and flexibility. As part of the security enhancement, additional SSH management algorithms are added into KEX, MAC, and encryption methods.
The security encryption algorithms used in SSH are enhanced to enable the users to use preferable (including weaker algorithms) security mechanisms (for legacy SSH clients) if they want to use them in their network apart from the default cipher algorithms. The default SSH configurations do not use these weaker encryption cipher algorithms due to security priority.
However, OcNOS allows the users to enable or disable the desired algorithms option using the following newly introduced commands.
Note:  
If the user wishes to modify these defaults, they can reconfigure them with the desired algorithms. For instance, by default, the following algorithms are applied: "chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr." To remove any of these algorithms, the user must explicitly reconfigure the necessary algorithms, such as using the command: ssh server algorithm encryption aes256-gcm@openssh.com,aes128-gcm@openssh.com.
Feature Characteristics
Following are the currently supported encryptions in the SSH session.
Provides flexibility to user to add or remove the desired SSH encryption algorithms for the following encryption methods.
KEX
MAC
Encryption
By default, chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr ciphers are supported for a new SSH client to connect with the SSH server.
Allows user to configure multiple algorithms.
Supports following Strongest Cipher algorithms
Strongest Ciphers
chacha20-poly1305@openssh.com,
aes256-gcm@openssh.com,
aes128-gcm@openssh.com,
aes256-ctr,aes192-ctr,aes128-ctr
MAC algorithms
hmac-sha2-512-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,
hmac-sha2-512,
hmac-sha2-256,
KEX algorithms
curve25519-sha256@libssh.org,
diffie-hellman-group18-sha512,
diffie-hellman-group16-sha512,
ecdh-sha2-nistp521,
ecdh-sha2-nistp384,
ecdh-sha2-nistp256
diffie-hellman-group14-sha256 (uses 2048-bit keys and considered strong)
Avoid configuring the weaker Cipher algorithms
Legacy weaker Cipher
aes128-ctr
aes192-ctr
aes256-ctr
aes128-cbc
aes192-cbc
aes256-cbc (CBC mode is vulnerable to padding Oracle attacks)
3des-cbc
blowfish-cbc (Less efficient)
arcfour (Based on RC4 which has significant vulnerabilities)
hmac-md5 (MD5 can be broken and should not be used)
umac-64@openssh.com (Weaker than SHA-2 based MACs)
hmac-sha1 (Less secured and weak)
Extents support to all VRF interfaces including user-defined.
Allows users with Network Admin or Network Engineer or Network Operator privilege to configure.
Provides a show CLI command to view the configured SSH algorithms.
Configured algorithms are persistent even after reload.
Benefits
Enhanced security for remote terminal connections via SSH. It enables users to utilize the legacy SSH clients with the desired algorithms option through the newly introduced commands.
Prerequisites
The SSH process must be enabled.
Configuration
This section provides an example to encrypt an SSH session with cipher algorithm.
Use any one or all of the algorithms to encrypt a default, management or user defined interface SSH session.
ssh server algorithm kex KEY_NAME (vrf|management|Userdefined)
ssh server algorithm mac MAC_NAME (vrf|management|Userdefined)
ssh server algorithm encryption CIPHER_NAME (vrf|management|Userdefined)
ssh server default algorithm
Topology
In the below topology, the SSH client from the OcNOS device is initiating an SSH connection to a remote machine.
SSH Sample Topology
Note: Before configuration meet all Prerequisites.
Assign SSH security algorithm to a management Interface
1. Set the SSH server encryption algorithm for the management VRF.
(config)#ssh server algorithm encryption aes256-gcm rijndael-cbc aes128-ctr vrf management
2. Set the SSH server KEX algorithm for the management VRF.
(config)#ssh server algorithm kex ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 vrf management
3. Set the SSH server MAC algorithm for the management vrf.
(config)# ssh server algorithm mac hmac-sha2-256-etm hmac-sha1-96 hmac-md5-etm vrf management
4. Commit the configuration and exit.
(config)#commit
(config)#exit
Assign SSH security algorithm to a default VRF Interface
1. Set the SSH server encryption algorithm for the default VRF.
(config)#ssh server algorithm encryption 3des-cbc aes128-cbc aes192-cbc aes256-cbc
2. Set the SSH server KEX algorithm for the default VRF.
(config)#ssh server algorithm kex diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512
3. Set the SSH server MAC algorithm for the default vrf.
(config)# ssh server algorithm mac hmac-md5-etm umac-128
4. Commit the configuration and exit.
(config)#commit
(config)#exit
Assign SSH security algorithm to a User Defined Interface
1. Create a user defined VRF interface with the name vrf1.
(config)#ip vrf vrf1
(config-vrf)# exit
2. Set the SSH server encryption algorithm for the user defined vrf1.
(config)#ssh server algorithm encryption 3des-cbc aes128-cbc aes192-cbc aes256-cbc vrf vrf1
3. Set the SSH server KEX algorithm for the user defined vrf1.
ssh server algorithm kex diffie-hellman-group1-sha1 diffie-hellman-group14-sha1
4. Set the SSH server MAC algorithm for the user defined vrf1.
(config)#ssh server algorithm mac hmac-md5 hmac-md5-96 vrf vrf1
5. Commit the configuration and exit.
(config)#commit
(config)#exit
Validation
Execute the following show command to view the SSH server information.
#show running ssh server
feature ssh vrf management
ssh server algorithm mac hmac-sha2-256-etm hmac-sha1-96 hmac-md5-etm vrf management
ssh server algorithm encryption aes256-gcm rijndael-cbc aes128-ctr vrf management
ssh server algorithm kex ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 vrf management
 
feature ssh
ssh server algorithm mac umac-128 hmac-md5-etm
ssh server algorithm encryption 3des-cbc aes128-cbc aes192-cbc aes256-cbc
ssh server algorithm kex diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512
 
feature ssh vrf vrf1
ssh server algorithm mac hmac-md5 hmac-md5-96 vrf vrf1
ssh server algorithm encryption 3des-cbc aes128-cbc aes192-cbc aes256-cbc vrf vrf1
ssh server algorithm kex diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 vrf vrf1
 
Execute the following show command to view the configured SSH algorithms.
#show ssh server algorithm
management vrf ssh server algorithm:
Ciphers aes128-ctr,rijndael-cbc@lysator.liu.se,aes256-gcm@openssh.com,
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
MACs hmac-sha1-96,hmac-sha2-256-etm@openssh.com,hmac-md5-etm@openssh.com,
 
default vrf ssh server algorithm:
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,
KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
MACs umac-128@openssh.com,hmac-md5-etm@openssh.com,
 
vrf1 vrf ssh server algorithm:
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,
MACs hmac-md5,hmac-md5-96
 
SSH Key-Based Authentication
Enable OcNOS device SSH server to perform public key based SSH authentication, to enable machine to machine communication possible without requiring password. Public key based authentication increases the trust between two Linux servers for easy file synchronization or transfer. Public-key authentication with SSH is more secure than password authentication, as it provides much stronger identity checking through keys.
Note: No support for Digital Signature Algorithm (DSA) public key authentication.
Topology
SSH Key-based authentication
Public Key Authentication Method
The server has the public key of the user stored; using this the server creates a random value, encrypts it with the public key and sends it to the user. If the user is who is supposed to be, he can decrypt the challenge using the private key and send it back to the server, server uses the public key again to decrypt received message to confirm the identity of the user. SSH is supported in-band (default VRF) and out of band (management VRF). Installed keys are stored in the ~/.ssh/authorized_keys file.
SSH key based authentication steps:
1. Login to remote machine Linux desktop (ssh client) and generate the key pair using the ssh-keygen command.
2. Create the username in OcNOS device (ssh server).
3. Install the public key of remote Linux ssh client in the OcNOS device.
4. Display the installed key in the OcNOS device using the show running-config command.
5. Log in from the remote Linux ssh client to the OcNOS device without providing a password.
Useful Commands on Remote Desktop Client
 
# ssh-keygen
To generate key pair on remote Linux machine (ssh client)
# cd /bob/.ssh/
To go to the location of saved key pair
# cat id_rsa.pub
Command to display the generated public key in remote Linux client
 
Configuration commands in OcNOS
 
(config)#configure terminal
Enter configure mode.
(config)#feature ssh vrf management
Enable the SSH feature on vrf management. To enable in default vrf give the command "feature ssh"
(config)#username fred
To create username with default role as network-user. To create user with different role specify role using command "username <username> role <role_name>
(config)#username fred sshkey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6y
Y6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI
/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0
FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1U
UxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyI
cwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D
5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw1
6Cy3csoTncw0vyXV bob@localhost.localdomain
Install the public key of remote Linux client in OcNOS device.
(config)#commit
 
 
Commit the candidate configuration to the running configuration
(config)#exit
Exit configure mode.
Validation
The new cipher encryption algorithm takes effect for a new incoming ssh client connection.
#show running-config
 
<skipped other content>
feature ssh vrf management
username fred role network-user
username fred sshkey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6yY6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1UUxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyIcwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw16Cy3csoTncw0vyXV bob@localhost.localdomain
<skipped other content>
#show running-config ssh server
feature ssh vrf management
SSH Key-based Client Session
 
#ssh fred@10.10.26.186
Specify user name and ip address to access the device. Supports IPv4 and IPv6.User should be able to access without password and through key based authentication
Restrictions
Key generation or installation are not supported for "root" user account in OcNOS device.
Third party SSH utilities cannot be used for key installation, rather OcNOS CLI is the only way to install public keys.
Sample Use Case
1. Login to remote machine linux desktop (ssh client) and generate the key pair using the ssh-keygen command.
[bob@localhost ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/bob/.ssh/id_rsa):
/bob/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /bob/.ssh/id_rsa.
Your public key has been saved in /bob/.ssh/id_rsa.pub.
The key fingerprint is:
b2:d0:cc:d2:dd:db:3d:05:c1:33:fc:4a:df:8e:85:af bob@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| o. |
| =. |
| .+ |
| = . . ...|
| o * S . . +o|
| o o o .o.+|
| . . . o= |
| ..o|
| E. |
+-----------------+
[bob@localhost ~]# cd /bob/.ssh/
[bob@localhost .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6yY6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1UUxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyIcwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw16Cy3csoTncw0vyXV bob@localhost.localdomain
[bob@localhost .ssh]#
2. Create username in OcNOS switch device (ssh server)
(config)#username fred
Note: By default, the user role is network-user.
3. Install the public key of remote Linux ssh client in OcNOS device.
(config)#username fred sshkey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6yY6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1UUxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyIcwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw16Cy3csoTncw0vyXV bob@localhost.localdomain
4. Display the installed key in OcNOS device using the show running-config command.
#show running-config
<skipped other content>
username fred role network-user
username fred sshkey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6yY6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1UUxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyIcwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw16Cy3csoTncw0vyXV bob@localhost.localdomain
<skipped other content>
5. Login from remote Linux ssh client to OcNOS device without providing password
[bob@localhost .ssh]# ssh fred@10.10.26.186