SSH Key-Based Authentication

OcNOS-SP : System Management Guide : System Management Configuration Guide : SSH Client Server Configuration : SSH Key-Based Authentication

Enable OcNOS device SSH server to perform public key based SSH authentication, to enable machine to machine communication possible without requiring password. Public key based authentication increases the trust between two Linux servers for easy file synchronization or transfer. Public-key authentication with SSH is more secure than password authentication, as it provides much stronger identity checking through keys.

Topology

Figure 4-6: SSH Key-based authentication

Public Key Authentication Method

The server has the public key of the user stored; using this the server creates a random value, encrypts it with the public key and sends it to the user. If the user is who is supposed to be, he can decrypt the challenge using the private key and send it back to the server, server uses the public key again to decrypt received message to confirm the identity of the user. SSH is supported in-band (default VRF) and out of band (management VRF). Installed keys are stored in the ~/.ssh/authorized_keys file.

SSH key based authentication steps:

1. Login to remote machine Linux desktop (ssh client) and generate the key pair using the ssh-keygen command.

2. Create the username in OcNOS device (ssh server).

3. Install the public key of remote Linux ssh client in the OcNOS device.

4. Display the installed key in the OcNOS device using the show running-config command.

5. Log in from the remote Linux ssh client to the OcNOS device without providing a password.

Useful Commands on Remote Desktop Client

# ssh-keygen	To generate key pair on remote Linux machine (ssh client)
# cd /bob/.ssh/	To go to the location of saved key pair
# cat id_rsa.pub	Command to display the generated public key in remote Linux client

Configuration commands in OcNOS

(config)#configure terminal	Enter configure mode.
(config)#feature ssh vrf management	Enable the SSH feature on vrf management. To enable in default vrf give the command "feature ssh"
(config)#username fred	To create username with default role as network-user. To create user with different role specify role using command "username <username> role <role_name>
(config)#username fred sshkey ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6yY6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1UUxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyIcwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw16Cy3csoTncw0vyXV bob@localhost.localdomain	Install the public key of remote Linux client in OcNOS device.
(config)#commit	Commit the candidate configuration to the running configuration
(config)#exit	Exit configure mode.

Validation

The new cipher encryption algorithm takes effect for a new incoming ssh client connection.

#show running-config

feature ssh vrf management

username fred role network-user

username fred sshkey

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6yY6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1UUxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyIcwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw16Cy3csoTncw0vyXV bob@localhost.localdomain

#show running-config ssh server

feature ssh vrf management

SSH Key-based Client Session

#ssh fred@10.10.26.186

Specify user name and ip address to access the device. Supports IPv4 and IPv6.User should be able to access without password and through key based authentication

Restrictions

• Key generation or installation are not supported for "root" user account in OcNOS device.

• Third party SSH utilities cannot be used for key installation, rather OcNOS CLI is the only way to install public keys.

Sample Use Case

1. Login to remote machine linux desktop (ssh client) and generate the key pair using the ssh-keygen command.

[bob@localhost ~]# ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/bob/.ssh/id_rsa):

/bob/.ssh/id_rsa already exists.

Overwrite (y/n)? y

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /bob/.ssh/id_rsa.

Your public key has been saved in /bob/.ssh/id_rsa.pub.

The key fingerprint is:

b2:d0:cc:d2:dd:db:3d:05:c1:33:fc:4a:df:8e:85:af bob@localhost.localdomain

The key's randomart image is:

+--[ RSA 2048]----+

| o. |

| =. |

| .+ |

| = . . ...|

| o * S . . +o|

| o o o .o.+|

| . . . o= |

| ..o|

| E. |

+-----------------+

[bob@localhost ~]# cd /bob/.ssh/

[bob@localhost .ssh]# cat id_rsa.pub

[bob@localhost .ssh]#

2. Create username in OcNOS switch device (ssh server)

(config)#username fred

Note: By default, the user role is network-user.

3. Install the public key of remote Linux ssh client in OcNOS device.

(config)#username fred sshkey

4. Display the installed key in OcNOS device using the show running-config command.

#show running-config

username fred role network-user

username fred sshkey

5. Login from remote Linux ssh client to OcNOS device without providing password

[bob@localhost .ssh]# ssh fred@10.10.26.186

Last modified date: 10/19/2023