SSH Key-Based Authentication

Enable OcNOS device SSH server to perform public key based SSH authentication, to enable machine to machine communication possible without requiring password. Public key based authentication increases the trust between two Linux servers for easy file synchronization or transfer. Public-key authentication with SSH is more secure than password authentication, as it provides much stronger identity checking through keys.

No support for Digital Signature Algorithm (DSA) public key authentication.

Topology

Figure 17. SSH Key-based authentication

Public Key Authentication Method

The server has the public key of the user stored; using this the server creates a random value, encrypts it with the public key and sends it to the user. If the user is who is supposed to be, he can decrypt the challenge using the private key and send it back to the server, server uses the public key again to decrypt received message to confirm the identity of the user. SSH is supported in-band (default VRF) and out-band (management VRF). Installed keys are stored in the ~/.ssh/authorized_keys file.

SSH key based authentication steps:

  1. Login to remote machine Linux desktop (ssh client) and generate the key pair using the ssh-keygen command.
  2. Create the username in OcNOS device (ssh server).
  3. Install the public key of remote Linux ssh client in the OcNOS device.
  4. Display the installed key in the OcNOS device using the show running-config command.
  5. Log in from the remote Linux ssh client to the OcNOS device without providing a password.

Useful Commands on Remote Desktop Client

# ssh-keygen

To generate key pair on remote Linux machine (ssh client)

# cd /bob/.ssh/

To go to the location of saved key pair

# cat id_rsa.pub

Command to display the generated public key in remote Linux client

Configuration commands in OcNOS

(config)#configure terminal

Enter configure mode.

(config)#feature ssh vrf management

Enable the SSH feature on vrf management. To enable in default vrf give the command "feature ssh"

(config)#username fred

To create username with default role as network-user. To create user with different role specify role using command "username <username> role <role_name>

(config)#username fred sshkey

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6y

Y6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI

/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0

FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1U

UxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyI

cwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D

5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF
/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw1

6Cy3csoTncw0vyXV bob@localhost.localdomain

Install the public key of remote Linux client in OcNOS device.

(config)#commit

Commit the candidate configuration to the running configuration

(config)#exit

Exit configure mode.

Validation

The new cipher encryption algorithm takes effect for a new incoming ssh client connection.

Copy 
#show running-config
 

feature ssh vrf management
username fred role network-user
username fred sshkey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6yY6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1UUxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyIcwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw16Cy3csoTncw0vyXV bob@localhost.localdomain
<skipped other content>
#show running-config ssh server
feature ssh vrf management