User Key Files

Generating keys requires that you have free space on the flash. A typical configuration requires less than 2 kbyte of free space. Before you generate a key, verify that you have sufficient space on the flash, using the dir command. If the flash is full when you attempt to generate a key, the system displays an error message and the key is not generated. You must delete some unused files and regenerate the key.

If you remove only the public keys, enabling SSH does not create new public keys.

SSHv2 password authentication uses the same login and password authentication mechanism as Telnet. The SSHv2 client also supports DSA public key authentication, which is compatible with both the switch SSHv2 server and a Linux SSHv2 server.

If the switch is the client, use the following table to locate the DSA user key files for DSA authentication for user access level rwa.

Note

For certain switches in enhanced secure mode, all sensitive files are protected. The home directory for enhanced secure mode is /intflash/shared. You cannot access any sensitive files using Telnet, SSH, FTP, SFTP, TFTP, and SCP connections. For more information, see Sensitive File Protection.

Table 1. DSA user key files

Columns: SSH server | SSH client side | SSH server side

SSH server: switch with enhanced secure mode disabled

SSH client side: private and public keys by access level:

  • rwa—/intflash/.ssh/id_dsa_rwa (private key), /intflash/.ssh/id_dsa_rwa.pub (public key)

  • rw—/intflash/.ssh/id_dsa_rw (private key), /intflash/.ssh/id_dsa_rw.pub (public key)

  • ro—/intflash/.ssh/id_dsa_ro (private key), /intflash/.ssh/id_dsa_ro.pub (public key)

  • rwl1—/intflash/.ssh/id_dsa_rwl1 (private key), /intflash/.ssh/id_dsa_rwl1.pub (public key)

  • rwl2—/intflash/.ssh/id_dsa_rwl2 (private key), /intflash/.ssh/id_dsa_rwl2.pub (public key)

  • rwl3—/intflash/.ssh/id_dsa_rwl3 (private key), /intflash/.ssh/id_dsa_rwl3.pub (public key)

SSH server side: public keys on the server side based on access level:

  • rwa—/intflash/.ssh/dsa_key_rwa (public key)

  • rw—/intflash/.ssh/dsa_key_rw (public key)

  • ro—/intflash/.ssh/dsa_key_ro (public key)

  • rwl1—/intflash/.ssh/dsa_key_rwl1 (public key)

  • rwl2—/intflash/.ssh/dsa_key_rwl2 (public key)

  • rwl3—/intflash/.ssh/dsa_key_rwl3 (public key)

SSH server: switch with enhanced secure mode enabled

SSH client side: private and public keys by access role level:

  • administrator—/intflash/shared/id_dsa_admin (private key), /intflash/shared/id_dsa_admin.pub (public key)

  • operator—/intflash/shared/id_dsa_operator (private key), /intflash/shared/id_dsa_operator.pub (public key)

  • security—/intflash/shared/id_dsa_security (private key), /intflash/shared/id_dsa_security.pub (public key)

  • auditor—/intflash/shared/id_dsa_auditor (private key), /intflash/shared/id_dsa_auditor.pub (public key)

  • privilege—/intflash/shared/id_dsa_priv (private key), /intflash/shared/id_dsa_priv.pub (public key)

SSH server side: public keys on the server side based on access role level:

  • administrator—/intflash/shared/dsa_key_admin (public key)

  • operator—/intflash/shared/dsa_key_operator (public key)

  • security—/intflash/shared/dsa_key_security (public key)

  • privilege—/intflash/shared/dsa_key_priv (public key)

  • auditor—/intflash/shared/dsa_key_auditor (public key)

SSH server: Linux with OpenSSH

SSH client side:

  • ~/.ssh/id_dsa (private key), file permission 400

  • ~/.ssh/id_dsa.pub (public key), file permission 644

SSH server side:

  • ~/.ssh/authorized_keys (public key file)

When you attempt to make an SSH connection from the switch, the SSHv2 client looks in its own internal flash for the DSA key pair files. If the key files exist, the SSHv2 client prompts you for the passphrase to decrypt the key files. If the passphrase is correct, the SSHv2 client initiates DSA key authentication to the remote SSHv2 server. The SSHv2 client looks for the public key file that matches the login user access level on the SSHv2 server to process and validate the public key authentication. If the DSA authentication is successful, the SSHv2 session is established.

If no matching user key pair files exist on the client side when initiating the SSHv2 session, or if the DSA authentication fails, you are automatically prompted for a password to attempt password authentication.

If the remote SSHv2 server is a Linux system, the server looks for the login user public key file ~/.ssh/authorized_keys by default for DSA authentication. For a Linux SSHv2 client, the user DSA key pair files are located in the user home directory as ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub.
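The following audit script is an added example, not part of the original documentation or the switch software. It checks the Linux/OpenSSH row of Table 1 (id_dsa mode 400, id_dsa.pub mode 644, authorized_keys present) against a directory that stands in for the user home, and it assumes GNU coreutils stat (stat -c); the sample key files it creates are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Audit the OpenSSH-side DSA user key files listed in Table 1:
#   ~/.ssh/id_dsa          private key, expected mode 400
#   ~/.ssh/id_dsa.pub      public key,  expected mode 644
#   ~/.ssh/authorized_keys public keys the server accepts for this user
# Assumes GNU coreutils stat. HOME_DIR stands in for ~ so the check can
# run against any path (a mounted home, a backup, a test directory).

check_mode() {  # check_mode FILE EXPECTED_OCTAL -> 0 only if FILE exists with that mode
  file=$1; want=$2
  [ -f "$file" ] || { echo "MISSING $file"; return 1; }
  have=$(stat -c '%a' "$file")
  if [ "$have" = "$want" ]; then
    echo "OK      $file mode $have"
  else
    echo "BAD     $file mode $have (expected $want)"; return 1
  fi
}

check_dsa_key_files() {  # check_dsa_key_files HOME_DIR -> 0 only when both key files match Table 1
  dir=$1/.ssh; rc=0
  check_mode "$dir/id_dsa" 400 || rc=1
  check_mode "$dir/id_dsa.pub" 644 || rc=1
  # authorized_keys matters on the server side; report how many key lines it holds
  if [ -f "$dir/authorized_keys" ]; then
    echo "OK      $dir/authorized_keys ($(grep -c '^ssh-' "$dir/authorized_keys") key lines)"
  else
    echo "WARN    $dir/authorized_keys absent; the server falls back to password authentication"
  fi
  return $rc
}

make_sample_home() {  # make_sample_home DIR PRIV_MODE PUB_MODE: constructed placeholder files, not real keys
  mkdir -p "$1/.ssh"
  echo "CONSTRUCTED-PLACEHOLDER-PRIVATE-KEY" > "$1/.ssh/id_dsa"
  echo "ssh-dss CONSTRUCTED-PLACEHOLDER-KEY-DATA user@host" > "$1/.ssh/id_dsa.pub"
  echo "ssh-dss CONSTRUCTED-PLACEHOLDER-KEY-DATA user@host" > "$1/.ssh/authorized_keys"
  chmod "$2" "$1/.ssh/id_dsa"; chmod "$3" "$1/.ssh/id_dsa.pub"
}

good=$(mktemp -d); bad=$(mktemp -d)
make_sample_home "$good" 400 644   # exactly as Table 1 prescribes
make_sample_home "$bad" 644 644    # private key readable by every local user
if check_dsa_key_files "$good"; then echo "sample 'good': PASS"; fi
if ! check_dsa_key_files "$bad"; then echo "sample 'bad': FAIL (private key exposed)"; fi
```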