User Key-Based Authentication

Public key authentication is an alternative to password authentication that SSH uses to verify a user's identity. You generate a key pair consisting of a private key, which stays with the user, and a public key. The public key is loaded onto the switch and used by the ExtremeXOS SSH server to authenticate the user.

In ExtremeXOS, user public keys are stored in the switch's configuration file; each key is then associated (bound) to a user.

The keys are configured on the switch in one of two ways: by copying a public key file to the switch with SCP or SFTP, or by entering the key directly through the CLI. Both methods are described below.

RSA and DSA public keys are both supported.

The public key can be loaded onto the switch using SCP or SFTP, with the switch acting as the server. The administrator connects to the switch with SCP2 or SFTP2 client software and copies the key file to it. The public key file must have the extension .ssh; for example, id_dsa_2048.ssh. When the .ssh file is copied to the switch, the key is loaded into memory. The loaded public keys are written to the configuration file (*.cfg) only when the save command is issued from the CLI; a key that has not been saved does not survive a reboot.

The key name is derived from the file name; for example, the key name for the file id_dsa_2048.ssh is id_dsa_2048. Both the key file name and the key name are restricted to 32 characters in length.

The key is associated with a user either implicitly, by prepending the user name to the file name, or explicitly, using the CLI.

For a key to be bound to a user, the user must be known to the switch; that is, the user must have an entry in the switch's local user database. The key only proves identity: once the user is authenticated, the user's rights (read-only or read/write) are obtained from that database entry.

To associate the key implicitly, prepend the user name and a dot to the file name; for example, admin.id_dsa_2048.ssh.

If the user named in the file does not exist on the switch, the key is still accepted but is not associated with any user; once the user is added, the key can be bound to that user from the CLI. Likewise, if no user name is prepended to the file name, the key is accepted by the switch but is left unassociated. In either case, bind the key to a user with the command configure sshd2 user-key key_name add user user_name. Until it is bound, the key cannot be used to log in as anyone.

You can also enter or paste the key from the CLI using the configure ssh2 key {pregenerated} command with the pregenerated keyword. The key must be entered as a single line, with no carriage returns or line breaks. For more information, see the configure ssh2 key {pregenerated} command in the Switch Engine v33.1.1 Command Reference Guide.
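The following shell helper is an added example; it is not part of the ExtremeXOS documentation or of Extreme's own tooling. It applies the rules above to an OpenSSH public key before the key is copied or pasted to the switch: it checks the .ssh extension and the 32-character key-name limit, splits an optional user prefix off the file name, and flattens the key to the single line the CLI paste method requires. The split rule (text before the first dot is the user name, the rest is the key name) is an assumption drawn from the admin.id_dsa_2048.ssh example, the switch address 192.0.2.1 is a placeholder, and the sample key is constructed filler, not a real key.

```shell
#!/bin/sh
# Added example (not from the ExtremeXOS documentation). Prepares an OpenSSH
# public key for upload to an EXOS switch under the .ssh file-naming rules.
# Assumptions: the "user.keyname.ssh" split (text before the first dot is the
# user) follows the page's admin.id_dsa_2048.ssh example; 192.0.2.1 is a
# placeholder switch address.
set -u

# Derive the EXOS key name from a .ssh file name: strip any directory part,
# the optional "user." prefix and the .ssh extension. Fails on a wrong
# extension or a key name longer than the 32 characters the switch accepts.
exos_keyname() {
    f=${1##*/}
    case "$f" in
        *.ssh) ;;
        *) echo "error: $f must end in .ssh" >&2; return 1 ;;
    esac
    base=${f%.ssh}
    case "$base" in
        *.*) name=${base#*.} ;;     # user.keyname -> keyname (assumption)
        *)   name=$base ;;
    esac
    if [ ${#name} -gt 32 ]; then
        echo "error: key name '$name' exceeds 32 characters" >&2
        return 1
    fi
    printf '%s\n' "$name"
}

# User name implied by the file name, or an empty line when there is no prefix
# (the key is then accepted by the switch but bound to nobody).
exos_keyuser() {
    base=${1##*/}
    base=${base%.ssh}
    case "$base" in
        *.*) printf '%s\n' "${base%%.*}" ;;
        *)   printf '\n' ;;
    esac
}

# Flatten one RSA or DSA OpenSSH public key into a single line with no CR or
# LF, which is what the CLI paste method requires. Rejects files holding more
# than one key, since joining them would produce one corrupt key.
exos_key_oneline() {
    n=$(grep -c '^ssh-' "$1" || true)
    if [ "$n" -ne 1 ]; then
        echo "error: $1 must contain exactly one OpenSSH public key" >&2
        return 1
    fi
    line=$(tr -d '\r\n' < "$1")
    case "$line" in
        "ssh-rsa "*|"ssh-dss "*) printf '%s\n' "$line" ;;
        *) echo "error: $1 is not an RSA or DSA OpenSSH public key" >&2; return 1 ;;
    esac
}

# Demonstration on a constructed key (the base64 body is filler, not a key).
work=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfiller0000== admin@mgmt\r\n' \
    > "$work/id_rsa_2048.pub"
pubfile="$work/admin.id_rsa_2048.ssh"          # "admin." prefix binds it to admin
exos_key_oneline "$work/id_rsa_2048.pub" > "$pubfile"
echo "key name: $(exos_keyname "$pubfile"), user: $(exos_keyuser "$pubfile")"
echo "upload:   scp $pubfile admin@192.0.2.1:"   # the switch is the SCP server
echo "explicit binding on the switch, if the prefix was omitted:"
echo "          configure sshd2 user-key $(exos_keyname "$pubfile") add user admin"
rm -rf "$work"
```

Run it before copying the file, then issue save on the switch so the loaded key is written to the configuration file.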

The host and user public keys can be written to a file in the config directory using the create sshd2 key-file {host-key | user-key} key_name command. This lets the administrator copy a public key off the switch to an outside server, for example to check the switch's host key from a client or to keep a copy of the user keys.