Generate User Key Files

Configure the SSH parameters to generate DSA user key files.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Enable SSH server.
  3. Create the DSA user key file:

    ssh dsa-user-key [WORD<1–15>][size <1024–1024>]

  4. Enter the encryption password to protect the key file.
  5. Copy the user public key file to the remote SSH servers.
    Note

    For certain switches in enhanced secure mode, the public key is copied from /intflash/.ssh to /intflash/shared after key pair generation so that it is available in enhanced secure mode.

  6. To generate compatible keys on a Linux system instead, use the following steps:
    1. Create the DSA user key pair:

      ssh-keygen -t dsa

    2. Copy the user public key to the remote SSH servers.
      Note

      The DSA key pair generated on the Linux system can be used by the SSH client on the switch. ssh-keygen generates only 1024-bit DSA keys, which matches the fixed size the switch accepts. OpenSSH has disabled ssh-dss by default since version 7.0 and has since removed DSA support from its recent releases; on such a system ssh-keygen -t dsa fails, and the key pair must be generated where the OpenSSH build still includes DSA.
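Before copying a Linux-generated public key to the switch, it is worth confirming that the file really holds an ssh-dss key of exactly 1024 bits, since that is the only size the switch's DSA user key supports. The following is an added example, not code from the switch documentation or from OpenSSH: it parses the OpenSSH public-key line format (the RFC 4253 wire encoding, base64 in the .pub file) and reports the key type and the bit length of p. The sample key values are constructed placeholders of the right lengths, not a valid DSA group; in practice, feed it a line from your own id_dsa.pub.

```python
"""Check an OpenSSH .pub line for ssh-dss type and 1024-bit size (added example)."""
import base64
import struct


def _string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """Encode a non-negative int as an SSH 'mpint' (two's complement, minimal)."""
    if n == 0:
        return _string(b"")
    # (bit_length + 8) // 8 bytes leaves room for a sign bit, so a value whose
    # top bit is set receives the leading 0x00 byte the format requires.
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def _read_string(blob: bytes, offset: int):
    """Decode an SSH 'string' at offset; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string body")
    return blob[start:end], end


def _read_mpint(blob: bytes, offset: int):
    """Decode an SSH 'mpint' at offset; return (int, next_offset)."""
    raw, end = _read_string(blob, offset)
    return int.from_bytes(raw, "big", signed=True), end


def build_dss_line(p: int, q: int, g: int, y: int, comment: str = "") -> str:
    """Encode DSA public parameters as one OpenSSH 'ssh-dss' .pub line."""
    blob = _string(b"ssh-dss") + _mpint(p) + _mpint(q) + _mpint(g) + _mpint(y)
    line = "ssh-dss " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_pubkey_line(line: str) -> dict:
    """Parse a .pub line into type, comment and, for ssh-dss, p_bits and q_bits.

    Other key types are returned by name only so the caller can reject them;
    a type mismatch between the text prefix and the blob is an error.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)

    wire_type_raw, off = _read_string(blob, 0)
    wire_type = wire_type_raw.decode("ascii")
    if wire_type != declared_type:
        raise ValueError(f"type mismatch: text {declared_type!r}, blob {wire_type!r}")

    info = {"type": wire_type, "comment": comment}
    if wire_type == "ssh-dss":
        p, off = _read_mpint(blob, off)
        q, off = _read_mpint(blob, off)
        g, off = _read_mpint(blob, off)
        y, off = _read_mpint(blob, off)
        if off != len(blob):
            raise ValueError("trailing bytes after the ssh-dss fields")
        if not (0 < g < p and 0 < y < p):
            raise ValueError("g and y must lie in (0, p)")
        info["p_bits"] = p.bit_length()
        info["q_bits"] = q.bit_length()
    return info


def acceptable_for_switch(info: dict, size: int = 1024) -> bool:
    """True when the key is ssh-dss with p of exactly `size` bits (the switch fixes 1024)."""
    return info["type"] == "ssh-dss" and info.get("p_bits") == size


# Constructed sample values: placeholders of the right bit lengths, NOT a valid
# DSA group. Replace SAMPLE_DSS_LINE with a line from your real id_dsa.pub.
SAMPLE_P = (1 << 1023) | 0x1234567   # 1024-bit
SAMPLE_Q = (1 << 159) | 1            # 160-bit
SAMPLE_G = 2
SAMPLE_Y = (1 << 1000) | 3
SAMPLE_DSS_LINE = build_dss_line(SAMPLE_P, SAMPLE_Q, SAMPLE_G, SAMPLE_Y, "rwa@switch")
# An ssh-ed25519 line (32 placeholder key bytes) that the check must reject.
SAMPLE_ED25519_LINE = "ssh-ed25519 " + base64.b64encode(
    _string(b"ssh-ed25519") + _string(bytes(range(32)))).decode("ascii")

if __name__ == "__main__":
    for sample in (SAMPLE_DSS_LINE, SAMPLE_ED25519_LINE):
        result = parse_pubkey_line(sample)
        verdict = "OK for switch" if acceptable_for_switch(result) else "REJECT"
        print(result["type"], result.get("p_bits", "-"), verdict)
```

Run it against the first line of the .pub file you intend to copy; anything other than ssh-dss with p_bits == 1024 should be regenerated rather than copied to the switch.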

Example

Create the DSA user key file with the user access level set to read-write-all and size of the DSA user key set to 1024 bits:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ssh dsa-user-key rwa size 1024

Variable Definitions

The following table defines parameters for the ssh dsa-user-key command.

WORD <1–15>

Specifies the user access level. If enhanced secure mode is disabled, the valid user access levels for the switch are:

  • rwa—Specifies read-write-all.

  • rw—Specifies read-write.

  • ro—Specifies read-only.

  • rwl3—Specifies read-write for Layer 3.

  • rwl2—Specifies read-write for Layer 2.

  • rwl1—Specifies read-write for Layer 1.

If you enable enhanced secure mode, the switch uses role-based authentication. You associate each username with a specific role and the appropriate authorization rights to commands based on that role.

If enhanced secure mode is enabled, the valid user access levels for the switch are:

  • admin—Specifies a user role with access to all of the configurations, show commands, and the ability to view the log file and security commands. The administrator role is the highest level of user roles.

  • operator—Specifies a user role with access to all of the configurations for packet forwarding on Layer 2 and Layer 3, and has access to show commands to view the configuration, but cannot view the audit logs and cannot access security and password commands.

  • auditor—Specifies a user role that can view log files and view all configurations, except password configuration.

  • security—Specifies a user role with access only to security settings and the ability to view the configurations.

  • priv—Specifies a user role with access to all of the commands that the administrator has access to, and is referred to as an emergency-admin. However, a user with the privilege role must be authenticated locally on the switch; RADIUS and TACACS+ authentication are not available to it. A user at the privilege level must log in to the switch through the console port only.

size <1024–1024>

Specifies the size of the DSA user key. The default is 1024 bits.