Inline SSH Public Key Configuration

SSH password-less authentication supports specification of a public key directly in the command line, instead of importing it from the SSH server.

Previous functionality

Previously, the public key had to be imported from the server by means of an operational CLI, with the following syntax.

device# certutil import sshkey user <user> host <host> directory <directory> 
file <file> login <login> password <password>

The following is a completed command example.

device# certutil import sshkey user admin host 10.20.61.151 directory /root/.ssh/ 
file id_rsa.pub login root password pass

SLX-OS first tries to authenticate by using the public key. If it cannot find the public key, it falls back to password-based authentication and allows the user to log in by entering a valid password.

Current functionality

A public key can now be copied directly into the command line, instead of importing it from the server. The syntax is as follows.

device# certutil sshkey user <user> pubkey <public key>

The following is a complete example.

device# certutil sshkey user admin pubkey “ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDnim+Ofjx/id3z2jDxXu9DcMuQqVq/NKi2Lms+
q7dA5Dqww8jlrOGawG8tMySOvnB1ZEvJt1kqNneRi4l6Ot4/7hfd99rIOPGBP/NJs6xTLUrQhDgxB78ddTg+
6euBtkYLTAaTC7kbXGXcO8VVB9+4xrH+0bkvjU9RRvGJguUfdiFKEfIGVOyt0atdHi1dmgQ9BE0cO65nc/
i9MjMJedBe174/QT4TxeGeEgaQ57c2AL5It2V4CzrZBDtnixdnHUO5w2vmBR61LZIDVT1fuX/xYxDAm9H8SDpDX8pZlfFpQBy
/wrkIYPZ/p4OLrUApB/XAJGujrlNlZLEu9U9MPVM/ root@ldap.hc-fusion.in”

Note the following conditions:

The user must exist on the device. By default, there are two users: “admin” and “user”. New users can be added by means of the username command in global configuration mode.
The public key must be entered within double quotes (" ").
Do the following to generate a public key. Run ssh-keygen -t rsa on any server from which you want to start an SSH session to the device. Once you run this command, if you have not entered any other path while generating the key, the public key is generated at /root/.ssh/id_rsa.pub by default. Open this file and copy all its contents after the pubkey option in the CLI.
The command to delete the public key remains the same: device# no certutil sshkey user <user>

After the public key has been imported or copied by means of the certutil import sshkey or the certutil sshkey commands, for the specified user, then password-based authentication is disabled for that particular user. The user is not able to log in with a valid password, but password-based authentication continues to work for all other users who do not have the public key configured or imported on the device.

The specified user is allowed to log in only by using a public key. If anyone tries to log in from any other server for which the public key is not present on the device, then the client receives a “Permission denied (publickey)” error message. Once the public key has been removed for the specified user, then password-based authentication is enabled automatically for that particular user.

Note

Because NETCONF runs over SSH, its behavior is similar to that for SSH.

Note the following conditions:

Because certutil is not a configuration command, the public key configuration is not saved to the configuration file. In order to replay the public key configuration from a file, the following example public keys must be added manually for all the users to the configuration file.

do certutil sshkey user test123 pubkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnim+
Ofjx/id3z2jDxXu9DcMuQqVq/NKi2Lms+q7dA5Dqww8jlrOGawG8tMySOvnB1ZEvJt1kqNneRi4l6Ot4/7hfd99rIOPGBP/
NJs6xTLUrQhDgxB78ddTg+6euBtkYLTAaTC7kbXGXcO8VVB9+4xrH+0bkvjU9RRvGJguUfdiFKEfIGVOyt0atdHi1dmgQ9BE0cO65nc/
i9MjMJedBe174/QT4TxeGeEgaQ57c2AL5It2V4CzrZBDtnixdnHUO5w2vmBR61LZIDVT1fuX/xYxDAm9H8SDpDX8pZlfFpQBy/
wrkIYPZ/p4OLrUApB/XAJGujrlNlZLEu9U9MPVM/ root@ldap.hc-fusion.in"

You can use echo to append this command to the end of the file.

A restart of the SSH server on all VRF instances occurs whenever the public key is configured or deleted, or a user with a public key is deleted. Therefore, all the existing SSH connections are disconnected.
Because public authentication is applicable only for SSH, Telnet and REST continue to use the configured password. Access is allowed through Telnet and REST by means of a valid password, even though password-based authentication is disabled for SSH for that user.