Inline SSH Public Key Configuration

SSH password-less authentication supports specification of a public key directly in the command line, instead of importing it from the SSH server.

Previous functionality

Previously, the public key had to be imported from the server by means of an operational CLI, with the following syntax.

device# certutil import sshkey user <user> host <host> directory <directory> file <file> login <login> password <password>

The following is a completed command example.

device# certutil import sshkey user admin host 10.20.61.151 directory /root/.ssh/ file id_rsa.pub login root password pass

SLX-OS first tries to authenticate by using the public key. If it cannot find the public key, it falls back to password-based authentication and allows the user to log in by entering a valid password.

Current functionality

A public key can now be copied directly into the command line, instead of importing it from the server. The syntax is as follows.

device# certutil sshkey user <user> pubkey <public key>

The following is a complete example.

device# certutil sshkey user admin pubkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnim+Ofjx/id3z2jDxXu9DcMuQqVq/NKi2Lms+q7dA5Dqww8jlrOGawG8tMySOvnB1ZEvJt1kqNneRi4l6Ot4/7hfd99rIOPGBP/NJs6xTLUrQhDgxB78ddTg+6euBtkYLTAaTC7kbXGXcO8VVB9+4xrH+0bkvjU9RRvGJguUfdiFKEfIGVOyt0atdHi1dmgQ9BE0cO65nc/i9MjMJedBe174/QT4TxeGeEgaQ57c2AL5It2V4CzrZBDtnixdnHUO5w2vmBR61LZIDVT1fuX/xYxDAm9H8SDpDX8pZlfFpQBy/wrkIYPZ/p4OLrUApB/XAJGujrlNlZLEu9U9MPVM/ root@ldap.hc-fusion.in"

Note the following conditions:

After a public key has been imported or copied for a user by means of the certutil import sshkey or certutil sshkey command, password-based authentication is disabled for that user. That user can no longer log in with a valid password; password-based authentication continues to work for all other users who have no public key imported or configured on the device.

The specified user is allowed to log in only by using the public key. If anyone tries to log in as that user from a host whose public key is not present on the device, the client receives a "Permission denied (publickey)" error message. Once the public key has been removed for the specified user, password-based authentication is enabled again automatically for that user.
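The inline form passes the whole public key as one quoted CLI argument, and the example above shows how such a key gets line-wrapped when displayed; a key pasted with embedded newlines or curly quotes arrives corrupted, the device cannot match it, and the user is left with "Permission denied (publickey)" and no password fallback. The following Python script is an added example, not SLX-OS code: it reassembles a wrapped key line, checks that the base64 blob decodes and that the key type recorded inside the blob matches the `ssh-rsa`/`ssh-ed25519` prefix, and reports the RSA modulus size so a weak key is noticed before it is configured. The RSA components it builds for the demo are constructed placeholders, not a real key pair.

```python
"""Check an OpenSSH public key line before pasting it into `certutil sshkey`."""
import base64
import re
import struct

_BASE64_TOKEN = re.compile(r"^[A-Za-z0-9+/=]+$")
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})  # curly -> straight


def _pack_string(data: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _pack_mpint(value: int) -> bytes:
    """SSH 'mpint': two's complement, so a set high bit needs a leading zero byte."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _pack_string(raw)


def _read_string(buf: bytes, offset: int):
    """Read one SSH 'string' at offset; raise on a truncated blob."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset + 4:end], end


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Assemble an 'ssh-rsa' line from components (used here for constructed demo keys)."""
    blob = _pack_string(b"ssh-rsa") + _pack_mpint(e) + _pack_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def parse_blob(blob: bytes) -> dict:
    """Parse the decoded blob; raise ValueError unless every byte is accounted for."""
    name, off = _read_string(blob, 0)
    key_type = name.decode("ascii")
    info = {"type": key_type}
    if key_type == "ssh-rsa":
        e_raw, off = _read_string(blob, off)
        n_raw, off = _read_string(blob, off)
        info["e"] = int.from_bytes(e_raw, "big")
        info["bits"] = int.from_bytes(n_raw, "big").bit_length()
    elif key_type == "ssh-ed25519":
        pk, off = _read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        info["bits"] = 256
    else:
        raise ValueError(f"unsupported key type {key_type!r}")
    if off != len(blob):
        raise ValueError("trailing bytes after key blob")
    return info


def validate_pubkey_line(text: str) -> dict:
    """Normalize a possibly wrapped/quoted key line and verify its structure.

    Returns the parsed fields plus 'line', the single-line form safe to paste.
    Assumption: the blob is the run of base64 tokens after the type; tokens are
    accumulated until the decoded blob parses completely, so a comment that
    happens to look like base64 is not swallowed into the key.
    """
    tokens = text.translate(_QUOTES).replace('"', " ").split()
    if len(tokens) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    declared = tokens[0]
    acc, last_err = "", None
    for i in range(1, len(tokens)):
        if not _BASE64_TOKEN.match(tokens[i]):
            break
        acc += tokens[i]
        if len(acc) % 4:
            continue  # cannot be a complete base64 blob yet
        try:
            info = parse_blob(base64.b64decode(acc, validate=True))
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            last_err = exc
            continue
        if info["type"] != declared:
            raise ValueError(f"blob is {info['type']!r} but line is prefixed {declared!r}")
        info["comment"] = " ".join(tokens[i + 1:])
        info["line"] = " ".join(filter(None, [declared, acc, info["comment"]]))
        if info["type"] == "ssh-rsa" and info["bits"] < 2048:
            info["warning"] = f"RSA modulus is only {info['bits']} bits"
        return info
    raise ValueError(f"no valid key blob found: {last_err}")


if __name__ == "__main__":
    # Constructed demo modulus: not a real RSA key, only the right shape/size.
    demo = build_rsa_pubkey_line(65537, (1 << 2047) | 0x10001, "admin@example")
    print(validate_pubkey_line(demo)["bits"])  # 2048
```

Run the checker on the key text as copied from a terminal or document; the `line` field is the one to paste after `pubkey`, and any exception means the key should not be configured yet, since once it is, the user has no password fallback.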

Note

Because NETCONF runs over SSH, its behavior is similar to that for SSH.

Note the following conditions: