SSH on Catalyst: public key authentication for some users

holmigeirr
Level 1

Hello,

I've got a couple of Catalyst switches that are accessed by the admins via SSH.

For security reasons I would like to change their login method from password to public key authentication.
In addition to the admin users, I have a few technical user accounts that still need to log in with a password.

For the admin users I configured each user's public key with:

conf t
ip ssh pubkey-chain
username ...
key-string
AAA...
...==

So far, everything works fine.
Everyone is able to log in using his private key.

But I've got a problem for which I couldn't find a solution in the forums or in the Cisco "Secure Shell Configuration Guide":

  • For some of the users I want to disable the ability to log in using SSH with a password. They should only be allowed to log in using public key authentication.
  • Some other users (the technical user accounts) should still be able to log in via SSH using password authentication.

Is this possible?

Note: "no ip ssh server authenticate user password" is not an option, because I have some technical users who still need to log in with a password instead of using public key authentication.

Thanks in advance!

 

2 Replies

Hello,

I somewhere seem to remember the command 'username username nopassword' which keeps that specific user from logging in with a password...in theory, if you configure that it should prevent the specified user from logging in through SSH using a password...

Hello Georg,

thank you - but this was my first thought and when you delete the user password by

username username nopassword

it doesn't prevent the user from logging in through SSH but makes him able to log in without prompting for a password.
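
An added example, not part of the thread or of Cisco's documentation: a small audit script that reads a saved running-config and lists, per user, which login methods the configuration text shows, so accounts that have a public key but can still get in another way stand out. The sample config is constructed, and the layout it assumes (top-level `username` lines, indented `username` / `key-hash` or `key-string` entries under `ip ssh pubkey-chain`) is an assumption about how the device prints its configuration.

```python
import re

# Constructed sample in the style of an IOS running-config (not from the thread).
SAMPLE_CONFIG = """\
username alice privilege 15 secret 9 $9$constructedhash
username bob privilege 15 secret 9 $9$constructedhash
username svc_backup secret 9 $9$constructedhash
username carol nopassword
ip ssh pubkey-chain
  username alice
   key-hash ssh-rsa 0123456789ABCDEF0123456789ABCDEF
  username carol
   key-hash ssh-rsa FEDCBA9876543210FEDCBA9876543210
!
line vty 0 4
 login local
"""

USER_RE = re.compile(r"^username\s+(\S+)(.*)$")

def audit_ssh_users(config_text):
    """Return {username: set of login methods the config text shows}."""
    methods, in_chain, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            # Top-level line: any unindented command ends the pubkey-chain block.
            in_chain, current = (line == "ip ssh pubkey-chain"), None
            m = USER_RE.match(line)
            if m:
                tokens = m.group(2).split()
                entry = methods.setdefault(m.group(1), set())
                if "nopassword" in tokens:
                    entry.add("no-password")  # login without a password prompt
                elif "password" in tokens or "secret" in tokens:
                    entry.add("password")
            continue
        if not in_chain:
            continue
        m = USER_RE.match(line)
        if m:
            current = m.group(1)  # per-user entry inside the pubkey chain
        elif current and line.startswith(("key-hash", "key-string")):
            methods.setdefault(current, set()).add("pubkey")
    return methods

def key_users_with_other_login(methods):
    """Users who have a public key but can also log in some other way."""
    return sorted(u for u, s in methods.items() if "pubkey" in s and len(s) > 1)
```
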