

NSO Public key authentication to device

Hello all,

I have an issue trying to set up public key authentication with an iosxr device.

I have generated the public key (ssh-keygen -t rsa), copied it to the device. I have also added it to NSO and created an authgroup that uses the private key.

Regular ssh (from the NSO host) works ok using public key authentication:

ssh nso@ -i /home/nso/.ssh/nso_admin -s netconf

Thu May 19 16:33:39.940 UTC

<?xml version="1.0" encoding="UTF-8"?>

<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">





However, when I try to do a sync-from via NSO:

devices device test-device sync-from               

result false

info Failed to connect to device test-device: closed


A debug of the SSH session shows the following error:

RP/0/RP0/CPU0:May 19 16:00:29.249 UTC: SSHD_[67379]: User:nso,service:ssh-connection,Method:publickey

RP/0/RP0/CPU0:May 19 16:00:29.249 UTC: SSHD_[67379]: (sshd_authenticate) RSA based authentication requested

RP/0/RP0/CPU0:May 19 16:00:29.249 UTC: SSHD_[67379]: (sshd_authenticate) Requested public-key algorithm rsa-sha2-512 not supported


During a regular ssh login (that works) I get a different message:

RP/0/RP0/CPU0:May 19 16:39:54.102 UTC: SSHD_[67567]: User:nso,service:ssh-connection,Method:publickey

RP/0/RP0/CPU0:May 19 16:39:54.102 UTC: SSHD_[67567]: (sshd_authenticate) RSA based authentication requested

RP/0/RP0/CPU0:May 19 16:39:54.102 UTC: SSHD_[67567]: (sshd_authenticate) bool: 1, Pub Alg: ssh-rsa


My first thought was to go and change the device public key algorithms and restrict to ssh-rsa:

# show running-config devices device test-device ssh-algorithms public-key

 ssh-algorithms public-key [ ssh-rsa ]

But this doesn't work; it's most likely related to the hostkey, not the user authentication key.

Any hints on how to solve this? I'm guessing I have to specify somewhere the user auth key exchange algorithm, but I haven't found where.




Can you specify the NSO version?


Can you provide us the output of the command:


show devices device <YOUR_DEVICE> active-settings ssh-algorithms

Sure, I'm running version 5.6.4. Here is the output of the command:


show devices device test-device active-settings ssh-algorithms

active-settings ssh-algorithms public-key [ ssh-rsa ]

active-settings ssh-algorithms kex [ curve25519-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 curve448-sha512 ecdh-sha2-nistp521 diffie-hellman-group15-sha512 diffie-hellman-group16-sha512 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 ]

active-settings ssh-algorithms mac [ AEAD_AES_128_GCM AEAD_AES_256_GCM hmac-sha2-512 hmac-sha2-256 hmac-sha1 ]

active-settings ssh-algorithms cipher [ AEAD_AES_128_GCM AEAD_AES_256_GCM aes128-ctr aes192-ctr aes256-ctr ]

active-settings ssh-algorithms compression [ none zlib ]

active-settings ssh-algorithms dh-group min-size 1024

active-settings ssh-algorithms dh-group preferred-size 2048

active-settings ssh-algorithms dh-group max-size 8192