07-16-2011 04:57 AM
I'm trying to enable SSH Public Key Authentication on an SG 300-10 running 1.1.0.73.
I've generated RSA and DSA key pairs and enabled SSH so I can access the switch with a username and password no problem.
I then generated an SSH key pair on my client machine and added the public key to the switch using:
The switch then prints out the fingerprint which matches what ssh-keygen printed when I generated the key. However I can't work out what I'm supposed to do next. "sh ip ssh" still says public key authentication is disabled and I can't find another command to enable it explicitly.
What am I missing?
Thanks
Matt
05-02-2012 12:04 AM
Hi,
Please add "ip ssh pubkey-auth" command to the switch configuration. This will enable public key authentication and "show ip ssh" should verify that it is enabled.
This will force the clients to use pubkey and login without it will not be possible. There are two authentication methods the switch's ssh server sends to clients, NULL or PUBKEY. To see how the ssh client authenticates to the server, add the -v switch to the command line (openssh client) and look for lines containing the word "authentication".
This will look a bit surprising but when pubkey is used you will see a prompt for username and password. That is done after the session has been established. You can disable it via other configuration settings.
Regards.
04-26-2012 07:29 AM
Did you find a solution? I am interested in such functionality on this model.
thanks
Hugo
05-12-2012 07:22 AM
Yes, "ip ssh pubkey-auth" is indeed the correct command, however it was absent/removed from some releases of firmware. I was previously running version 1.1.1.8 and I had this problem, however I've just upgraded to version 1.1.2.0 and I'm pleased to say the command is available again.
The alternative is to use SNMP to enable the option: setting 1.3.6.1.4.1.9.6.1.101.78.2.103.0 to 1 will also enable the use of public keys.
05-02-2012 08:40 AM
Hi,
Continuing the theme raised, I comment on the following points:
Stay tuned to your comments.
Thanks
Omar
05-06-2012 12:16 AM
Hi Omar,
>> Enable telnet with the command ip telnet server.
This command enables telnet access, which is a different protocol. You can access it via the telnet command in Linux and Windows. It runs on tcp port 23. SSH runs on tcp port 22. It is not recommended these days because this protocol sends everything in cleartext, username and password too. No encryption whatsoever.
>> Using putty to login via ssh user the message which appears as you type the following:Disconnected : No supported authentication methods available (server sent: publickey).
This tells me that you successfully enabled public key authentication. The problem is that you didn't configure the keys properly. You need to follow the points Matthew gave in the thread questions:
This public key can be obtained on Linux from a scratch configuration by issuing the 'ssh-keygen' command. This will generate two keys (RSA by default). One is called private, the other public. They will be placed in ~/.ssh/ with the private key in a file named id_rsa and the public key as id_rsa.pub. The public key you need to paste is inside id_rsa.pub, after the text 'ssh-rsa ' and without the email at the end.
You can use telnet access or the serial port to configure it so you don't have to reset the switch to the default configuration (since ssh is not accessible this time).
Make sure you connect with proper user name which is 'cisco' in this example configuration.
I haven't tried putty key generation facilities with this procedure but it might also work. Checkout PuTTYgen.
Regards.
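As an added example (it is not code from this thread, from Cisco, or from the switch firmware), the Python script below ties together three points raised above: it extracts exactly the key material the last reply describes (the base64 blob after 'ssh-rsa ', without the trailing comment), it computes the MD5 and SHA256 fingerprints so you can compare them with what the switch prints after the key is added (the check the original question mentions), and it reads the "authentication" lines of `ssh -v` output that the accepted answer suggests looking at, reporting which methods the server offered. The public key line and the debug lines are constructed samples; the RSA modulus is a tiny placeholder, not a usable key.

```python
import base64
import hashlib
import struct


def _build_sample_pubkey_line():
    """Constructed sample of an OpenSSH id_rsa.pub line (placeholder key, NOT real)."""
    e = 65537
    n = 0xC0FFEE1234567890ABCDEF  # placeholder modulus, far too small for real use

    def mpint(x):
        # SSH mpint: big-endian, length-prefixed, with a leading zero byte if the
        # top bit would otherwise be set (keeps the value positive).
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(b)) + b

    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " matt@example.invalid"


SAMPLE_PUBKEY_LINE = _build_sample_pubkey_line()

# Constructed sample resembling the lines `ssh -v` prints during authentication.
SAMPLE_SSH_V_LINES = [
    "debug1: SSH2_MSG_SERVICE_ACCEPT received",
    "debug1: Authentications that can continue: publickey",
    "debug1: Next authentication method: publickey",
    "debug1: Offering public key: /home/matt/.ssh/id_rsa RSA SHA256:placeholder",
    "debug1: Server accepts key: /home/matt/.ssh/id_rsa RSA SHA256:placeholder",
    "debug1: Authentication succeeded (publickey).",
]


def extract_blob(pubkey_line):
    """Return (key_type, base64_blob) from an OpenSSH public key line.

    The blob is the piece to paste into the switch: everything after the
    'ssh-rsa ' prefix and before the trailing comment/email. The wire format
    is checked so a truncated or mislabelled paste is caught locally.
    """
    parts = pubkey_line.strip().split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob_b64 = parts[0], parts[1]
    raw = base64.b64decode(blob_b64, validate=True)
    if len(raw) < 4:
        raise ValueError("blob too short to hold a key type")
    # Wire format: uint32 length-prefixed type string, which must match the
    # leading word of the line.
    (type_len,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + type_len].decode(errors="replace") != key_type:
        raise ValueError("key type inside blob does not match leading word")
    return key_type, blob_b64


def fingerprints(blob_b64):
    """MD5 (colon-separated hex) and SHA256 (unpadded base64) fingerprints of
    the decoded blob, in the formats ssh-keygen -l prints."""
    raw = base64.b64decode(blob_b64)
    md5_hex = hashlib.md5(raw).hexdigest()
    md5_fp = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha256_fp = "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return {"md5": md5_fp, "sha256": sha256_fp}


def fingerprint_matches(blob_b64, printed):
    """True if a fingerprint printed by the device (either format) equals the
    fingerprint of the local key."""
    fps = fingerprints(blob_b64)
    printed = printed.strip()
    if printed.lower().startswith("md5:"):
        printed = printed[4:]
    return printed.lower() == fps["md5"] or printed == fps["sha256"]


def server_auth_methods(debug_lines):
    """Set of methods the server offered, taken from ssh -v output. An empty
    set means the session never reached the authentication stage."""
    marker = "Authentications that can continue: "
    methods = set()
    for line in debug_lines:
        if marker in line:
            methods.update(m.strip() for m in line.split(marker, 1)[1].split(","))
    return methods


def auth_outcome(debug_lines):
    """The method that succeeded (e.g. 'publickey'), or None if none did."""
    for line in debug_lines:
        if "Authentication succeeded (" in line:
            return line.split("Authentication succeeded (", 1)[1].rstrip(").")
    return None


if __name__ == "__main__":
    key_type, blob = extract_blob(SAMPLE_PUBKEY_LINE)
    print("paste into switch:", blob)
    print("local fingerprints:", fingerprints(blob))
    print("server offered:", server_auth_methods(SAMPLE_SSH_V_LINES))
    print("outcome:", auth_outcome(SAMPLE_SSH_V_LINES))
```

If `server_auth_methods` returns only `{"publickey"}` and `auth_outcome` is None, the switch has pubkey-auth enabled but does not know your key, which is the state behind the PuTTY message quoted above; a fingerprint mismatch points at pasting the wrong blob (for example the private key file, or the line including its comment).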