Enabling SSH Public Key Authentication on SG 300-10

mdainty
Level 1

I'm trying to enable SSH Public Key Authentication on an SG 300-10 running 1.1.0.73.

I've generated RSA and DSA key pairs and enabled SSH so I can access the switch with a username and password no problem.

I then generated an SSH key pair on my client machine and added the public key to the switch using:

  1. crypto key pubkey-chain ssh
  2. user-key cisco rsa
  3. key-string
  4. <paste public key>

The switch then prints out the fingerprint, which matches what ssh-keygen printed when I generated the key. However, I can't work out what I'm supposed to do next. "sh ip ssh" still says public key authentication is disabled and I can't find another command to enable it explicitly.

What am I missing?

Thanks

Matt


5 Replies

hugo.letemplier
Level 1

Did you find a solution? I am interested in such a functionality on this model.

thanks

Hugo

michalpas
Level 1

Hi,

Please add the "ip ssh pubkey-auth" command to the switch configuration. This will enable public key authentication and "show ip ssh" should verify that it is enabled.

This will force the clients to use pubkey and login without it will not be possible. There are two authentication methods the switch's ssh server sends to clients, NULL or PUBKEY. To see how the ssh client authenticates to the server, add the -v switch to the command line (openssh client) and look for lines containing the word "authentication".

This will look a bit surprising but when pubkey is used you will see a prompt for username and password. That is done after the session has been established. You can disable it via other configuration settings.

Regards.

Yes, "ip ssh pubkey-auth" is indeed the correct command, however it was absent/removed from some releases of firmware. I was previously running version 1.1.1.8 and I had this problem, however I've just upgraded to version 1.1.2.0 and I'm pleased to say the command is available again.

The alternative is to use SNMP to enable the option, setting

1.3.6.1.4.1.9.6.1.101.78.2.103.0 to 1 will also enable the use of public keys.

OmarGarcia2207
Level 1

Hi,

Continuing the theme raised, I comment on the following points:

  • Enable telnet with the command ip telnet server.
  • I can not access via ssh.
  • Using putty to login via ssh, the message which appears as you type the user is the following: Disconnected: No supported authentication methods available (server sent: publickey).

Stay tuned to your comments.

Thanks

Omar

Hi Omar,

>> Enable telnet with the command ip telnet server.

This command enables telnet access, which is a different protocol. You can access it via the telnet command in Linux and Windows. It runs on tcp port 23. SSH runs on tcp port 22. It is not recommended these days because this protocol sends everything in cleartext, username and password too. No encryption whatsoever.

>> Using putty to login via ssh user the message which appears as you type the following: Disconnected: No supported authentication methods available (server sent: publickey).

This tells me that you successfully enabled public key authentication. The problem is that you didn't configure the keys properly. You need to follow the points Matthew gave in the thread questions:

  1. crypto key pubkey-chain ssh
  2. user-key cisco rsa
  3. key-string # see below how to get new public key here

This public key can be obtained on Linux from a scratch configuration by issuing the 'ssh-keygen' command. This will generate two keys (RSA by default). One is called private, the other public. They will be placed in ~/.ssh/ with the private key in a file named id_rsa and the public key as id_rsa.pub. The public key you need to paste is inside id_rsa.pub, after the text 'ssh-rsa ' and without the email at the end.

You can use telnet access or the serial port to configure it so you don't have to reset the switch to the default configuration (since ssh is not accessible this time).

Make sure you connect with proper user name which is 'cisco' in this example configuration.

I haven't tried putty key generation facilities with this procedure but it might also work. Check out PuTTYgen.

Regards.
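An added example (not from this thread or from Cisco) covering two points made in the replies: pulling the body to paste at the key-string prompt out of id_rsa.pub with the 'ssh-rsa ' prefix and the trailing comment stripped, computing the fingerprint to compare with what the switch prints, and reading which authentication methods the server advertised from "ssh -v" output. The key, the comment "matt@laptop" and the debug lines are constructed samples; the toy modulus is not a usable key.

```python
import base64
import hashlib
import re
import struct

def _ssh_string(data: bytes) -> bytes:
    # SSH wire string: uint32 big-endian length, then the bytes themselves.
    return struct.pack(">I", len(data)) + data

def _mpint(x: int) -> bytes:
    # SSH mpint of a positive integer; gains a leading 0x00 if the top bit is set.
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

# Constructed sample, not a usable key: a 256-bit toy modulus and e=65537 stand in
# for the "ssh-rsa <base64> <comment>" line ssh-keygen writes to ~/.ssh/id_rsa.pub.
SAMPLE_N = 0xC7B2F1A3D4E5F60718293A4B5C6D7E8F9A0B1C2D3E4F50617283940A5B6C7D8F
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(SAMPLE_N)
SAMPLE_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " matt@laptop"

# Constructed lines in the shape of OpenSSH "ssh -v" debug output.
SAMPLE_SSH_V = """debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Authentication succeeded (publickey).
"""

def key_string_for_switch(pubkey_line: str) -> str:
    """Base64 body to paste at the key-string prompt: the 'ssh-rsa ' prefix and the
    trailing comment/email are dropped after checking the body is an ssh-rsa blob."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64> [comment]' line")
    blob = base64.b64decode(parts[1], validate=True)
    algo_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + algo_len] != b"ssh-rsa":
        raise ValueError("base64 body does not carry an ssh-rsa key")
    return parts[1]

def fingerprints(body_b64: str) -> dict:
    """Blob fingerprints in both formats ssh-keygen -l has used (MD5 colon-hex,
    SHA256 base64), to compare with the fingerprint the switch prints."""
    blob = base64.b64decode(body_b64)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "sha256": "SHA256:" + sha}

def offered_auth_methods(ssh_verbose_output: str) -> list:
    """Methods the server advertised, from the 'Authentications that can continue:' line."""
    m = re.search(r"Authentications that can continue: (\S+)", ssh_verbose_output)
    return m.group(1).split(",") if m else []
```

If the server line lists only publickey and PuTTY still reports "No supported authentication methods available", the switch side is enabled and the key pasted under user-key is what to re-check.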