120 Fabric OS Administrator’s Guide
53-1001763-02
Secure Shell protocol
6

SSH public key authentication

OpenSSH public key authentication provides password-less logins, known as SSH authentication,
that uses public and private key pairs for incoming and outgoing authentication. This feature allows
only one allowed-user to be configured to utilize OpenSSH public key authentication. Using
OpenSSH RSA and DSA, the authentication protocols are based on a pair of specially generated
cryptographic keys, called the private key and the public key. The advantage of using these
key-based authentication systems is that in many cases, it is possible to establish secure
connections without having to manually type in a password. RSA and DSA asynchronous algorithms
are FIPS-compliant.

Allowed-user

The default admin user must set up the allowed-user with the admin role. By default, the admin is
the configured allowed-user. While creating the key pair, the configured allowed-user can choose a
passphrase with which the private key is encrypted. Then the passphrase must always be entered
when authenticating to the switch. The allowed-user must have an admin role that can perform
OpenSSH public key authentication, import and export keys, generate a key pair for an outgoing
connection, and delete public and private keys. After the allowed-user is changed, all the public
keys related to the old allowed-user are lost.

Configuring SSH authentication

Incoming authentication is used when the remote host needs to authenticate to the switch.
Outgoing authentication is used when the switch needs to authenticate to a server or remote host,
more commonly used for the configUpload command. Both password and public key authentication
can coexist on the switch.
After the allowed-user is configured, the remaining setup steps must be completed by the
allowed-user.
1. Log in to the switch as the default admin.
2. Change the allowed-user’s role to admin, if applicable.
switch:admin> userconfig --change username -r admin
Where username is the name of the user you want to perform SSH public key authentication,
import, export, and delete keys.
3. Set up the allowed-user by typing the following command:
switch:admin> sshutil allowuser username
Where username is the name of the user you want to perform SSH public key authentication,
import, export, and delete keys.
4. Generate a key pair for host-to-switch (incoming) authentication by logging in to your host as
admin, verifying that SSH v2 is installed and working (refer to your host’s documentation as
necessary) by typing the following command:
ssh-keygen -t dsa
If you need to generate a key pair for outgoing authentication, skip steps 4 and 5 and proceed
to step 6.