Expected behaviors

With the include-credentials command

- When the command include-credentials is enabled, public keys are stored both in the configuration and in flash files.
- When the command no include-credentials is executed, the client public key is stored only in flash.
- When the command no include-credentials store-in-config is executed, the behavior depends on the choice the user makes at the pop-up prompt.
Zeroization

When the zeroization command

switch(config)# crypto key zeroize ssh-client-key

is executed, the client public keys are zeroized in flash:

switch(config)# crypto key zeroize ssh-client-key
The manager key pair will be deleted, continue (y/n)? y

The command erase all zeroize also zeroizes the key files in flash. The command erase all only deletes the key files from flash.
Switch is moved to/from enhanced security mode
Since the secure mode change goes through zeroization, the client keys are deleted and the switch reverts to the default configuration with no client keys present.
Attempting to configure a two-factor authentication method with no public key or username configured
If the username and/or the public key is not configured, an RMON event is logged with a message stating that the authentication method is set to two-factor with some configuration missing.
When a user then tries to connect using SSH, the connection fails.
Deletion of the public key and/or username when the authentication method is set to two-factor authentication
After the authentication method is set to two-factor, if the client public keys are deleted while the usernames still exist on the switch...
After the authentication method is set to two-factor, if the username is deleted while the public key still exists on the switch...
When both the public key and the usernames are deleted while the authentication method is set to two-factor authentication...

An alternative solution is to block deletion of the public key and/or username while the authentication method is set to two-factor authentication. With this approach, the impact on many configuration paths must be handled carefully, since the username/password can be configured through many interfaces such as SNMP, REST, WebUI, Menu, setup mgmt-interfaces, and include-credentials.
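The missing-prerequisite and deletion cases above both leave the switch in a state where two-factor SSH logins fail, and whether that state is even visible in the configuration depends on include-credentials. The following added audit script (not from the switch documentation) illustrates checking a running-config excerpt for these conditions; the config line formats it matches, the sample config, and the two-factor keyword are assumptions for illustration and should be adjusted to the firmware's actual syntax.

```python
import re

# Constructed sample running-config excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
hostname "core-1"
include-credentials
password manager user-name "admin" sha1 "<hash-placeholder>"
ip ssh public-key manager "ssh-rsa AAAA-constructed-key admin@host"
aaa authentication ssh login two-factor
"""

# Assumed line formats; adjust to the running-config syntax of your firmware.
RE_AUTH = re.compile(r"^aaa authentication ssh login (\S+)")
RE_USER = re.compile(r'^password (manager|operator) user-name "([^"]+)"')
RE_PUBKEY = re.compile(r'^ip ssh public-key (manager|operator) "')

def parse_config(text):
    """Collect the facts the expected-behavior table depends on."""
    facts = {"include_credentials": False, "ssh_login_method": None,
             "usernames": set(), "pubkey_roles": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "include-credentials":
            facts["include_credentials"] = True
        elif m := RE_AUTH.match(line):
            facts["ssh_login_method"] = m.group(1)
        elif m := RE_USER.match(line):
            facts["usernames"].add(m.group(2))
        elif m := RE_PUBKEY.match(line):
            facts["pubkey_roles"].add(m.group(1))
    return facts

def audit(text):
    """Return findings; an empty list means the two-factor setup is consistent."""
    f = parse_config(text)
    if f["ssh_login_method"] != "two-factor":
        return []
    if not f["include_credentials"]:
        # Credentials and client keys live only in flash: not visible in the config,
        # and removed by 'crypto key zeroize ssh-client-key' or 'erase all'.
        return ["include-credentials off: verify username and client key on the switch"]
    findings = []
    if not f["usernames"]:
        findings.append("no username configured: two-factor SSH logins will fail")
    if not f["pubkey_roles"]:
        findings.append("no client public key configured: two-factor SSH logins will fail")
    return findings
```

Run the audit against a saved configuration before and after any change that touches usernames or client keys, so a state that would cause an RMON "configuration missing" event is caught before the next SSH login fails.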
Authentication method re-configured at run time
If the authentication method is reconfigured at run time, the modified authentication method is applied when the next new connection is established.