Option B: Configuring the switch for client Public-Key SSH authentication

Using this option results in the switch also authenticating the client's public key.

If configured with this option, the switch uses its public key to authenticate itself to a client, but the client must also provide a client public key for the switch to authenticate. This option requires the additional step of copying a client public-key file from a TFTP or SFTP server into the switch.

With the prerequisite steps complete and SSH properly configured on the switch, if an SSH client contacts the switch, login authentication automatically occurs first, using the switch and client public keys. After the client gains login access, the switch controls client access to the manager level by requiring the passwords configured earlier by the aaa authentication ssh enable command.

NOTE:

Hewlett Packard Enterprise recommends that you always assign a manager-level (enable) password to the switch. Without this level of protection, any user with Telnet, web, or serial port access to the switch can change the switch configuration. If you configure only an operator password, entering the operator password through Telnet, web, SSH, or serial port access enables full manager privileges. See 1.

Prerequisites

Before you can use this option, you must do the following:

  1. Create a key pair on an SSH client.

  2. Copy the client's public key into a public-key file (which can contain up to 10 client public keys).

  3. Copy the public-key file into a TFTP or SFTP server accessible to the switch and download the file to the switch.

Procedure
  1. Copy the public-key file into the switch.
    
    copy tftp pub-key-file <ipv4-address|ipv6-address> <filename>
    
  2. Configure the switch to authenticate a client public key at the login level with an optional secondary password method.
    
    aaa authentication ssh login public-key
    

    Default: none

  3. Configure a password method for the primary and secondary enable (manager) access. If you do not specify an optional secondary method, it defaults to none.
    
    aaa authentication ssh enable <local|tacacs|radius|public-key> <local|none|authorized>
    

    If the primary access method is local, you can only specify none for a secondary access method.

    The authorized option allows access without authentication.

    NOTE:

    The configuration of SSH clients' public keys is stored in flash memory on the switch. You also can save SSH client public-key configurations to a configuration file by entering the following commands:

    1. include-credentials

    2. write memory

    For more information about saving security credentials to a configuration file, see Saving security credentials in a config file.

Configuring for SSH access requiring a client public-key match and manager passwords

Assume you have a client public-key file named Client-Keys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the switch:

  • For SSH access to the switch, allow only clients that have a private key matching a public key listed in Client-Keys.pub.

  • For manager-level (enable) access for successful SSH clients, use TACACS+ for primary password authentication and local for secondary password authentication, with a manager username of "leader" and a password of "m0ns00n".

To set up this operation, configure the switch in a manner similar to the following illustration:

The following illustration shows how to check the results of the above commands.
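Neither illustration is reproduced on this page. The command sequence below is an added example written for this section (it is not the page's own figure), tying together the Procedure steps above and the Client-Keys.pub scenario. It assumes the `switch(config)#` prompt, that SSH and the TACACS+ server were already set up as part of the prerequisites the page refers to, and it uses the `password manager user-name`, `show authentication` and `show crypto client-public-key` commands and the password-prompt wording, none of which appear on this page.

```text
; Added example, not the page's own illustration. Prompt and check commands are assumptions.
; Step 1: pull Client-Keys.pub from the TFTP server at 10.33.18.117 into the switch
switch(config)# copy tftp pub-key-file 10.33.18.117 Client-Keys.pub
; Step 2: login level requires a matching client public key (secondary method left at the default, none)
switch(config)# aaa authentication ssh login public-key
; Step 3: enable (manager) level: TACACS+ first, local password as the fallback
switch(config)# aaa authentication ssh enable tacacs local
; Local manager credentials used by the secondary method (password typed at the prompt; not echoed)
switch(config)# password manager user-name leader
New password for Manager: ********
Please retype new password for Manager: ********
switch(config)# write memory

; Verify the result (assumed show commands)
switch(config)# show authentication
switch(config)# show crypto client-public-key
```

The client keys themselves live in flash as the NOTE above explains; they only land in the saved configuration file if you run `include-credentials` before `write memory`. Keep `local` (or `none`) as the secondary enable method: the page notes that `authorized` grants manager access without any authentication, so it should not be used as the fallback for manager-level access.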