SSH public key authentication, Allowed-user, Configuring incoming SSH authentication – Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual
If you set up a message of the day (MOTD), the MOTD displays either before or after the login prompt,
depending on the SSH client implementation. Fabric OS does not control when the message displays.
SSH public key authentication
OpenSSH public key authentication provides password-less logins, known as SSH authentication, that
use public and private key pairs for incoming and outgoing authentication.
This feature allows only one allowed-user to be configured to use outgoing OpenSSH public key
authentication. Any admin user can perform incoming OpenSSH public key authentication.
With OpenSSH RSA, DSA, and ECDSA, the authentication protocols are based on a pair of specially
generated cryptographic keys, called the private key and the public key. The advantage of using these
key-based authentication systems is that in many cases, it is possible to establish secure connections
without having to depend on passwords for security. The RSA and ECDSA asymmetric algorithms are
FIPS-compliant.
Incoming authentication is used when the remote host needs to authenticate to the switch. Outgoing
authentication is used when the switch needs to authenticate to a server or remote host, such as when
running the configUpload or configDownload commands, or performing firmware download. Both
password and public key authentication can coexist on the switch.
Allowed-user
For outgoing authentication, the default admin user must set up the allowed-user with admin
permissions. By default, the admin is the configured allowed-user. While creating the key pair, the
configured allowed-user can choose a passphrase with which the private key is encrypted. Then the
passphrase must always be entered when authenticating to the switch. The allowed-user must have
admin permissions to perform OpenSSH public key authentication, import and export keys, generate a
key pair for an outgoing connection, and delete public and private keys.
Configuring incoming SSH authentication
1. Log in to your remote host.
2. Verify that SSH v2 is installed and working (refer to your host’s documentation as necessary), then
generate a key pair for host-to-switch (incoming) authentication by entering the following command:
ssh-keygen -t rsa
Example of RSA/DSA key pair generation
anyuser@mymachine: ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/users/anyuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /users/anyuser/.ssh/id_rsa.
Your public key has been saved in /users/anyuser/.ssh/id_rsa.pub.
The key fingerprint is:
32:9f:ae:b6:7f:7e:56:e4:b5:7a:21:f0:95:42:5c:d1 anyuser@mymachine
3. Log in to the switch as any user with the admin role and enter the sshUtil importpubkey command
to import the public key.
Example of adding the public key to the switch
switch:anyuser> sshutil importpubkey
Enter user name for whom key is imported: aswitchuser
Enter IP address:192.168.38.244
Enter remote directory:~auser/.ssh
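A pre-import check for the public key generated in step 2, as an added example that is not part of the Brocade guide: it parses the .pub line, confirms that the declared key type matches the type inside the key blob, and reports the colon-separated MD5 fingerprint in the format ssh-keygen printed above, so it can be compared with the value recorded at generation time. The function names and the sample key are constructed for illustration; treating only RSA and ECDSA as FIPS-compliant follows the statement on this page.

```python
import base64
import hashlib

def pack_string(data):
    """Encode bytes as an RFC 4253 string: 4-byte big-endian length, then data."""
    return len(data).to_bytes(4, "big") + data

def read_string(blob, offset):
    """Decode one length-prefixed string; return (value, next_offset)."""
    end = offset + 4 + int.from_bytes(blob[offset:offset + 4], "big")
    if offset + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def inspect_pubkey(line):
    """Return facts about one OpenSSH public key line to review before import."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    inner, offset = read_string(blob, 0)
    if inner != declared.encode("ascii"):
        raise ValueError("declared key type does not match key blob")
    bits = None
    if declared == "ssh-rsa":  # blob layout: type, exponent e, modulus n
        _, offset = read_string(blob, offset)
        modulus, offset = read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return {
        "type": declared,
        "rsa_bits": bits,
        # Assumption: only the types the page calls FIPS-compliant (RSA, ECDSA) pass.
        "fips_type": declared == "ssh-rsa" or declared.startswith("ecdsa-sha2-"),
        # Colon-separated MD5 of the blob: the format ssh-keygen printed above.
        "md5_fp": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "comment": fields[2] if len(fields) > 2 else "",
    }

def make_sample_line(key_type="ssh-rsa"):
    """Constructed sample, not a real key: filler bytes stand in for a 2048-bit modulus."""
    modulus = b"\x00" + b"\xc3" * 256  # leading zero keeps the mpint positive
    blob = pack_string(key_type.encode()) + pack_string(b"\x01\x00\x01") + pack_string(modulus)
    return f"{key_type} {base64.b64encode(blob).decode()} anyuser@mymachine"

if __name__ == "__main__":
    print(inspect_pubkey(make_sample_line()))
```

To check a real key, pass the single line from the .pub file written by ssh-keygen to inspect_pubkey instead of the constructed sample.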
Fabric OS Administrators Guide
53-1003130-01