Management – Telnet, Secure Shell (SSH) and Secure Login (Slogin)

RSA and Certificate Commands

Keys and Certificates

The device automatically generates default RSA/DSA keys and certificates at the following times:

  • When the device is booted with an empty configuration.
  • When user-defined keys/certificates are deleted.

Some commands in this section are used to generate user-defined RSA/DSA keys and certificates that replace the default keys and are used by SSL and SSH server commands. Other commands can be used to import these keys from an external source.

These keys and certificates are stored in the configuration files.

The following table describes when these keys/certificates are displayed.

File Type Being Displayed | What is Displayed in a Show Command Without "detailed" | What is Displayed in a Show Command With "detailed"
Startup Config | Only user-defined keys/certificates. | Option is not supported.
Running Config | Keys are not displayed. | All keys (default and user-defined).
Text-based CLI (local backup config. file, or remote backup config. file) | Keys are displayed as they were copied. There is no distinction here between default and user-defined keys. | Option is not supported.

The following table describes how keys/certificates can be copied from one type of configuration file to another (using the copy command).

Destination File Type | Copy from Running Config. | Copy from Startup Config. | Copy from Remote/Local Backup Config. File
Startup Config. | All keys/certificates are copied (but only user-defined ones can be displayed). | Option is not supported. | All keys/certificates present in this file are copied (*, **).
Running Config. | N/A | Only user-defined. | All keys/certificates present in this file are copied (*).
Text-based CLI (local backup config. file, or remote backup config. file) | All keys (default and user-defined). | Only user-defined. | All keys/certificates present in this file are copied (**).

* If the Running Configuration file on the device contains default keys (not user-defined ones), the same default keys remain after reboot.

** In a text-based configuration file, there is no distinction between automatically-defined, default keys and user-defined keys.

crypto key generate dsa

The crypto key generate dsa Global Configuration mode command generates a DSA key pair for SSH Public-Key authentication.

Syntax

crypto key generate dsa

Parameters

N/A

Default Configuration

The application creates a default key automatically.

Command Mode

Global Configuration mode

User Guidelines

DSA keys are generated in pairs – one public DSA key and one private DSA key.

If the device already has DSA keys (default or user-defined), a warning is displayed with a prompt to replace the existing keys with new keys.

Erasing the startup configuration or returning to factory defaults automatically deletes the default keys; they are recreated during device initialization.

This command is not saved in the Running configuration file. However, the keys generated by this command are saved to the Running Configuration file.

See Keys and Certificates for information on how to display and copy this key pair.

Example

The following example generates a DSA key pair.

switchxxxxxx(config)# crypto key generate dsa

The SSH service is generating a private DSA key.

This may take a few minutes, depending on the key size.

……….

crypto key generate rsa

The crypto key generate rsa Global Configuration mode command generates RSA key pairs for SSH Public-Key Authentication.

Syntax

crypto key generate rsa

Parameters

N/A

Default Configuration

The application creates a default key automatically.

Command Mode

Global Configuration mode

User Guidelines

RSA keys are generated in pairs – one public RSA key and one private RSA key.

If the device already has RSA keys (default or user-defined), a warning is displayed with a prompt to replace the existing keys with new keys.

Erasing the startup configuration or returning to factory defaults automatically deletes the default keys; they are recreated during device initialization.

This command is not saved in the Running configuration file. However, the keys generated by this command are saved to the Running Configuration file.

See Keys and Certificates for information on how to display and copy this key pair.

Example

The following example generates RSA key pairs where an RSA key already exists.

switchxxxxxx(config)# crypto key generate rsa
Replace Existing RSA Key [y/n]? N
switchxxxxxx(config)#

crypto key import

The crypto key import Global Configuration mode command imports the DSA/RSA key pair.

Use the no form of the command to remove the user key and generate a new default in its place.

Syntax

crypto key import {dsa | rsa}

no crypto key {dsa | rsa}

Parameters

N/A

Default Configuration

DSA and RSA key pairs do not exist.

Command Mode

Global Configuration mode

User Guidelines

DSA/RSA keys are imported in pairs – one public DSA/RSA key and one private DSA/RSA key.

If the device already has DSA/RSA keys, a warning is displayed with a prompt to replace the existing keys with new keys.

This command is saved in the Running Configuration file.

Example

switchxxxxxx(config)# crypto key import rsa
---- BEGIN SSH2 PRIVATE KEY ----

switchxxxxxx(config)# encrypted crypto key import rsa
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: RSA Private Key
 
 
---- END SSH2 PRIVATE KEY ----
 
---- BEGIN SSH2 PUBLIC KEY ----
 
Comment: RSA Public Key
 
AAAAB3NzaC1yc2EAAAABIwAAAIEAvRHsKry6NKMKymb+yWEp9042vupLvYVq3ngt1sB9JH
 
OcdK/2nw7lCQguy1mLsX8/bKMXYSk/3aBEvaoJQ82+r/nRf0y3HTy4Wp9zV0SiVC8jLD+7
 
7t0aHejzfUhr0FRhWWcLnvYwr+nmrYDpS6FADMC2hVA85KZRye9ifxT7otE=
 
---- END SSH2 PUBLIC KEY ----

show crypto key

The show crypto key Privileged EXEC mode command displays the device’s SSH public keys for both default and user-defined keys.

Syntax

show crypto key [mypubkey] [rsa | dsa]

Parameters

  • mypubkey—Displays only the public key.
  • rsa—Displays the RSA key.
  • dsa—Displays the DSA key.

Default Configuration

N/A

Command Mode

Privileged EXEC mode

User Guidelines

See Keys and Certificates for information on how to display and copy this key pair.

Example

The following example displays the SSH public DSA keys on the device.

switchxxxxxx# show crypto key mypubkey dsa
 
---- BEGIN SSH2 PUBLIC KEY ----
 
Comment: RSA Public Key
 
AAAAB3NzaC1yc2EAAAABIwAAAIEAzN31fu56KSEOZdrGVPIJHpAs8G8NDIkB dqZ2q0QPiKCnLPw0Xsk9tTVKaHZQ5jJbXn81QZpolaPLJIIH3B1cc96D7IFf VkbPbMRbz24dpuWmPVVLUlQy5nCKdDCui5KKVD6zj3gpuhLhMJor7AjAAu5e
 
BrIi2IuwMVJuak5M098=
 
---- END SSH2 PUBLIC KEY ----
 
Public Key Fingerprint: 6f:93:ca:01:89:6a:de:6e:ee:c5:18:82:b2:10:bc:1e

crypto certificate generate

The crypto certificate generate Global Configuration mode command generates a self-signed certificate for HTTPS.

Syntax

crypto certificate number generate [key-generate [length]] [cn common-name] [ou organization-unit] [or organization] [loc location] [st state] [cu country] [duration days]

Parameters

  • number—Specifies the certificate number. (Range: 1–2)
  • key-generate length—Regenerates the SSL RSA key and specifies the SSL RSA key length. (Range: 2048–3072)

The following elements can be associated with the key. When the key is displayed, they are also displayed.

  • cn common-name—Specifies the fully qualified device URL or IP address. (Length: 1–64 characters). If unspecified, defaults to the lowest IP address of the device (when the certificate is generated).
  • ou organization-unit—Specifies the organization-unit or department name. (Length: 1–64 characters)
  • or organization—Specifies the organization name. (Length: 1–64 characters)
  • loc location—Specifies the location or city name. (Length: 1–64 characters)
  • st state—Specifies the state or province name. (Length: 1–64 characters)
  • cu country—Specifies the country name. (Length: 2 characters)
  • duration days—Specifies the number of days a certification is valid. (Range: 30–3650)

Default Configuration

If the key-generate parameter is not used, the certificate is generated using the existing key.

The default SSL’s RSA key length is 2048.

If cn common-name is not specified, it defaults to the device’s lowest static IPv6 address (when the certificate is generated), or to the device’s lowest static IPv4 address if there is no static IPv6 address, or to 0.0.0.0 if there is no static IP address.

If duration days is not specified, it defaults to 365 days.

Command Mode

Global Configuration mode

User Guidelines

If the specific certificate key does not exist, you must use the parameter key-generate.

If both certificates 1 and 2 have been generated, use the ip https certificate command to activate one of them.

See Keys and Certificates for information on how to display and copy this key pair.

Erasing the startup configuration or returning to factory defaults automatically deletes the default keys; they are recreated during device initialization.

Example

The following example generates a self-signed certificate for HTTPS whose length is 2048 bytes.

switchxxxxxx(config)# crypto certificate 1 generate key-generate 2048

crypto certificate request

The crypto certificate request Privileged EXEC mode command generates and displays a certificate request for HTTPS.

Syntax

crypto certificate number request [cn common-name] [ou organization-unit] [or organization] [loc location] [st state] [cu country]

Parameters

  • number—Specifies the certificate number. (Range: 1–2)

The following elements can be associated with the key. When the key is displayed, they are also displayed.

  • cn common-name—Specifies the fully qualified device URL or IP address. (Length: 1–64 characters). If unspecified, defaults to the lowest IP address of the device (when the certificate is generated).
  • ou organization-unit—Specifies the organization-unit or department name. (Length: 1–64 characters)
  • or organization—Specifies the organization name. (Length: 1–64 characters)
  • loc location—Specifies the location or city name. (Length: 1–64 characters)
  • st state—Specifies the state or province name. (Length: 1–64 characters)
  • cu country—Specifies the country name. (Length: 2 characters)

Default Configuration

If cn common-name is not specified, it defaults to the device’s lowest static IPv6 address (when the certificate is generated), or to the device’s lowest static IPv4 address if there is no static IPv6 address, or to 0.0.0.0 if there is no static IP address.

Command Mode

Privileged EXEC mode

User Guidelines

Use this command to export a certificate request to a Certification Authority. The certificate request is generated in Base64-encoded X.509 format.

Before generating a certificate request, first generate a self-signed certificate using the crypto certificate generate command to generate the keys. The certificate fields must be re-entered.

After receiving the certificate from the Certification Authority, use the crypto certificate import command to import the certificate into the device. This certificate replaces the self-signed certificate.

Example

The following example displays the certificate request for HTTPS.

switchxxxxxx# crypto certificate 1 request
 
-----BEGIN CERTIFICATE REQUEST-----
 
 
-----END CERTIFICATE REQUEST-----

crypto certificate import

The crypto certificate import Global Configuration mode command imports a certificate signed by a Certification Authority for HTTPS. In addition, the relevant key-pair can also be imported.

Use the no form of the command to delete the user-defined keys and certificate.

Syntax

crypto certificate number import

no crypto certificate number

Parameters

  • number—Specifies the certificate number. (Range: 1–2).

Default Configuration

N/A

Command Mode

Global Configuration mode

User Guidelines

The certificate must be imported in PEM encoding (a file with the PEM file extension).

To end the session (return to the command line to enter the next command), enter a blank line.

The imported certificate must be based on a certificate request created by the crypto certificate request command.

If only the certificate is imported, and the public key found in the certificate does not match the device’s SSL RSA key, the command fails. If both the public key and the certificate are imported, and the public key found in the certificate does not match the imported RSA key, the command fails.

This command is saved in the Running configuration file.

See Keys and Certificates for information on how to display and copy this key pair.

Examples

Example 1 – The following example imports a certificate signed by the Certification Authority for HTTPS.

switchxxxxxx(config)# crypto certificate 1 import
 
Please paste the input now, add a period (.) on a separate line after the input, and press Enter.
 
-----BEGIN CERTIFICATE-----
 
 
-----END CERTIFICATE-----
 
Certificate imported successfully.
 
Issued by : C=  , ST= , L= , CN=0.0.0.0, O= , OU=
 
Valid From: Jan 24 18:41:24 2011 GMT
 
Valid to: Jan 24 18:41:24 2012 GMT
 
Subject: C=US , ST= , L= , CN=router.gm.com, O= General Motors, OU=
 
SHA1 Finger print: DC789788 DC88A988 127897BC BB789788

Example 2 – The following example imports a certificate signed by the Certification Authority for HTTPS, and the RSA key pair.

switchxxxxxx(config)# crypto certificate 1 import
 
Please paste the input now, add a period (.) on a separate line after the input, and press Enter.
 
-----BEGIN RSA PRIVATE KEY-----
 
 
-----END RSA PRIVATE KEY-----
 
-----BEGIN RSA PUBLIC KEY-----
 
MIGHAoGBAMVuFgfJYLbUzmbm6UoLD3ewHYd1ZMXY4A3KLF2SXUd1TIXq84aME8DIitSfB2
 
Cqy4QB5InhgAobBKC96VRsUe2rzoNG4QDkj2L9ukQOvoFBYNmbzHc7a+7043wfVmH+QOXf
 
TbnRDhIMVrZJGbzl1c9IzGky1l21Xmicy0/nwsXDAgEj
 
-----END RSA PUBLIC KEY-----
 
-----BEGIN CERTIFICATE-----
 
 
-----END CERTIFICATE-----
.
 
Certificate imported successfully.
 
Issued by : C=  , ST= , L= , CN=0.0.0.0, O= , OU=
 
Valid From: Jan 24 18:41:24 2011 GMT
 
Valid to: Jan 24 18:41:24 2012 GMT
 
Subject: C=US , ST= , L= , CN=router.gm.com, O= General Motors, OU=

SHA1 Finger print: DC789788 DC88A988 127897BC BB789788

show crypto certificate

The show crypto certificate Privileged EXEC mode command displays the device’s SSL certificates and key pair for both default and user-defined keys.

Syntax

show crypto certificate [mycertificate] [number]

Parameters

  • number—Specifies the certificate number. (Range: 1–2)

Default Configuration

Displays both keys.

Command Mode

Privileged EXEC mode

Examples

The following example displays SSL certificate # 1 present on the device.

switchxxxxxx# show crypto certificate 1
Certificate 1:
Certificate Source: Default
-----BEGIN CERTIFICATE-----
 
dHmUgUm9vdCBDZXJ0aWZpZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp4HS nnH/xQSGA2ffkRBwU2XIxb7n8VPsTm1xyJ1t11a1GaqchfMqqe0kmfhcoHSWr yf1FpD0MWOTgDAwIDAQABo4IBojCCAZ4wEwYJKwYBBAGCNxQCBAYeBABDAEEw CwR0PBAQDAgFGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAf4MT9BRD47
 
ZvKBAEL9Ggp+6MIIBNgYDVR0fBIIBLTCCASkwgdKggc+ggcyGgclsZGFwOi8v L0VByb3h5JTIwU29mdHdhcmUlMjBSb290JTIwQ2VydGlmaWVyLENOPXNlcnZl
 
-----END CERTIFICATE-----
 
Issued by: www.verisign.com
 
Valid from: 8/9/2003 to 8/9/2004
 
Subject: CN= router.gm.com, O= General Motors, C= US
 
Finger print: DC789788 DC88A988 127897BC BB789788

ip telnet server

Use the ip telnet server Global Configuration mode command to enable the device as a Telnet server that accepts connection requests from remote Telnet clients. Remote Telnet clients can configure the device through the Telnet connections.

Use the no form of this command to disable the Telnet server functionality on the device.

Syntax

ip telnet server

no ip telnet server

Default Configuration

Enabled

Command Mode

Global Configuration mode

User Guidelines

The device can be enabled to accept connection requests from both remote SSH and Telnet clients. It is recommended that remote clients connect to the device using SSH rather than Telnet, since SSH is a secure protocol and Telnet is not. To enable the device to be an SSH server, use the ip ssh server command.

Example

The following example enables the Telnet server on the device.

switchxxxxxx(config)# ip telnet server

ip ssh server

The ip ssh server Global Configuration mode command enables the device to be an SSH server and so to accept connection requests from remote SSH clients. Remote SSH clients can manage the device through the SSH connection.

Use the no form of this command to disable the SSH server functionality from the device.

Syntax

ip ssh server

no ip ssh server

Default Configuration

The SSH server functionality is disabled by default.

Command Mode

Global Configuration mode

User Guidelines

The device, as an SSH server, generates the encryption keys automatically.

To generate new SSH server keys, use the crypto key generate dsa and crypto key generate rsa commands.

Example

The following example enables the device to be an SSH server.

switchxxxxxx(config)# ip ssh server

ip ssh port

The ip ssh port Global Configuration mode command specifies the TCP port used by the SSH server. Use the no form of this command to restore the default configuration.

Syntax

ip ssh port port-number

no ip ssh port

Parameters

  • port-number—Specifies the TCP port number to be used by the SSH server. (Range: 1–65535).

Default Configuration

The default TCP port number is 22.

Command Mode

Global Configuration mode

Example

The following example specifies that TCP port number 8080 is used by the SSH server.

switchxxxxxx(config)# ip ssh port 8080

ip ssh password-auth

Use the ip ssh password-auth Global Configuration mode command to enable password authentication of incoming SSH sessions.

Use the no form of this command to disable this function.

Syntax

ip ssh password-auth

no ip ssh password-auth

Default Configuration

Password authentication of incoming SSH sessions is disabled.

Command Mode

Global Configuration mode

User Guidelines

This command enables password authentication of remote SSH clients by the local SSH server.

The local SSH server advertises all enabled SSH authentication methods and remote SSH clients are responsible for choosing one of them.

After a remote SSH client is successfully authenticated by public key, the client must still be AAA-authenticated to gain management access to the device.

If no SSH authentication method is enabled, remote SSH clients must still be AAA-authenticated before being granted management access to the device.

Example

The following example enables password authentication of the SSH client.

switchxxxxxx(config)# ip ssh password-auth

ip ssh pubkey-auth

Use the ip ssh pubkey-auth Global Configuration mode command to enable public key authentication of incoming SSH sessions.

Use the no form of this command to disable this function.

Syntax

ip ssh pubkey-auth [auto-login]

no ip ssh pubkey-auth

Parameters

  • auto-login—Specifies that the device management AAA authentication (CLI login) is not needed. By default, the login is required after the SSH authentication.

Default Configuration

Public key authentication of incoming SSH sessions is disabled.

Command Mode

Global Configuration mode

User Guidelines

This command enables public key authentication by a local SSH server of remote SSH clients.

The local SSH server advertises all enabled SSH authentication methods and remote SSH clients are responsible for choosing one of them.

After a remote SSH client is successfully authenticated by public key, the client must still be AAA-authenticated to gain management access to the device, except if the auto-login parameter was specified.

If no SSH authentication method is enabled, remote SSH clients must still be AAA-authenticated before being granted management access to the device.

If the auto-login keyword is specified for SSH authentication by public key, management access is granted if SSH authentication succeeds and the SSH username is found in the local user database. The device management AAA authentication is transparent to the user. If the user name is not in the local user database, the user receives a warning message and must pass the device management AAA authentication independently of the SSH authentication.

If the auto-login keyword is not specified, management access is granted only if the user engages in and passes both SSH authentication and device management AAA authentication independently. If no SSH authentication method is enabled, management access is granted only if the user is AAA-authenticated by the device management. "No SSH authentication method" means that SSH is enabled and neither SSH authentication by public key nor by password is enabled.

Example

The following example enables public key authentication of the SSH client.

switchxxxxxx(config)# ip ssh pubkey-auth

crypto key pubkey-chain ssh

The crypto key pubkey-chain ssh Global Configuration mode command enters the SSH Public Key-chain Configuration mode. This mode is used to manually specify device public keys, such as SSH client public keys.

Syntax

crypto key pubkey-chain ssh

Default Configuration

Keys do not exist.

Command Mode

Global Configuration mode

User Guidelines

Use this command when you want to manually specify SSH clients’ public keys.

Example

The following example enters the SSH Public Key-chain Configuration mode and manually configures the RSA key pair for SSH public key-chain to the user ‘bob’.

switchxxxxxx(config)# crypto key pubkey-chain ssh
switchxxxxxx(config-keychain)# user-key bob rsa
switchxxxxxx(config-keychain-key)# key-string
 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCvTnRwPWl
 
Al4kpqIw9GBRonZQZxjHKcqKL6rMlQ+
 
ZNXfZSkvHG+QusIZ/76ILmFT34v7u7ChFAE+ Vu4GRfpSwoQUvV35LqJJk67IOU/zfwOl1g kTwml75QR9gHujS6KwGN2QWXgh3ub8gDjTSq muSn/Wd05iDX2IExQWu08licglk02LYciz
 
+Z4TrEU/9FJxwPiVQOjc+KBXuR0juNg5nFYsY
 
0ZCk0N/W9a/tnkm1shRE7Di71+w3fNiOA
 
6w9o44t6+AINEICBCCA4YcF6zMzaT1wefWwX6f+ Rmt5nhhqdAtN/4oJfce166DqVX1gWmN zNR4DYDvSzg0lDnwCAC8Qh
 
Fingerprint: a4:16:46:23:5a:8d:1d:b5:37:59:eb:44:13:b9:33:e9

user-key

The user-key SSH Public Key-string Configuration mode command associates a username with a manually-configured SSH public key.

Use the no user-key command to remove an SSH user and the associated public key.

Syntax

user-key username {rsa | dsa}

no user-key username

Parameters

  • username—Specifies the remote SSH client username. (Length: 1–48 characters)
  • rsa—Specifies that the RSA key pair is manually configured.
  • dsa—Specifies that the DSA key pair is manually configured.

Default Configuration

No SSH public keys exist.

Command Mode

SSH Public Key-string Configuration mode

User Guidelines

After entering this command, the existing key, if any, associated with the user will be deleted. You must follow this command with the key-string command to configure the key to the user.

Example

The following example manually configures an SSH public key for the user bob in the SSH public key-chain.

switchxxxxxx(config)# crypto key pubkey-chain ssh
switchxxxxxx(config-keychain)# user-key bob rsa
switchxxxxxx(config-keychain-key)# key-string row AAAAB3NzaC1yc2EAAAADAQABAAABAQCvTnRwPWl

key-string (Telnet, Secure Shell (SSH) and Secure Login (Slogin) Commands)

The key-string SSH Public Key-string Configuration mode command manually specifies an SSH public key.

Syntax

key-string [row key-string]

Parameters

  • row—Specifies the SSH public key row by row. The maximum length of a row is 160 characters.
  • key-string—Specifies the key in UU-encoded DER format. UU-encoded DER format is the same format as in the authorized_keys file used by OpenSSH.

Default Configuration

Keys do not exist.

Command Mode

SSH Public Key-string Configuration mode

User Guidelines

Use the key-string SSH Public Key-string Configuration mode command without the row parameter to specify which SSH public key is to be interactively configured next. Enter a row with no characters to complete the command.

Use the key-string row SSH Public Key-string Configuration mode command to specify the SSH public key, row by row. Each row must begin with a key-string row command.

The UU-encoded DER format is the same format as in the authorized_keys file used by OpenSSH.

Example

The following example enters public key strings for SSH public key client ‘bob’.

switchxxxxxx(config)# crypto key pubkey-chain ssh
switchxxxxxx(config-keychain)# user-key bob rsa
switchxxxxxx(config-keychain-key)# key-string
AAAAB3NzaC1yc2EAAAADAQABAAABAQCvTnRwPWl
 
Al4kpqIw9GBRonZQZxjHKcqKL6rMlQ+
 
ZNXfZSkvHG+QusIZ/76ILmFT34v7u7ChFAE+ Vu4GRfpSwoQUvV35LqJJk67IOU/zfwOl1g kTwml75QR9gHujS6KwGN2QWXgh3ub8gDjTSq muSn/Wd05iDX2IExQWu08licglk02LYciz
 
+Z4TrEU/9FJxwPiVQOjc+KBXuR0juNg5nFYsY
 
0ZCk0N/W9a/tnkm1shRE7Di71+w3fNiOA
 
6w9o44t6+AINEICBCCA4YcF6zMzaT1wefWwX6f+ Rmt5nhhqdAtN/4oJfce166DqVX1gWmN zNR4DYDvSzg0lDnwCAC8Qh
 
Fingerprint: a4:16:46:23:5a:8d:1d:b5:37:59:eb:44:13:b9:33:e9

switchxxxxxx(config)# crypto key pubkey-chain ssh
switchxxxxxx(config-keychain)# user-key bob rsa
switchxxxxxx(config-keychain-key)# key-string row AAAAB3Nza
switchxxxxxx(config-keychain-key)# key-string row C1yc2

show ip ssh

The show ip ssh Privileged EXEC mode command displays the SSH server configuration.

Syntax

show ip ssh

Command Mode

Privileged EXEC mode

Example

The following example displays the SSH server configuration.

switchxxxxxx# show ip ssh
SSH server enabled. Port: 22
RSA key was generated.
DSA (DSS) key was generated.
SSH Public Key Authentication is enabled with auto-login.
SSH Password Authentication is enabled.

Active incoming sessions:

IP Address   SSH Username   Version   Cipher   Auth Code
----------   ------------   -------   ------   ---------
172.16.0.1   John Brown     1.5       3DES     HMAC-SHA1
182.20.2.1   Bob Smith      1.5       3DES     Password

The following table describes the significant fields shown in the display.

Field | Description
IP Address | The client address
SSH Username | The user name
Version | The SSH version number
Cipher | The encryption type (3DES, Blowfish, RC4)
Auth Code | The authentication code (HMAC-MD5, HMAC-SHA1) or Password

show crypto key pubkey-chain ssh

The show crypto key pubkey-chain ssh Privileged EXEC mode command displays SSH public keys stored on the device.

Syntax

show crypto key pubkey-chain ssh [username username] [fingerprint {bubble-babble | hex}]

Parameters

  • username username—Specifies the remote SSH client username. (Length: 1–48 characters)
  • fingerprint {bubble-babble | hex}—Specifies the fingerprint display format. The possible values are:
    • bubble-babble—Specifies that the fingerprint is displayed in Bubble Babble format.
    • hex—Specifies that the fingerprint is displayed in hexadecimal format.

Default Configuration

The default fingerprint format is hexadecimal.

Command Mode

Privileged EXEC mode

Example

The following examples display SSH public keys stored on the device.

switchxxxxxx# show crypto key pubkey-chain ssh

Username      Fingerprint
-----------   -----------------------------------------------
bob           9A:CC:01:C5:78:39:27:86:79:CC:23:C5:98:59:F1:86
john          98:F7:6E:28:F2:79:87:C8:18:F8:88:CC:F8:89:87:C8

switchxxxxxx# show crypto key pubkey-chain ssh username bob

Username      Fingerprint
-----------   -----------------------------------------------
bob           9A:CC:01:C5:78:39:27:86:79:CC:23:C5:98:59:F1:86
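The key-string parameter described under key-string is the base64 body of an OpenSSH authorized_keys entry, and the show commands above print a fingerprint of that key in hex or Bubble Babble form. The following added example (not code from the Cisco guide) decodes such a key-string, including one entered row by row, and computes both fingerprint formats so an operator can compare them against what the switch prints; it assumes the hex form is MD5 over the key blob (16 bytes, as in the page's output) and the Bubble Babble form is computed as OpenSSH does it, over the SHA-1 of the blob, and it reuses the RSA public key shown in the show crypto key example on this page.

```python
import base64
import hashlib
import struct

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"

def decode_key_string(key_string):
    """Decode a key-string into the SSH wire-format blob. Whitespace and line
    breaks are dropped first, so rows entered with "key-string row" can be
    joined and decoded the same way."""
    return base64.b64decode("".join(key_string.split()), validate=True)

def parse_wire_fields(blob):
    """Split a wire-format blob into its uint32-length-prefixed fields.
    A truncated or overlong field (a mistyped key-string) raises ValueError."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix at offset %d" % off)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("field of %d bytes overruns the blob" % n)
        fields.append(blob[off:off + n])
        off += n
    return fields

def parse_rsa_public_key(key_string):
    """Return the parts of an ssh-rsa key-string: "ssh-rsa", e, n (RFC 4253 order)."""
    blob = decode_key_string(key_string)
    fields = parse_wire_fields(blob)
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key-string")
    e = int.from_bytes(fields[1], "big")
    n = int.from_bytes(fields[2], "big")
    return {"type": "ssh-rsa", "e": e, "n": n, "bits": n.bit_length(), "blob": blob}

def fingerprint_hex(blob):
    """Hex fingerprint: assumed to be MD5 of the blob, shown as 16 colon-separated bytes."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())

def bubble_babble(data):
    """Bubble Babble encoding (Huima). OpenSSH applies it to the SHA-1 of the key blob."""
    seed, out, pairs = 1, ["x"], len(data) // 2
    for i in range(pairs + 1):
        if i == pairs and len(data) % 2 == 0:
            # Even length: the final tuple encodes only the running seed.
            out.append(VOWELS[seed % 6] + CONSONANTS[16] + VOWELS[seed // 6])
            break
        b1 = data[2 * i]
        out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
        out.append(CONSONANTS[(b1 >> 2) & 15])
        out.append(VOWELS[((b1 & 3) + seed // 6) % 6])
        if i == pairs:
            break  # odd length: the last byte forms a three-letter tuple alone
        b2 = data[2 * i + 1]
        out.append(CONSONANTS[(b2 >> 4) & 15] + "-" + CONSONANTS[b2 & 15])
        seed = (seed * 5 + b1 * 7 + b2) % 36
    out.append("x")
    return "".join(out)

def fingerprint_bubble_babble(blob):
    return bubble_babble(hashlib.sha1(blob).digest())

# The RSA public key printed by "show crypto key mypubkey" earlier on this page,
# with the line breaks of the printed output removed (taken from the page, not constructed).
PAGE_KEY = (
    "AAAAB3NzaC1yc2EAAAABIwAAAIEAzN31fu56KSEOZdrGVPIJHpAs8G8NDIkB"
    "dqZ2q0QPiKCnLPw0Xsk9tTVKaHZQ5jJbXn81QZpolaPLJIIH3B1cc96D7IFf"
    "VkbPbMRbz24dpuWmPVVLUlQy5nCKdDCui5KKVD6zj3gpuhLhMJor7AjAAu5e"
    "BrIi2IuwMVJuak5M098="
)

def describe(key_string):
    """Summary an operator can compare against the switch's fingerprint output."""
    key = parse_rsa_public_key(key_string)
    return {"type": key["type"], "bits": key["bits"], "e": key["e"],
            "hex": fingerprint_hex(key["blob"]),
            "bubble-babble": fingerprint_bubble_babble(key["blob"])}

if __name__ == "__main__":
    for name, value in describe(PAGE_KEY).items():
        print("%-13s %s" % (name, value))
```

The page's key decodes to a 1024-bit ssh-rsa key with public exponent 35, the exponent older ssh.com-style implementations commonly used.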
