Passwordless File Copy And Ssh - Cisco MDS 9000 Series Configuration Manual

Security

Configuring SSH Services
You can configure your switch for either SSH authentication using an X.509 certificate or SSH authentication
using a Public Key Certificate, but not both. If either of them is configured and the authentication fails, you
will be prompted for a password.

Passwordless File copy and SSH

Secure Shell (SSH) public key authentication can be used to achieve password-free logins. SCP and SFTP
use SSH in the background, so these copy protocols can be used for a password-free copy with public
key authentication. The NX-OS version only supports the SCP and SFTP client functionality.
You can create an RSA/DSA identity that can be used for authentication with SSH. The identity consists
of two parts: a public key and a private key. The public and private keys are generated by the switch or can be
generated externally and imported to the switch. For import purposes, the keys should be in OpenSSH format.
To use the key on a host machine hosting an SSH server, you must transfer the public key file to the machine
and add its contents to the file 'authorized_keys' in your SSH directory (e.g. $HOME/.ssh) on the server.
For import and export of private keys, the key will be protected by encryption. You will be asked to enter a
passphrase for it. If you enter a passphrase, the private key is protected by encryption. If you leave
the passphrase field blank, the key will not be encrypted.
If you need to copy the keys to another switch, you will have to export the keys out of the switch to a host
machine and then import the same to other switches from that machine.
• The key files are persistent across reload.
To import and export the key pair, the following CLIs are provided. The CLI command to generate the ssh
user key pairs on the switch is defined as follows:
Procedure

Step 1
switch# configure terminal
Enters configuration mode.

Step 2
switch(config)# username admin keypair generate rsa
Example:
generating rsa key(1024 bits).....
generated rsa key
Generates public and private RSA keys for the account (admin). It then stores the key files in the home
directory of the specified user. Use the force option to overwrite that server keypair.
Note: This example is for RSA keys. Replace rsa with dsa for DSA keys.

Step 3
switch(config)# no username admin keypair generate rsa
(Optional) Deletes the public and private RSA keys for the account (admin).

Step 4
switch# show username admin keypair
Example:
**************************************
rsa Keys generated: Thu Jul 9 11:10:29 2009
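
Added example, not part of the Cisco guide: the public key exported from the switch ends up in authorized_keys on the SSH server, and the sample output above shows a 1024-bit RSA key with DSA as the alternative. OpenSSH has disabled ssh-dss by default since release 7.0, and 1024-bit RSA is below the 2048-bit minimum most current policies require, so this host-side audit parses authorized_keys entries and flags both. The 2048-bit threshold, all function names and the sample entries are assumptions constructed for illustration.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed policy threshold; not taken from the Cisco guide

def _read(blob, off):  # one RFC 4253 string: 4-byte big-endian length + bytes
    end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def _find_key(fields):  # locate "<type> <base64>"; options may precede it
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
            ktype, off = _read(blob, 0)
        except ValueError:  # not base64, or too short to hold a key type
            continue
        if ktype == fields[i].encode():
            return fields[i], blob, off, " ".join(fields[i + 2:])
    raise ValueError("no public key in entry")

def audit_authorized_keys(text):
    """Yield (line_no, comment, finding) for DSA, short-RSA or unparseable entries."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        try:
            ktype, blob, off, comment = _find_key(fields)
            if ktype == "ssh-dss":
                yield line_no, comment, "DSA key"
            elif ktype == "ssh-rsa":
                _, off = _read(blob, off)  # skip the public exponent e
                bits = int.from_bytes(_read(blob, off)[0], "big").bit_length()
                if bits < MIN_RSA_BITS:
                    yield line_no, comment, "RSA %d bits" % bits
        except ValueError:
            yield line_no, "", "unparseable entry"

def make_line(ktype, comment, *mpints):  # constructed, non-functional entry
    parts = [ktype.encode()] + [v.to_bytes(v.bit_length() // 8 + 1, "big") for v in mpints]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "%s %s %s" % (ktype, base64.b64encode(blob).decode(), comment)

SAMPLE = "\n".join([  # constructed entries, not real keys
    make_line("ssh-rsa", "admin@switch", 65537, (1 << 1023) | 1),
    'from="192.0.2.10" ' + make_line("ssh-rsa", "backup@host", 65537, (1 << 3071) | 1),
    make_line("ssh-dss", "legacy@host"),
])
```

Run it against the text of $HOME/.ssh/authorized_keys on the host; list(audit_authorized_keys(SAMPLE)) reports the 1024-bit RSA entry and the DSA entry and passes the 3072-bit one.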
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x