I previously wrote about how to enable SSH access to a Cisco switch by enabling the appropriate option in the GUI. This is great if you want to access the switch CLI over an encrypted connection, but it still only relies on the username and password.
If you are using this switch on a highly sensitive network that needs to be very secure, you may want to consider enabling public key authentication for your SSH connection. In fact, for maximum security, you can enable username / password and public key authentication to access your switch.
In this article, I will show you how to enable public key authentication on a Cisco SG300 switch and how to generate public / private key pairs using PuTTYgen. Then I will show you how to log in with the new keys. Also, I’ll show you how to set it up so that you can either use only the key to log in, or force the user to enter the username / password along with the private key.
Note: Before proceeding with this tutorial, make sure you have already enabled the SSH service on the switch, as described in the previous article mentioned above.
Enable SSH User Authentication with Public Key
In general, the process of making SSH public key authentication work is straightforward. In my example, I will show you how to enable features using the web GUI. I tried using the CLI to enable public key authentication, but it didn’t accept the format of my RSA private key.
Once I get this working, I’ll supplement this post with CLI commands that will do what we’ll now be doing through the GUI. First click on Security, then SSH Server and finally SSH User Authentication.
In the right pane, check the Enable box next to SSH User Authentication by Public Key. Click the Apply button to save your changes. Don’t check the “Enable” box next to “Auto Login” yet; I’ll explain that below.
Now we need to add the SSH username. Before we move on to adding a user, we first need to generate public and private keys. In this example, we will use PuTTYgen, the program that comes with PuTTY.
Create private and public keys
To generate keys, first open PuTTYgen. You will see a blank screen, and you really don’t need to change any of the settings from the defaults.
Click the New button, and then move your mouse around over the empty area until the progress bar fills completely.
After the keys have been generated, you need to enter a passphrase, which is basically like a password to unlock the key.
It is recommended to use a long passphrase to protect the key from brute force attacks. After you have entered the passphrase twice, you must click the Save Public Key and Save Private Key buttons. Make sure these files are stored in a safe place, preferably in an encrypted container that requires a password to open. Check out my post on using VeraCrypt to create an encrypted volume.
Add user and key
Now, back to the SSH User Authentication screen we were on earlier. Here you can choose between two options. First, go to Administration – User Accounts to see which accounts you can currently log in with.
As you can see, I have one account called akishore to access my switch. I can currently use this account to access the web and command line interface. Back on the SSH User Authentication page, the user you want to add to the SSH User Authentication table (by public key) can be the same as the user in the Administration – User Accounts section, or different.
If you choose the same username, then you can check the “Enable” button in the “Auto Login” section, and when you log in, you just need to enter the username and password for the private key and you will be logged in.
If you choose a different username here, you will receive a prompt asking you to enter your SSH private key username and password, and then you will need to enter your regular username and password (specified in the Administration – User Accounts section). If you need extra security, use a different username; otherwise just name it the same as your current one.
Click the Add button and the Add SSH User popup will open.
Make sure the Key type is set to RSA, and then open the SSH public key file that you saved earlier with a program such as Notepad. Copy all content and paste it into the public key window. Click Apply and then click Close if a Success message appears at the top.
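An added example (not part of the original article or of Cisco's tooling): a Python check to run before pasting, confirming that the file PuTTYgen saved is the RFC 4716 public key and not the .ppk private key, that its type is ssh-rsa to match the Key Type setting, and reporting its modulus size and SHA-256 fingerprint. The function names and the sample file built by make_sample() are constructed for illustration; the sample modulus is a placeholder, not a real key.

```python
import base64, hashlib, struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b          # SSH "string": uint32 length + data

def _mpint(n: int) -> bytes:
    # SSH "mpint": big-endian, with a leading 0x00 when the top bit would be set
    return _string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def make_sample() -> str:
    """Constructed sample file: placeholder 2048-bit modulus, not a usable key."""
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 1)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f'{BEGIN}\nComment: "constructed-sample"\n{body}\n{END}\n'

def parse_rfc4716(text: str) -> bytes:
    """Return the raw key blob from an RFC 4716 public key file."""
    lines = [l.strip() for l in text.strip().splitlines()] or [""]
    if lines[0].startswith("PuTTY-User-Key-File"):
        raise ValueError("this is the private key (.ppk); do not paste it into the switch")
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key file")
    body, in_header = [], False
    for l in lines[1:-1]:
        if in_header or ":" in l:                 # header; a trailing "\" continues it
            in_header = l.endswith("\\")
            continue
        body.append(l)
    return base64.b64decode("".join(body), validate=True)

def inspect_key(blob: bytes) -> dict:
    """Check the blob is ssh-rsa and report modulus size and SHA-256 fingerprint."""
    fields, off = [], 0
    while off + 4 <= len(blob):
        (n,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if off != len(blob) or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob (Key Type on the switch must match)")
    bits = int.from_bytes(fields[2], "big").bit_length()
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": "ssh-rsa", "bits": bits, "fingerprint": "SHA256:" + fp}

if __name__ == "__main__":
    print(inspect_key(parse_rfc4716(make_sample())))
```

To check a real file, pass its text to parse_rfc4716() in place of make_sample() and record the fingerprint alongside the user entry you create on the switch.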
Log in with the private key
Now all we have to do is log in using our private key and password. At this point, when you try to log in, you will need to enter your credentials twice: once for the private key and once for the regular user account. Once we enable automatic login, you just need to enter the username and password for the private key and you will be signed in.
Open PuTTY and, as usual, enter the IP address of your switch in the Host Name field. However, this time we also need to load the private key into PuTTY. To do this, expand “Connection”, then expand “SSH” and click “Auth”.
Click the Browse button under the private key file for authentication field and select the private key file you saved earlier from PuTTYgen. Now click the “Open” button to connect.
The first prompt will be a login, and this should be the username you added for SSH users. If you used the same username as the main account, it doesn’t matter.
In my case, I used akishore for both user accounts, but I used different passwords for the private key and for my main user account. You can make the passwords the same if you like, but that doesn’t make any sense, especially if you enable automatic login.
Now, if you don’t want to have to log in twice to log into the Switch, check the Enable box next to Auto Login on the SSH User Authentication page.
When this is enabled, you will simply need to enter credentials for the SSH user and you will be logged in.
It’s a little tricky, but it makes sense if you experiment a little. As I mentioned earlier, I will also write CLI commands as soon as I can get the private key in the correct format. By following the instructions given here, accessing your switch via SSH should now be much more secure. If you have any problems or have any questions, write in the comments. Enjoy!