Linux | 2020. 6. 5. 03:28


sshUtil

Manages public key authentication.
SYNOPSIS
sshutil allowuser user name
sshutil showuser
sshutil importpubkey
sshutil showpubkeys
sshutil delpubkeys
sshutil genkey [-rsa | -dsa | -ecdsa]
sshutil exportpubkey
sshutil delprivkey
sshutil delknownhost [-all]
sshutil genhostkey [-rsa | -dsa | -ecdsa]
sshutil showhostkey
sshutil deletehostkey [-rsa | -dsa | -ecdsa]
sshutil help
DESCRIPTION
Use this command to enable and manage SSH public key authentication on a switch. SSH public key
authentication provides a mechanism for authenticating an authorized user without a password. SSH
public key authentication is more secure than password authentication and can be used to securely
access services that require automatic login.
SSH public key authentication works as follows: An authorized user generates a pair of encryption keys
(public and private) on a local machine (a switch or a server). Messages encrypted with the private key
can only be decrypted by the public key, and vice versa. The private key remains on the local machine;
the public key is exported to a remote host. The remote host responds to login requests by sending a
brief message encrypted with the public key. The private key on the local host decrypts the message,
and the login succeeds.
Use the sshUtil command to do the following:
• Configure a user to manage keys on a switch.
• Generate a private/public key pair on the local switch.
• Import a public key for a specified user from a remote host to the local switch.
• Export the public key from the local switch to a remote host.
• Delete the public keys associated with a specified user or all users on the local switch.
• Delete the private key on the local switch.
• Delete the known host name or IP address from the file .ssh/known_hosts.
• Generate, display, and delete the SSH host keys.

Brocade Fabric OS Command Reference 975
53-1004112-01
sshUtil 22
NOTES
The execution of this command is subject to Virtual Fabric restrictions that may be in place. Refer to
Chapter 1, "Using Fabric OS Commands" and Appendix A, "Command Availability" for details.
Outgoing public key authentication from the switch to a remote host is restricted to Fabric OS Commands
which use secure copy (SCP), such as configDownload or configUpload.
This command supports generation of a public/private key pair on the switch to enable outgoing
connections between a switch and a remote host. To set up incoming connections, you must first
generate the public/private key pair on a remote host and then import the public key to the switch. Use
the SSH utility ssh-keygen -t dsa to generate the keys on the remote host. Refer to your UNIX system
documentation for details on this command.
OPERANDS
This command supports the following operands:
allowuser user name
Configures the specified user to perform key management operations such as
generating a key pair, exporting the public key, and deleting the private key. The
default admin user is a configured user by default. Only one user can be
configured at any given time.
The following operand is required:
user name
Specifies login name for the configured user. The user must be in the switch user
database and must have admin privileges on the switch.
showuser
Displays the currently configured user. This operation can only be performed by
the default admin.
importpubkey
Imports a public key from a remote host to the local switch. The protocol used is
SCP. This operation supports authentication for incoming connections. For this
operation to succeed, a public/private key pair must be generated on the remote
host prior to the import by issuing ssh-keygen -t dsa (a UNIX command). The
command prompts for a user name for whom the public key is imported. Once the
public key is imported successfully, the user for whom the key was imported can
perform public key authentication with the switch from the remote host, on which
the private key resides.
importpubkey prompts for the following input parameters:
Username
Enter the user name for whom the key is imported.
IP Address
Enter the IP address for the remote host. IPv4 and IPv6 addresses are supported.
remote directory
Enter the path where the public key is stored on the remote host. The default
directory where SSH stores public keys is ~username/.ssh.
public key name
Enter the name of the file in which the public key is stored on the remote host.
This is a user-generated file name that must have a .pub extension.
login name
Enter the user login name for the remote host.
password
Enter the password for the remote user.
showpubkeys
Displays all imported public keys associated with the specified user. Public keys
generated on the switch are not shown. This command interactively prompts for a
username.
username
Enter the username for whom you want to display the public keys.
delpubkeys
Deletes all imported public keys associated with a specified user on the switch or
with all users. This command prompts for the user name associated with the
public keys. Enter "all" to delete the public keys of all users. Deletion of a
configured user's public keys effectively blocks incoming connections from this
user that rely on public key authentication with the switch.
genkey [-rsa | -dsa | -ecdsa]
Generates a private/public key pair of the selected type on the local switch.
This option can be performed only by a configured user. This option enables
authentication for outgoing connections from the switch to a remote host. You
must export the public key to a remote host to complete the setup. For incoming
connections, the private/public key pair must first be generated on the remote host
by issuing ssh-keygen -t dsa (a UNIX command), and the public key then imported
from the remote host to the switch using the sshutil importpubkey command.
genkey prompts for user input on the following parameters:
passphrase
Accepts a string of arbitrary length. This operand is optional, but creating a pass
phrase is strongly recommended. A strong pass phrase is 10-30 characters long,
fairly complex and difficult to guess, and contains a mix of upper and lowercase
letters, numbers, and nonalphanumeric characters. There is no way to recover a
lost pass phrase. If the pass phrase is lost, a new key pair must be generated and
the corresponding public key copied again to the other machines.
exportpubkey
Exports the public key from the switch to a specified remote host to support
outgoing connections from the switch to a remote host. This option can only be
performed by a configured user. The successfully exported public key must be
appended to the authorized_keys file on the remote host. Use the cat
~/.ssh/outgoing.pub >> ~/.ssh/authorized_keys command to append the file.
exportpubkey prompts for IP Address, remote directory, login name and
password. Refer to importpubkey for a description of these parameters.
delprivkey
Deletes the private key used for outgoing connections from the switch. This option can
only be performed by a configured user. Deletion of a configured user's private
keys effectively blocks outgoing connections initiated by this user that rely on
public key authentication with a remote host.
delknownhost [-all]
Deletes the known host name or IP address from the file .ssh/known_hosts. This
option can only be performed by the authorized user. On deletion of a known host
name or IP address from the .ssh/known_hosts file, the next SSH connection
prompts the user to accept a new public key.
-all
Deletes all the known host names or IP addresses from the file.
genhostkey [-rsa | -dsa | -ecdsa]
Generates a host key and installs it on the switch.
showhostkey
Displays the host keys installed on the switch.
deletehostkey [-rsa | -dsa | -ecdsa]
Deletes the host keys installed on the switch.
help
Displays the command usage.
EXAMPLES
To configure a user for public key authentication:
switch:admin> sshutil allowuser username
Allowed user has been successfully changed to username.
To display the configured user:
switch:admin> sshutil showuser
username
To set up SSH public key authentication on a switch for incoming connections:
1. Generate a private/public key pair on a remote host (accept default directory and file name):
username@remotehost> ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key \
(/users/home/username/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):passphrase
Enter same passphrase again: passphrase
Your identification has been saved in \
/users/home/username/.ssh/id_dsa.
Your public key has been saved in \
/users/home/username/.ssh/id_dsa.pub.
The key fingerprint is:
30:9f:ae:b6:7f:7e:55:e4:b2:7a:51:f0:95:44:5c:d1
2. Import the public key from the remote host to the local switch:
switch:username> sshutil importpubkey
Enter user name for whom key is imported: username
Enter IP address:Remote host IP Address
Enter remote directory: ~username/.ssh
Enter public key name(must have .pub suffix):id_dsa.pub
Enter login name:username
Password:******
public key is imported successfully.
3. Connect to switch using remote ssh client with the -i private_key option:
username@remotehost> ssh username@IP Address -i id_dsa
To display the imported public keys on a switch:
switch:username> sshutil showpubkeys
Enter user name whose ssh public key is to be displayed: username
user's public keys
ssh-dss AAAAB3NzaC1kc3MAAACBANXuRsJoIA0PFJtGuZVLfqvfSr\
DYPplWuFouOmTcmuNvpTnd+yoZ
u3C/lAu930HLTmhfxeke/NWRIdj2MJS8yTf30a0u4bf9MSNB8Pt453P/+ \
7VHHxNBYsh+Z++Dv1hfcTeb
0s53bdf7jyYSUdj1k+w//sNTaz0DCs0+rimo4l2NAAAAFQDCuHKRctSH \
D8PRYu5Ee1yWCQKT/wAAAIAo
AMvr1ooq0JVXmXfd0VKcC7AImzFYgRa/FOxZBe4JDkCAXztFk5wnAFy \
UbyTWEoC955mkYGqZRydMrSNM
9wLCAf2DTxXxuHFujA1REL5NGdZqRWo2Sk5HLkYQQYM1w9r9vfK \
QnFH3wYsnHV2sq7+tyRlXfwE416ee
chdwWVpmjgAAAIEAqxcaE1vY4o/cBq1Py62lPaZTcfOHS3jjdKgSO \
BKPCCVeNyx4gxnmqvihtyroeWAY
dBDK4CFgyhut16a/QmdFjn6iyiNR2SGV7X9xqkjPN8H4EhIPXGxoD \
VOfY1Vdt3V3KUxVeEI+vTBI2KJd
PmmLfyEKZqCHOlwBx+HuuZP2BnU= username@host
To delete all imported public keys for a single user:
switch:username> sshutil delpubkeys
Enter user name for whom ssh public key is to deleted \
or all for all users:username
WARNING: It deletes all the ssh public keys for user. \
Do you want to proceed(Yes or No, default is No)?yes
ssh public keys associated to username are deleted.
To set up SSH public key authentication on a switch for outgoing connections:
1. Generate a private/public key pair on the local switch:
switch:username> sshutil genkey -rsa
Enter passphrase (empty for no passphrase):passphrase
Enter same passphrase again: passphrase
Key pair generated successfully.
2. Export the public key to a remote host:
switch:username> sshutil exportpubkey
Enter IP address: remote host IP Address
Enter remote directory: ~username/.ssh
Enter login name:username
Password:******
public key out_going.pub is exported successfully.
3. Append the public key to the authorized_keys file on the remote host:
username@remotehost> cat ~/.ssh/outgoing.pub >> \
~/.ssh/authorized_keys
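Step 3 above appends the exported key with a bare cat redirect. The following shell functions are an added example, not part of the Brocade reference or of Fabric OS; they do the same installation on the remote host but first check that the file really is a single OpenSSH public-key line of one of the types sshutil genkey can produce (rsa, dsa, ecdsa), skip the append when the same key is already present, and set the 700/600 permissions sshd expects on ~/.ssh and authorized_keys. The key file and authorized_keys paths are passed as arguments; the key blob in the demonstration is constructed and is not a real key.

```shell
#!/bin/sh
# Added example, not from the Brocade reference: install a public key exported by
# "sshutil exportpubkey" into a remote user's authorized_keys file, safely.
# Paths are arguments; nothing here assumes a particular host or user.

# Return 0 when the file holds exactly one line of the form
#   <keytype> <base64 blob> [comment]
# whose key type matches the sshutil genkey options (rsa, dsa, ecdsa).
is_valid_pubkey() {
    key_file=$1
    [ -f "$key_file" ] || return 1
    [ "$(grep -c . "$key_file")" -eq 1 ] || return 1
    awk '
        $1 ~ /^(ssh-rsa|ssh-dss|ecdsa-sha2-nistp(256|384|521))$/ &&
        $2 ~ /^[A-Za-z0-9+\/]+=*$/ { ok = 1 }
        END { exit ok ? 0 : 1 }' "$key_file"
}

# Append the key in $1 to the authorized_keys file $2 unless an entry with the
# same type and blob is already there (the comment field is ignored for the
# comparison). Prints "added" or "present"; returns 1 and adds nothing when
# the key file is malformed.
install_pubkey() {
    key_file=$1
    auth_file=$2
    auth_dir=$(dirname "$auth_file")
    if ! is_valid_pubkey "$key_file"; then
        echo "invalid public key file: $key_file" >&2
        return 1
    fi
    key_id=$(awk '{ print $1, $2 }' "$key_file")
    mkdir -p "$auth_dir" && chmod 700 "$auth_dir"     # sshd rejects group/world-writable dirs
    touch "$auth_file" && chmod 600 "$auth_file"
    if awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit found ? 0 : 1 }' "$auth_file"; then
        echo present
    else
        cat "$key_file" >> "$auth_file"
        echo added
    fi
}

# Number of key entries (non-empty lines) in an authorized_keys file.
count_keys() {
    grep -c . "$1"
}

# Demonstration in a scratch directory with a constructed (not real) key blob.
demo_dir=${TMPDIR:-/tmp}/sshutil_demo_$$
mkdir -p "$demo_dir"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedBlob username@switch\n' > "$demo_dir/outgoing.pub"
install_pubkey "$demo_dir/outgoing.pub" "$demo_dir/.ssh/authorized_keys"   # added
install_pubkey "$demo_dir/outgoing.pub" "$demo_dir/.ssh/authorized_keys"   # present
rm -rf "$demo_dir"
```

Comparing only the type and blob, not the whole line, is deliberate: the switch writes a fixed comment, but an administrator may have re-commented an earlier copy of the same key, and a second identical entry adds nothing except confusion when the key is later revoked.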
To delete the private key on a switch:
switch:username> sshutil delprivkey
private key is deleted successfully.
To delete a known host or IP address from the file .ssh/known_hosts:
switch:username> sshutil delknownhost
IP Address/Hostname to be deleted:172.26.26.104
To delete all the known hosts or IP addresses from the file .ssh/known_hosts:
switch:username> sshutil delknownhost -all
This Command will delete all the known host keys.
Please Confirm with Yes(Y,y), No(N,n) [N]: Y
All known hosts are successfully deleted.
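The delknownhost examples above remove entries from the switch's .ssh/known_hosts; as the operand description notes, the next connection to that host then prompts the user to accept a new key, so the removal is worth recording. The shell function below is an added example, not part of the Brocade reference or of Fabric OS: it performs the same removal on a plain OpenSSH known_hosts file, handling "host,alias" lists and the "[host]:port" form, leaves hashed ("|1|...") entries untouched because a plain name cannot be matched against them without the salt, and prints how many entry lines were removed. The file path and host are arguments; the known_hosts contents in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the Brocade reference: the operation behind
# "sshutil delknownhost" on an OpenSSH known_hosts file.

# Remove every known_hosts line whose host list contains $2 exactly.
# Hashed entries (first field starts with "|1|") are kept as they are.
# Prints the number of lines removed.
del_known_host() {
    kh=$1
    host=$2
    before=$(grep -c . "$kh" || true)
    awk -v host="$host" '
        /^[[:space:]]*(#|$)/       { print; next }   # keep comments and blank lines
        substr($1, 1, 3) == "|1|"  { print; next }   # keep hashed entries untouched
        {
            n = split($1, names, ",")               # "host,alias,10.0.0.5"
            keep = 1
            for (i = 1; i <= n; i++) {
                name = names[i]
                sub(/^\[/, "", name)                # "[host]:port" -> "host]:port"
                sub(/\]:[0-9]+$/, "", name)         # "host]:port"  -> "host"
                if (name == host) keep = 0
            }
            if (keep) print
        }' "$kh" > "$kh.tmp" && mv "$kh.tmp" "$kh"
    after=$(grep -c . "$kh" || true)
    echo $((before - after))
}

# Number of host-key entries left (lines not starting with "#").
count_known_hosts() {
    grep -c '^[^#]' "$1" || true
}

# Demonstration with a constructed known_hosts file; the IP is the one used
# in the delknownhost example above, the key blob is made up.
demo_dir=${TMPDIR:-/tmp}/delknownhost_demo_$$
mkdir -p "$demo_dir"
printf '172.26.26.104 ssh-rsa AAAAconstructedBlob\n' > "$demo_dir/known_hosts"
del_known_host "$demo_dir/known_hosts" 172.26.26.104      # prints 1
rm -rf "$demo_dir"
```

A whole line is dropped when any of its host names matches, which is the same effect as removing the host's key: the other names on that line shared the one key, and keeping them would silently re-trust it under an alias.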

Posted by 신재중