Authentication on network equipment through SSH using public keys


By default, engineers connect to network equipment with a username and password. Over Telnet the credentials cross the network in clear text; over SSH they are encrypted, but the secret is still transmitted. Public key authentication avoids sending the secret at all: the user's public key is registered on the equipment in advance, and the private key never leaves the engineer's machine.

This guide will help you start quickly with public keys for authentication when connecting to network equipment over SSH. It applies to both Windows and Mac OS X. I tried to make it as simple and informative as possible: it is not overloaded, but it answers the basic questions:





I also cover the painful topics:

  • Key conversion between OpenSSH, SecureCRT and PuTTY.
  • Using different key pairs for different equipment. One key is fine in theory but not in practice: different customers or devices call for different key pairs (some with a passphrase, others without).
  • Using the native Mac OS X tools to work with public keys.
  • The guide should also help with using Ansible against network equipment, since Ansible uses OpenSSH with public key authentication by default.

90% of the material presented was tested on real equipment.


Introduction


Besides the standard password-based methods (password and keyboard-interactive), the SSH protocol supports public key authentication; on the equipment covered here that means RSA keys.

For reference
RSA (https://ru.wikipedia.org/wiki/RSA) is a public-key cryptosystem: the key pair consists of a public key and a private key.

Authentication using RSA keys consists of several steps:


Why only RSA and not DSA? Unfortunately, I did not find an answer to this (and did not really look for one). But officially only RSA is supported on Cisco equipment.

From the Secure Shell Configuration Guide, Cisco IOS Release 15E, section “Restrictions for Secure Shell Version 2 Support”:

Rivest, Shamir, and Adleman (RSA) key generation is an SSH server-side requirement. Devices that act as SSH clients need not generate RSA keys.

That statement concerns the device's own host key; the restriction on user keys shows up as soon as you try to enter DSA key data:

CSR-1(conf-ssh-pubkey-data)#exit
%SSH: Only ssh-rsa type is supported
CSR-1(conf-ssh-pubkey-user)#


Creating an RSA key pair


An RSA key pair can be created with various utilities: SecureCRT, PuTTYgen or other software. When creating the key you can set a passphrase (password protection of the private key).


RSA pair generation in SecureCRT


SecureCRT -> Tools -> Create Public Key ...:


A bit of theory → the “Next>” button:


Key type, RSA or DSA → select RSA → the “Next>” button:


Passphrase for encrypting the private key (optional; leave it blank to store the key unencrypted) plus a comment → the “Next>” button:


Choose the key length (SecureCRT 6.1.0 allows at most 2048 bits, version 8.5.4 up to 16384 bits):


Key generation → the “Next>” button: move the mouse within the window to supply randomness for the generator.



Save the key pair → choose a storage location → choose the format for the saved key (VanDyke Private format, OpenSSH legacy, OpenSSH new) → the “Finish” button:



SecureCRT asks whether to make this key its default key:



RSA pair generation in PuTTYgen


You can download PuTTYgen here: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html .

Launch PuTTYgen:


Select the parameters (key type: RSA; key size: 2048 bits; optionally a passphrase to protect the private key) → Generate:


PuTTYgen asks you to move the mouse within the window: the movements feed the random number generator used for key generation.


Save the keys → the “Save private key” button:


Note: a private key saved in one vendor's proprietary format cannot be used directly by another vendor's software. A pair generated in PuTTYgen and saved as a PuTTY Private Key (.ppk) is not usable in SecureCRT, and vice versa; PuTTY itself only loads the .ppk format. The portable choice is the OpenSSH format (see link 2, “Conversion from Putty to SecureCRT with auth. keys”): SecureCRT reads OpenSSH keys directly, and PuTTYgen imports OpenSSH keys and converts them to .ppk.


Converting an RSA key from PuTTY Private Key (PuTTY) format to OpenSSH (SecureCRT) format


To use in SecureCRT RSA keys that were generated in PuTTYgen and saved as PuTTY Private Key (.ppk), export them from PuTTYgen in OpenSSH format:

  1. Launch PuTTYgen.
  2. Load the existing RSA key in PuTTY Private Key format (.ppk) → the “Load” button.
  3. Save the public key file → “Save public key”.
  4. Export the private key in OpenSSH format: menu “Conversions” → “Export OpenSSH key”.
  5. Use the OpenSSH files in SecureCRT. The public key file has the extension .pub; the private key file has no extension.


Converting an RSA key from VanDyke Private Key (SecureCRT) format to PuTTY Private Key (PuTTY) format


To use in PuTTY RSA keys that were generated in SecureCRT and saved in VanDyke Private Key format (public key file .pub, private key file without extension), export them from SecureCRT to OpenSSH format and then convert them with PuTTYgen to PuTTY Private Key (.ppk) format:

  1. Launch SecureCRT.
  2. Menu “Tools” → “Convert Private Key to OpenSSH format...”.
  3. Select the source file with the VanDyke Private Key.
  4. Save the OpenSSH key under a new name.
  5. Launch PuTTYgen.
  6. Load the OpenSSH private key (the file without extension): menu “Conversions” → “Import key”.
  7. Save the file in PuTTY format: “Save private key”.


Generating keys on Mac OS X with the built-in tools


We use the built-in ssh-keygen utility (man ssh-keygen).
Generate a 2048-bit RSA key, giving the key comment (-C) and the file name with the path to the folder where the key is stored (-f):

ssh-keygen -b 2048 -t rsa -C "Lab router R4" -f /Users/ArtemiySP/Documents/python/r4

While running, the program asks for a passphrase to protect the private key (leave it empty for no passphrase):

artemiy-2:Downloads ArtemiySP$ ssh-keygen -b 2048 -t rsa -C "Lab router R4" -f /Users/ArtemiySP/Documents/python/r4
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/ArtemiySP/Documents/python/r4.
Your public key has been saved in /Users/ArtemiySP/Documents/python/r4.pub.
The key fingerprint is:
SHA256:WdT47SFvgGI7danxX94p8/cO3uyU12SB3ipkc7nHxzA Lab router R4
The key's randomart image is:
+---[RSA 2048]----+
|          .o     |
|         .. . .  |
|          .o + . |
|        oo+ B = .|
|       .S+ O OEoo|
|        o + + B*+|
|         . . =.*O|
|            .+o**|
|              =+O|
+----[SHA256]-----+
artemiy-2:Downloads ArtemiySP$

Generate a 4096-bit RSA key, giving the comment, the file name and path, and setting the passphrase directly in the parameters (-N "cisco"). Note that a passphrase given this way ends up in the shell history and is visible in the process list while the command runs:

artemiy-2:Downloads ArtemiySP$ ssh-keygen -b 4096 -t rsa -C "Lab router R5" -N "cisco" -f /Users/ArtemiySP/Documents/python/r5
Generating public/private rsa key pair.
Your identification has been saved in /Users/ArtemiySP/Documents/python/r5.
Your public key has been saved in /Users/ArtemiySP/Documents/python/r5.pub.
The key fingerprint is:
SHA256:NraLRMqB4qmA8qNjKdpBBt1JBw8Osf/3GfuB2k1R+zY Lab router R5
The key's randomart image is:
+---[RSA 4096]----+
|  o.+..          |
| . * =           |
|. o + .       .  |
| . o         . . |
|. + o . S   . .  |
|o+.. = o o . . . |
|+oo o o o o o  Eo|
|*=.. . o = * . ..|
|Boo.  . o =.o    |
+----[SHA256]-----+
artemiy-2:Downloads ArtemiySP$

Parameters that are not recommended: a weak 1024-bit key, with name and path given, and the passphrase explicitly set to empty (-N "", no passphrase):

artemiy-2:Downloads ArtemiySP$ ssh-keygen -b 1024 -t rsa -C "Lab router R6" -N "" -f /Users/ArtemiySP/Documents/python/r6
Generating public/private rsa key pair.
Your identification has been saved in /Users/ArtemiySP/Documents/python/r6.
Your public key has been saved in /Users/ArtemiySP/Documents/python/r6.pub.
The key fingerprint is:
SHA256:LEcfgN+58TYMDv4MpBA2FGCWc2aFiY+SxWBf7pRViWs Lab router R6
The key's randomart image is:
+---[RSA 1024]----+
|.++=o*.o+..      |
|.oB % +. o       |
| o X * .o...     |
|o . =  E+.=.     |
| .   oo+So.*     |
|      .oo o =    |
|         + . .   |
|          o      |
|                 |
+----[SHA256]-----+
artemiy-2:Downloads ArtemiySP$

So we created three keys with explicit names and locations (by default, keys are stored in /Users/[Username]/.ssh).

By default, when connecting over SSH with public key authentication, the client offers in turn the default key files found in /Users/[Username]/.ssh.

R6 key: rename it to “id_rsa” (the default file name for a generated key) and move it into the SSH key folder (~/.ssh/), i.e. do everything needed for the R6 key to be used as the default key for SSH connections:

Convert the OpenSSH public key to RFC 4716 format (the form for pasting into the equipment, e.g. Cisco IOS):

https://serverfault.com/questions/706336/how-to-get-a-pem-file-from-ssh-key-pair
ssh-keygen -f ~/Documents/python/r4.pub -e -m RFC4716
ssh-keygen -f ~/Documents/python/r5.pub -e -m RFC4716
ssh-keygen -f ~/.ssh/id_rsa.pub -e -m RFC4716


Using a public key on equipment


How is a public key bound to a user on the various kinds of equipment?

The procedure is not standardised and differs from vendor to vendor, so examples are given for each type of equipment most often found on the network.


Cisco IOS and IOS XE, Catalyst (version 15.1 and later)


  1. A local user already exists on the device.
  2. In the SSH settings (ip ssh pubkey-chain), for that user (ssh-putty in this example) enter the public key under key-string, pasting the base64 body as consecutive lines. The leading “$” in the echo below is how IOS marks a line that has scrolled horizontally; it is not part of the key:
    CSR-1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    CSR-1(config)#ip ssh pubkey-chain 
    CSR-1(conf-ssh-pubkey)#username ssh-putty
    CSR-1(conf-ssh-pubkey-user)#key-string 
    CSR-1(conf-ssh-pubkey-data)#$QAAAQEAnPbynT1+2rjlyqP4viSPdTVDFLSHzWjJnAwy     
    CSR-1(conf-ssh-pubkey-data)#$NCfaqvMTPruCgG5096q8lO0ntURmNgmfMEQPOgb8weF     
    CSR-1(conf-ssh-pubkey-data)#$AtMQYk7WFM+5iBnOQ32UAHNavCUA7YFEpAdOQO4W/qB     
    CSR-1(conf-ssh-pubkey-data)#$SlOLy+PQ47jDUINBnuUeHd8ZXyzXxWglzSvqtwMEXBW     
    CSR-1(conf-ssh-pubkey-data)#$VoUTBYbJ45DmFa93P50qf494ujaAsTbYyJ/GBzJUTK/     
    CSR-1(conf-ssh-pubkey-data)#$UADAkNGxQARfOfHZWiIYb3rif6h6hfwwVUZS/Tw==       
    CSR-1(conf-ssh-pubkey-data)#exit
    CSR-1(conf-ssh-pubkey-user)#exit
    CSR-1(conf-ssh-pubkey)#exit
    CSR-1(config)#exit
    CSR-1#exit
    
    CSR-1#show running-config | inc ssh
    username ssh-public-key secret 5 $1$ebjc$EYgwMFQXPPiywFVn6rl7t.
    username ssh-putty privilege 15 secret 5 $1$vIhh$nM8iCeBKmLyVK4hA6./h4.
    ip ssh pubkey-chain
       key-hash ssh-rsa D4E9AD62F7F6265EAAB3FB8778477612
      username ssh-public-key
       key-hash ssh-rsa C331DEE821A84681A4A7B1862C100D16
      username ssh-putty
       key-hash ssh-rsa F32BEB60290EA75D151447C0D42D2A99
       key-hash ssh-rsa 5432C275B363B646E02D3BA7E8D865B7
    CSR-1#
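Two things are worth checking before and after pasting a key. In the show running-config | inc ssh output above, the filter keeps only lines containing "ssh", so a username line without that substring is hidden, which is why the first key-hash appears without its username. And the key-hash value itself can be verified against the key you pasted. As an added example (not part of the original article), here is a small Python tool that parses an OpenSSH one-line public key, checks that the blob really is ssh-rsa with a well-formed modulus, computes the MD5 key-hash that IOS shows in the running configuration and the SHA256 fingerprint that ssh-keygen prints, and emits the key both as the lines pasted under key-string and in the RFC 4716 form that ssh-keygen -e -m RFC4716 produces and that the Huawei encoding-type pem examples further down accept. The sample key is the 2048-bit key from the article's Huawei and Nexus examples; the "lab-key" comment, the 64-character line width and the ed25519 negative sample are assumptions made for the example.

```python
import base64
import hashlib
import struct

# Constructed sample: the 2048-bit ssh-rsa key from this article's Huawei and
# Nexus examples, as an OpenSSH one-line public key ("lab-key" is invented).
SAMPLE_B64 = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQC4YLFhPqfsz4a6PUpZOtvm6zGn5TWOVMnx"
    "lTH5hr/u+aYnoM2XnDTu4Ul1iB8MMPLVKXzV4LgYhaFcU1rz2/yYhTKIwbiQTHof"
    "63fJjyWwkvyBuVZTSKh4b2pfoF2mXgdJzzRmUaiRrZZUVJWsX+CbgtKQuktG7sTK"
    "2eguHwdfhilbOAsUaL0/q39Y0aTAMnLMtn0m5r6MD/UopQPI3Fxm1L9azJ7zYIZa"
    "yI43Solg0AOupPl8FHFI9Cxq81/uZRACx5lAyuObaQ4/t1Rdh3CAJj1qwfZjZFTP"
    "VdJxwTDxwfkpOzMD193M0ThOSrgfWe336Q9F3jbSWrEYUQDX8ew7"
)
SAMPLE_OPENSSH_LINE = "ssh-rsa " + SAMPLE_B64 + " lab-key"


def _ssh_string(data):
    """Encode bytes as an SSH wire 'string': uint32 length + payload."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob, offset):
    """Read one SSH wire 'string' at offset; return (payload, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_openssh_pubkey(line):
    """Parse 'ssh-rsa <base64> [comment]'; only ssh-rsa is accepted, as on IOS."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_ssh_string(blob, 0)
    if wire_type != keytype.encode():
        raise ValueError("key type inside the blob does not match %r" % keytype)
    if keytype != "ssh-rsa":
        raise ValueError("%s: only ssh-rsa keys are accepted" % keytype)
    e_bytes, off = _read_ssh_string(blob, off)   # RSA public exponent (mpint)
    n_bytes, off = _read_ssh_string(blob, off)   # RSA modulus (mpint)
    if off != len(blob):
        raise ValueError("trailing bytes after the RSA modulus")
    n = int.from_bytes(n_bytes, "big")  # the mpint's leading 0x00 drops out here
    return {"type": keytype, "blob": blob, "e": int.from_bytes(e_bytes, "big"),
            "n": n, "bits": n.bit_length(), "comment": comment}


def cisco_key_hash(blob):
    """MD5 of the raw blob, uppercase hex: the 'key-hash ssh-rsa ...' value IOS
    stores in the running config (same digits as 'ssh-keygen -E md5 -lf key.pub')."""
    return hashlib.md5(blob).hexdigest().upper()


def openssh_fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen prints (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def to_rfc4716(blob, comment=""):
    """RFC 4716 'SSH2 PUBLIC KEY' form, as 'ssh-keygen -e -m RFC4716' emits it
    (70-char lines; the RFC allows up to 72) and as Huawei 'encoding-type pem' reads it."""
    b64 = base64.b64encode(blob).decode()
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        lines.append('Comment: "%s"' % comment)
    lines.extend(b64[i:i + 70] for i in range(0, len(b64), 70))
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines)


def to_cisco_key_string(blob, width=64):
    """The base64 body split into lines to paste under 'key-string' on IOS."""
    b64 = base64.b64encode(blob).decode()
    return [b64[i:i + width] for i in range(0, len(b64), width)]


def key_policy_findings(bits, device_max=None):
    """Checks from the article: 1024-bit keys are weak, and some devices (the
    Huawei router shown) refuse keys longer than 2048 bits."""
    findings = []
    if bits < 2048:
        findings.append("%d-bit RSA is below the 2048-bit baseline" % bits)
    if device_max is not None and bits > device_max:
        findings.append("%d-bit key exceeds the device limit of %d bits" % (bits, device_max))
    return findings


# Constructed negative sample: an ed25519 blob (32 zero bytes), which IOS rejects.
SAMPLE_NON_RSA_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode() + " lab-key"


if __name__ == "__main__":
    key = parse_openssh_pubkey(SAMPLE_OPENSSH_LINE)
    print("bits", key["bits"], "e", key["e"], "IOS key-hash", cisco_key_hash(key["blob"]))
    print(openssh_fingerprint(key["blob"]))
    print(to_rfc4716(key["blob"], key["comment"]))
    for f in key_policy_findings(key["bits"], device_max=2048):
        print("WARNING:", f)
```

Run it on your own id_rsa.pub and compare the printed key-hash with the one in show running-config: a mismatch means a line of the key was lost or mangled while pasting. The parser deliberately rejects anything but ssh-rsa for the same reason the IOS prompt does, and it refuses blobs with trailing or missing bytes, which is the usual symptom of a truncated paste.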
    


Cisco ASA


LAB-ASA5516-X-01/pri/act# conf t
LAB-ASA5516-X-01/pri/act(config)# username artemiy password artemiy privilege $
LAB-ASA5516-X-01/pri/act(config)# username artemiy attributes 
LAB-ASA5516-X-01/pri/act(config-username)# ssh authentication publickey ?

username mode commands/options:
  WORD  Raw SSH-RSA public key
LAB-ASA5516-X-01/pri/act(config-username)# ssh authentication publickey AAAAB3$

Paste the whole key body on one line: the base64 part of the OpenSSH public key, without the ssh-rsa prefix and the comment.


Huawei routers and switches


[R1]rsa peer-public-key test-key1 encoding-type pem 
Enter "RSA public key" view, return system view with "peer-public-key end".
NOTE: The number of the bits of public key must be between 769 and 2048.
[R1-rsa-public-key]public-key-code begin 
Enter "RSA key code" view, return last view with "public-key-code end".
[R1-rsa-key-code]---- BEGIN SSH2 PUBLIC KEY ----
[R1-rsa-key-code]Subject: Subject
[R1-rsa-key-code]Comment: " Subject@Subject.local"
[R1-rsa-key-code]ModBitSize: 2048
[R1-rsa-key-code]AAAAB3NzaC1yc2EAAAADAQABAAABAQC4YLFhPqfsz4a6PUpZOtvm6zGn5TWOVMnx
[R1-rsa-key-code]lTH5hr/u+aYnoM2XnDTu4Ul1iB8MMPLVKXzV4LgYhaFcU1rz2/yYhTKIwbiQTHof
[R1-rsa-key-code]63fJjyWwkvyBuVZTSKh4b2pfoF2mXgdJzzRmUaiRrZZUVJWsX+CbgtKQuktG7sTK
[R1-rsa-key-code]2eguHwdfhilbOAsUaL0/q39Y0aTAMnLMtn0m5r6MD/UopQPI3Fxm1L9azJ7zYIZa
[R1-rsa-key-code]yI43Solg0AOupPl8FHFI9Cxq81/uZRACx5lAyuObaQ4/t1Rdh3CAJj1qwfZjZFTP
[R1-rsa-key-code]VdJxwTDxwfkpOzMD193M0ThOSrgfWe336Q9F3jbSWrEYUQDX8ew7
[R1-rsa-key-code]---- END SSH2 PUBLIC KEY ----
[R1-rsa-key-code]public-key-code end
[R1-rsa-public-key]peer-public-key end 
[R1]display rsa peer-public-key 

=====================================
    Key name: test-key1
=====================================
Key Code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQC4YLFhPqfsz4a6PUpZOtvm6zGn5TWOVMnx
lTH5hr/u+aYnoM2XnDTu4Ul1iB8MMPLVKXzV4LgYhaFcU1rz2/yYhTKIwbiQTHof
63fJjyWwkvyBuVZTSKh4b2pfoF2mXgdJzzRmUaiRrZZUVJWsX+CbgtKQuktG7sTK
2eguHwdfhilbOAsUaL0/q39Y0aTAMnLMtn0m5r6MD/UopQPI3Fxm1L9azJ7zYIZa
yI43Solg0AOupPl8FHFI9Cxq81/uZRACx5lAyuObaQ4/t1Rdh3CAJj1qwfZjZFTP
VdJxwTDxwfkpOzMD193M0ThOSrgfWe336Q9F3jbSWrEYUQDX8ew7
---- END SSH2 PUBLIC KEY ----
aaa
local-user jet privilege level 15
 local-user jet service-type telnet terminal ssh http
ssh user jet assign rsa-key test-key1

Key encodings that can be imported on Huawei (quoting the Huawei documentation):

“The SecureCRT and PuTTY generate RSA keys in PEM format.”

rsa peer-public-key test-key1 encoding-type pem

“The OpenSSH generates RSA keys in OpenSSH format.”

rsa peer-public-key test-key1 encoding-type openssh

“The OpenSSL generates RSA keys in DER format.”

rsa peer-public-key test-key1 encoding-type der

The default is hexadecimal:

rsa peer-public-key test-key1

Note: Huawei equipment supports not only RSA keys but also DSA and ECC keys:

ssh user user-name assign { rsa-key | dsa-key | ecc-key } key-name

The authentication type for an SSH user can be fixed explicitly:

[R1]ssh user jet authentication-type ?
  all           All authentication, password,RSA or ECC
  ecc           ECC authentication
  password      Password authentication
  password-ecc  Both password and ECC
  password-rsa  Both password and RSA
  rsa           RSA authentication
[R1]

That is, access can be allowed with a password only, with a key only (RSA or ECC), with any of them (all), or with a password and a key together (password-rsa, password-ecc), which makes the login two-factor.


Huawei USG (6000)


The configuration is the same as on the router, with a few particularities.

By default the privilege level after logging in with a key is 0 and cannot be raised from within the session, so the level is set on the VTY lines:

user-interface vty 0 4
 user privilege level 15
user-interface vty 16 20
 user privilege level 15

Example:

[USG-a]rsa peer-public-key test-key1 encoding-type pem 
Enter "RSA public key" view, return system view with "peer-public-key end".
[USG-a-rsa-public-key]public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[USG-a-rsa-key-code]---- BEGIN SSH2 PUBLIC KEY ----
[USG-a-rsa-key-code]Subject: subject
[USG-a-rsa-key-code]Comment: " subject@subject.local"
[USG-a-rsa-key-code]ModBitSize: 2048
[USG-a-rsa-key-code]AAAAB3NzaC1yc2EAAAADAQABAAABAQC4YLFhPqfsz4a6PUpZOtvm6zGn5TWOVMnx
[USG-a-rsa-key-code]lTH5hr/u+aYnoM2XnDTu4Ul1iB8MMPLVKXzV4LgYhaFcU1rz2/yYhTKIwbiQTHof
[USG-a-rsa-key-code]63fJjyWwkvyBuVZTSKh4b2pfoF2mXgdJzzRmUaiRrZZUVJWsX+CbgtKQuktG7sTK
[USG-a-rsa-key-code]2eguHwdfhilbOAsUaL0/q39Y0aTAMnLMtn0m5r6MD/UopQPI3Fxm1L9azJ7zYIZa
[USG-a-rsa-key-code]yI43Solg0AOupPl8FHFI9Cxq81/uZRACx5lAyuObaQ4/t1Rdh3CAJj1qwfZjZFTP
[USG-a-rsa-key-code]VdJxwTDxwfkpOzMD193M0ThOSrgfWe336Q9F3jbSWrEYUQDX8ew7
[USG-a-rsa-key-code]---- END SSH2 PUBLIC KEY ----
[USG-a-rsa-key-code]public-key-code end
[USG-a-rsa-public-key]peer-public-key end
[USG-a]
[USG-a]ssh user admin assign rsa-key test-key1
! Out-of-band management interface:
[USG-a-GigabitEthernet0/0/0]service-manage ssh permit
! Grant the user privilege level 15:
[USG-a]user-interface vty 0 4
[USG-a-ui-vty0-4]user privilege level 15


Cisco Nexus (NX-OS 9.3)


Option 1: copy the public key file to the device and reference that file in the user definition:

switch# copy tftp://10.10.1.1/secsh_file.pub bootflash:secsh_file.pub
username User1 sshkey file bootflash:secsh_file.pub

Option 2: paste the public key directly into the user definition:

username User1 sshkey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4YLFhPqfsz4a6PUpZOtvm6zGn5TWOVMnxlTH5hr/u+aYnoM2XnDTu4Ul1iB8MMPLVKXzV4LgYhaFcU1rz2/yYhTKIwbiQTHof63fJjyWwkvyBuVZTSKh4b2pfoF2mXgdJzzRmUaiRrZZUVJWsX+CbgtKQuktG7sTK2eguHwdfhilbOAsUaL0/q39Y0aTAMnLMtn0m5r6MD/UopQPI3Fxm1L9azJ7zYIZayI43Solg0AOupPl8FHFI9Cxq81/uZRACx5lAyuObaQ4/t1Rdh3CAJj1qwfZjZFTPVdJxwTDxwfkpOzMD193M0ThOSrgfWe336Q9F3jbSWrEYUQDX8ew7


Using the private key for the SSH connection


This section covers configuring SSH clients to authenticate with RSA keys to network equipment (or any other equipment whose software supports public key authentication).

We look at the most popular programs, SecureCRT and PuTTY, and at the built-in Mac OS X client.


SecureCRT


The SSH settings window has an Authentication list; move PublicKey to the top of the list so that it has the highest priority.



Then open the PublicKey properties and select the private key file. The top switch chooses between the global private key settings and a session-specific key (a non-default key used only for this connection).



The global key is configured under Options → Global Options → category SSH2.



PuTTY


In the SSH settings (Connection → SSH → Auth), in the field “Private key file for authentication”, specify the PuTTY Private Key (.ppk) file:



Mac OS X


Using the standard client with public keys. On the first connection the client prints the device's host key fingerprint; compare it with the fingerprint obtained from the device's console before answering “yes”, otherwise your key only proves your identity to whatever answers at that address.

  • Connection with a non-default key given explicitly (R4):

    artemiy-2:~ ArtemiySP$ ssh r4@10.31.73.29 -i ~/Documents/python/r4
    The authenticity of host '10.31.73.29 (10.31.73.29)' can't be established.
    RSA key fingerprint is SHA256:fxOLFKU6YGyIqisrIh2P0O52Rr6Wx/wsSAcHsTz8fo0.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.31.73.29' (RSA) to the list of known hosts.
    CSR-4#
    
  • The same with the non-default key for R5:

    artemiy-2:~ ArtemiySP$ ssh r5@10.31.73.30 -i ~/Documents/python/r5
    The authenticity of host '10.31.73.30 (10.31.73.30)' can't be established.
    RSA key fingerprint is SHA256:4l67C4Il4pTaqYT4vrtWr0aY7rPmNWKsjRv2zlYtQIU.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.31.73.30' (RSA) to the list of known hosts.
    MGTU#exit
    Connection to 10.31.73.30 closed.
    

    Example error (screenshot from Mac OS X, not reproduced here)
  • Connection with the default key (the client finds and uses the default key itself):

    artemiy-2:~ ArtemiySP$ ssh r6@10.31.73.31
    The authenticity of host '10.31.73.31 (10.31.73.31)' can't be established.
    RSA key fingerprint is SHA256:2/ysACJQw48Q8S45ody4wna+6nJspcsEU558HiUN43Q.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.31.73.31' (RSA) to the list of known hosts.
    PR#exit
    Connection to 10.31.73.31 closed.
    artemiy-2:~ ArtemiySP$ 
    


How to simplify working with SSH on Mac OS X:


  • Create SSH aliases.
  • Set the user name in each alias.
  • Register the key location there as well.

Aliases and the rest of the preset SSH configuration live in ~/.ssh/config (/Users/[Username]/.ssh/config).

Filled in like this:

host r4
   Hostname 10.31.73.29
   Port 22
   User r4
   IdentityFile ~/Documents/python/r4

host r5
   Hostname 10.31.73.30
   Port 22
   User r5
   IdentityFile ~/Documents/python/r5

host r6
   Hostname 10.31.73.31
   Port 22
   User r6

Note: my default connection is set up incorrectly (I don't know the correct way), because the connection to host R6 (10.31.73.31) takes a very long time. It is recommended to specify the path to the default key right away.
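As an added example, not the article's own file, here is the same ~/.ssh/config with an explicit IdentityFile for r6 and IdentitiesOnly yes on every host. A common reason a key login is slow, or fails with “Too many authentication failures”, is that the client offers every key it finds in ~/.ssh and in ssh-agent before the right one, and the server counts each offered key as an attempt; IdentitiesOnly restricts the offer to the file named in the config. Whether that is what slows down r6 here can be checked with ssh -v r6, which lists the keys being offered. Addresses and user names are the article's lab values; the key paths follow the layout used above.

```sshconfig
# Added example, not the article's own file.
Host r4
    Hostname 10.31.73.29
    Port 22
    User r4
    IdentityFile ~/Documents/python/r4
    IdentitiesOnly yes

Host r5
    Hostname 10.31.73.30
    Port 22
    User r5
    IdentityFile ~/Documents/python/r5
    IdentitiesOnly yes

Host r6
    Hostname 10.31.73.31
    Port 22
    User r6
    # the R6 key that was renamed to id_rsa earlier in the article
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes

Host *
    # offer the key first; fall back to a password only if the device asks for one
    PreferredAuthentications publickey,keyboard-interactive,password
```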

Example SSH connections using public keys and the config file:

artemiy-2:Documents ArtemiySP$ ssh r5
MGTU#exit
Connection to 10.31.73.30 closed by remote host.
Connection to 10.31.73.30 closed.
artemiy-2:Documents ArtemiySP$ ssh r4
CSR-4#exit
Connection to 10.31.73.29 closed by remote host.
Connection to 10.31.73.29 closed.
artemiy-2:Documents ArtemiySP$ ssh r6
PR#exit
Connection to 10.31.73.31 closed.
artemiy-2:Documents ArtemiySP$ ssh r6
PR#


Conclusion


RSA keys can replace password authentication, but not in every case:

  • Public key authentication is not possible when the device authenticates users against a domain (the authentication requests are proxied to the LDAP/Kerberos server, which checks passwords, not keys).
  • Public key authentication is not possible on old network equipment (example: it could not be configured on a Cisco Catalyst 2960 with firmware 12.2).

Passphrase-protected keys are convenient on lab equipment. Drawback: a shared key pair has to be sent to colleagues and partners, private key included. Better practice is for each person to generate their own pair and to register only the public keys on the equipment, so that no private key ever changes hands.

On some equipment several public keys can be bound to one user; on other equipment only one public key per user is allowed.

There are also different formats in which a key pair is stored; this guide shows how to export keys between them.

Today 2048 bits is the practical baseline for RSA keys, and on some equipment it is also the maximum allowed (this may be fixed in newer firmware). For instance:

[R1]rsa peer-public-key test-key2 encoding-type pem
Enter "RSA public key" view, return system view with "peer-public-key end".
NOTE: The number of the bits of public key must be between 769 and 2048.
[R1-rsa-public-key]

Public keys are recommended instead of passwords wherever passwords would otherwise be typed by scripts (example: auto-logon in SecureCRT), so that no password is stored in the script.

Public keys are recommended to avoid sending passwords over the network at all.

Some software uses public keys for SSH authentication by default instead of a password (example: Ansible).


List of sources:


  1. Wikipedia: RSA
  2. Conversion from PuTTY to SecureCRT with auth. keys, SecureCRT Forum
  3. Secure Shell Configuration Guide, Cisco IOS Release 15E
  4. Download PuTTYgen
  5. Huawei official documentation: description of the key formats for import to a Huawei router
  6. Huawei USG 6000: Configuring Public Key Authentication (CLI: Example for Logging In to the CLI Using STelnet (RSA Authentication))
  7. Nexus 9000 configuration guide: SSH public key
  8. man ssh-keygen (Mac OS X)
  9. SSH config file, Mac OS X
  10. SSH
  11. SSH config
  12. OpenSSH public key format, RFC 4716
