Access Security Guide K/KA/KB.15.15

Figure 177 Copying and displaying a client public-key file containing two different client public keys for the same client
Replacing or clearing the Public-Key file
The client public-key file remains in the switch flash memory even if you erase the startup-config
file, reset the switch, or reboot the switch.
Remove the existing client public-key file or specific keys by executing the clear crypto
public-key command. This clears the public keys from both management modules. The module
that is not active must be in standby mode.
Syntax:
clear crypto public-key
Deletes the client public-key file from the switch.
Syntax:
clear crypto public-key 3
Deletes the entry with an index of 3 from the client public-key file on the switch.
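The public-key file the switch stores is a list of OpenSSH-format public-key lines, and the clear command above addresses entries by index. The following Python tool, added here as an illustration and not part of this guide or of the switch software, builds a small constructed file (placeholder key bytes, not real keys), then parses every line the way a careful operator would before copying the file to the switch: it checks that the base64 blob decodes, that the key type named at the start of the line matches the type encoded inside the blob, that an Ed25519 blob has the right shape, and it prints each entry's 1-based index and SHA-256 fingerprint so the operator can tell which index a later `clear crypto public-key <n>` would remove. The assumption that the switch numbers entries in file order is mine; the guide states only that `clear crypto public-key 3` deletes index 3.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length + body (RFC 4253)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(raw_key: bytes, comment: str) -> str:
    """Build one OpenSSH public-key line: 'ssh-ed25519 <base64 blob> <comment>'."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


# Constructed sample input (NOT real keys): two keys for the same client, as in
# Figure 177, one key for another client, and one deliberately truncated line.
SAMPLE_FILE = "\n".join([
    make_ed25519_line(bytes(range(0, 32)), "admin1@laptop"),
    make_ed25519_line(bytes(range(32, 64)), "admin1@desktop"),
    make_ed25519_line(bytes(range(64, 96)), "netops@jumphost"),
    "ssh-ed25519 QUJD truncated@example",  # decodes to 3 bytes: no room for a length field
]) + "\n"


def _read_ssh_string(buf: bytes, offset: int) -> tuple[bytes, int]:
    """Decode one SSH 'string' at offset; raise ValueError if the buffer is truncated."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + n
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[start:end], end


def parse_public_key_file(text: str) -> list[dict]:
    """Validate each non-blank line and report it with a 1-based index.

    Assumption (not stated by the guide): the switch numbers entries in file
    order, so index n here is the entry 'clear crypto public-key n' removes.
    """
    entries = []
    for index, line in enumerate((l for l in text.splitlines() if l.strip()), 1):
        parts = line.split(None, 2)
        entry = {"index": index, "type": parts[0],
                 "comment": parts[2] if len(parts) == 3 else "",
                 "fingerprint": None, "error": None}
        try:
            if len(parts) < 2:
                raise ValueError("missing base64 key blob")
            blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
            blob_type, off = _read_ssh_string(blob, 0)
            if blob_type != parts[0].encode("ascii"):
                raise ValueError(f"type field {parts[0]!r} does not match blob type {blob_type!r}")
            if parts[0] == "ssh-ed25519":
                key, off = _read_ssh_string(blob, off)
                if len(key) != 32 or off != len(blob):
                    raise ValueError("malformed Ed25519 blob")
            # OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw blob
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
            entry["fingerprint"] = "SHA256:" + digest
        except ValueError as exc:
            entry["error"] = str(exc)
        entries.append(entry)
    return entries


def duplicate_fingerprints(entries: list[dict]) -> dict[str, list[int]]:
    """Map each fingerprint that occurs more than once to the indices holding it."""
    seen: dict[str, list[int]] = {}
    for e in entries:
        if e["fingerprint"]:
            seen.setdefault(e["fingerprint"], []).append(e["index"])
    return {fp: idx for fp, idx in seen.items() if len(idx) > 1}


if __name__ == "__main__":
    for e in parse_public_key_file(SAMPLE_FILE):
        print(f"index {e['index']}: {e['type']:12} {e['comment']:18} {e['error'] or e['fingerprint']}")
```

Run it against the real file before the TFTP copy; any line that reports an error would be silently useless on the switch, and the fingerprint column is what you compare against `ssh-keygen -l` output on the client when deciding which index to clear.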
Enabling client Public-Key authentication
After you TFTP a client public-key file into the switch, configure the switch to allow the following:
• If an SSH client's public key matches the switch client public-key file, allow that client access to the switch.
• If there is not a public-key match, then deny access to that client.
Syntax:
aaa authentication ssh login <local | tacacs | radius | public-key> [local | none]
Configures a password method for the primary and secondary login (Operator) access.
If you do not specify an optional secondary method, it defaults to none.
If the primary method is local, the secondary method must be none.
CAUTION: To enable client public-key authentication to block SSH clients whose public keys are
not in the client public-key file copied into the switch, you must configure the Login Secondary as
none. Otherwise, the switch allows such clients to attempt access using the switch operator password.
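The CAUTION above is easy to violate in a running-config, because a secondary method of local looks harmless until you remember it is a password fallback for clients whose key is not in the file. The following checker, added here as an illustration and not part of this guide or of any switch tool, applies the rules this section states to `aaa authentication ssh login` lines pulled from a configuration: the documented primary and secondary keywords, the default of none when the secondary is omitted, the requirement that primary local pairs only with none, and the weak case of primary public-key with a secondary that is not none. The config lines are constructed samples, with the weak setting next to its corrected form.

```python
import re

# Keywords exactly as the syntax line in this section documents them
PRIMARY_METHODS = {"local", "tacacs", "radius", "public-key"}
SECONDARY_METHODS = {"local", "none"}

LINE_RE = re.compile(r"^\s*aaa\s+authentication\s+ssh\s+login\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample configuration (not from any real switch)
SAMPLE_CONFIG = """\
hostname switch-lab
aaa authentication ssh login public-key local
aaa authentication ssh login public-key none
aaa authentication ssh login public-key
aaa authentication ssh login local local
aaa authentication ssh login radius local
"""


def check_ssh_login_auth(config: str) -> list[dict]:
    """Classify every 'aaa authentication ssh login' line as ok, weak, or invalid."""
    findings = []
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        primary = m.group(1)
        secondary = m.group(2) or "none"  # omitted secondary defaults to none
        finding = {"line": line.strip(), "primary": primary, "secondary": secondary,
                   "status": "ok", "reason": "", "suggest": ""}
        if primary not in PRIMARY_METHODS or secondary not in SECONDARY_METHODS:
            finding.update(status="invalid", reason="keyword not in the documented syntax")
        elif primary == "local" and secondary != "none":
            finding.update(status="invalid",
                           reason="when the primary method is local the secondary must be none",
                           suggest="aaa authentication ssh login local none")
        elif primary == "public-key" and secondary != "none":
            # The CAUTION case: a client with no matching key can still try the operator password
            finding.update(status="weak",
                           reason="clients without a matching public key may attempt the operator password",
                           suggest="aaa authentication ssh login public-key none")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in check_ssh_login_auth(SAMPLE_CONFIG):
        print(f"{f['status']:8} {f['line']}")
        if f["reason"]:
            print(f"         {f['reason']}")
        if f["suggest"]:
            print(f"         use: {f['suggest']}")
```

Feed it the output of a saved running-config; a `weak` finding means key-based login is configured but is not actually the only way in, which is exactly the situation the CAUTION warns about.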
Using client public-key authentication
1. Generate a public/private key pair for each client you want to have SSH access to the switch.
This can be a separate key for each client or the same key copied to several clients.
2. Copy the public key for each client into a client public-key text file.
250 Secure Shell (SSH)