Enabling SSH with RSA or ECDSA Public Key for CLI

Unless configured for TLS, Telnet is not secure because it transmits passwords in clear text. To overcome this, you can use Secure Shell (SSH), which is the de facto standard for secure CLI access. SSH 2.0 is a protocol built on top of TCP that provides methods for key exchange, authentication, encryption, and authorization. SSH requires appropriate client software on the management PC. Most Linux distributions have OpenSSH pre-installed; Windows-based PCs require SSH client software such as PuTTY. By default, SSH uses the same username and password as the device's Telnet and Web server. SSH supports RSA or ECDSA public keys, providing carrier-grade security.

Follow the instructions below to configure the device with an administrator RSA or ECDSA key as a means of strong authentication.

To enable SSH and configure RSA or ECDSA public keys for Windows (using PuTTY SSH software):
1. Download and install the PuTTY application (free, open-source terminal emulator).
2. Start the PuTTYgen (PuTTY Key Generator) tool, and then do the following:
a. Under the Parameters group, do the following:
   Select the RSA or ECDSA option.
   In the 'Number of bits in a generated key' field, enter the bit size.
b. Under the Actions group, click Generate and then follow the on-screen instructions.
c. Under the Actions group, click Save private key to save the new private key to a file (*.ppk) on your PC.
d. Under the Key group, select and copy the generated encoded string (public key) to your clipboard, from after the first space to before the last space.

3. Open the Local Users table (see Configuring Management User Accounts), and then for the required user, paste the public key that you copied in Step 2.d into the 'SSH Public Key' field.

The public key cannot be configured with wide characters.

4. On the CLI Settings page, do the following:
a. From the 'Enable SSH Server' drop-down list, select Enable.
b. For additional security, you can configure the 'Public Key' field to Enable. This ensures that SSH access is only possible by using the RSA or ECDSA key and not by username and password.

c. To enable SSH from the WAN, from the 'Allow WAN access to SSH' drop-down list, select Enable.
d. Configure the other SSH parameters as required. For a description of these parameters, see SSH Parameters.
e. Click Apply.
5. Start the PuTTY Configuration program, and then do the following:
a. In the 'Category' tree, drill down to Connection, then SSH, and then Auth; the 'Options controlling SSH authentication' pane appears.
b. Under the 'Authentication parameters' group, click Browse and then locate the private key file that you created and saved in Step 2.

6. Connect to the device with SSH using the username "Admin"; key negotiation occurs automatically and no password is required.

To configure SSH public keys for Linux (using OpenSSH 4.3):
1. Run the following command to create a new key in the admin.key file and to save the public portion to the admin.key.pub file:
ssh-keygen -f admin.key -t [ecdsa|rsa]
2. Open the admin.key.pub file, and then copy the public key string to your clipboard, from after the first space to before the last space.
3. Open the Local Users table (see Configuring Management User Accounts), and then for the required user, paste the public key that you copied in Step 2 into the 'SSH Public Key' field.
4. Connect to the device with SSH, using the following command:
ssh -i admin.key <Username>@<IP Address of Device>

For example:

ssh -i admin.key Admin@10.4.30.215

Key negotiation occurs automatically and no password is required.
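
The copy in Step 2 of the Linux procedure can be scripted so that only the base64 field reaches the 'SSH Public Key' field. The following is an added example, not part of the device documentation: the function name extract_device_key and the sample key line are constructed for illustration, and it assumes the standard OpenSSH public key layout of type, base64 blob, and optional comment.

```shell
#!/bin/sh
# Added example (not vendor code). extract_device_key FILE prints the base64
# field of an OpenSSH public key line "<type> <base64> [comment]", i.e. the
# text between the first and last space that the procedure says to copy.
# The body is a subshell so LC_ALL and "exit" stay local to the call.
extract_device_key() (
    LC_ALL=C; export LC_ALL
    pub_file=$1
    key_type=$(awk 'NR==1 {print $1}' "$pub_file")
    key_b64=$(awk 'NR==1 {print $2}' "$pub_file")

    # Accept only the key types this procedure generates (RSA or ECDSA).
    case $key_type in
        ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unexpected key type: $key_type" >&2; exit 1 ;;
    esac

    # Reject an empty field or any character outside the base64 alphabet;
    # this also catches wide (non-ASCII) characters picked up by copy/paste.
    case $key_b64 in
        ''|*[!A-Za-z0-9+/=]*) echo "key field is not plain base64" >&2; exit 1 ;;
    esac

    # The decoded blob starts with a 4-byte length followed by the key type
    # name; a mismatch means the wrong field or a truncated key was copied.
    embedded=$(printf '%s' "$key_b64" | base64 -d 2>/dev/null |
        tail -c +5 | head -c "${#key_type}" | tr -d '\000')
    if [ "$embedded" != "$key_type" ]; then
        echo "key blob does not match type $key_type" >&2; exit 1
    fi
    printf '%s\n' "$key_b64"
)

# Constructed sample: a minimal ssh-rsa blob header, not a usable key.
demo_dir=$(mktemp -d)
demo_blob=$(printf '\000\000\000\007ssh-rsa\000\000\000\003\001\000\001' | base64)
printf 'ssh-rsa %s admin@mgmt-pc\n' "$demo_blob" > "$demo_dir/admin.key.pub"
extract_device_key "$demo_dir/admin.key.pub"
rm -rf "$demo_dir"
```

For a real key, run extract_device_key admin.key.pub and paste the single line it prints.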