This guide sets up SSH public-key authentication to Cisco Nexus (NXOS) and Catalyst (IOSXE) switches.

Password login for these users will not be available unless you also add the standard local secret/password configuration.

Validation environment details:

  • Ubuntu 24.04 LTS
  • Cisco Nexus N9K-C9332C running NXOS 10.3(4a)
  • Cisco Catalyst C9500-48Y4C running IOSXE 17.9.5

Prep Workstation

We'll need to generate keys we'll use for authentication and configure the hosts in our SSH config file for easy connection.

Generate Keys

I typically generate keys for different environments using my initials and an acronym for the client. In this case, I'll use ds for my initials and c1 for the client acronym.

  1. Generate SSH keys.

Command template and explanation:

ssh-keygen -t {dsa_type} -b {bit_count} -C {user}@{client} -f ~/.ssh/{user}@{client}
  • -t specifies the key type (signature algorithm) to use for the key.
  • -b specifies the bit count for the key.
  • -C specifies a comment for the key.
  • -f specifies the output file for the key.

To generate an ed25519 key with the comment ds@c1, written to the file ~/.ssh/ds@c1 (note that ed25519 keys have a fixed length, so ssh-keygen accepts but ignores -b 4096 here):

ssh-keygen -t ed25519 -b 4096 -C ds@c1 -f ~/.ssh/ds@c1

  2. Get the contents of the .pub file for the new key; this is the string that needs to be copied to the NXOS/IOSXE switches. In this example, we need ~/.ssh/ds@c1.pub.

cat ~/.ssh/ds@c1.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0gdfA+p4+Cu9kBIEfhRXT+RFcjaiwyZ57D0fT7Q3Ce ds@c1

Configure Hosts

Add the NXOS/IOSXE devices to your ~/.ssh/config file.

SSH host template:

Host {nxos_hostname}
  HostName {nxos_ip_address}
  Port {nxos_ssh_port}
  User {nxos_username}
  IdentityFile ~/.ssh/{user}@{client}

Host {iosxe_hostname}
  HostName {iosxe_ip_address}
  Port {iosxe_ssh_port}
  User {iosxe_username}
  IdentityFile ~/.ssh/{user}@{client}

Filled in for this environment:

Host NXOS-SW-1
  HostName 10.63.255.11
  Port 22
  User c1ds
  IdentityFile ~/.ssh/ds@c1

Host IOSXE-SW-1
  HostName 10.63.255.21
  Port 22
  User c1ds
  IdentityFile ~/.ssh/ds@c1

Configure NXOS

  1. Create user with desired role.
  2. Configure the SSH public key data for the user using the entire contents of the .pub file.
NX-OS config template:

username {username} role {role}
username {username} sshkey {entire_contents_of_pub_file}

Filled in for this environment:

username c1ds role network-admin
username c1ds sshkey ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0gdfA+p4+Cu9kBIEfhRXT+RFcjaiwyZ57D0fT7Q3Ce ds@c1

Configure IOSXE

  1. Create user with desired privilege level.
  2. Enable the ssh-ed25519 public key algorithm.
  3. Configure the public key chain for the user using only the base64 key data (the second field) from the .pub file, not the key type or comment.

IOSXE config template:

username {username} privilege 15
ip ssh server algorithm publickey ssh-ed25519
ip ssh pubkey-chain
 username {username}
  key-string
   {string_data_from_pub_file}

Filled in for this environment:

username c1ds privilege 15
ip ssh server algorithm publickey ssh-ed25519
ip ssh pubkey-chain
 username c1ds
  key-string
   AAAAC3NzaC1lZDI1NTE5AAAAIL0gdfA+p4+Cu9kBIEfhRXT+RFcjaiwyZ57D0fT7Q3Ce
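The three fragments above (the ~/.ssh/config stanza, the NX-OS username/sshkey lines and the IOS XE pubkey-chain) differ only in which part of the .pub line they take: NX-OS wants the whole line, IOS XE wants only the base64 blob. The following Python script, added here as an example and not part of the original guide, parses a .pub file, rejects anything that is not a single ssh-ed25519 line, and renders all three fragments so the right field lands on each platform. The key data in SAMPLE_PUB is a constructed placeholder and not a real key; the host names, addresses and user name are the ones used in this guide.

```python
"""Render the SSH-client host stanza and the NX-OS / IOS XE user+key
configuration from an OpenSSH .pub file.

Added example, not code from the original guide. It assumes the .pub file
is the single-line OpenSSH public key format that ssh-keygen writes:
"<type> <base64> [comment]".
"""
import re
from dataclasses import dataclass

# One OpenSSH public key line; only ssh-ed25519 is accepted, matching the guide.
_PUB_RE = re.compile(
    r"^(?P<type>ssh-ed25519)\s+(?P<b64>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>\S.*))?$"
)


@dataclass(frozen=True)
class PubKey:
    key_type: str
    blob: str      # base64 key data only (what the IOS XE key-string takes)
    comment: str   # e.g. ds@c1

    @property
    def line(self) -> str:
        """Full .pub line (what NX-OS 'username ... sshkey' takes)."""
        return f"{self.key_type} {self.blob} {self.comment}".rstrip()


def parse_pub(text: str) -> PubKey:
    """Parse .pub contents; reject anything that is not exactly one ssh-ed25519 line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one key line in .pub file")
    m = _PUB_RE.match(lines[0].strip())
    if not m:
        raise ValueError("not an ssh-ed25519 public key line")
    return PubKey(m["type"], m["b64"], m["comment"] or "")


def ssh_config_stanza(host: str, ip: str, user: str, identity: str, port: int = 22) -> str:
    """~/.ssh/config Host block, same shape as the guide's template."""
    return "\n".join([
        f"Host {host}",
        f"  HostName {ip}",
        f"  Port {port}",
        f"  User {user}",
        f"  IdentityFile {identity}",
    ])


def nxos_config(user: str, role: str, key: PubKey) -> str:
    """NX-OS takes the entire .pub line after 'sshkey'."""
    return "\n".join([
        f"username {user} role {role}",
        f"username {user} sshkey {key.line}",
    ])


def iosxe_config(user: str, privilege: int, key: PubKey) -> str:
    """IOS XE takes only the base64 blob inside the pubkey-chain key-string."""
    return "\n".join([
        f"username {user} privilege {privilege}",
        "ip ssh server algorithm publickey ssh-ed25519",
        "ip ssh pubkey-chain",
        f" username {user}",
        "  key-string",
        f"   {key.blob}",
    ])


# Constructed sample .pub contents for demonstration only; NOT a real key.
SAMPLE_PUB = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEkeyDATAnotAREALkey0123456789abcdefgh ds@c1\n"
)

if __name__ == "__main__":
    key = parse_pub(SAMPLE_PUB)
    print(ssh_config_stanza("NXOS-SW-1", "10.63.255.11", "c1ds", "~/.ssh/ds@c1"))
    print(nxos_config("c1ds", "network-admin", key))
    print(iosxe_config("c1ds", 15, key))
```

To use it against a real key, replace SAMPLE_PUB with the contents of ~/.ssh/ds@c1.pub (for example `parse_pub(open("~/.ssh/ds@c1.pub").read())` with the path expanded); the strict regex means a stray second line or a different key type fails loudly instead of producing a config that the switch silently rejects at login.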

Testing & Validation Examples

Since the hosts were added to our ~/.ssh/config file, we can simply type ssh {host} at our prompt without having to specify our identity file (or any other parameters) in our connection command.

SSH Connection

$ ssh NXOS-SW-1
User Access Verification

|~~~~~~~~~~~~~~~EXEC MODE DISCLAIMER~~~~~~~~~~~~~~~|
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED |
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| You must have explicit, authorized permission to |
| access or configure this device.                 |
| Unauthorized attempts and actions to access or   |
| use this system may result in civil and/or       |
| criminal penalties. All activities performed on  |
| this device are logged and monitored.            |
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|

Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (C) 2002-2023, Cisco and/or its affiliates.
All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under their own
licenses, such as open source.  This software is provided "as is," and unless
otherwise stated, there is no warranty, express or implied, including but not
limited to warranties of merchantability and fitness for a particular purpose.
Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or 
GNU General Public License (GPL) version 3.0  or the GNU
Lesser General Public License (LGPL) Version 2.1 or 
Lesser General Public License (LGPL) Version 2.0. 
A copy of each such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://opensource.org/licenses/gpl-3.0.html and
http://www.opensource.org/licenses/lgpl-2.1.php and
http://www.gnu.org/licenses/old-licenses/library.txt.

`terminal color`
NXOS-SW-1# 

SSH Send Command

$ ssh NXOS-SW-1 "show ip int brief vrf management"
User Access Verification

IP Interface Status for VRF "management"(2)
Interface            IP Address      Interface Status
mgmt0                10.63.255.11    protocol-up/link-up/admin-up 

SSH Send Command (NXOS JSON-pretty format)

$ ssh NXOS-SW-1 "show ip int brief vrf management | json-pretty"
User Access Verification
{
    "TABLE_intf": {
        "ROW_intf": {
            "vrf-name-out": "management",
            "intf-name": "mgmt0",
            "proto-state": "up",
            "link-state": "up",
            "admin-state": "up",
            "iod": "2",
            "prefix": "10.63.255.11",
            "ip-disabled": "FALSE"
        }
    }
}
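Once key authentication works non-interactively, the json-pretty form is the one to script against. Note in the capture above that the device's "User Access Verification" banner arrives before the JSON document, so a script cannot feed the raw output straight to a JSON parser. The following Python script, added here as an example and not part of the original guide, skips the banner, parses the JSON, and checks that mgmt0 is admin/link/protocol up with the expected address; SAMPLE_CAPTURE is a constructed copy of the output shown above. The run_show helper simply shells out to `ssh {host} "{command}"` using the ~/.ssh/config alias, the same invocation the guide uses.

```python
"""Parse NX-OS 'show ... | json-pretty' output captured over SSH and check
the management interface.

Added example, not code from the original guide. It assumes the captured
text is what 'ssh NXOS-SW-1 "show ip int brief vrf management | json-pretty"'
prints: the device's login banner followed by the JSON document.
"""
import json
import subprocess
from typing import Any

# Constructed capture mirroring the guide's output (banner line, then JSON).
SAMPLE_CAPTURE = """User Access Verification
{
    "TABLE_intf": {
        "ROW_intf": {
            "vrf-name-out": "management",
            "intf-name": "mgmt0",
            "proto-state": "up",
            "link-state": "up",
            "admin-state": "up",
            "iod": "2",
            "prefix": "10.63.255.11",
            "ip-disabled": "FALSE"
        }
    }
}
"""


def run_show(host: str, command: str) -> str:
    """Run a show command over the ~/.ssh/config host alias (needs ssh on PATH)."""
    result = subprocess.run(["ssh", host, command], check=True, capture_output=True, text=True)
    return result.stdout


def extract_json(capture: str) -> Any:
    """Drop everything before the first '{' (login banner, MOTD) and parse the rest."""
    start = capture.find("{")
    if start < 0:
        raise ValueError("no JSON object in captured output")
    return json.loads(capture[start:])


def interface_rows(data: dict) -> list[dict]:
    """NX-OS emits a single row as an object and several rows as a list; normalize to a list."""
    rows = data.get("TABLE_intf", {}).get("ROW_intf", [])
    return rows if isinstance(rows, list) else [rows]


def mgmt_interface_ok(capture: str, expected_ip: str) -> bool:
    """True when mgmt0 is admin/link/protocol up and carries the expected address."""
    for row in interface_rows(extract_json(capture)):
        if row.get("intf-name") != "mgmt0":
            continue
        states_up = all(row.get(k) == "up" for k in ("admin-state", "link-state", "proto-state"))
        return states_up and row.get("prefix") == expected_ip
    return False  # no mgmt0 row at all


if __name__ == "__main__":
    # Offline demonstration on the constructed capture; swap in
    # run_show("NXOS-SW-1", "show ip int brief vrf management | json-pretty")
    # to check the live switch.
    print("mgmt0 healthy:", mgmt_interface_ok(SAMPLE_CAPTURE, "10.63.255.11"))
```

Searching for the first `{` is deliberate: the login banner shown earlier in this guide is made of `|` and `~` characters, and any banner containing a brace would break this shortcut, so keep device banners free of braces when you rely on it.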