Creating SSH keys

SSH authentication works with two different procedures:

• Interactive with password entry by keyboard
• By exchanging public keys

Keys have to be created for each individual as there are no predefined standard keys. For this reason, LANCOM devices with their factory settings only support authentication by password.

Keys are generated by entering the command sshkeygen at the command line on the device that the administrator want to run the SSH client on. The following syntax applies:

• sshkeygen [-?] [-h] [-t dsa|rsa] [-b bits] [-f output-file]
  • -?, -h: Display a brief help text about the available arguments
  • -t: This argument sets the key type.
  SSH supports two types of key: RSA keys are most widely used and have a length between 512 and 16384 bits. If possible you should work with keys of 1024 to 2048 bits in length. DSS keys follow the standard set down by the National Institute of Standards and Technology (NIST) and are typically used in environments which are required to comply with the Federal Information Processing Standard (FIPS). DSS keys are always 1024 bits long, but they are slower to process than a corresponding RSA key. An RSA type key will be generated if no key type is specified.
  • -b: This argument sets the length of the RSA key in bits.
  If no length is specified, the default value is 1024 bits.
  • -f: Name for the output file of the key.
  After generating the key, the public part must be transmitted to the remote system. The public part of the key can be displayed with the following command:
• show ssh idkeys

This command generates output similar to the following:

Configured Client-Side SSH Host Keys For User 'root':

ssh-rsa AAAAB3NzaC1yc2EAAAABEQAAAQEA2

8BtnFFInAi8I5B1aOwq5g2YfwIX2O/vMX+9SLZ

AJVAhFnhdOG4wjTpLVuaQRNlITpBESPaWPLqoA

...

wd0T0nkuNQ== root@sshctest

Even though the output is divided into a number of lines, it is a single key consisting of three parts:

• The first part shows the key type (ssh-rsa or ssh-dss).
• The second part is the binary output of the key itself, coded as Base64.
• The third part contains the host name and is intended for entering comments.

This file can be edited with a convenient function in WEBconfig (WEBconfig / Extras / Edit list of allowed SSH public keys). Copy the first and second parts and replace the third part with a list of users to limit the use of this key to a selection of LCOS administrators.