Arista Tips & Tricks: Connecting to Arista switches via SSH Key Based Authentication

Posted by Kevin Giusti on October 4, 2021

Using SSH key based authentication for managing Arista switches can be useful for better security, automation and not having to remember passwords. In this blog post, we’ll go through an example of how to set up SSH key based authentication with Arista switches. These instructions should cover macOS and any Linux variant. Windows works as well but I don’t use it so you would be on your own to configure Windows on the client side. The switch configuration would be the same for any operating system you choose.

Let’s start off by creating an empty directory named “mgmt”. The name doesn’t really matter; it can be anything. Choose something meaningful to you.

Kevins-MacBook-Pro:Desktop kgiusti$ mkdir mgmt

Kevins-MacBook-Pro:Desktop kgiusti$ cd mgmt

After the new directory is created, let's create a new, dedicated RSA key pair specifically for logging into your switches.

Kevins-MacBook-Pro:mgmt kgiusti$ ssh-keygen

Generating public/private rsa key pair.

Make sure to save this to the new directory you created and not the default path:

Enter file in which to save the key (/Users/kgiusti/.ssh/id_rsa): /Users/kgiusti/Desktop/mgmt/ssh_key

In this example no passphrase was used so...

Enter passphrase (empty for no passphrase): (just hit enter)

Enter same passphrase again: (just hit enter)

Your identification has been saved in /Users/kgiusti/Desktop/mgmt/ssh_key.
Your public key has been saved in /Users/kgiusti/Desktop/mgmt/ssh_key.pub.
The key fingerprint is:
SHA256:wNDBEx8g9jpOuolRhVR9NPFh6TBA5SkC9PK5IkGxBHU kgiusti@Kevins-MacBook-Pro.local
The key's randomart image is:
+---[RSA 3072]----+
|o==.E=*B*.o.     |
|..o* ==o+*..     |
| oo + =o++.      |
|.  + + o  .      |
|. . *   S        |
| o + o           |
|o o o            |
| + +             |
|. o              |
+----[SHA256]-----+

There should now be two files in the mgmt directory:

Kevins-MacBook-Pro:mgmt kgiusti$ ls

ssh_key ssh_key.pub

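“ssh_key” is your private key; you want to keep this safe. Because no passphrase was set, the file is not encrypted on disk, so anyone who can read it can use it.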

“ssh_key.pub” is the public key that will be added to the switch.

View the public key and save this output for later:

Kevins-MacBook-Pro:mgmt kgiusti$ cat ssh_key.pub

ssh-rsa <public key data> kgiusti@Kevins-MacBook-Pro.local

Now it’s time to create the account on the Arista switch. You can configure the account to use an SSH key only:

Arista-720XP-CS1(config)#username kevin privilege 15 role network-admin nopassword

You can also configure the account to accept a password in case you lose the SSH key:

Arista-720XP-CS1(config)#username kevin privilege 15 role network-admin secret secret_pass

Now you need to add the public key for the username you have configured:

Arista-720XP-CS1(config)#username kevin ssh-key ssh-rsa <public key data>

Time for testing:

Kevins-MacBook-Pro:mgmt kgiusti$ ssh kevin@192.168.30.30 -i ssh_key

If all is well you should now be logged into your switch.
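An added example, not part of the original post: a shell helper that checks the private key's file mode and builds the "username ... ssh-key" line from ssh_key.pub, so the key is never hand-copied and the private key cannot be pasted by mistake. The function names, the username character policy and the key types other than ssh-rsa are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).

# Fail unless the private key is accessible to its owner only.
check_private_key_mode() {
    priv=$1
    [ -f "$priv" ] || { echo "missing private key: $priv" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group/other bits.
    mode=$(ls -ld "$priv" | cut -c5-10)
    [ "$mode" = "------" ] || {
        echo "$priv is open to group/other; run: chmod 600 $priv" >&2
        return 1
    }
}

# Print the EOS config line for user $1 from public key file $2.
eos_ssh_key_cmd() {
    user=$1
    pub=$2
    # Hypothetical username policy: one word, so the value cannot
    # smuggle extra keywords into the config line.
    case $user in
        ''|*[!A-Za-z0-9_.-]*) echo "bad username: $user" >&2; return 1 ;;
    esac
    [ -f "$pub" ] || { echo "missing public key: $pub" >&2; return 1; }
    # Refuse a private key handed over by mistake.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub holds a private key; use the .pub file" >&2
        return 1
    fi
    [ "$(grep -c . "$pub")" -eq 1 ] || {
        echo "expected exactly one key in $pub" >&2; return 1; }
    # Keep key type and base64 blob, drop the trailing comment.
    # The post shows ssh-rsa only; the other types are assumptions.
    awk -v user="$user" '
        $1 ~ "^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$" &&
        $2 ~ "^[A-Za-z0-9+/]+=*$" {
            printf "username %s ssh-key %s %s\n", user, $1, $2
            found = 1
        }
        END { exit !found }' "$pub" || {
        echo "not an OpenSSH public key: $pub" >&2; return 1; }
}

# Stand-alone use: sh eos_key.sh <user> <pubfile>
[ "$#" -ne 2 ] || eos_ssh_key_cmd "$1" "$2"
```

Run check_private_key_mode on ssh_key before the ssh test, and paste the line printed by eos_ssh_key_cmd at the switch's (config)# prompt.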

Thanks for reading and if you like this, check out some of my other articles on Arista EOS and all the cool things you can do with it.
