====== Login to OmniSwitch AOS R6 via SSH private/public key ======
Before you can log in to an Alcatel-Lucent OmniSwitch running AOS Release 6 with SSH public-key authentication, you first need a key pair.
**Create private/public-key for AOS R6 login:**
Benny$ ssh-keygen -t dsa -C sshuser
Generating public/private dsa key pair.
Enter file in which to save the key (/Users/Benny/.ssh/id_dsa): sshuser
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in sshuser.
Your public key has been saved in sshuser.pub.
The key fingerprint is:
ae:7f:0f:a9:f6:e4:70:93:9e:95:59:96:d5:56:01:01 sshuser
The key's randomart image is:
+--[ DSA 1024]----+
| E.oo.o|
| o|
| +|
| + |
| S + |
| . o = |
| o B + |
| ..B.= |
| .ooo=.. |
+-----------------+
Benny$ ls
sshuser.pub
sshuser
You should protect your private key with a strong passphrase and __never__ upload it to a switch/remote system.
**For a successful authentication you need to create a user on the OmniSwitch:**
OmniSwitch-> user sshuser read-write all password verysecret123
OmniSwitch-> show user
...
User name = sshuser,
Password expiration = None,
Password allow to be modified date = None,
Account lockout = None,
Password bad attempts = 0,
Read Only for domains = None,
Read/Write for domains = All ,
Snmp allowed = NO,
Console-Only = Disabled
**Trap:**
The OmniSwitch looks for a file called "sshuser**_dsa**.pub" in the directory ///flash/network/pub//, i.e. the user name followed by "_dsa.pub". If the file is not named this way, the login fails with the following error message:
Benny$ ssh -i sshuser sshuser@192.168.2.106
Received disconnect from 192.168.2.106: 2: Only Public Key authentication is allowed.
**Analysis:**
SUN DEC 31 01:59:31 2000 SSH debug1 [SSH 16] userauth-request for user sshuser service ssh-connection method publick
SUN DEC 31 01:59:31 2000 SSH debug1 [Count.]ey
SUN DEC 31 01:59:31 2000 SSH debug1 [SSH 16] attempt 1 failures 1
SUN DEC 31 01:59:31 2000 SSH debug1 [SSH 16] authmethod_lookup, (0) name: publickey
SUN DEC 31 01:59:31 2000 SSH debug1 [SSH 16] authmethod_lookup, auth method: none, len: 4
SUN DEC 31 01:59:31 2000 SSH debug1 [SSH 16] authmethod_lookup, (1) name: publickey
SUN DEC 31 01:59:31 2000 SSH debug1 [SSH 16] authmethod_lookup, auth method: publickey, len: 9
SUN DEC 31 01:59:31 2000 SSH debug2 [SSH 16] input_userauth_request: try method publickey
SUN DEC 31 01:59:31 2000 SSH debug2 [SSH 16] userauth_pubkey(): user=sshuser
SUN DEC 31 01:59:31 2000 SSH debug1 [SSH 16] test whether pkalg/pkblob are acceptable
SUN DEC 31 01:59:31 2000 SSH debug1 [SSH 16] user_key_allowed: PubKey file = "/flash/network/pub/sshuser_dsa.pub"
SUN DEC 31 01:59:31 2000 SSH debug1 [SSH 16] user_key_allowed: can not find file "/flash/network/pub/sshuser_dsa.pub
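As an added pre-upload check (not part of the original article), the script below parses the OpenSSH .pub file, verifies that the key type inside the base64 blob matches the "ssh-dss" prefix, derives the file name the switch looks for under /flash/network/pub (user name plus "_dsa.pub", as the log above shows) and returns the key's MD5 fingerprint in the colon form ssh-keygen printed above, so it can be compared with the generated key. The ssh-rsa to "_rsa.pub" mapping is an assumption, and the embedded toy key is constructed for the demonstration only.

```python
"""Pre-upload check for an OpenSSH public key destined for an AOS R6 switch."""
import base64
import hashlib
import struct

# ssh-dss -> <user>_dsa.pub is what the article shows; the ssh-rsa -> <user>_rsa.pub
# mapping is an assumption and is not confirmed by the article.
AOS_SUFFIX = {"ssh-dss": "dsa", "ssh-rsa": "rsa"}

def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n):
    """SSH mpint for a non-negative int (extra leading zero byte if the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def parse_pubkey_line(line):
    """Split 'type base64 comment' and verify the blob really starts with that type."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    blob = base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("prefix %r disagrees with the key type inside the blob" % keytype)
    return keytype, blob, comment

def md5_fingerprint(blob):
    """Colon-separated MD5 of the raw blob, the form older ssh-keygen prints."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def check_pubkey_for_aos(text, username):
    """Return (file name the switch looks for, fingerprint); raise ValueError otherwise."""
    lines = [l for l in text.splitlines() if l.strip()]
    if len(lines) != 1:
        raise ValueError("a .pub file must hold exactly one key line, found %d" % len(lines))
    keytype, blob, _ = parse_pubkey_line(lines[0])
    if keytype not in AOS_SUFFIX:
        raise ValueError("key type %s is not handled by this check" % keytype)
    return "%s_%s.pub" % (username, AOS_SUFFIX[keytype]), md5_fingerprint(blob)

# Constructed toy key for demonstration only: the DSA parameters are tiny
# placeholders, not a usable key. A real .pub file comes from ssh-keygen.
TOY_BLOB = _ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(v) for v in (23, 11, 4, 8))
TOY_PUB = "ssh-dss %s sshuser\n" % base64.b64encode(TOY_BLOB).decode("ascii")
```

Run check_pubkey_for_aos() on the real sshuser.pub and use the returned name as the remote file name in the FTP put below.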
**Upload the SSH public-key via FTP (ASCII):**
Benny$ ftp 192.168.2.106
Connected to 192.168.2.106.
220 FTP server ready
Name (192.168.2.106:Benny): admin
331 Password required
Password:
230-
Welcome to the Alcatel-Lucent OmniSwitch 6450
Software Version 6.6.3.451.R01 Service Release, December 20, 2012.
Copyright(c), 1994-2012 Alcatel-Lucent. All Rights reserved.
OmniSwitch(TM) is a trademark of Alcatel-Lucent registered
in the United States Patent and Trademark Office.
230
ftp> cd ..
250 Changed directory to "/flash"
ftp> cd network/pub
250 Changed directory to "/flash/network/pub"
ftp> put sshuser.pub sshuser_dsa.pub
local: sshuser.pub remote: sshuser_dsa.pub
229 Entering Extended Passive Mode (|||1125|)
150 Opening ASCII mode data connection
100% |**************************************************************************************| 598 6.00 MiB/s --:-- ETA
226 Transfer complete
598 bytes sent in 00:00 (51.42 KiB/s)
ftp> bye
221 Bye...see you later
**In the following example the identity file is passed with -i. The user name in front of the @ sign must exist on the OmniSwitch:**
Benny$ ssh -i sshuser sshuser@192.168.2.106
Welcome to the Alcatel-Lucent OmniSwitch 6450
Software Version 6.6.3.451.R01 Service Release, December 20, 2012.
Copyright(c), 1994-2012 Alcatel-Lucent. All Rights reserved.
OmniSwitch(TM) is a trademark of Alcatel-Lucent registered
in the United States Patent and Trademark Office.
OmniSwitch->
If a public key exists for a user on the OmniSwitch, it takes priority over RADIUS authentication. As a consequence, the user "sshuser" is always authenticated locally against the key. Keep this in mind when revoking access: disabling the account in RADIUS alone does not stop key-based logins, so the key file under /flash/network/pub must be removed as well.