SSH Key Auth on Dell PowerConnect Switches

Today, I tried to setup ssh public keys on our Dell PowerConnect Switches, figuring that good key authentication should be more secure and easier than simple password auth, right? Clearly someone is in the camp of “fallor ergo sum” on this one, and I suppose it might be me.

Sure, it’s possible to configure the ssh server on the switch to require public-key authentication (can’t you just hear that “However” hovering?):

sw# conf
sw(config)# ip ssh server
sw(config)# ip ssh pubkey-auth
sw(config)# username bob password xxxxxxxxxxxxxx
sw(config)# crypto key pubkey-chain ssh
sw(config-pubkey-chain)# user-key bob rsa
sw(config-pubkey-key)# key-string
sw(config-pubkey-key)# exit
sw(config-pubkey-chain)# exit
sw(config)# exit

That’s about it. Unfortunately, it turns out that to Dell, this form of public-key authentication is akin to two-factor auth — it’s a layer on top of password auth. You need the key to get the login prompt, at which point you can login with any set of credentials —- BUT, you can’t bypass the password based login completely.  Sure, one could use empty password accounts, but that wasn’t the point of this experiment.

If by chance you still feel the need to experiment with this, make sure you don’t let all your active connections time out while in some inconsistent or intermediate state, e.g. requiring keys, but not have any keys setup, otherwise you could easily find yourself locked out via ssh and have to resort to console/line access.

References that (sort of) helped:

That’s in addition to the normal command reference manual for the PowerConnect switches, which is terrible by the way – longer separate discussion there.