SSH for Remote Access
To install an authorized SSH key, add the contents of a user’s SSH public key to the authorized keys file (~/.ssh/authorized_keys) for that user.
An SSH public key is a text string composed of three space-separated fields:
<type> <key string> <comment>
Installing an Authorized SSH Key
Use the following NVUE commands to configure an authorized SSH key for a user:
admin@nvos:~$ nv set system aaa user admin2 ssh authorized-key prod_key key XABDB3NzaC1yc2EAAAADAQABAAABgQCvjs/RFPhxLQMkckONg+1RE1PTIO2JQhzFN9TRg7ox7o0tfZ+IzSB99lr2dmmVe8FRWgxVjc...
admin@nvos:~$ nv set system aaa user admin2 ssh authorized-key prod_key type ssh-rsa
admin@nvos:~$ nv config apply
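A pre-check you can run on a workstation before pasting a key into the commands above (an added example, not NVIDIA's code): it splits a public key line into its three fields, confirms the key string is complete base64 whose embedded algorithm name matches the type field, and builds the matching NVUE commands. The function names and the sample key are constructed for illustration.

```python
import base64
import binascii
import shlex


def ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return len(data).to_bytes(4, "big") + data


def read_fields(blob):
    """Split a decoded key blob into its length-prefixed fields; reject truncation."""
    fields, off = [], 0
    while off < len(blob):
        size = int.from_bytes(blob[off:off + 4], "big")
        off += 4 + size
        if off > len(blob):
            raise ValueError("key string is truncated")
        fields.append(blob[off - size:off])
    return fields


def parse_public_key(line):
    """Return (type, key string, comment) from one '<type> <key string> <comment>' line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <key string> <comment>'")
    key_type, key_string = parts[0], parts[1]
    try:
        blob = base64.b64decode(key_string, validate=True)
    except binascii.Error as exc:
        raise ValueError("key string is not valid base64") from exc
    fields = read_fields(blob)
    # The first field inside the blob repeats the algorithm name; it must match <type>.
    if not fields or fields[0] != key_type.encode():
        raise ValueError("type field does not match the type inside the key string")
    return key_type, key_string, parts[2] if len(parts) == 3 else ""


def nvue_commands(user, key_name, line):
    """Build the three NVUE commands from the page for a validated public key line."""
    key_type, key_string, _ = parse_public_key(line)
    base = f"nv set system aaa user {shlex.quote(user)} ssh authorized-key {shlex.quote(key_name)}"
    return [f"{base} key {key_string}", f"{base} type {key_type}", "nv config apply"]


# Constructed sample in ssh-rsa layout (name, exponent, modulus); not a usable key.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xc3" * 32)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " admin2@example"
```

A key string that lost characters during copy and paste, or a type that does not match the key string, raises ValueError before any command is generated.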
Public Key Authentication (PKA)
Public Key Authentication (PKA), also known as SSH key authentication, uses a public–private key pair generated by a key generation tool to authenticate a user to the SSH server.
The private key remains on the SSH client and is typically password-protected.
The public key is stored on the SSH server.
Enforcing PKA-Only Authentication
To allow only key-based authentication and disable password authentication for users with private keys, enable PKA-only mode:
admin@nvos:~$ nv set system ssh-server pka-only enabled
admin@nvos:~$ nv config apply
As an alternative to passwords and individual SSH keys, you can enable certificate-based authentication. This method uses a trusted Certificate Authority (CA) to authenticate users, automatically enforces certificate expiration, and eliminates Trust-On-First-Use (TOFU) risks.
Configuring Certificate-Based Authentication
To configure certificate-based authentication for a user:
Set the trusted CA key ID, literal, and type. You can see the key ID, literal, and type in a public key file.
Enable certificate authentication for the user.
(Optional) Assign one or more certificate principals to the user. If no principal is specified, the user is treated as the sole principal.
Example Configuration
The following example sets the trusted CA key (KEY1) as type ssh-rsa with the specified literal (AAAAB3NzaC1yc2EAAAADA..), enables certificate authentication for the user ADMIN1, and adds the principal aaa:
admin@nvos:~$ nv set system ssh-server trusted-ca-keys KEY1 key AAAAB3NzaC1yc2EAAAADA..
admin@nvos:~$ nv set system ssh-server trusted-ca-keys KEY1 type ssh-rsa
admin@nvos:~$ nv set system aaa user ADMIN1 ssh cert-auth state enabled
admin@nvos:~$ nv set system aaa user ADMIN1 ssh cert-auth principals aaa
admin@nvos:~$ nv config apply
Viewing Trusted CA Configuration
To display the trusted CA certificate authentication configuration, run:
admin@nvos:~$ nv show system ssh-server trusted-ca-keys
      operational   applied
----  ------------  --------
key   *             *
type  ssh-rsa       ssh-rsa