Before SSH can be used with PKI, the client must generate a public/private key pair. This is typically supported by the SSH client software. For example, PuTTY supports a utility called PuTTYGen that generates key pairs.
The 7210 SAS currently supports only Rivest, Shamir, and Adleman (RSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) user public keys.
If the SSH client software uses PuTTY, it must first generate a key pair using PuTTYGen. The client sets the key type to SSH-2 RSA and configures the number of bits to be used for the key. The client can also configure a passphrase to store the key locally in encrypted form. If the passphrase is configured, it acts as a password that the client must enter to use the private key. If a passphrase is not configured, the private key is stored in plain text locally.
Next, use the config>system>security>user>public-keys command to configure the public key for the client (the public key is obtained as part of the key pair). On the 7210 SAS, the user can program the public key using CLI commands (accessed through Telnet/SSH) or SNMP.
The preceding process to generate a key pair is an example only. This process is not executed on a 7210 SAS node, but on a third-party node acting as the SSH client or any other node.