SSH Key Management

Warning

Private keys are secret. A private key should never leave the system that uses it, with the exception of backups. Import a private key into TNSR only when a service on the router needs to authenticate with it.

TNSR can manage SSH key pairs for use by services on the router, such as BGP RPKI.

Generate SSH Keys

At this time, the TNSR CLI cannot generate new SSH key pairs. However, they are relatively easy to generate using ssh-keygen from a shell.

The following shell command, for example, generates a new RSA SSH key pair with a key length of 4096 bits, sets the key comment to the user's e-mail address, and writes the key data to a pair of files starting with mykey_id_rsa in the current user's home directory.

$ ssh-keygen -t rsa -b 4096 -C "tnsr@example.com" -f $HOME/mykey_id_rsa

This results in two files: The private key (mykey_id_rsa) and the corresponding public key (mykey_id_rsa.pub).

These files and their data are used throughout this document as an example.

Import SSH Keys

There are two ways to import SSH key data from outside TNSR: Entering the key data in the CLI or reading the data from files.

When importing an SSH key (public key, private key, or both), TNSR stores the files at /etc/pki/tls/tnsr/ssh/. Private keys are named <name>.priv and public keys are named <name>.pub.

Copy and Paste

To copy and paste SSH key data into the TNSR CLI, use the pki ssh-key <name> enter command.

Note

This example demonstrates entering both the private and public key. If this entry should only have a public key, skip the private key step.

First, enter the private key with pki ssh-key <name> enter private:

tnsr# pki ssh-key mykey enter private
Import private-key key
Type or paste a PEM-encoded SSH private key.  Include
the lines containing 'BEGIN OPENSSH PRIVATE KEY'
and 'END OPENSSH PRIVATE KEY'

Paste the private key data:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBUxXuO9s
[...]
ziT0uYtF7G7kRWnjCV5Ads5rI=
-----END OPENSSH PRIVATE KEY-----

End with a blank line to complete the process and return to the CLI prompt.

Next, enter the public key with pki ssh-key <name> enter public:

tnsr# pki ssh-key mykey enter public
Import public-key key
Type or paste a SSH public key starting with
'ssh-rsa' and ending with @hostname, followed by a blank line.

Next, paste the public key data:

ssh-rsa AAAAB3NzaC1yc[...]XW79hk86qrJQ== tnsr@example.com

End with a blank line to complete the process and return to the CLI prompt.

Import from File

Before starting, copy the key files to the TNSR host, into the directory from which the user is running the TNSR CLI, using an encrypted transfer such as scp. Ensure the SSH key files are in the standard OpenSSH text format, not a binary or proprietary format (a PuTTY .ppk file, for example, must first be converted to OpenSSH format). Remove the copied private key file from the host once the import is complete, since TNSR keeps its own copy.

Note

This example demonstrates entering both the private and public key. If this entry should only have a public key, skip the private key step.

Import the private key with pki ssh-key <name> import private <file>:

tnsr# pki ssh-key mykey import private mykey_id_rsa

Import the public key with pki ssh-key <name> import public <file>:

tnsr# pki ssh-key mykey import public mykey_id_rsa.pub
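Whether the public key is pasted at the enter public prompt or read from a file with import public, the line TNSR receives should be a well-formed OpenSSH public key whose type prefix matches the key blob. The following is an added example, not TNSR's or Netgate's code, showing how to check a public key line before handing it to the router: it decodes the base64 blob, walks the RFC 4251 wire format, confirms the embedded type matches the prefix, and for ssh-rsa reads the modulus size. The minimum RSA size (MIN_RSA_BITS), the acceptance of ssh-ed25519 alongside ssh-rsa, and all sample key lines are assumptions of this example; the sample keys are constructed for the parser and are not real key pairs.

```python
import base64
import struct

# Key types this check accepts. TNSR's prompt names ssh-rsa; ssh-ed25519 is a
# standard OpenSSH type added here as an assumption of this example.
KNOWN_TYPES = {"ssh-rsa", "ssh-ed25519"}
MIN_RSA_BITS = 2048  # assumed local policy; the page's ssh-keygen example uses 4096


def _ssh_string(data):
    """Encode bytes as an RFC 4251 length-prefixed string."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """Encode a non-negative int as an RFC 4251 mpint (sign byte added if high bit set)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(blob, offset):
    """Read one length-prefixed string from blob; return (data, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_public_key_line(line):
    """Parse one OpenSSH public key line: '<type> <base64> [comment]'.

    Raises ValueError for anything that is not a well-formed public key (a
    pasted private key, a PuTTY .ppk, a blob whose embedded type differs from
    the prefix). Returns the type, comment and key size in bits.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if declared not in KNOWN_TYPES:
        raise ValueError(f"unknown key type {declared!r}")
    blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    embedded, off = _read_string(blob, 0)
    if embedded != declared.encode("ascii"):
        raise ValueError(f"prefix {declared!r} does not match embedded type {embedded!r}")
    info = {"type": declared, "comment": comment}
    if declared == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent (mpint)
        n, off = _read_string(blob, off)       # modulus (mpint)
        n = n.lstrip(b"\x00")                  # drop the mpint sign byte, if any
        info["bits"] = (len(n) - 1) * 8 + n[0].bit_length() if n else 0
    else:                                      # ssh-ed25519: one 32-byte string
        pk, off = _read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        info["bits"] = 256
    if off != len(blob):
        raise ValueError("trailing bytes after key data")
    return info


def check_before_import(line, min_rsa_bits=MIN_RSA_BITS):
    """Return (ok, reason) for a public key line about to be entered or imported."""
    try:
        info = parse_public_key_line(line)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if info["type"] == "ssh-rsa" and info["bits"] < min_rsa_bits:
        return False, f"rejected: RSA modulus is {info['bits']} bits, policy requires {min_rsa_bits}"
    return True, f"ok: {info['type']} {info['bits']} bits, comment {info['comment']!r}"


def build_public_key_line(key_type, *fields, comment=""):
    """Assemble a key line from wire-format fields (used only for the constructed samples)."""
    blob = _ssh_string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()


# Constructed samples, not real key pairs: the RSA moduli are arbitrary numbers
# of the right size, chosen only to exercise the parser and the size policy.
SAMPLE_RSA_4096 = build_public_key_line(
    "ssh-rsa", _ssh_mpint(65537), _ssh_mpint((1 << 4095) | 0x10001), comment="tnsr@example.com")
SAMPLE_RSA_1024 = build_public_key_line(
    "ssh-rsa", _ssh_mpint(65537), _ssh_mpint((1 << 1023) | 1), comment="weak@example.com")
SAMPLE_ED25519 = build_public_key_line(
    "ssh-ed25519", _ssh_string(bytes(range(32))), comment="tnsr@example.com")
SAMPLE_PRIVATE_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"  # wrong file pasted
SAMPLE_MISMATCH = "ssh-rsa " + SAMPLE_ED25519.split()[1]        # prefix and blob disagree

if __name__ == "__main__":
    for name in ("SAMPLE_RSA_4096", "SAMPLE_RSA_1024", "SAMPLE_ED25519",
                 "SAMPLE_PRIVATE_HEADER", "SAMPLE_MISMATCH"):
        print(name, *check_before_import(globals()[name]))
```

Run the block as a script to see each sample accepted or rejected with a reason; in practice, feed it the contents of mykey_id_rsa.pub before the import step. For the private key there is no comparable parse without a library, but the header line should read exactly as TNSR's enter private prompt describes, and comparing the fingerprints printed by ssh-keygen -lf mykey_id_rsa and ssh-keygen -lf mykey_id_rsa.pub confirms that the two files being imported under one name actually belong to the same pair.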

List SSH Keys

To view a list of all current SSH keys known to TNSR, use pki ssh-key list:

tnsr# pki ssh-key list
Key Name                          Public/Private
--------                          --------------
mykey                             both
someguy                           public
tnsrssh                           both

View SSH Keys

To view the contents of the SSH key named mykey, use pki ssh-key mykey get [(private|public)].

To view only the private key (this prints the secret to the terminal, so avoid it in sessions whose output is logged):

tnsr# pki ssh-key mykey get private
Private Key:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBUxXuO9s
[...]
ziT0uYtF7G7kRWnjCV5Ads5rI=
-----END OPENSSH PRIVATE KEY-----

To view only the public key:

tnsr# pki ssh-key mykey get public
Public Key:
ssh-rsa AAAAB3NzaC1yc[...]XW79hk86qrJQ== tnsr@example.com

To view both private and public keys:

tnsr# pki ssh-key mykey get
Private Key:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBUxXuO9s
[...]
ziT0uYtF7G7kRWnjCV5Ads5rI=
-----END OPENSSH PRIVATE KEY-----

Public Key:
ssh-rsa AAAAB3NzaC1yc[...]XW79hk86qrJQ== tnsr@example.com

Note

Attempting to print both keys for an entry which only has a single key (public or private) will result in an error. For those types of entries, only attempt to print the specific key they contain.

Delete SSH Keys

To delete the contents of the SSH key named mykey, use pki ssh-key mykey delete [(private|public)].

To delete only the private key:

tnsr# pki ssh-key mykey delete private

To delete only the public key:

tnsr# pki ssh-key mykey delete public

To delete both private and public keys:

tnsr# pki ssh-key mykey delete

Note

Attempting to delete both keys for an entry which only has a single key (public or private) will delete the single key but it also results in an error message for the key which did not exist.