SSH Key Management
Warning
Private keys are secret. A private key should never leave the system that will use it, other than as a protected backup. Where possible, generate the pair on the TNSR host itself so the private key never has to be copied across the network, and protect any backup copy as carefully as the key itself.
TNSR can manage SSH key pairs for use by services on the router, such as BGP RPKI.
Generate SSH Keys
At this time, the TNSR CLI cannot generate new SSH key pairs. However, they are easy to generate with ssh-keygen from a shell, such as the shell on the TNSR host.
The following shell command, for example, generates a new RSA SSH key pair with a key length of 4096 bits and a comment containing the user's e-mail address, and writes the key data to a pair of files whose names start with mykey_id_rsa in the current user's home directory.
$ ssh-keygen -t rsa -b 4096 -C "tnsr@example.com" -f $HOME/mykey_id_rsa
This results in two files: the private key (mykey_id_rsa) and the corresponding public key (mykey_id_rsa.pub). ssh-keygen also prompts for an optional passphrase; the TNSR import steps below have no step for supplying one.
These files and their data are used throughout this document as an example.
Import SSH Keys
There are two ways to import SSH key data from outside TNSR: entering the key data at the CLI, or reading it from files on the TNSR host.
When importing an SSH key (public key, private key, or both), TNSR stores the files at /etc/pki/tls/tnsr/ssh/. Private keys are named <name>.priv and public keys are named <name>.pub.
Copy and Paste
To copy and paste SSH key data into the TNSR CLI, use the enter command.
Note
This example demonstrates entering both the private and public key. If this entry should only have a public key, skip the private key step.
First, enter the private key with pki ssh-key <name> enter private:
tnsr# pki ssh-key mykey enter private
Import private-key key
Type or paste a PEM-encoded SSH private key. Include
the lines containing 'BEGIN OPENSSH PRIVATE KEY'
and 'END OPENSSH PRIVATE KEY'
Paste the private key data:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBUxXuO9s
[...]
ziT0uYtF7G7kRWnjCV5Ads5rI=
-----END OPENSSH PRIVATE KEY-----
End with a blank line to complete the process and return to the CLI prompt.
Next, enter the public key with pki ssh-key <name> enter public:
tnsr# pki ssh-key mykey enter public
Import public-key key
Type or paste a SSH public key starting with
'ssh-rsa' and ending with @hostname, followed by a blank line.
Next, paste the public key data:
ssh-rsa AAAAB3NzaC1yc[...]XW79hk86qrJQ== tnsr@example.com
End with a blank line to complete the process and return to the CLI prompt.
Import from File
Before starting, copy the key files to the TNSR host, into the directory from which the user is running the TNSR CLI. Ensure the SSH key files are in the standard OpenSSH text format, not a binary or proprietary format: the private key must begin with a BEGIN OPENSSH PRIVATE KEY line, which is what current ssh-keygen releases write by default (a key written with ssh-keygen -m PEM begins with BEGIN RSA PRIVATE KEY instead and does not match the import prompt), and the public key must be the single-line ssh-rsa form that ssh-keygen writes to the .pub file.
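The following Python script is an added example (it is not part of TNSR and not code from this page's original text) that checks a key pair against the two format requirements the import prompts state: a private key framed by BEGIN/END OPENSSH PRIVATE KEY lines whose body decodes to the openssh-key-v1 magic, and a single-line public key whose first field is ssh-rsa. It also decodes the public key blob and reports the RSA modulus size, so the -b 4096 request from the generation step can be confirmed before the key is imported. The sample key material embedded in the script is constructed placeholder data, not a real key; the file names in the usage comment are the example names used on this page.

```python
"""Added example (not TNSR code): check an OpenSSH key pair before 'pki ssh-key import'."""
import base64
import struct
import sys
import textwrap

PRIV_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
PRIV_END = "-----END OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"  # first bytes of every OpenSSH-format private key


def _pack(b: bytes) -> bytes:  # SSH wire 'string': uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b


def _mpint(x: int) -> bytes:  # SSH mpint: zero byte prepended when the top bit is set
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + b if b[0] & 0x80 else b


def _unpack(blob: bytes, off: int):
    """Read one wire string at offset 'off'; return (bytes, offset after it)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string field")
    return blob[off:off + n], off + n


def encode_public_line(key_type: str, fields, comment: str = "") -> str:
    # Assemble '<type> <base64 blob> <comment>' from already wire-encoded fields
    blob = _pack(key_type.encode()) + b"".join(_pack(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def rsa_public_line(e: int, n: int, comment: str = "") -> str:
    return encode_public_line("ssh-rsa", [_mpint(e), _mpint(n)], comment)


def parse_public_line(line: str) -> dict:
    """Decode a public key line into type, exponent, modulus bit length and comment."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("public key line needs a type and a base64 blob")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # raises ValueError on bad base64
    wire_type, off = _unpack(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("type field does not match the encoded blob")
    if key_type != "ssh-rsa":
        return {"type": key_type, "e": None, "bits": None, "comment": comment}
    e_bytes, off = _unpack(blob, off)
    n_bytes, off = _unpack(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the RSA modulus")
    n = int.from_bytes(n_bytes, "big")
    return {"type": key_type, "e": int.from_bytes(e_bytes, "big"),
            "bits": n.bit_length(), "comment": comment}


def private_key_is_openssh_format(text: str) -> bool:
    """True when the text is framed the way the 'enter private' prompt describes."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PRIV_BEGIN or lines[-1] != PRIV_END:
        return False  # PEM ('BEGIN RSA PRIVATE KEY') and PuTTY .ppk files stop here
    try:
        raw = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return False
    return raw.startswith(OPENSSH_MAGIC)


def precheck(private_text: str, public_line: str, min_bits: int = 4096) -> list:
    """Return a list of problems; an empty list means the pair is ready to import."""
    problems = []
    if not private_key_is_openssh_format(private_text):
        problems.append("private key is not in OpenSSH text format")
    try:
        info = parse_public_line(public_line)
    except ValueError as exc:
        return problems + [f"public key unreadable: {exc}"]
    if info["type"] != "ssh-rsa":
        problems.append(f"public key type is {info['type']}, prompt expects ssh-rsa")
    elif info["bits"] < min_bits:
        problems.append(f"RSA modulus is {info['bits']} bits, wanted {min_bits}")
    return problems


# Constructed sample data for this example: placeholder values, not real key material.
SAMPLE_MODULUS = (1 << 4095) | 0xC5  # exactly 4096 bits wide, not a product of two primes
SAMPLE_PUBLIC = rsa_public_line(65537, SAMPLE_MODULUS, "tnsr@example.com")
SAMPLE_PRIVATE = "\n".join([PRIV_BEGIN] + textwrap.wrap(
    base64.b64encode(OPENSSH_MAGIC + b"\x00" * 48).decode(), 70) + [PRIV_END, ""])

if __name__ == "__main__":  # usage: python3 precheck.py mykey_id_rsa mykey_id_rsa.pub
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as priv, open(sys.argv[2]) as pub:
            found = precheck(priv.read(), pub.readline())
    else:  # no files given: exercise the constructed samples
        found = precheck(SAMPLE_PRIVATE, SAMPLE_PUBLIC)
    print("ready to import" if not found else "\n".join("PROBLEM: " + p for p in found))
    sys.exit(1 if found else 0)
```

Run it as python3 precheck.py mykey_id_rsa mykey_id_rsa.pub from the directory holding the files; a non-zero exit status means at least one problem was found. The private-key check only inspects framing and the format magic, so it does not need the key's passphrase and never decrypts anything. A key written with ssh-keygen -m PEM fails that check, which matches what the enter private prompt asks for, and a public key of another type (for example ssh-ed25519) is reported rather than silently accepted.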
Note
This example demonstrates entering both the private and public key. If this entry should only have a public key, skip the private key step.
Import the private key with pki ssh-key <name> import private <file>:
tnsr# pki ssh-key mykey import private mykey_id_rsa
Import the public key with pki ssh-key <name> import public <file>:
tnsr# pki ssh-key mykey import public mykey_id_rsa.pub
List SSH Keys
To view a list of all current SSH keys known to TNSR, use pki ssh-key list:
tnsr# pki ssh-key list
Key Name   Public/Private
--------   --------------
mykey      both
someguy    public
tnsrssh    both
View SSH Keys
To view the contents of the SSH key named mykey, use pki ssh-key mykey get [(private|public)].
To view only the private key (this prints the secret key material in the clear, so avoid doing it in a shared or logged terminal session):
tnsr# pki ssh-key mykey get private
Private Key:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBUxXuO9s
[...]
ziT0uYtF7G7kRWnjCV5Ads5rI=
-----END OPENSSH PRIVATE KEY-----
To view only the public key:
tnsr# pki ssh-key mykey get public
Public Key:
ssh-rsa AAAAB3NzaC1yc[...]XW79hk86qrJQ== tnsr@example.com
To view both private and public keys:
tnsr# pki ssh-key mykey get
Private Key:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBUxXuO9s
[...]
ziT0uYtF7G7kRWnjCV5Ads5rI=
-----END OPENSSH PRIVATE KEY-----
Public Key:
ssh-rsa AAAAB3NzaC1yc[...]XW79hk86qrJQ== tnsr@example.com
Note
Attempting to print both keys for an entry that holds only one key (public or private) results in an error. For such entries, request only the key they contain.
Delete SSH Keys
To delete the contents of the SSH key named mykey, use pki ssh-key mykey delete [(private|public)].
To delete only the private key:
tnsr# pki ssh-key mykey delete private
To delete only the public key:
tnsr# pki ssh-key mykey delete public
To delete both private and public keys:
tnsr# pki ssh-key mykey delete
Note
Attempting to delete both keys for an entry that holds only one key (public or private) deletes the key that exists, but also prints an error message for the key that did not exist.