Posted on July 4, 2019 3:14 pm
 |  Asked by Davide Ganna
 |  126 views
RESOLVED

Good evening,

I’d like to access an Arista vEOS through SSH. Since I’m completely new to SSH (so far I’ve only accessed switches through the CLI), I am looking for the commands to enter to enable SSH on the switch.

I have a network automation container, I type ssh 192.168.122.11 and it asks me for a password. How do I set this password? How to generate keys? Please post the commands needed to access the switch via SSH since I don’t have much familiarity with Arista.

Thank you in advance,

Davide

1
Posted by Tamas Plugor
Answered on July 4, 2019 5:56 pm

SSH is enabled by default and a key is generated by default, but you need to have a username/password to be able to log in.

You can configure a username with:

username admin role network-admin priv 15 secret arista

You can also configure passwordless authentication with:

username admin privilege 15 role network-admin nopassword
aaa authentication policy local allow-nopassword-remote-login

Our config guide should be helpful:

https://www.arista.com/en/um-eos/eos-section-4-7-aaa-commands#ww1349963

To modify SSH params you can go to global config and then into management ssh config mode. You can see the default params by doing ‘show active all’:

ats324…17:50:35(config)#management ssh
ats324…17:50:37(config-mgmt-ssh)#sh active
ats324…17:50:39(config-mgmt-ssh)#sh active all
management ssh
idle-timeout 0
authentication mode keyboard-interactive
server-port 22
cipher aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr
key-exchange curve25519-sha256@libssh.org ecdh-sha2-nistp521 ecdh-sha2-nistp256 ecdh-sha2-nistp384 diffie-hellman-group14-sha1
mac hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1
rekey frequency 3 gbytes
rekey interval 0 seconds
hostkey server ed25519 rsa ecdsa-nistp521
connection limit 50
no fips restrictions
no hostkey client strict-checking
authentication empty-passwords auto
default client-alive interval
default client-alive count-max
no shutdown
login timeout 120
log-level info
qos dscp 0

You can see the current ssh keys with the following command:

show management ssh hostkey (rsa | dsa) public

You can regenerate them if you want; however, it is not necessary:

reset ssh hostkey (rsa | dsa)

The keys are stored in the /persist/secure folder, which you can see from bash:

ats324...17:54:52#bash

Arista Networks EOS shell

[admin@ats324 ~]$ cd /persist/secure
[admin@ats324 secure]$ ls -lt
total 60
-rw-rw-rw- 1 root root 620 Jun 24 13:14 ssh_host_dsa_key.pub
-rw-rw-rw- 1 root root 284 Jun 24 13:14 ssh_host_ecdsa_key.pub
-rw-rw-rw- 1 root root 192 Jun 24 13:14 ssh_host_ecdsa_nistp256_key.pub
-rw-rw-rw- 1 root root 112 Jun 24 13:14 ssh_host_ed25519_key.pub
-rw-rw-rw- 1 root root 412 Jun 24 13:14 ssh_host_rsa_key.pub
-rw-r--r-- 1 admin eosadmin 3132 Feb 15 19:29 self_cert.pem
-rw-rw-rw- 1 cvpadmin eosadmin 989 Sep 17 2018 capicsr.csr
-rw-rw-rw- 1 cvpadmin eosadmin 1704 Sep 17 2018 capikey1.pem
drwxrwxrwx 4 root root 120 Jan 30 2018 license
drwxrwsr-x 6 root eosadmin 140 Dec 19 2017 ssl
-rw-r----- 1 root ssh_keys 365 May 18 2017 ssh_host_ecdsa_key
-rw-r----- 1 root ssh_keys 227 May 18 2017 ssh_host_ecdsa_nistp256_key
-rw-r----- 1 root ssh_keys 387 May 18 2017 ssh_host_ed25519_key
-rw------- 1 root root 668 May 18 2017 ssh_host_dsa_key
-rw------- 1 root root 1679 May 18 2017 ssh_host_rsa_key
-rwxrwxrwx 1 root root 1103 May 18 2017 capi.pem
-rwxrwxrwx 1 root root 1708 May 18 2017 capikey.pem

Hope this helps!
Tamas
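
Added example (not part of Tamas's answer and not Arista's own tooling): a small Python review pass over the commands and ‘show active all’ lines quoted above. It reports the passwordless-login settings and any SHA-1 based key-exchange or MAC algorithms, and prints the same lines with those algorithms removed. The function name, the finding wording and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: commands and output lines copied from the answer above.
SAMPLE = """\
username admin privilege 15 role network-admin nopassword
aaa authentication policy local allow-nopassword-remote-login
management ssh
cipher aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr
key-exchange curve25519-sha256@libssh.org ecdh-sha2-nistp521 ecdh-sha2-nistp256 ecdh-sha2-nistp384 diffie-hellman-group14-sha1
mac hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1
"""

ALGO_KEYWORDS = ("cipher", "key-exchange", "mac")
SHA1 = re.compile(r"(^|-)sha1($|[-@])")  # matches "sha1" as a whole name component


def audit(config_text):
    """Return (findings, proposed) for EOS-style config text.

    findings: human-readable strings; proposed: algorithm lines with the
    SHA-1 entries removed, in the same form the config shows them.
    """
    findings, proposed = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        words = line.split()
        if not words:
            continue
        if words[0] == "username" and "nopassword" in words[2:]:
            findings.append(f"user '{words[1]}' has no password")
        elif line.endswith("allow-nopassword-remote-login"):
            findings.append("remote login without a password is allowed")
        elif words[0] in ALGO_KEYWORDS:
            weak = [a for a in words[1:] if SHA1.search(a)]
            if weak:
                findings.append(f"{words[0]}: SHA-1 based {', '.join(weak)}")
                kept = [a for a in words[1:] if a not in weak]
                proposed.append(" ".join([words[0]] + kept))
    return findings, proposed


if __name__ == "__main__":
    found, fixed = audit(SAMPLE)
    print("\n".join(found))
    print("\n".join(fixed))
```

The proposed lines keep the order of the remaining algorithms, so they can be compared directly against the switch's current list before anything is changed under management ssh.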

1
Posted by Jack Shen
Answered on July 4, 2019 9:04 pm

Hi Davide,

SSH is enabled by default. The default user “admin” does not have a password, so you need to provide one:

configure terminal
username admin secret admin

Then, as long as you can connect to the management port, you can ssh admin@your_mgmt_ip_addr

Keys are pre-generated by Linux. You don’t need to worry about them unless you want to regenerate them.

0
Posted by Davide Ganna
Answered on July 5, 2019 12:34 pm

Perfect, thank you both!
