NVIDIA NVOS User Manual for InfiniBand Switches

SSH for Remote Access

Authorized SSH Key

To install an authorized SSH key, add the contents of a user’s SSH public key to the authorized keys file (~/.ssh/authorized_keys) for that user.

An SSH public key is a text string composed of three space-separated fields:

<type> <key string> <comment>

Installing an Authorized SSH Key

Use the following NVUE commands to configure an authorized SSH key for a user:

Bash
admin@nvos:~$ nv set system aaa user admin2 ssh authorized-key prod_key key XABDB3NzaC1yc2EAAAADAQABAAABgQCvjs/RFPhxLQMkckONg+1RE1PTIO2JQhzFN9TRg7ox7o0tfZ+IzSB99lr2dmmVe8FRWgxVjc...
admin@nvos:~$ nv set system aaa user admin2 ssh authorized-key prod_key type ssh-rsa
admin@nvos:~$ nv config apply
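An added example, not part of the NVOS manual: a Python helper that splits a public key line into the three fields described above, checks that the algorithm name embedded in the key string matches the type field, and renders the NVUE commands shown in this section. The function names and the sample key are assumptions for illustration; the sample is constructed and is not a usable key.

```python
import base64
import binascii
import shlex


def parse_public_key(line):
    """Split '<type> <key string> <comment>' and check the blob matches <type>."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <key string> [<comment>]'")
    key_type, key_b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("key string is not valid base64") from exc
    # The decoded blob begins with a 4-byte big-endian length followed by the
    # algorithm name, which must agree with the <type> field.
    name_len = int.from_bytes(blob[:4], "big")
    embedded = blob[4:4 + name_len]
    if len(embedded) != name_len or embedded != key_type.encode():
        raise ValueError("type field does not match the key string")
    return key_type, key_b64, comment


def nvue_commands(user, key_name, line):
    """Render the NVUE commands from this section for one public key line."""
    key_type, key_b64, _ = parse_public_key(line)
    base = "nv set system aaa user %s ssh authorized-key %s" % (
        shlex.quote(user), shlex.quote(key_name))
    return ["%s key %s" % (base, key_b64),
            "%s type %s" % (base, key_type),
            "nv config apply"]


def _ssh_string(data):
    # Length-prefixed field as used inside the key blob.
    return len(data).to_bytes(4, "big") + data


# Constructed sample, not a usable key: correct ssh-rsa framing, filler modulus.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00" + b"\xab" * 256))
SAMPLE_LINE = "ssh-rsa %s admin2@workstation" % base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    for command in nvue_commands("admin2", "prod_key", SAMPLE_LINE):
        print(command)
```

A key string that was truncated or altered while being pasted fails the check before any command is generated.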

Public Key Authentication (PKA)

Public Key Authentication (PKA), also known as SSH key authentication, uses a public–private key pair generated by a key generation tool to authenticate a user to the SSH server.

  • The private key remains on the SSH client and is typically password-protected.

  • The public key is stored on the SSH server.

Enforcing PKA-Only Authentication

To allow only key-based authentication and disable password authentication for users with private keys, enable PKA-only mode:

Bash
admin@nvos:~$ nv set system ssh-server pka-only enabled
admin@nvos:~$ nv config apply

Certificate-Based Authentication

As an alternative to passwords and individual SSH keys, you can enable certificate-based authentication. This method uses a trusted Certificate Authority (CA) to authenticate users, automatically enforces certificate expiration, and eliminates Trust-On-First-Use (TOFU) risks.

Configuring Certificate-Based Authentication

To configure certificate-based authentication for a user:

  1. Set the trusted CA key ID, literal, and type. You can see the key ID, literal, and type in a public key file.

  2. Enable certificate authentication for the user.

  3. (Optional) Assign one or more certificate principals to the user. If no principal is specified, the user is treated as the sole principal.

Example Configuration

The following example sets the trusted CA key (KEY1) as type ssh-rsa with the specified literal (AAAAB3NzaC1yc2EAAAADA..), enables certificate authentication for the user ADMIN1, and adds the principal aaa:

Bash
admin@nvos:~$ nv set system ssh-server trusted-ca-keys KEY1 key AAAAB3NzaC1yc2EAAAADA..
admin@nvos:~$ nv set system ssh-server trusted-ca-keys KEY1 type ssh-rsa
admin@nvos:~$ nv set system aaa user ADMIN1 ssh cert-auth state enabled
admin@nvos:~$ nv set system aaa user ADMIN1 ssh cert-auth principals aaa
admin@nvos:~$ nv config apply

Viewing Trusted CA Configuration

To display the trusted CA certificate authentication configuration, run:


Bash
admin@nvos:~$ nv show system ssh-server trusted-ca-keys
      operational  applied 
---- ------------ -------- 
key   *           * 
type  ssh-rsa     ssh-rsa 
