# SSH Public Key Authentication

Public Key Authentication (PKI) is an authentication method that uses a key pair for authentication instead of a password. Two keys are generated for SSH authentication:

- Public key
- Private key

**Note:** Network Configuration Manager supports only Open SSH key format.

## Steps to import Private key in NCM

1. Go to **Config Automation -> Credentials -> SSH Key**.

   ![Config automation](https://www.manageengine.com/network-configuration-manager/help/images/import-private-key.png)

2. Now, click on the + icon to perform an import operation.

   In SSH Key Import slide, browse and select the Private key file and enter a SSH Key Profile Name, Password Phrase and Comment.

   ![SSH Key import](https://www.manageengine.com/network-configuration-manager/help/images/import-operation.png)

3. Click on Save button.

**Note:** Private key file must have permission "600" - (It denotes that only the user can perform read and write operation).

## Steps to generate a private and public keys

### Linux

1. Open Terminal.
2. Execute below command:

```
ssh-keygen -t <algorithm-name> -b <no of bits>
```

**Example:**

![Generating public and private keys](https://www.manageengine.com/network-configuration-manager/help/images/command-execution-1.png)

For more details, please refer below link:

[https://www.ssh.com/academy/ssh/keygen](https://www.ssh.com/academy/ssh/keygen)

3. Cisco IOS only supports a maximum of 254 characters on a single line. So you won’t be able to paste this in one go.

   We can use "fold" command to break the public key in multiple parts:

```
fold -b -w 72 <public key file>
```

   Example:

   ![Generating public and private keys](https://www.manageengine.com/network-configuration-manager/help/images/command-execution-2.png)

   We can strip the contents like "ssh-rsa" and "root@ncm-test1".

4. Now we can use the stripped content in Cisco IOS Router.

### Windows

1. Install OpenSSH in windows.
2. Open Command Prompt with "Administrator" privilege.
3. Use "ssh-keygen" command to generate the key pair (Steps used in Linux).

## Adding public Key in Cisco IOS Router

1. Login to Cisco Router using privilege mode.
2. Execute the below commands:

```
configure terminal
ip ssh pubkey-chain
username <username>
key-string
```

   Example:

   ![Adding public key](https://www.manageengine.com/network-configuration-manager/help/images/command-execution-3.png)

3. Now paste the stripped public key, line by line.
4. After pasting the public key, exit from configure mode.
5. Once the public key is added, execute below command to check the fingerprint.

## Verification

To check the fingerprint of public key in Cisco IOS Router, execute the below command.

```
show running-config | begin pubkey
```

Example output:

![verification](https://www.manageengine.com/network-configuration-manager/help/images/command-execution-4.png)

On Windows, check with the fingerprint copied from PuTTYgen with command output.

On Linux, execute the below command to get the fingerprint.

```
ssh-keygen -l -f <public key file> -E md5
```

Example:

![verification](https://www.manageengine.com/network-configuration-manager/help/images/command-execution-5.png)