Manage Switch Credentials
You must have switch access credentials to install and upgrade software on a switch. You can choose between basic authentication (SSH username/password) and SSH (Public/Private key) authentication. These credentials apply to all switches. If some of your switches have alternate access credentials, you must change them or modify the credential information before attempting installations or upgrades with the lifecycle management feature.
Specify Switch Credentials
Switch access credentials are not specified by default. You must add these.
To specify access credentials:
- Open the LCM dashboard.
- Click the Click here to add Switch access link on the Access card.
- Select the authentication method you want to use: SSH or Basic Authentication. Basic authentication is selected by default.
Be sure to use credentials for a user account that has permission to configure switches.
The default credentials for Cumulus Linux have changed from cumulus/CumulusLinux! to cumulus/cumulus for releases 4.2 and later. For details, read Cumulus Linux User Accounts.
- Enter a username.
- Enter a password.
- Click Save.
The Access card now indicates your credential configuration.
You must have sudoer permission to properly configure switches when using the SSH key method.
- Create a pair of SSH private and public keys.
  ssh-keygen -t rsa -C "<USER>"
- Copy the SSH public key to each switch that you want to upgrade using one of the following methods:
  - Manually copy the SSH public key to the /home/<USER>/.ssh/authorized_keys file on each switch, or
  - Run ssh-copy-id <USER>@<switch_ip> for each switch, on the server where you generated the SSH key pair
- Copy the SSH private key into the entry field in the Create Switch Access card.
For security, your private key is stored in an encrypted format, and only provided to internal processes while encrypted.
The Access card now indicates your credential configuration.
To configure basic authentication, run:
cumulus@switch:~$ netq lcm add credentials username cumulus password cumulus
The default credentials for Cumulus Linux have changed from cumulus/CumulusLinux! to cumulus/cumulus for releases 4.2 and later. For details, read Cumulus Linux User Accounts.
To configure SSH authentication using a public/private key:
You must have sudoer permission to properly configure switches when using the SSH Key method.
- If the keys do not yet exist, create a pair of SSH private and public keys.
  ssh-keygen -t rsa -C "<USER>"
- Copy the SSH public key to each switch that you want to upgrade using one of the following methods:
  - Manually copy the SSH public key to the /home/<USER>/.ssh/authorized_keys file on each switch, or
  - Run ssh-copy-id <USER>@<switch_ip> for each switch, on the server where you generated the SSH key pair
- Add these credentials to the switch.
  cumulus@switch:~$ netq lcm add credentials ssh-key PUBLIC_SSH_KEY
View Switch Credentials
You can view the type of credentials used to access your switches in the NetQ UI. You can view the details of the credentials using the NetQ CLI.
- Open the LCM dashboard.
- On the Access card, select either Basic or SSH.
To see the credentials, run netq lcm show credentials.
If you use an SSH key for the credentials, the public key appears in the command output:
cumulus@switch:~$ netq lcm show credentials
Type             SSH Key        Username         Password         Last Changed
---------------- -------------- ---------------- ---------------- -------------------------
SSH              MY-SSH-KEY                                       Tue Apr 28 19:08:52 2020
If you use a username and password for the credentials, the username appears in the command output with the password masked:
cumulus@switch:~$ netq lcm show credentials
Type             SSH Key        Username         Password         Last Changed
---------------- -------------- ---------------- ---------------- -------------------------
BASIC                           cumulus          **************   Tue Apr 28 19:10:27 2020
Modify Switch Credentials
You can modify your switch access credentials at any time. You can change between authentication methods or change values for either method.
To change your access credentials:
- Open the LCM dashboard.
- On the Access card, click the Click here to change access mode link in the center of the card.
- Select the authentication method you want to use: SSH or Basic Authentication. Basic authentication is the default selection.
- Based on your selection:
  - Basic: Enter a new username and/or password
  - SSH: Copy and paste a new SSH private key
  Refer to Specify Switch Credentials for details.
- Click Save.
To change the basic authentication credentials, run the add credentials command with the new username and/or password. This example changes the password for the cumulus account created above:
cumulus@switch:~$ netq lcm add credentials username cumulus password Admin#123
To configure SSH authentication using a public/private key:
You must have sudoer permission to properly configure switches when using the SSH Key method.
- If the new keys do not yet exist, create a pair of SSH private and public keys.
  ssh-keygen -t rsa -C "<USER>"
- Copy the SSH public key to each switch that you want to upgrade using one of the following methods:
  - Manually copy the SSH public key to the /home/<USER>/.ssh/authorized_keys file on each switch, or
  - Run ssh-copy-id <USER>@<switch_ip> for each switch, on the server where you generated the SSH key pair
- Add these new credentials to the switch.
  cumulus@switch:~$ netq lcm add credentials ssh-key PUBLIC_SSH_KEY
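With the manual-copy option in the SSH key steps (here and under Specify Switch Credentials), key authentication fails if the private key is pasted by mistake, if the key is appended to an unterminated line, or if the file modes are too open. The helper below is an added example, not part of NetQ or its documentation, that installs the public key idempotently and then checks the result; the script name and the /tmp path in its usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not NetQ code). Run on the switch as the LCM access user:
#   sh install_lcm_key.sh /home/<USER> /tmp/id_rsa.pub
# The script name and /tmp path are assumptions for illustration.

# key_id PUBKEY_FILE: print "type base64-blob" of the first public key line.
key_id() {
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "refusing: $1 holds a private key" >&2; return 3
    fi
    line=$(grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$' "$1" | head -n 1)
    [ -n "$line" ] || { echo "no OpenSSH public key in $1" >&2; return 4; }
    rest=${line#* }
    printf '%s %s\n' "${line%% *}" "${rest%% *}"
}

# install_pubkey HOME_DIR PUBKEY_FILE: append the key once, with 700/600 modes.
install_pubkey() {
    id=$(key_id "$2") || return $?
    ssh_dir=$1/.ssh; auth=$ssh_dir/authorized_keys
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 5
    touch "$auth" && chmod 600 "$auth" || return 5
    if grep -qF "$id" "$auth"; then return 0; fi      # already present
    # Do not glue the new key onto an unterminated last line.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
    grep -F "$id" "$2" | head -n 1 >> "$auth"
}

# check_authorized_key HOME_DIR PUBKEY_FILE: 0 only if the key is listed and
# .ssh / authorized_keys carry the conventional 700 / 600 modes.
check_authorized_key() {
    id=$(key_id "$2") || return $?
    ssh_dir=$1/.ssh; auth=$ssh_dir/authorized_keys
    [ -f "$auth" ] || { echo "missing $auth" >&2; return 1; }
    [ "$(ls -ld "$ssh_dir" | cut -c1-10)" = "drwx------" ] || { echo ".ssh is not mode 700" >&2; return 6; }
    [ "$(ls -l "$auth" | cut -c1-10)" = "-rw-------" ] || { echo "authorized_keys is not mode 600" >&2; return 7; }
    grep -qF "$id" "$auth" || { echo "key not listed" >&2; return 8; }
}

# Stand-alone use: install, then verify.
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2" && check_authorized_key "$1" "$2"
fi
```

A non-zero exit status identifies which check failed (3 for a private key, 6 or 7 for directory or file modes, 8 for a missing key).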
Remove Switch Credentials
You can remove the access credentials for switches using the NetQ CLI. Note that without valid credentials, you cannot upgrade your switches.
To remove the credentials, run netq lcm del credentials. Verify their removal by running netq lcm show credentials.