Manage Switch Credentials

You must have switch access credentials to install and upgrade software on a switch. You can choose between basic authentication (SSH username/password) and SSH (Public/Private key) authentication. These credentials apply to all switches. If some of your switches have alternate access credentials, you must change them or modify the credential information before attempting installations or upgrades with the lifecycle management feature.

Specify Switch Credentials

Switch access credentials are not specified by default. You must add these.

To specify access credentials:

  1. Open the LCM dashboard.

  2. Click the Click here to add Switch access link on the Access card.

  1. Select the authentication method you want to use; SSH or Basic Authentication. Basic authentication is selected by default.

Be sure to use credentials for a user account that has permission to configure switches.

The default credentials for Cumulus Linux have changed from cumulus/CumulusLinux! to cumulus/cumulus for releases 4.2 and later. For details, read Cumulus Linux User Accounts.

  1. Enter a username.

  2. Enter a password.

  3. Click Save.

    The Access card now indicates your credential configuration.

You must have sudoer permission to properly configure switches when using the SSH key method.

  1. Create a pair of SSH private and public keys.

    ssh-keygen -t rsa -C "<USER>"
    
  2. Copy the SSH public key to each switch that you want to upgrade using one of the following methods:

    • Manually copy the SSH public key to the /home/<USER>/.ssh/authorized_keys file on each switch, or
    • Run ssh-copy-id USER@<switch_ip> on the server where you generated the SSH key pair for each switch
  3. Copy the SSH private key into the entry field in the Create Switch Access card.

For security, your private key is stored in an encrypted format, and only provided to internal processes while encrypted.

The Access card now indicates your credential configuration.

To configure basic authentication, run:

cumulus@switch:~$ netq lcm add credentials username cumulus password cumulus

The default credentials for Cumulus Linux have changed from cumulus/CumulusLinux! to cumulus/cumulus for releases 4.2 and later. For details, read Cumulus Linux User Accounts.

To configure SSH authentication using a public/private key:

You must have sudoer permission to properly configure switches when using the SSH Key method.

  1. If the keys do not yet exist, create a pair of SSH private and public keys.

    ssh-keygen -t rsa -C "<USER>"
    
  2. Copy the SSH public key to each switch that you want to upgrade using one of the following methods:

    • Manually copy the SSH public key to the /home/<USER>/.ssh/authorized_keys file on each switch, or
    • Run ssh-copy-id USER@<switch_ip> on the server where you generated the SSH key pair for each switch
  3. Add these credentials to the switch.

    cumulus@switch:~$ netq lcm add credentials ssh-key PUBLIC_SSH_KEY
    

View Switch Credentials

You can view the type of credentials used to access your switches in the NetQ UI. You can view the details of the credentials using the NetQ CLI.

  1. Open the LCM dashboard.

  2. On the Access card, select either Basic or SSH.

To see the credentials, run netq lcm show credentials.

If you use an SSH key for the credentials, the public key appears in the command output:

cumulus@switch:~$ netq lcm show credentials
Type             SSH Key        Username         Password         Last Changed
---------------- -------------- ---------------- ---------------- -------------------------
SSH              MY-SSH-KEY                                       Tue Apr 28 19:08:52 2020

If you use a username and password for the credentials, the username appears in the command output with the password masked:

cumulus@switch:~$ netq lcm show credentials
Type             SSH Key        Username         Password         Last Changed
---------------- -------------- ---------------- ---------------- -------------------------
BASIC                           cumulus          **************   Tue Apr 28 19:10:27 2020

Modify Switch Credentials

You can modify your switch access credentials at any time. You can change between authentication methods or change values for either method.

To change your access credentials:

  1. Open the LCM dashboard.

  2. On the Access card, click the Click here to change access mode link in the center of the card.

  3. Select the authentication method you want to use; SSH or Basic Authentication. Basic authentication is the default selection.

  4. Based on your selection:

    • Basic: Enter a new username and/or password
    • SSH: Copy and paste a new SSH private key

Refer to Specify Switch Credentials for details.

  1. Click Save.

To change the basic authentication credentials, run the add credentials command with the new username and/or password. This example changes the password for the cumulus account created above:

cumulus@switch:~$ netq lcm add credentials username cumulus password Admin#123

To configure SSH authentication using a public/private key:

You must have sudoer permission to properly configure switches when using the SSH Key method.

  1. If the new keys do not yet exist, create a pair of SSH private and public keys.

    ssh-keygen -t rsa -C "<USER>"
    
  2. Copy the SSH public key to each switch that you want to upgrade using one of the following methods:

    • Manually copy the SSH public key to the /home/<USER>/.ssh/authorized_keys file on each switch, or
    • Run ssh-copy-id USER@<switch_ip> on the server where you generated the SSH key pair for each switch
  3. Add these new credentials to the switch.

    cumulus@switch:~$ netq lcm add credentials ssh-key PUBLIC_SSH_KEY
    

Remove Switch Credentials

You can remove the access credentials for switches using the NetQ CLI. Note that without valid credentials, you cannot upgrade your switches.

To remove the credentials, run netq lcm del credentials. Verify their removal by running netq lcm show credentials.