Describes SSH authentication, highlights related restrictions, outlines supported configuration methods using CLI commands, and instructs on configuring SSH authentication with templates for secure device access.
SSH authentication
The Secure Shell (SSH) protocol is a network protocol that
- provides secure remote access connections to network devices,
- supports user authentication using public and private keys, and
- enables encrypted communication between clients and network devices.
Enabling SSH authentication
To enable SSH authentication, store your public key in the following location in your home directory:
~<user>/.ssh/authorized_keys
A new key is generated on the client machine, which owns the private key. The client decrypts any message encrypted with the SSH server's public key using the client's private key.
Restrictions for SSH authentication
SSH RSA key size
- The range of SSH RSA key sizes supported on Cisco IOS XE Catalyst SD-WAN devices is from 2048 to 4096. SSH RSA key sizes of 1024 and 8192 are not supported.
- A maximum of two keys per user are allowed on Cisco IOS XE Catalyst SD-WAN devices.
Supported methods for configuring SSH authentication using CLI commands
Use these supported SSH RSA key-based authentication methods when configuring SSH authentication using the CLI.
SSH key-based login is supported on IOS. A maximum of two keys per user is supported, and IOS supports only RSA-based keys.
The traditional IOS CLI supports:
- Key-string
- Key-hash: the key-string is base64-decoded and an MD5 hash is computed over the decoded data.
The transaction YANG model has provision to copy only the key-hash instead of the entire key-string. Cisco SD-WAN Manager performs this conversion and pushes the configuration to the device.
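The key-hash conversion described above, as an added example that is not Cisco's code and not taken from this page: the script base64-decodes an OpenSSH authorized_keys line, checks the two restrictions the page states (ssh-rsa only, modulus between 2048 and 4096 bits) and returns the MD5 of the decoded key blob, which is the value the key-hash form carries. The moduli fed to it are constructed numbers (2**2047 + 1 and similar), not real RSA keys, and the `ip ssh pubkey-chain` / `username` / `key-hash ssh-rsa` block it renders is the standard IOS layout, which this page does not quote, so treat those lines as an assumption.

```python
"""Constructed example (not Cisco's code): derive the IOS key-hash of an SSH RSA public key.

The page states that the key-hash is the MD5 of the base64-decoded key-string, and
that IOS XE Catalyst SD-WAN devices accept only RSA keys of 2048 to 4096 bits.
"""
import base64
import hashlib
import struct

MIN_BITS, MAX_BITS = 2048, 4096  # supported RSA modulus sizes stated on the page


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (a leading 0x00 keeps it positive)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_pubkey_line(modulus: int, exponent: int = 65537, comment: str = "user@host") -> str:
    """Build an authorized_keys line from RSA parameters (constructed test input only)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(exponent) + _ssh_mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def _split_ssh_strings(blob: bytes) -> list:
    """Split a wire-format blob into its length-prefixed fields, rejecting truncation."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("field runs past end of key blob")
        fields.append(blob[off:off + n])
        off += n
    return fields


def parse_pubkey_line(line: str):
    """Return (decoded_blob, modulus_bits) for an ssh-rsa authorized_keys line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)  # this decoded blob is what gets hashed
    fields = _split_ssh_strings(blob)
    # An ssh-rsa blob is exactly: string "ssh-rsa", mpint e, mpint n (RFC 4253).
    if key_type != "ssh-rsa" or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("only ssh-rsa keys are supported by IOS")
    modulus_bits = int.from_bytes(fields[2], "big").bit_length()
    return blob, modulus_bits


def key_size_supported(bits: int) -> bool:
    """True when the modulus size falls inside the range the page lists as supported."""
    return MIN_BITS <= bits <= MAX_BITS


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def ios_key_hash(line: str) -> str:
    """MD5 (hex) over the base64-decoded key-string, after enforcing the page's restrictions."""
    blob, bits = parse_pubkey_line(line)
    if not key_size_supported(bits):
        raise ValueError(f"{bits}-bit RSA key is outside the supported {MIN_BITS}-{MAX_BITS} range")
    return md5_hex(blob)


def render_pubkey_chain(username: str, line: str) -> str:
    """Render an IOS 'ip ssh pubkey-chain' block in key-hash form.
    Assumed standard IOS layout; the page describes the hash, not these CLI lines."""
    return "\n".join([
        "ip ssh pubkey-chain",
        f" username {username}",
        f"  key-hash ssh-rsa {ios_key_hash(line)}",
    ])


if __name__ == "__main__":
    # Constructed modulus: 2**2047 + 1 is a 2048-bit odd number, not a real RSA modulus.
    ok_line = build_rsa_pubkey_line(2**2047 + 1)
    print(render_pubkey_chain("admin", ok_line))
    for bad_bits in (1024, 8192):  # both listed as unsupported on the page
        try:
            ios_key_hash(build_rsa_pubkey_line(2**(bad_bits - 1) + 1))
        except ValueError as err:
            print("rejected:", err)
```

Running the script prints one pubkey-chain block for the 2048-bit input and a rejection line for each of the 1024-bit and 8192-bit inputs; the hash is computed over the decoded blob, not over the base64 text, which is the detail that makes a locally computed value match what the device expects.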
Configure SSH authentication using templates
Configure SSH authentication on Cisco IOS XE Catalyst SD-WAN devices using these steps.
Procedure
1. From the Cisco SD-WAN Manager menu, choose .
2. Click Feature Templates, and click Add Template.
3. From Select Devices, select the type of device for which you are creating the template.
4. From Basic Information, choose CISCO AAA template.
5. From Local, click New User and enter the details.
6. Enter SSH RSA Key.