When commissioning a new router, you can set up your user for password-less SSH authentication.

The only info you need is your public SSH key.

The general server-side configuration in IOS-XE is described in the Secure Shell Configuration Guide, and this community blog post has very useful security guidelines (make sure your key complies with the hardened algorithm selection, though).

Note: I use ECDSA keys because they are shorter, and the IOS-XE CLI appears to better “digest” them ¯\_(ツ)_/¯


These are the steps you need to follow:

  1. (If one doesn’t exist already) generate an ECDSA key: ssh-keygen -t ecdsa
  2. In configure mode do:
    (config)#ip ssh pubkey-chain
    (conf-ssh-pubkey)#username <your user>
    (conf-ssh-pubkey-user)#key-string
    (conf-ssh-pubkey-data)#<paste the content of id_ecdsa.pub here>
    (conf-ssh-pubkey-data)#exit
    
  3. Write your configuration and try to connect using the id_ecdsa identity file.

If your user has privilege level 15, you should land directly at the enable-mode prompt:

    ssh <user>@<router> -i <identity file>
    Router#
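
The commands from step 2 can also be generated from the public key file instead of being pasted by hand. The shell function below is an added example, not part of the original post: it checks that the file holds a single ECDSA public key and no private key material, then prints the configuration lines. The `ios_pubkey_config` name, the user name check and the 254-character CLI line limit (`MAX_LINE`) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): render the pubkey-chain commands
# from step 2 for a given user and OpenSSH public key file.
# Usage: ios_pubkey_config <user> <path to id_ecdsa.pub>

MAX_LINE=${MAX_LINE:-254}   # assumed IOS-XE CLI line limit; override if yours differs

ios_pubkey_config() {
    user=$1; pub=$2
    if [ -z "$user" ] || [ ! -r "$pub" ]; then
        echo "usage: ios_pubkey_config USER PUBFILE" >&2; return 2
    fi
    # Conservative user name check (assumption) so only one config token is emitted.
    case $user in *[!A-Za-z0-9._-]*) echo "unexpected character in user name" >&2; return 1;; esac

    # A private key must never be pasted into a device configuration.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub contains private key material" >&2; return 1
    fi

    # Expect exactly one non-empty line: "<type> <base64> [comment]".
    line=$(tr -d '\r' < "$pub" | grep . || true)
    count=$(printf '%s\n' "$line" | grep -c . || true)
    [ "$count" -eq 1 ] || { echo "expected a single key line in $pub" >&2; return 1; }
    ktype=${line%% *}; rest=${line#* }; kdata=${rest%% *}

    # The post uses ECDSA keys; reject any other key type.
    case $ktype in
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "not an ECDSA public key: '$ktype'" >&2; return 1;;
    esac
    case $kdata in ''|*[!A-Za-z0-9+/=]*) echo "key data is not base64" >&2; return 1;; esac

    # The key is pasted as one CLI line, so it has to fit the line limit.
    if [ "${#line}" -gt "$MAX_LINE" ]; then
        echo "key line is ${#line} chars (limit $MAX_LINE); shorten the comment" >&2; return 1
    fi

    # Same command sequence as step 2, without the prompts.
    printf 'ip ssh pubkey-chain\nusername %s\nkey-string\n%s\nexit\n' "$user" "$line"
}
```

Run it as `ios_pubkey_config <your user> ~/.ssh/id_ecdsa.pub` and paste the output in configure mode.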