USG Series; Connecting to router via SSH with key pair
I've recently been learning about SSH and set up an SSH server on one of my Linux boxes I can connect remotely to from Windows via PuTTY using RSA certificates (public/private) with no username/password needed.
This got me to thinking...
I've been doing a little research via Google tonight but can't find anything definitive. Is it possible to set up the same type of connection to the USG device, using certificates as opposed to un/pw for a more secure experience? This is probably the only way I'd open up SSH connections to the router from the WAN (in my case the Internet) side.
From looking through the web interface of the device it doesn't appear this is possible. I can't have PuTTY generate a certificate pair then upload the public one to the router, and though the router can create a key pair, exporting the private key doesn't seem to create anything PuTTY can use.
I did find one page (link downloads an HTML page via FTP; found by Googling usg ssh putty), ftp://ftp.landata.ru/Huawei_Symantec/S···_05.html, which seems to indicate this is possible, but only with SSH-1 RSA (less secure) keys. Also, these instructions are for the CLI, much more difficult for a tinkerer like me.
Does anyone know if it is even possible to set up my described scenario? If I at least know it's possible I'll continue to try, but after five hours I really don't want to continue to try if someone else knows that it's not going to be possible.
Never mind on the document I linked - I found that it is not for ZyXEL USG routers.
Well, I gave up trying to get this to work. I'm trying to use PuTTY to connect to the router via SSH with a key pair and couldn't get it to work. I since figured out that the certificates the router makes are of the X.509 format and PuTTY can't use these. And apparently it's not possible to do something like extract a private key from them - they use a different method of certification than the key pairs PuTTY can use.
I'll just stick with accessing the router remotely through a VPN tunnel I guess. Maybe someday I'll be rich and can afford to buy SSH software all willy-nilly-like.