SSH RSA authentication works in IOS release 15.0M

The feature we’ve begged, prayed, sobbed, yelled, screamed for has finally been implemented in Cisco IOS: public key SSH authentication works in IOS release 15.0M (and is surprisingly easy to use).

After configuring the SSH server on IOS (see also the comments to this post), you have to configure the ssh pubkey-chain, where you can enter either the key string (copied from your SSH public key file) or the key's hash (the fingerprint displayed by the ssh-keygen command).

It’s probably easier to copy/paste the public key from your id_rsa.pub file into the terminal window …

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip ssh pubkey-chain
R2(conf-ssh-pubkey)#username pipi
R2(conf-ssh-pubkey-user)#key-string
R2(conf-ssh-pubkey-data)#$AAQEA6jYlf9MBskhkWov+ZOUDKun0ExQIRj1zfWA/YciO02VS
R2(conf-ssh-pubkey-data)#$XsxM7SqNkRSQOR7y7HBMoxTHV7o+R/uS6A8/mF0A3P/ScRjct
R2(conf-ssh-pubkey-data)#$JrNGACGaFy1njD9PrrvrU4o4hx6XDr6xVXF4sP4OCSXIn+Cp8
R2(conf-ssh-pubkey-data)#$bCnZLmv908AeDb1Ac4nPdsn1OhCPIg6fxZjB7DvAMB8Dbr+7Y
R2(conf-ssh-pubkey-data)#$apEbGE94luIqnBc61HsMd6JCWbQ== pipi@fedi.nil.si
R2(conf-ssh-pubkey-data)#exit
R2(conf-ssh-pubkey-user)#^Z

… and let the router convert it into the key hash, which is stored in the configuration:

R2#show run | section ssh
ip ssh rsa keypair-name SSH
ip ssh version 2
ip ssh pubkey-chain
 username pipi
  key-hash ssh-rsa C20B739F2645D6850C591C6A11780CB5 pipi@fedi.nil.si

After this simple step, you can log into your router without typing a password. Finally we have a manageable way to execute commands on a router remotely and securely.
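The router converts the pasted key-string into a key-hash and stores only the hash, so the one check worth automating is that the hash in the running configuration is really the hash of the key you meant to deploy. The Python script below is an added example, not code from the original post or from Cisco: it decodes an OpenSSH id_rsa.pub line, computes the fingerprint, and compares it against the key-hash lines in `show run | section ssh` output. It assumes that the IOS key-hash is the MD5 digest of the decoded key blob, i.e. the value `ssh-keygen -l -E md5` prints with the colons removed and upper-cased; the public key it embeds is a constructed placeholder (not a real RSA key), and the configuration sample is the one quoted in the post.

```python
import base64
import hashlib
import re
import struct


def decode_openssh_pubkey(line: str) -> tuple[str, bytes, str]:
    """Split one id_rsa.pub line into (key type, decoded key blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    comment = parts[2] if len(parts) == 3 else ""
    return parts[0], base64.b64decode(parts[1]), comment


def md5_fingerprint(blob: bytes) -> str:
    """MD5 of the raw key blob, upper-case hex with no colons (assumed to be the
    IOS key-hash format; same digest 'ssh-keygen -l -E md5' prints)."""
    return hashlib.md5(blob).hexdigest().upper()


def ios_key_hash_line(pubkey_line: str) -> str:
    """The key-hash line IOS should store after converting this public key."""
    keytype, blob, comment = decode_openssh_pubkey(pubkey_line)
    return f"key-hash {keytype} {md5_fingerprint(blob)} {comment}".rstrip()


def parse_pubkey_chain(show_run: str) -> dict[str, list[tuple[str, str]]]:
    """Map username -> [(key-hash, comment), ...] from 'show run | section ssh'."""
    chain: dict[str, list[tuple[str, str]]] = {}
    user = None
    inside = False
    for line in show_run.splitlines():
        line = line.rstrip()
        if line.strip() == "ip ssh pubkey-chain":
            inside = True
            continue
        if inside and line and not line.startswith(" "):
            inside = False  # next top-level command ends the pubkey-chain block
        if not inside:
            continue
        m = re.match(r"\s+username (\S+)$", line)
        if m:
            user = m.group(1)
            chain.setdefault(user, [])
            continue
        m = re.match(r"\s+key-hash ssh-rsa ([0-9A-Fa-f]{32})(?:\s+(.*))?$", line)
        if m and user is not None:
            chain[user].append((m.group(1).upper(), m.group(2) or ""))
    return chain


def verify_pubkey_chain(show_run: str, expected: dict[str, str]) -> dict[str, bool]:
    """For each expected user (username -> OpenSSH public key line), report whether
    the router has a key-hash that matches that key; False means a missing,
    mis-pasted or replaced key."""
    configured = parse_pubkey_chain(show_run)
    report = {}
    for user, pubkey_line in expected.items():
        _, blob, _ = decode_openssh_pubkey(pubkey_line)
        want = md5_fingerprint(blob)
        report[user] = any(h == want for h, _ in configured.get(user, []))
    return report


def build_rsa_blob(e: int, n: int) -> bytes:
    """Encode (e, n) as an ssh-rsa key blob; used here only to build a placeholder key."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b

    def mpint(x: int) -> bytes:
        # extra leading zero byte when the top bit is set, as RFC 4251 mpint requires
        return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def encode_openssh_pubkey(blob: bytes, comment: str = "") -> str:
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


# Constructed placeholder key (a 1024-bit odd number, NOT a real RSA modulus).
SAMPLE_BLOB = build_rsa_blob(65537, (1 << 1023) | 1)
SAMPLE_PUBKEY = encode_openssh_pubkey(SAMPLE_BLOB, "demo@example.invalid")

# The 'show run | section ssh' output quoted in the post.
SAMPLE_SHOW_RUN = """\
ip ssh rsa keypair-name SSH
ip ssh version 2
ip ssh pubkey-chain
 username pipi
  key-hash ssh-rsa C20B739F2645D6850C591C6A11780CB5 pipi@fedi.nil.si
"""

if __name__ == "__main__":
    print(ios_key_hash_line(SAMPLE_PUBKEY))
    print(parse_pubkey_chain(SAMPLE_SHOW_RUN))
    print(verify_pubkey_chain(SAMPLE_SHOW_RUN, {"pipi": SAMPLE_PUBKEY}))  # {'pipi': False}
```

Run it against the saved output of `show run | section ssh` from each router and a directory of the public keys you actually issued; a False for a user means the router holds a different key than the one you think it does, which is the case worth investigating before trusting password-less logins.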

16 comments:

Anonymous said...

Wish I could use my Aladdin eToken to store these keys; PuTTY still has no support for getting them from hardware tokens and you have to find third-party software to get the token to understand these keys.

stretch said...

Finally. Maybe next they'll step up to super-advanced features like entering IP addresses in CIDR notation.

shivlu jain said...

thanks for posting the latest updates.

Justin said...

Does it also work if you do something like

$ ssh rtr 'show int gig0/1'

Jeff Ollie said...

That's awesome! Any idea how this interacts with TACACS? It'd be nice to have my TACACS server serve up the public keys rather than going around to every router and reconfiguring it.

Ivan Pepelnjak said...

Sure. That's the beauty of it 8-)

Ivan Pepelnjak said...

As far as I understand, the keys have to be configured on the router(s).

xls said...

After some short testing I have many questions to be answered regarding public key SSH authentication in IOS ...

- had problems with authentication using some keys generated with Puttygen/openssh. Some keys work, some don't. It sounds too basic, so it may be my fault.
- had problems with SSH authentication/authorization with 'aaa new-model' and 'aaa authorization exec default local' until I changed the latter to 'aaa authorization exec default none'. Again, maybe it's a problem with the testing scenario ... more tests needed.
- key-hash accepts comments after the hash. It accepts embedded spaces if quoted, but only until the next reload ... (IOS will also extract the comments from the key-string)

key-hash ssh-rsa BD2F5E25A4801D09201503AA6A2CD7FD ops mmm
^
% Invalid input detected at '^' marker.

- I was 'lucky' to see my first 15.0(1)M crash when playing with the
key-hash/key-string due to:

Oct 5 14:39:57.095: %SYS-3-CPUHOG: Task is running for (2004)msecs,
more than (2000)msecs (0/0),process = Check heaps [...]

- and we have some low limits here: http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_shell_v2.html#wp1062466

"Storing public keys on a server uses memory; therefore, the number of public keys configurable on an SSH server is restricted to 10 users, with a maximum of two public keys per user"

Again, new IOS, just more food for testing and new blog entries :-)

DcUK said...

Hmm, configuring this as per the examples above and in the newly updated Cisco sec_secure_shell_v2 documentation, but it won't allow an interactive session. With debug on (both sides) I can see it authenticate with the keys correctly, but then it just freezes for a moment and logs me out. It looks in the logs like a normal session, no errors given at all.

Any thoughts?

DcUK said...

Just found out that 'no ip ssh pubkey-chain' also causes a reload, at least on my 877 test router.

xls said...

Using 'aaa new-model', as reported in my comment above?

Ivan Pepelnjak said...

If you use "aaa authorization exec default local", you have to define local users with the "username" command.

For all other things ... open a case with the TAC ;)

Glakovski said...

Has somebody tested it with keys higher than 1024??? I think it doesn't accept them...

Ian P said...

Doesn't look like this works with 2048 bit keys *DONT_KNOW*

Chris K. said...

Has anybody gotten this to work with 'aaa authorization exec default local' and with a relevant username entry? It doesn't seem to use this for the auth level. Only 'aaa authorization exec default none' seems to let me in.

Marcel said...

Had the same problem as Chris K. and others, where I got logged out immediately: it does work if you "no aaa new-model", and "login local" on "line vty 0 4" instead.

It's hinted at in http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.