Using SSH public key authentication to IOS device will
allow login access, from a client (Linux) to a server (Cisco IOS router), without
using password interactive.
Client
side (Linux)
Copy the public key to notepad:
[root@linux
~]# cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtyqPcQQLAc5+FcEhfBTpWjr6cGTgU5I/JCMfcA1vxp
root@linux
[root@linux
~]#
|
[OUTPUT_OMITTED]
Pay attention to copy the whole key including ‘ssh-rsa’ and username@hostname.
If there is no public/private key pair you can generate on
by issuing the following command:
[root@linux
~]# ssh-keygen
|
Server side
(Cisco IOS device)
Create RSA key-pair:
RTR(config)#crypto
key generate rsa label KEYPAIR
The name for
the keys will be: KEYPAIR
Choose the
size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key
modulus greater than 512 may take
a few minutes.
How many
bits in the modulus [512]: 2048
% Generating
2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed
time was 18 seconds)
|
Verify:
RTR#show
crypto key mypubkey rsa
% Key pair
was generated at: 15:15:23 Feb 25 2015
Key name:
KEYPAIR
Key type:
RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101
01050003 82010F00 3082010A 02820101
00B8780D C9FE10B7 32182CEA A9C954FE 9FFAAFF7
0068856C 9070FEDD 99C3CA11
C4E6C805 20C8537C DE874299 18E1A55D
E6BD6944 8C78E9A7 00BAC0BB 89279CC6
806AE256 27DAF80D 27CA9FBF C576D075
E305635A 4FE1569E A9DB080E BCE5FAC9
B73C50A2 98989A4B 3C8E10C3 12E492F6
E78CAF67 5889E32F 20835794 C87A9E96
1617F89B DC96CBF4 00635E52 F23A8A95
33C24235 B7DF0BBC 227DA4F9 AB33B19C
B1113661 FFE666D7 DD21097E 8C747FFA
BC0A8F33 8F714E8E D7ADE1EC AF68AF39
13F0855D 5456C539 FAEFCF67 BCDA0424
370264B2 ECA7336D A776225A 00D2A219
E607CA4F C9DB297E 3C7DB9E1 6CC266B3
8245B63F A3E27AB1 919C074C 007B1F2C
CF020301 0001
|
Set SSH to use this key:
RTR(config)#ip
ssh rsa keypair-name KEYPAIR
Feb 25
15:16:55.038 IL: %SSH-5-ENABLED: SSH 2.0 has been enabled
|
Create account with the client RSA public key:
RTR(config)#ip
ssh pubkey-chain
RTR(conf-ssh-pubkey)#username
root
RTR(conf-ssh-pubkey-user)#key-string
RTR(conf-ssh-pubkey-data)#$eWrrMuQxFrXC8fp5zYE54XEtVWEgVQj//gdFHOewADz1/gVRPZMl6dMSOufayLQCUaSGk09iTmNAZXRSWj0kr2VWfbMO
RTR(conf-ssh-pubkey-data)#exit
%SSH: Failed
to decode the Key Value
RTR(conf-ssh-pubkey-user)#exit
RTR(conf-ssh-pubkey)#exit
|
Note the error message “%SSH:
Failed to decode the Key Value”
When you copy the client RSA key to a notepad, t appears in
one line:
Break it into several lines, like this:
Then copy this key to the SSH pubkey-chain:
RTR(config)#ip
ssh pubkey-chain
RTR(conf-ssh-pubkey)#username
root
RTR(conf-ssh-pubkey-user)#key-string
RTR(conf-ssh-pubkey-data)#ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQCtyqPcQQLAc5+FcEhfBTpWjr
RTR(conf-ssh-pubkey-data)#6cGTgU5I/JCNlDLDWBsb1vhy+kvc3TAUMnr1gna9PSXPoGSRH/sqg07r+R66v
RTR(conf-ssh-pubkey-data)#I95Ukeht8MEu5J0e7zrUteHSd2FPkGklFcnwWCeWrrMuQxFrXC8fp5zYE54XE
RTR(conf-ssh-pubkey-data)#tVWEgVQj//gdFHOewADz1/gVRPZMl6dMSOufayLQCUaSGk09iTmNAZXRSWj0k
RTR(conf-ssh-pubkey-data)#r2VWfbMOsfdgXO9kFr2Fjm1s/Ac2QY4aZFlodQ486AUaaJ4t/6RMqOlldgna
RTR(conf-ssh-pubkey-data)#+5rCgELwGlsemR57ohGIcvwzQ7gugvZReaMW8mC7PG/8iyS7Uvu4sbNg73XX
RTR(conf-ssh-pubkey-data)#IOBm/gRMfcA1vxp
root@linux
RTR(conf-ssh-pubkey-data)#exit
RTR(conf-ssh-pubkey-user)#exit
RTR(conf-ssh-pubkey)#exit
|
Client
side (Linux)
Login into the router:
[root@il-linux ~]# ssh -2 -v root@192.168.10.1
OpenSSH_5.9p1
(CentrifyDC build 4.5.4-121) (CentrifyDC build 4.5.4-121), OpenSSL 0.9.8w
(CentrifyDC build 4.5.4-121) 23 Apr 2012
debug1:
Reading configuration data /etc/centrifydc/ssh/ssh_config
debug1:
/etc/centrifydc/ssh/ssh_config line 52: Applying options for *
debug1:
Connecting to 192.168.10.1 [192.168.10.1] port 22.
debug1:
Connection established.
debug1:
permanently_set_uid: 0/0
debug1:
identity file /root/.ssh/id_rsa type 1
debug1:
identity file /root/.ssh/id_rsa-cert type -1
debug1:
identity file /root/.ssh/id_dsa type 2
debug1:
identity file /root/.ssh/id_dsa-cert type -1
debug1:
identity file /root/.ssh/id_ecdsa type -1
debug1:
identity file /root/.ssh/id_ecdsa-cert type -1
debug1:
Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no
match: Cisco-1.25
debug1:
Enabling compatibility mode for protocol 2.0
debug1:
Local version string SSH-2.0-OpenSSH_5.9
debug1:
Miscellaneous failure
No
credentials cache found
debug1:
Miscellaneous failure
No
credentials cache found
debug1:
SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT
received
debug1: kex:
server->client aes128-cbc hmac-md5 none
debug1: kex:
client->server aes128-cbc hmac-md5 none
debug1:
SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1:
expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1:
SSH2_MSG_KEX_DH_GEX_INIT sent
debug1:
expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1:
Server host key: RSA 9a:20:78:fc:6c:27:5d:9e:f1:e2:73:68:a1:4f:7c:d6
debug1: Host
'192.168.10.1' is known and matches the RSA host key.
debug1:
Found key in /root/.ssh/known_hosts:175
debug1:
ssh_rsa_verify: signature correct
debug1:
SSH2_MSG_NEWKEYS sent
debug1:
expecting SSH2_MSG_NEWKEYS
debug1:
SSH2_MSG_NEWKEYS received
debug1:
Roaming not allowed by server
debug1:
SSH2_MSG_SERVICE_REQUEST sent
debug1:
SSH2_MSG_SERVICE_ACCEPT received
debug1:
Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next
authentication method: publickey
debug1:
Offering RSA public key: /root/.ssh/id_rsa
debug1: Server
accepts key: pkalg ssh-rsa blen 279
debug1: read
PEM private key done: type RSA
debug1:
Authentication succeeded (publickey).
Authenticated
to 192.168.10.1 ([192.168.10.1]:22).
debug1:
channel 0: new [client-session]
debug1:
Entering interactive session.
RTR#
|
Super helpful
ReplyDelete