Cisco: Authenticating with SSH public key on Cisco IOS devices

By -

Using SSH public keys to authenticate on a Cisco IOS device

The preferred way to authenticate on a network device is using a SSH key. If you don't have a SSH key already, take a look at the steps to generate a new key here.
After the key is available, you have to connected to your Cisco device and install it.

But, first of all, you need to make sure that SSH is enabled on your device.

1st Step - Enable SSH

To enable SSH on your device, you have to define the domain name and hostname of the device. Also you need to generate the host keys and finally to enable ssh:

Router>ena
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip domain-name johnyc20.blogspot.ro
Router(config)#hostname bucharest
bucharest(config)#crypto key generate rsa
The name for the keys will be: bucharest.johnyc20.blogspot.ro
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 23 seconds)

bucuresti(config)#ip ssh version 2
At this point, the SSH server should run on your device and you can test that by using the following command:
bucuresti#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

 2st Step - create user(s)

The second step is to create user(s), if they doesn't exist already. You can do that by using the "username" command:
bucuresti#show running-config | include username
bucuresti#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
bucuresti(config)#username smocanu privilege 15 secret 0 Vicfief3
To generate a strong password use a password generator, like 'apg' .

3rd Step - install user public key

The installation of the key is quite simple. The only thing that you should be aware of is that the number of characters of a line is limited. I think a maximum of 256 charactes can be inserted into one line, so you have to split your key into a few parts and insert each part on a line:
bucharest(config)#ip ssh pubkey-chain
bucharest(conf-ssh-pubkey)#username smocanu
bucharest(conf-ssh-pubkey-user)#key-string
bucharest(conf-ssh-pubkey-data)#$+1psZudur5dMoF0nGpG71JMwzIGQ206TW9YAw2
bucharest(conf-ssh-pubkey-data)#$O59TcgxkiiGZ0SARKSRtDBRtuK+wYgrN6zGni9
bucharest(conf-ssh-pubkey-data)#$hoJNRsfIHZlLftJHqnUJRPm5yLRY5e3wBmtUkb
bucharest(conf-ssh-pubkey-data)#$/9oPkwf0BSIWCgowv/Dzz/6H5za3rhlFsFZf+s
bucharest(conf-ssh-pubkey-data)#$F3MQ0di58nQU= smocanu@johnyc20.blogspot.ro
bucharest(conf-ssh-pubkey-data)#exit
bucharest(conf-ssh-pubkey-user)#exit
bucharest(conf-ssh-pubkey)#exit
bucharest(config)#do show runn | begin ip ssh
ip ssh version 2
ip ssh pubkey-chain
  username smocanu
   key-hash ssh-rsa 5464E66EA16FD338E389253F868DAE25 smocanu@johnyc20.blogspot.ro

At this point you should be able to authenticate yourself using your private key but don't forget to make your changes permanent by saving the configuration of the device:
bucharest(config)#end
*Jun 13 07:28:31.207: %SYS-5-CONFIG_I: Configured from console by console
bucharest#write memory
Building configuration...
[OK]
bucharest#

Comments

Post a Comment

Popular posts from this blog

JunOS - mount USB stick

By -
There are times when you have to use a USB stick to copy to or from it files to a Juniper router/switch. Fortunetly it will not be to very frequently, but there will be a time when you will need it. JunOS being a UNIX( FreeBSD ) based OS, you have to identify and mount the device attached. First, you have to check the device name, so you can identify it on /dev: smocanu@j2350> show log messages | match mass May 16 15:25:45  j2350 /kernel: umass0: Kingston DataTraveler SE9, rev 2.00/1.00, addr 2 May 16 15:25:46  j2350 /kernel: da0 at umass-sim0 bus 0 target 0 lun 0 Then you have to verify the partition number, usually it is the first one: smocanu@j2350> start shell % ls -las /dev/da0 /dev/da0 /dev/da0s1 Now you can mount your USB stick: % mkdir /var/tmp/usb % mount_msdosfs /dev/da0s1 /var/tmp/usb Once your USB stick is mounted, you can copy to/from it files, using /var/tmp/usb path. Do not forget that you have to umount the USB storage, before removing it fr
Read more

SSH: Generating and using SSH keys

By -
Image
One of the preferred method of authentication on network devices is using SSH with a SSH public key. In order to be able to authenticate yourself, you have to generate a SSH key pair. A SSH key is composed of two parts, one private key (which should remain "private" and also should be password protected ) and one public key which should be installed on the SSH server in order to authenticate you. SSH client on Linux: In order to generate a SSH key pair on Linux, you will need to use "ssh-keygen" tool, which is a part of the "openssh-client" package on Debian-like operating systems: smocanu@debian7:~$ dpkg -S $(which ssh-keygen) openssh-client: /usr/bin/ssh-keygen or a part of "openssh" package on RedHat-like operating systems: smocanu@centos6 ~$ rpm -qf $(which ssh-keygen) openssh-5.3p1-94.el6.x86_64 The generating process is quite simple, just run the "ssh-keygen" command, and it will ask you the location of the new key
Read more

Linux: Versioning the /etc/ configurations using 'etckeeper'

By -
One of the most important things for an administrator is to keep track of the changes. The preferred  way to do that is to use a configuration management system , like ' cfengine ', ' puppet ', ' chef ', ' ansible ' or you named it. Even so, you should still be able to see what exactly was changed on you system and when. I'm using ' etckeeper '  to do that and I'm thinking that it is very useful. The most important Unix distributions are including this software and you can install it by using your favorite package manager. On CentOS6, you can run: [root@centos6 ~]# yum install etckeeper After installing, at least on CentOS, you have to initialize the repository, by running: [root@centos6 ~]# etckeeper init Initialized empty Git repository in /etc/.git/ The last thing is to commit these changes, that means that you will add the entire /etc directory to the repository: [root@centos6 ~]# etckeeper commit -m "initial com
Read more