
Wednesday, February 25, 2015

Cisco IOS RSA authentication

Using SSH public key authentication to an IOS device allows login from a client (Linux) to a server (Cisco IOS router) without an interactive password prompt.

Client side (Linux)

Copy the public key to notepad:

[root@linux ~]# cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtyqPcQQLAc5+FcEhfBTpWjr6cGTgU5I/JCMfcA1vxp root@linux
[root@linux ~]#

Pay attention to copy the whole key, including the leading ‘ssh-rsa’ and the trailing username@hostname comment.

If there is no public/private key pair, you can generate one by issuing the following command:

[root@linux ~]# ssh-keygen

Server side (Cisco IOS device)

Create RSA key-pair:

RTR(config)#crypto key generate rsa label KEYPAIR
The name for the keys will be: KEYPAIR
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 18 seconds)

Verify:

RTR#show crypto key mypubkey rsa
% Key pair was generated at: 15:15:23 Feb 25 2015
Key name: KEYPAIR
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:

Set SSH to use this key:

RTR(config)#ip ssh rsa keypair-name KEYPAIR
Feb 25 15:16:55.038 IL: %SSH-5-ENABLED: SSH 2.0 has been enabled

Create account with the client RSA public key:

RTR(config)#ip ssh pubkey-chain
RTR(conf-ssh-pubkey)#username root
RTR(conf-ssh-pubkey-user)#key-string
RTR(conf-ssh-pubkey-data)#$eWrrMuQxFrXC8fp5zYE54XEtVWEgVQj//gdFHOewADz1/gVRPZMl6dMSOufayLQCUaSGk09iTmNAZXRSWj0kr2VWfbMO    
RTR(conf-ssh-pubkey-data)#exit
%SSH: Failed to decode the Key Value
RTR(conf-ssh-pubkey-user)#exit
RTR(conf-ssh-pubkey)#exit

Note the error message ‘%SSH: Failed to decode the Key Value’.
When you copy the client RSA key into a notepad it appears as one long line, and IOS fails to decode the key when it is pasted that way.

Break it into several lines of about 60 characters each, keeping ‘ssh-rsa’ at the start and username@hostname at the end, like this:

Then copy this key to the SSH pubkey-chain:

RTR(config)#ip ssh pubkey-chain
RTR(conf-ssh-pubkey)#username root
RTR(conf-ssh-pubkey-user)#key-string
RTR(conf-ssh-pubkey-data)#ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtyqPcQQLAc5+FcEhfBTpWjr
RTR(conf-ssh-pubkey-data)#6cGTgU5I/JCNlDLDWBsb1vhy+kvc3TAUMnr1gna9PSXPoGSRH/sqg07r+R66v
RTR(conf-ssh-pubkey-data)#I95Ukeht8MEu5J0e7zrUteHSd2FPkGklFcnwWCeWrrMuQxFrXC8fp5zYE54XE
RTR(conf-ssh-pubkey-data)#tVWEgVQj//gdFHOewADz1/gVRPZMl6dMSOufayLQCUaSGk09iTmNAZXRSWj0k
RTR(conf-ssh-pubkey-data)#r2VWfbMOsfdgXO9kFr2Fjm1s/Ac2QY4aZFlodQ486AUaaJ4t/6RMqOlldgna
RTR(conf-ssh-pubkey-data)#+5rCgELwGlsemR57ohGIcvwzQ7gugvZReaMW8mC7PG/8iyS7Uvu4sbNg73XX
RTR(conf-ssh-pubkey-data)#IOBm/gRMfcA1vxp root@linux
RTR(conf-ssh-pubkey-data)#exit
RTR(conf-ssh-pubkey-user)#exit
RTR(conf-ssh-pubkey)#exit
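As an added example (not part of the original post), the following Python script checks that a copied OpenSSH public key is complete before it is pasted, by decoding the ssh-rsa blob the way the router must, and then splits it into the short lines that worked above. The 60-character width is an assumption taken from the working example, and the sample key the script builds is constructed, not a real key.

```python
import base64
import struct

LINE_WIDTH = 60  # assumed chunk width; the working pubkey-chain example uses ~60-char lines

def _mpint(value: int) -> bytes:
    """SSH mpint: length-prefixed big-endian, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw

def build_ssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Build an 'ssh-rsa <base64> <comment>' line (constructed sample, not a real key)."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_ssh_rsa_line(line: str) -> tuple:
    """Decode the key blob and return (e, n); raise ValueError if it is truncated or malformed."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)  # binascii.Error is a ValueError
    parts, off = [], 0
    for _ in range(3):  # three length-prefixed fields: key type, e, n
        if off + 4 > len(blob):
            raise ValueError("truncated key blob")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated key blob")
        parts.append(blob[off:off + length])
        off += length
    if parts[0] != b"ssh-rsa" or off != len(blob):
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(parts[1], "big"), int.from_bytes(parts[2], "big")

def pubkey_chain_config(username: str, line: str, width: int = LINE_WIDTH) -> list:
    """Validate the key, then emit the IOS pubkey-chain commands with the key split into short lines."""
    parse_ssh_rsa_line(line)  # refuse to emit config for a key the router could not decode
    line = line.strip()
    chunks = [line[i:i + width] for i in range(0, len(line), width)]
    return (["ip ssh pubkey-chain", f" username {username}", "  key-string"]
            + ["   " + c for c in chunks] + ["  exit", " exit", "exit"])
```

A 2048-bit key with e=65537 produces a 279-byte blob, which is the "blen 279" the client debug output reports below.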


Client side (Linux)

Log in to the router:

[root@il-linux ~]# ssh -2 -v root@192.168.10.1
OpenSSH_5.9p1 (CentrifyDC build 4.5.4-121) (CentrifyDC build 4.5.4-121), OpenSSL 0.9.8w (CentrifyDC build 4.5.4-121) 23 Apr 2012
debug1: Reading configuration data /etc/centrifydc/ssh/ssh_config
debug1: /etc/centrifydc/ssh/ssh_config line 52: Applying options for *
debug1: Connecting to 192.168.10.1 [192.168.10.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: Miscellaneous failure
No credentials cache found

debug1: Miscellaneous failure
No credentials cache found

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 9a:20:78:fc:6c:27:5d:9e:f1:e2:73:68:a1:4f:7c:d6
debug1: Host '192.168.10.1' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:175
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.10.1 ([192.168.10.1]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
RTR#



Friday, February 20, 2015

SNMP v3 Configuration



Security model for SNMP protocol

Three security models can be used in SNMPv3:

Model   Level          Authentication   Encryption
v3      NoAuthNoPriv   Username         None
v3      AuthNoPriv     MD5 or SHA       None
v3      AuthPriv       MD5 or SHA       DES, 3DES, AES

Note that noAuthNoPriv is essentially the same as a v2 community string.

Configuration

1. Define view
2. Set up group
3. Set up user account

Sample configuration:

snmp-server view VIEW3 1.3.6.1.4.1.9.2.2.1.1.8.* included
snmp-server group ReadGrp v3 priv read VIEW3
snmp-server user User2 ReadGrp v3 auth sha cisco priv des cisco

Define View

snmp-server view <VIEW_NAME> <MIB> [included|excluded]

<VIEW_NAME> - the name of the view
<MIB> - the MIB subtree/OID to include in or exclude from this view

To determine the MIB/OID for a specific device, we can use these two freeware tools:

SNMP MIB browser from ManageEngine:

And SNMP Tester from Paessler:

The SNMP MIB browser allows us to browse a specific MIB and see the OID for each entry; for example, here is the Cisco MIB:


The whole MIB is structured as a tree from which you can select a specific leaf, so if we want to allow a specific group to read only the output-bits value we configure the following view:

snmp-server view VIEW3 1.3.6.1.4.1.9.2.2.1.1.8.* included

Note that this tool doesn’t support SNMPv3, so in order to do a walk with it we need to configure SNMPv2.

Setup Group

Then we set up a group that is allowed to use this view:

snmp-server group ReadGrp v3 priv read VIEW3

The group name is ReadGrp and it’s using authentication and encryption security level (priv) with read privilege for view set VIEW3.

Note the asterisk wildcard in the OID.
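As an added example (not from the original post), the following Python code applies the view-matching rule to the page's VIEW3 so you can check which OIDs a walk will and will not return before touching the device: the asterisk matches any single sub-identifier, and when several entries match an OID the longest one decides. The second view (MGMT_VIEW) is constructed to show an excluded subtree inside an included one.

```python
def parse_oid(text: str) -> list:
    """'1.3.6.1.4.1.9.2.2.1.1.8.*' -> [1, 3, ..., 8, '*']; '*' is the single-arc wildcard."""
    return [p if p == "*" else int(p) for p in text.split(".")]

def subtree_matches(pattern: list, oid: list) -> bool:
    """True if the view's subtree (possibly containing '*' arcs) is a prefix of oid."""
    if len(pattern) > len(oid):
        return False
    return all(p == "*" or p == o for p, o in zip(pattern, oid))

def oid_in_view(view_entries: list, oid_text: str) -> bool:
    """VACM rule (RFC 3415): among the entries that match, the longest subtree wins;
    the OID is visible only if that entry is 'included'. No matching entry -> not visible."""
    oid = parse_oid(oid_text)
    best = None
    for subtree, status in view_entries:
        pattern = parse_oid(subtree)
        if subtree_matches(pattern, oid) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, status)
    return best is not None and best[1] == "included"

# The page's view (a single wildcard entry) and a constructed view with an exclusion.
VIEW3 = [("1.3.6.1.4.1.9.2.2.1.1.8.*", "included")]
MGMT_VIEW = [("1.3.6.1.2.1", "included"),        # constructed: mib-2 included
             ("1.3.6.1.2.1.1.6", "excluded")]    # constructed: sysLocation excluded
```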

Setup User Account

Finally, set up a user account:

R1(config)#snmp-server user User2 ReadGrp v3 auth sha cisco priv des cisco

The user User2 belongs to ReadGrp and uses SHA authentication and DES encryption.
Note that SNMPv3 user accounts are not stored in the running-config or in flash; they are stored in NVRAM.

Use ‘show snmp user’ to see those user accounts:

R1#show snmp user

User name: User2
Engine ID: 800000090300CA012AD00008
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: DES
Group-name: ReadGrp

Cisco devices support most of the protocols (MD5, SHA, DES, 3DES and AES 128/192/256), but not all NMS programs support all of them, so pay attention to which protocol you use for authentication and which for encryption.

Verification

Now let’s test it using SNMP tester:


In the first part we configure the device IP (192.168.198.2) along with the SNMP version 3 account; in the second part we do an SNMP walk for the specific OID (1.3.6.1.4.1.9.2.2.1.1.8) and we can see the results in the left pane.

Trying the same on another OID that we didn’t include in the SNMP view will lead to no result:


One final note: SNMPv3 authentication and encryption keys are derived from the associated passwords and the engine ID. If you configure or change the engine ID, you must commit the new engine ID before you configure SNMPv3 users; otherwise the keys generated from the configured passwords are based on the previous engine ID.
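As an added example (not from the original post), the following Python code carries out the RFC 3414 password-to-key derivation that the note above refers to, using the engine ID shown by ‘show snmp user’ earlier. It shows why a user created under one engine ID stops working after the engine ID changes: the localized key depends on both the password and the engine ID. The second engine ID is a constructed value for comparison, and the DES key/pre-IV split follows RFC 3414 section 8.1.1.1.

```python
import hashlib

# Engine ID as shown by 'show snmp user' on this page (hex string -> bytes).
PAGE_ENGINE_ID = bytes.fromhex("800000090300CA012AD00008")

def password_to_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2 password-to-key: Ku = H(password repeated to fill 1 MiB),
    Kul = H(Ku || engineID || Ku). hash_name is 'md5' or 'sha1'."""
    if not password:
        raise ValueError("empty password")
    expanded = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.new(hash_name, expanded).digest()          # not yet tied to an engine
    return hashlib.new(hash_name, ku + engine_id + ku).digest()  # localized to this engine

def localized_user_keys(auth_pw: str, priv_pw: str, engine_id: bytes,
                        hash_name: str = "sha1") -> dict:
    """Keys an agent derives for 'snmp-server user ... v3 auth sha <auth_pw> priv des <priv_pw>'.
    For DES the first 8 bytes of the localized privacy key are the key, the next 8 the pre-IV."""
    auth_key = password_to_key(auth_pw.encode(), engine_id, hash_name)
    priv_kul = password_to_key(priv_pw.encode(), engine_id, hash_name)
    return {"auth_key": auth_key, "des_key": priv_kul[:8], "des_pre_iv": priv_kul[8:16]}

def keys_change_with_engine_id(auth_pw: str, priv_pw: str, old_id: bytes, new_id: bytes) -> bool:
    """True if re-localizing the same passwords under a new engine ID yields different keys."""
    return localized_user_keys(auth_pw, priv_pw, old_id) != localized_user_keys(auth_pw, priv_pw, new_id)
```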