Wednesday, February 25, 2015

Cisco IOS RSA authentication

Using SSH public key authentication on an IOS device allows a client (Linux) to log in to a server (Cisco IOS router) without an interactive password prompt.

Client side (Linux)

Display the public key and copy it into a text editor (Notepad or similar):

[root@linux ~]# cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtyqPcQQLAc5+FcEhfBTpWjr6cGTgU5I/JCMfcA1vxp root@linux
[root@linux ~]#

Make sure to copy the whole key, including the leading 'ssh-rsa' and the trailing username@hostname comment.

If there is no public/private key pair yet, you can generate one with the following command:

[root@linux ~]# ssh-keygen

Server side (Cisco IOS device)

Create RSA key-pair:

RTR(config)#crypto key generate rsa label KEYPAIR
The name for the keys will be: KEYPAIR
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 18 seconds)

Verify:

RTR#show crypto key mypubkey rsa
% Key pair was generated at: 15:15:23 Feb 25 2015
Key name: KEYPAIR
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
  00B8780D C9FE10B7 32182CEA A9C954FE 9FFAAFF7 0068856C 9070FEDD 99C3CA11
  C4E6C805 20C8537C DE874299 18E1A55D E6BD6944 8C78E9A7 00BAC0BB 89279CC6
  806AE256 27DAF80D 27CA9FBF C576D075 E305635A 4FE1569E A9DB080E BCE5FAC9
  B73C50A2 98989A4B 3C8E10C3 12E492F6 E78CAF67 5889E32F 20835794 C87A9E96
  1617F89B DC96CBF4 00635E52 F23A8A95 33C24235 B7DF0BBC 227DA4F9 AB33B19C
  B1113661 FFE666D7 DD21097E 8C747FFA BC0A8F33 8F714E8E D7ADE1EC AF68AF39
  13F0855D 5456C539 FAEFCF67 BCDA0424 370264B2 ECA7336D A776225A 00D2A219
  E607CA4F C9DB297E 3C7DB9E1 6CC266B3 8245B63F A3E27AB1 919C074C 007B1F2C
  CF020301 0001

Set SSH to use this key:

RTR(config)#ip ssh rsa keypair-name KEYPAIR
Feb 25 15:16:55.038 IL: %SSH-5-ENABLED: SSH 2.0 has been enabled

Create a user account bound to the client's RSA public key:

RTR(config)#ip ssh pubkey-chain
RTR(conf-ssh-pubkey)#username root
RTR(conf-ssh-pubkey-user)#key-string
RTR(conf-ssh-pubkey-data)#$eWrrMuQxFrXC8fp5zYE54XEtVWEgVQj//gdFHOewADz1/gVRPZMl6dMSOufayLQCUaSGk09iTmNAZXRSWj0kr2VWfbMO    
RTR(conf-ssh-pubkey-data)#exit
%SSH: Failed to decode the Key Value
RTR(conf-ssh-pubkey-user)#exit
RTR(conf-ssh-pubkey)#exit

Note the error message "%SSH: Failed to decode the Key Value".
When you copy the client RSA key into a text editor, it appears on a single line:


Break it into several lines, like this:



Then copy this key to the SSH pubkey-chain:

RTR(config)#ip ssh pubkey-chain
RTR(conf-ssh-pubkey)#username root
RTR(conf-ssh-pubkey-user)#key-string
RTR(conf-ssh-pubkey-data)#ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtyqPcQQLAc5+FcEhfBTpWjr
RTR(conf-ssh-pubkey-data)#6cGTgU5I/JCNlDLDWBsb1vhy+kvc3TAUMnr1gna9PSXPoGSRH/sqg07r+R66v
RTR(conf-ssh-pubkey-data)#I95Ukeht8MEu5J0e7zrUteHSd2FPkGklFcnwWCeWrrMuQxFrXC8fp5zYE54XE
RTR(conf-ssh-pubkey-data)#tVWEgVQj//gdFHOewADz1/gVRPZMl6dMSOufayLQCUaSGk09iTmNAZXRSWj0k
RTR(conf-ssh-pubkey-data)#r2VWfbMOsfdgXO9kFr2Fjm1s/Ac2QY4aZFlodQ486AUaaJ4t/6RMqOlldgna
RTR(conf-ssh-pubkey-data)#+5rCgELwGlsemR57ohGIcvwzQ7gugvZReaMW8mC7PG/8iyS7Uvu4sbNg73XX
RTR(conf-ssh-pubkey-data)#IOBm/gRMfcA1vxp root@linux
RTR(conf-ssh-pubkey-data)#exit
RTR(conf-ssh-pubkey-user)#exit
RTR(conf-ssh-pubkey)#exit
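The splitting step above is easy to get wrong by hand (a dropped or duplicated character produces exactly the "Failed to decode the Key Value" error, or worse, a key that decodes but belongs to nobody). As an added example that is not part of the original post, the Python script below validates an OpenSSH public key line before it is pasted into key-string: it base64-decodes the blob, checks that the embedded key type really is ssh-rsa (RFC 4253 wire format: length-prefixed type, exponent, modulus), reports the modulus size, and then cuts the line into chunks. The chunk width of 60 is an assumption chosen to match the line lengths in the post, not a documented IOS limit, and the sample key is constructed from a made-up modulus so the script runs offline; for a 2048-bit key the blob is 279 bytes, which is the "blen 279" the client debug output reports further down.

```python
import base64
import hashlib
import struct


def _read_string(buf, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:start + length], start + length


def build_rsa_blob(e, n):
    """Encode an RSA public key as an ssh-rsa blob (RFC 4253 section 6.6)."""
    def mpint(x):
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if raw[0] & 0x80:          # mpint is signed: pad so the value stays positive
            raw = b"\x00" + raw
        return struct.pack(">I", len(raw)) + raw
    name = b"ssh-rsa"
    return struct.pack(">I", len(name)) + name + mpint(e) + mpint(n)


def parse_openssh_pubkey(line):
    """Parse an 'ssh-rsa <base64> [comment]' line and validate its contents."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected 'ssh-rsa <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)   # rejects stray characters
    kind, off = _read_string(blob, 0)
    if kind != b"ssh-rsa":
        raise ValueError("key type inside blob is not ssh-rsa")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after RSA modulus")
    n = int.from_bytes(n_raw, "big")
    return {
        "type": parts[0],
        "base64": parts[1],
        "comment": parts[2] if len(parts) == 3 else "",
        "e": int.from_bytes(e_raw, "big"),
        "bits": n.bit_length(),
        "blob_len": len(blob),
        # MD5 of the raw blob: the same value 'ssh-keygen -l -E md5' prints
        "md5": hashlib.md5(blob).hexdigest(),
    }


def wrap_for_ios(line, width=60):
    """Cut a validated key line into chunks of at most `width` characters.

    The chunks concatenate back to the original line, so IOS can rebuild it.
    The comment is appended to the last chunk, as in the post."""
    info = parse_openssh_pubkey(line)          # never emit an invalid key
    text = info["type"] + " " + info["base64"]
    lines = [text[i:i + width] for i in range(0, len(text), width)]
    if info["comment"]:
        lines[-1] += " " + info["comment"]
    return lines


def sample_key_line():
    """Constructed sample key (assumption): e=65537, a 2048-bit made-up modulus."""
    e = 65537
    n = (1 << 2047) | 0x10001   # NOT a real RSA modulus, only for parsing demos
    blob = build_rsa_blob(e, n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " root@linux"


if __name__ == "__main__":
    key = sample_key_line()
    info = parse_openssh_pubkey(key)
    print("RSA %d bit, e=%d, blob %d bytes, md5 %s" %
          (info["bits"], info["e"], info["blob_len"], info["md5"]))
    for chunk in wrap_for_ios(key):
        print(chunk)
```

Paste the printed chunks one per line at the key-string prompt. Afterwards, compare the hash IOS records in the running configuration (it stores the key as `key-hash ssh-rsa <hex>` under the username) with the `md5` field printed here, or with `ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub` on the client; a mismatch means the router is trusting a different key than the one you intended.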


Client side (Linux)

Log in to the router:

[root@il-linux ~]# ssh -2 -v root@192.168.10.1
OpenSSH_5.9p1 (CentrifyDC build 4.5.4-121) (CentrifyDC build 4.5.4-121), OpenSSL 0.9.8w (CentrifyDC build 4.5.4-121) 23 Apr 2012
debug1: Reading configuration data /etc/centrifydc/ssh/ssh_config
debug1: /etc/centrifydc/ssh/ssh_config line 52: Applying options for *
debug1: Connecting to 192.168.10.1 [192.168.10.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: Miscellaneous failure
No credentials cache found

debug1: Miscellaneous failure
No credentials cache found

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 9a:20:78:fc:6c:27:5d:9e:f1:e2:73:68:a1:4f:7c:d6
debug1: Host '192.168.10.1' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:175
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.10.1 ([192.168.10.1]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
RTR#