SSH RSA authentication works in IOS release 15.0M

The feature we’ve begged, prayed, sobbed, yelled, screamed for has finally been implemented in Cisco IOS: public key SSH authentication works in IOS release 15.0M (and is surprisingly easy to use).

After configuring the SSH server on IOS (see also the comments on this post), you have to configure the ip ssh pubkey-chain, where you can enter either the key string (copied from your SSH public key file) or the key's hash (the fingerprint displayed by the ssh-keygen command).

It’s probably easier to copy/paste the public key from your id_rsa.pub file into the terminal window …

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip ssh pubkey-chain
R2(conf-ssh-pubkey)#username pipi
R2(conf-ssh-pubkey-user)#key-string
R2(conf-ssh-pubkey-data)#$AAQEA6jYlf9MBskhkWov+ZOUDKun0ExQIRj1zfWA/YciO02VS
R2(conf-ssh-pubkey-data)#$XsxM7SqNkRSQOR7y7HBMoxTHV7o+R/uS6A8/mF0A3P/ScRjct
R2(conf-ssh-pubkey-data)#$JrNGACGaFy1njD9PrrvrU4o4hx6XDr6xVXF4sP4OCSXIn+Cp8
R2(conf-ssh-pubkey-data)#$bCnZLmv908AeDb1Ac4nPdsn1OhCPIg6fxZjB7DvAMB8Dbr+7Y
R2(conf-ssh-pubkey-data)#$apEbGE94luIqnBc61HsMd6JCWbQ== pipi@fedi.nil.si
R2(conf-ssh-pubkey-data)#exit
R2(conf-ssh-pubkey-user)#^Z

… and let the router convert it into the key hash, which is stored in the configuration:

R2#show run | section ssh
ip ssh rsa keypair-name SSH
ip ssh version 2
ip ssh pubkey-chain
 username pipi
  key-hash ssh-rsa C20B739F2645D6850C591C6A11780CB5 pipi@fedi.nil.si

After this simple step, you can log into your router without typing a password. Finally we have a manageable way to execute commands remotely and securely.
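To see what the router does with the pasted key string, here is an added Python example (it is not from the post and not Cisco code): it parses an OpenSSH public-key line, checks that the base64 blob is a well-formed ssh-rsa key, and computes the MD5 digest of the raw key blob, which is the value IOS stores as key-hash (the same fingerprint that ssh-keygen -l prints on older OpenSSH, with the colons removed and in upper case). The sample key parameters, the username and all function names are constructed for this example.

```python
"""Compute the IOS 'key-hash' for an OpenSSH public key offline.

Added example, not part of the original post: IOS stores the MD5
digest of the raw SSH public-key blob, i.e. the fingerprint that
older ssh-keygen -l prints, without colons and in upper case.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian bytes, leading 0x00 if the high bit is set."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Parse one RFC 4251 string at offset; return (bytes, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def build_rsa_pubkey_line(e: int, n: int, comment: str = "") -> str:
    """Build an id_rsa.pub style line from RSA parameters.

    Used here only to construct sample input; a real key comes from ssh-keygen.
    """
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def ios_key_hash(pubkey_line: str) -> dict:
    """Parse one OpenSSH public-key line and return what IOS would store."""
    parts = pubkey_line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)

    # The blob itself begins with the key type; it must agree with the first word.
    wire_type, off = _read_string(blob, 0)
    if wire_type != key_type.encode("ascii"):
        raise ValueError(f"key type mismatch: {key_type!r} vs {wire_type!r} in blob")
    if key_type != "ssh-rsa":
        raise ValueError("IOS pubkey-chain in the post expects ssh-rsa keys")

    # ssh-rsa blob = string "ssh-rsa" || mpint e || mpint n  (RFC 4253 section 6.6)
    _e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after RSA modulus")
    modulus_bits = int.from_bytes(n_bytes, "big").bit_length()

    # MD5 here is a key identifier (fingerprint), not a security primitive.
    digest = hashlib.md5(blob).hexdigest().upper()
    return {"type": key_type, "hash": digest, "bits": modulus_bits, "comment": comment}


def ios_pubkey_chain_config(username: str, pubkey_line: str) -> str:
    """Render the 'ip ssh pubkey-chain' stanza the way 'show run' displays it."""
    info = ios_key_hash(pubkey_line)
    key_line = f"  key-hash {info['type']} {info['hash']} {info['comment']}".rstrip()
    return "\n".join(["ip ssh pubkey-chain", f" username {username}", key_line])


if __name__ == "__main__":
    # Constructed sample key: e=65537 and a 1024-bit modulus with no
    # cryptographic meaning; it is a placeholder, not a usable key.
    sample = build_rsa_pubkey_line(65537, (1 << 1023) | 0x10001, "pipi@fedi.nil.si")
    print(ios_pubkey_chain_config("pipi", sample))
```

Computing the hash offline lets you check that the key-hash the router shows in `show run` is the key you meant to load before you rely on it, and the modulus size is reported because commenters below report that 2048-bit keys did not work for them on this release. On OpenSSH 6.8 and later, ssh-keygen -l prints SHA256 fingerprints by default; add -E md5 to get the MD5 form this hash corresponds to.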

18 comments:

  1. Wish I could use my Aladdin eToken to store these keys; PuTTY still has no support for getting them from hardware tokens, and you have to find third-party software to get the token to understand these keys.

  2. Finally. Maybe next they'll step up to super-advanced features like entering IP addresses in CIDR notation.

  3. thanks for posting the latest updates.

  4. Does it also work if you do something like

    $ ssh rtr 'show int gig0/1'

  5. That's awesome! Any idea how this interacts with TACACS? It'd be nice to have my TACACS server serve up the public keys rather than going around to every router and reconfiguring it.

  6. Sure. That's the beauty of it 8-)

  7. As far as I understand, the keys have to be configured on the router(s).

  8. After some short testing I have many questions to be answered regarding public key SSH authentication in IOS ...

    - had problems with authentication using some keys generated with PuTTYgen/OpenSSH. Some keys work, some don't. It sounds too basic, so it may be my fault.
    - had a problem with SSH authentication/authorization with 'aaa new-model' and 'aaa authorization exec default local' until I changed the latter to 'aaa authorization exec default none'. Again, maybe it's a problem with the testing scenario ... more tests needed.
    - key-hash accepts comments after the hash. It accepts embedded spaces if quoted, but only until the next reload ...
    /IOS will also extract the comments from key-string/

    key-hash ssh-rsa BD2F5E25A4801D09201503AA6A2CD7FD ops mmm
    ^
    % Invalid input detected at '^' marker.

    - I was 'lucky' to see my first 15.0(1)M crash when playing with the key-hash/key-string due to:

    Oct 5 14:39:57.095: %SYS-3-CPUHOG: Task is running for (2004)msecs,
    more than (2000)msecs (0/0),process = Check heaps [...]

    - and we have some low limits here: http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_shell_v2.html#wp1062466

    "Storing public keys on a server uses memory; therefore, the number of public keys configurable on an SSH server is restricted to 10 users, with a maximum of two public keys per user"

    Again, new IOS, just more food for testing and new blog entries :-)

  9. Hmm, configuring this as per the examples above and in the newly updated Cisco sec_secure_shell_v2 documentation, but it won't allow an interactive session. With debug on (both sides) I can see it authenticate with the keys correctly, but then it just freezes for a moment and logs me out. It looks in the logs like a normal session, no errors given at all.

    Any thoughts?

  10. Just found out that 'no ip ssh pubkey-chain' also causes a reload, at least on my 877 test router.

  11. Using 'aaa new-model', as reported in my comment above?

  12. If you use "aaa authorization exec default local", you have to define local users with the "username" command.

    For all other things ... open a case with the TAC ;)

  13. Has somebody tested it with keys higher than 1024??? I think it doesn't accept them...

  14. Doesn't look like this works with 2048-bit keys *DONT_KNOW*

  15. Has anybody gotten this to work with 'aaa authorization exec default local' and with a relevant username entry? It doesn't seem to use this for the auth level. Only 'aaa authorization exec default none' seems to let me in.

  16. Had the same problem as Chris K. and others, where I got logged out immediately: it does work if you "no aaa new-model", and "login local" on "line vty 0 4" instead.

    It's hinted at in http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

  17. But I think there is a serious issue, or maybe I'm doing something wrong? If a user is created like:

    username user no password
    ip ssh pubkey-chain
    username user
    key-string <here>
    exit

    And now, if you don't use the private key for authentication, the user is logged into the CLI without any authentication (no password). The private key is not required for authentication. Is it possible to force checking the private key during login? Tested on C2901 C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M6

    Replies
    1. I think I'm just going to say the errors I've received from IOS while trying to paste my ssh-keygen generated public key string made me use more expletives than usual.

      If you'd like to avoid all that, here's how:

      Check your public key's type (later referred to as TYPE) with:
      $ awk '{print $1}' .ssh/id_rsa.pub

      for RSA it should show 'ssh-rsa'

      Get your public key's fingerprint (later referred to as HASH):
      $ ssh-keygen -l -f .ssh/id_rsa.pub | tr -d : | tr '[:lower:]' '[:upper:]' | awk '{print $2}'

      Apply the config:

      conf t
      ip ssh pubkey-chain
      username root
      key-hash TYPE HASH

      You're welcome. Martin Orda



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.