SSH RSA authentication works in IOS release 15.0M
The feature we’ve begged, prayed, sobbed, yelled, screamed for has finally been implemented in Cisco IOS: public key SSH authentication works in IOS release 15.0M (and is surprisingly easy to use).
After configuring the SSH server on IOS (see also the comments on this post), you have to configure the ip ssh pubkey-chain, where you enter either the key string (the contents of your SSH public key file) or the key’s hash (the fingerprint displayed by the ssh-keygen command).
It’s probably easier to copy/paste the public key from your id_rsa.pub file into the terminal window …
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip ssh pubkey-chain
R2(conf-ssh-pubkey)#username pipi
R2(conf-ssh-pubkey-user)#key-string
R2(conf-ssh-pubkey-data)#$AAQEA6jYlf9MBskhkWov+ZOUDKun0ExQIRj1zfWA/YciO02VS
R2(conf-ssh-pubkey-data)#$XsxM7SqNkRSQOR7y7HBMoxTHV7o+R/uS6A8/mF0A3P/ScRjct
R2(conf-ssh-pubkey-data)#$JrNGACGaFy1njD9PrrvrU4o4hx6XDr6xVXF4sP4OCSXIn+Cp8
R2(conf-ssh-pubkey-data)#$bCnZLmv908AeDb1Ac4nPdsn1OhCPIg6fxZjB7DvAMB8Dbr+7Y
R2(conf-ssh-pubkey-data)#$apEbGE94luIqnBc61HsMd6JCWbQ== [email protected]
R2(conf-ssh-pubkey-data)#exit
R2(conf-ssh-pubkey-user)#^Z
… and let the router convert it into the key hash, which is stored in the configuration:
R2#show run | section ssh
ip ssh rsa keypair-name SSH
ip ssh version 2
ip ssh pubkey-chain
username pipi
key-hash ssh-rsa C20B739F2645D6850C591C6A11780CB5 [email protected]
After this simple step, you can log into your router without typing a password. Finally we have a manageable way of executing commands remotely and securely:
$ ssh rtr 'show int gig0/1'
public key SSH authentication in IOS ...
- had problems with authentication using some keys generated with
Puttygen/openssh. Some keys work, some don't. It sounds too basic,
so it may be my fault.
- had a problem with SSH authentication/authorization with 'aaa new-model'
and 'aaa authorization exec default local' until I changed the latter to
'aaa authorization exec default none'. Again, maybe it's a problem
with my testing scenario ... more tests needed.
- key-hash accepts comments after the hash. It accepts embedded spaces
if quoted, but only until the next reload ...
/IOS will also extract the comments from key-string/
key-hash ssh-rsa BD2F5E25A4801D09201503AA6A2CD7FD ops mmm
^
% Invalid input detected at '^' marker.
- I was 'lucky' to see my first 15.0(1)M crash when playing with the
key-hash/key-string due to:
Oct 5 14:39:57.095: %SYS-3-CPUHOG: Task is running for (2004)msecs,
more than (2000)msecs (0/0),process = Check heaps [...]
- and we have some low limits here: http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_shell_v2.html#wp1062466
"Storing public keys on a server uses memory; therefore, the number of public keys configurable on an SSH server is restricted to 10 users, with a maximum of two public keys per user"
Again, new IOS, just more food for testing and new blog entries :-)
Any thoughts?
For all other things ... open a case with the TAC ;)
It's hinted at in http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
username user nopassword
ip ssh pubkey-chain
username user
key-string <here>
exit
And now: if you don't use a private key for authentication, the user is logged in to the CLI without any authentication (nopassword). The private key is not required for authentication. Is it possible to force checking of the private key during login? Tested on C2901 C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M6
If you'd like to avoid all that, here's how:
Check your public key's type (later referred to as TYPE) with:
$ awk '{print $1}' .ssh/id_rsa.pub
for RSA it should show 'ssh-rsa'
Get your public key's MD5 fingerprint, uppercased and with the colons removed (later referred to as HASH):
$ ssh-keygen -l -E md5 -f .ssh/id_rsa.pub | awk '{print $2}' | sed 's/^MD5://; s/://g' | tr '[:lower:]' '[:upper:]'
(the -E md5 switch is needed on OpenSSH 6.8 and later, where ssh-keygen -l defaults to a SHA256 fingerprint and prefixes the MD5 one with "MD5:"; on older ssh-keygen the switch does not exist and the plain colon-separated MD5 is printed, which the same pipeline also handles without -E md5)
Apply the config:
conf t
ip ssh pubkey-chain
username root
key-hash TYPE HASH
You're welcome. Martin Orda
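The conversion the post shows the router doing (a pasted key-string turned into the key-hash stored in the running config) and the off-box procedure in Martin's comment are the same computation: the IOS key-hash is the MD5 of the raw key blob, the base64-decoded second field of the public-key line. The script below is an added example, not code from the original post, the commenters, or Cisco; it parses an OpenSSH public-key line, checks that the blob really is an ssh-rsa key, computes that hash, and renders the pubkey-chain stanza in the form `show run` displays. The username `pipi` is reused from the post; the sample key, its modulus and the comment `ops@mgmt-host` are constructed (the modulus is a made-up number, far too small to be a real key), and the helper names (`parse_pubkey_line`, `check_pubkey_line`, `pubkey_chain_config`) are this example's own.

```python
"""Build the IOS `ip ssh pubkey-chain` entry for an OpenSSH public key.

IOS stores an RSA user key in the running config as
    key-hash ssh-rsa <32 hex digits> <comment>
where the hex digits are the MD5 of the raw key blob, i.e. the base64-decoded
second field of id_rsa.pub. That is the same value ssh-keygen prints as the
MD5 fingerprint, so the hash can be computed off-box and pasted directly.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH mpint: big-endian two's complement, so a leading 0x00 is added
    when the top bit is set to keep the value positive."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def parse_pubkey_line(line: str):
    """Split '<type> <base64 blob> [comment]' into (type, blob bytes, comment).

    The key type is also embedded as the first string inside the blob; a
    mismatch means the line was hand-edited or corrupted, and the router
    would store a hash of the wrong bytes, so it is rejected here."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != ktype.encode("ascii"):
        raise ValueError("key type inside blob does not match text type")
    return ktype, blob, comment


def hash_blob(blob: bytes) -> str:
    """The value IOS writes after `key-hash ssh-rsa`: uppercase hex MD5 of the blob."""
    return hashlib.md5(blob).hexdigest().upper()


def ios_key_hash(line: str) -> str:
    """IOS key-hash for a whole OpenSSH public-key line (the comment is not hashed)."""
    _, blob, _ = parse_pubkey_line(line)
    return hash_blob(blob)


def check_pubkey_line(line: str):
    """Return None if IOS 15.0M can use this line, otherwise the reason it cannot."""
    try:
        ktype, _, _ = parse_pubkey_line(line)
    except (ValueError, struct.error) as exc:
        return f"unparseable key line: {exc}"
    if ktype != "ssh-rsa":
        return f"IOS pubkey-chain takes ssh-rsa keys only, got {ktype}"
    return None


def pubkey_chain_config(username: str, line: str) -> str:
    """Render the stanza with key-hash rather than key-string, so the long
    base64 text never has to be chunked to fit the CLI line buffer.

    Only the first word of the comment is kept: comments with embedded
    spaces are reported in the thread to survive only until the next reload."""
    problem = check_pubkey_line(line)
    if problem:
        raise ValueError(problem)
    ktype, blob, comment = parse_pubkey_line(line)
    tag = comment.split()[0] if comment else ""
    entry = f"  key-hash {ktype} {hash_blob(blob)} {tag}".rstrip()
    return "\n".join(["ip ssh pubkey-chain", f" username {username}", entry])


# Constructed sample input: a syntactically valid ssh-rsa line built from a
# made-up (and far too small) modulus. It is not a real key; only the
# encoding and the hash computation matter here.
SAMPLE_N = 0xC4A1F9E6D2B7038E5F1A2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F6071
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(
    ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(SAMPLE_N)
).decode() + " ops@mgmt-host"

if __name__ == "__main__":
    print(pubkey_chain_config("pipi", SAMPLE_LINE))
```

Run it against a real `~/.ssh/id_rsa.pub` by passing that line to `pubkey_chain_config`; the hash it prints should match both what `show run | section ssh` shows after a key-string paste and what `ssh-keygen -l -E md5` prints once the colons and the `MD5:` prefix are stripped. Feeding it an ed25519 or ECDSA line fails the `check_pubkey_line` test rather than producing a hash the router would accept syntactically but never match on login.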