Configuring SSH public key authentication on Cisco IOS Device

Posted on November 8, 2013

SSH public key types:

  • RSA keys are used with the SSH1 and SSH2 protocols
  • DSA keys are used with the SSH2 protocol only

    Note: DSA is weaker than RSA

The key pairs:

  • Public key: ssh.com uses the public key format specified in RFC 4716, while OpenSSH uses its own, different format
  • Private key: SSH v1 private keys have a single standard format, but SSH v2 private keys come in many formats; the OpenSSH, ssh.com, PuTTY and WinSCP formats differ and are not interchangeable

Generate the Key

  1. SecureCRT

    [Image: SecureCRT-PublicKey-1]
    [Image: SecureCRT-PublicKey-2]
    [Image: SecureCRT-PublicKey-3]
    There are two key types, DSA and RSA. SecureCRT warns that many servers do not support RSA, but Cisco IOS supports RSA only.
    [Image: SecureCRT-PublicKey-4]
    The passphrase is the password that encrypts the private key; the comment is the text shown when the passphrase is requested. Both may be left empty.
    [Image: SecureCRT-PublicKey-5]
    [Image: SecureCRT-PublicKey-6]
    [Image: SecureCRT-PublicKey-7]
    For better compatibility and portability the OpenSSH format is preferred. Choose the location to save the key files:
    [Image: SecureCRT-PublicKey-8]
    After clicking 'Finish' a dialog pops up:
    [Image: SecureCRT-PublicKey-9]
    Choosing 'Yes' changes the public key setting of 'Quick Connect' to point to the saved file:
    [Image: SecureCRT-PublicKey-10]

  2. PuTTY

    [Image: Putty-PublicKey-1]
    [Image: Putty-PublicKey-2]
    [Image: Putty-PublicKey-3]
    Key passphrase: enter the password that encrypts the private key

    Key comment: the text shown when the passphrase is requested

    Note: by default the key is saved in PuTTY's native format (*.ppk); use the Conversions menu to export the private key in ssh.com or OpenSSH format

Configure Cisco IOS Device

  1. Enable SSH

    ip domain-name publickey.com  # configure the domain name
    crypto key generate rsa  # generate the SSH key pair
    line vty 0 4  # set the login mode of the vty lines
    transport input ssh  # Cisco and 3Com differ here: 3Com defines telnet or ssh users, while Cisco restricts the transport per session (line)
    
  2. IOS 15, SSH with public key authentication ([similar to 12.4T](http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-4t/sec-usr-ssh-12-4t-book.pdf))

    ip domain-name publickey.com
    ip ssh version 2
    crypto key generate rsa label ssh module 1024
    ip ssh rsa keypair-name ssh
    line vty 0 4
    transport input ssh
    exit

    ip ssh pubkey-chain
    username kzhang  # the username that will log in with the key
    key-string  # after pressing Enter, input works like a banner: paste the key; the key configuration ends only when you type exit
    xxxxxx
    exit  # leave the public key configuration

Notes about the key-string line

  • If the key cannot be decoded, the device reports: %SSH: Failed to decode the Key Value
  • SecureCRT: copy the entire contents of the public key file; PuTTY: copy only part of the text shown in the key box
    [Image: Putty-PublicKey-text]
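As an added example (not code from the original post), the following Python script checks that an OpenSSH public key line really is an RSA key, as Cisco IOS requires, wraps its base64 body into lines for pasting under key-string, and computes the MD5 value that IOS shows as key-hash ssh-rsa in the running configuration, so the key the device stored can be compared with the key you meant to install. The sample key is constructed (not a real RSA modulus), the 72-column wrap width is an assumption, and so is the statement that the key-hash is the MD5 of the raw key blob.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(x: int) -> bytes:
    """Encode a positive integer as an SSH mpint (a leading 0x00 keeps the sign bit clear)."""
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_rsa_pubkey(line: str):
    """Parse an OpenSSH 'ssh-rsa AAAA... comment' line into (e, n, raw blob); non-RSA keys are rejected."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("Cisco IOS pubkey-chain accepts ssh-rsa keys only")
    blob = base64.b64decode(parts[1], validate=True)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match the ssh-rsa header")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big"), blob

def ios_key_hash(blob: bytes) -> str:
    """Hex that IOS stores as 'key-hash ssh-rsa <hex>': the MD5 of the raw key blob
    (assumption; it equals the fingerprint 'ssh-keygen -l -E md5' prints for the key)."""
    return hashlib.md5(blob).hexdigest().upper()

def pubkey_chain_config(username: str, line: str, width: int = 72):
    """Build the ip ssh pubkey-chain block from the post; the base64 body is wrapped
    at `width` columns (assumed) so it can be pasted line by line under key-string."""
    _, n, blob = parse_rsa_pubkey(line)
    if n.bit_length() < 1024:
        raise ValueError("modulus shorter than the 1024 bits used in the post")
    b64 = base64.b64encode(blob).decode()
    chunks = [b64[i:i + width] for i in range(0, len(b64), width)]
    return (["ip ssh pubkey-chain", f" username {username}", "  key-string"]
            + ["   " + c for c in chunks] + ["  exit"])

# Constructed sample key: e = 65537 and a 1024-bit n that is NOT a real RSA modulus.
SAMPLE_E, SAMPLE_N = 65537, (1 << 1023) | 0x20131108
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(SAMPLE_E) + _ssh_mpint(SAMPLE_N)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " kzhang@example"
```

Running pubkey_chain_config("kzhang", SAMPLE_LINE) prints the block to paste, and ios_key_hash(SAMPLE_BLOB) gives the value to compare against show running-config after the key is entered.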

Verification

  1. ‘show ip ssh’

    R2#show ip ssh
    SSH Enabled - version 2.0
    Authentication timeout: 120 secs; Authentication retries: 3
    Minimum expected Diffie Hellman key size : 1024 bits
    IOS Keys in SECSH format(ssh-rsa, base64 encoded):
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCkhc93+j/D2RdJFhRn9NWkfoW+LE8WvERSX9wnygVp
    bVMxjlov+PP6Fe4OlppueLtRtdrAVIwROeyE4hxf/bCMf8efUylIqMGx4aI64m+V/l2rbFKEECdDXUHU
    LI/cNkdwu12h1C0fw4asGuhq4RQkjH53AgVgdQvk3yi37Rf4fQ==
  2. SecureCRT

    Using the SSH 'Quick Connect' dialog as an example:

    [Image: SecureCRT]

    1. Set the username
    2. Move 'Public Key' to a high priority in the authentication list
    3. Click 'Properties' to configure the public key used for login
    4. Click 'Use session public key setting'
    5. Click ... to select the private key file; SecureCRT supports the OpenSSH format but not the ssh.com format
    6. Click Connect
  3. PuTTY

    Specify the device IP on the Session page:

    [Image: Putty-Setting1]
    Specify the private key under Connection -> SSH -> Auth
    [Image: Putty-Seeting2]
    Note: PuTTY only supports the ppk format, not the OpenSSH or ssh.com formats

Others

  • On IOS 15.0, logging in with PuTTY fails with the error "Server refused our key"; running debug ip ssh detail on the device shows the error: invalid old access type configured - 0x01

    Resolution:

    configure terminal
    line vty 0 4
    login local
    exit
