27
2012
How to perform SSH RSA User Authentication
Cisco IOS SSH Version 2 (SSHv2) supports keyboard-interactive and password-based authentication methods. The SSHv2 Enhancements for RSA Keys feature also supports RSA-based public key authentication for the client and the server.
RSA-based user authentication uses a private/public key pair associated with each user. The user must generate the private/public key pair on the client and configure the public key on the Cisco IOS SSH server before authentication can succeed.
An SSH user trying to authenticate provides a signature produced with the private key. The signature and the user’s public key are sent to the SSH server for authentication. The SSH server computes a hash over the public key provided by the user and uses that hash to determine whether it holds a matching entry. If a match is found, an RSA-based message verification is performed using the public key. The user is therefore authenticated or denied access based on the signature.
What do we need?
- An SSH client that supports RSA authentication (SecureCRT, PuTTY, …)
- A private/public key pair for each user
- An IOS that supports this feature (in this example, I use IOS version 15)
How to configure the router?
A few steps are required to implement the SSH RSA user authentication feature. For instance, to associate the “ciscozine” username with my public key:
Ciscozine(config)#ip ssh pubkey-chain
Ciscozine(conf-ssh-pubkey)#username ciscozine
Ciscozine(conf-ssh-pubkey-user)#key-string
Ciscozine(conf-ssh-pubkey-data)#$yc2EAAAADAQABAQQQAQC8IV2QIeshErol+zzo4Uh7pvL9vwXXAi1R
Ciscozine(conf-ssh-pubkey-data)#$SrM71X600nAY9TJI6lv0qbRoc3Kw9Utxzc3LR5ZtpRS333zhF7aNX
Ciscozine(conf-ssh-pubkey-data)#$mKvo9k3+5gdVsoy8NXTny5+Q1I2q0xvA666lZNMvujgWynBgBe+gc
Ciscozine(conf-ssh-pubkey-data)#$BVgCu3/Jm2TjeLY+5/9L1T54lfVPKxijAHtZPnV3ToIVZTn7LWgHA
Ciscozine(conf-ssh-pubkey-data)#$qY5RXcIbfxxxdgEjC6iU5mVXN3NcZkigVdadoZGJIo0lVRIcGLLyC
Ciscozine(conf-ssh-pubkey-data)#cvnDvAlQzBSJFhsabcV1E3IVagNHyz/HrH/4fZBAKXuJabcgYi2n
Ciscozine(conf-ssh-pubkey-data)#exit
Ciscozine(conf-ssh-pubkey-user)#exit
Ciscozine(conf-ssh-pubkey)#exit
Ciscozine(config)#exit
Ciscozine#
As you can see below, the IOS saves only the hash of the public key:
ip ssh pubkey-chain
 username ciscozine
  key-hash ssh-rsa A16A82DBBF8B795CC4A807912F114168
 quit
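The following script is an added example, not part of the Ciscozine post and not Cisco code. It decodes an OpenSSH `ssh-rsa` public-key line, derives the 32-hex-digit key-hash that IOS keeps in the running configuration (assumed here to be the MD5 of the decoded key blob, the same length as the value shown above; check it against your own router's output), prints both the commands you type and the stored form, and performs the server-side hash lookup described earlier in the post. A key that is not a well-formed `ssh-rsa` key is reported with the same text as the IOS warning. The key in the script is a constructed toy value (a product of two Mersenne primes), not a usable RSA key; the 72-character line width is a presentation choice of this example, not an IOS limit.

```python
import base64
import binascii
import hashlib
import struct

IOS_DECODE_WARNING = "%SSH: Failed to decode the Key Value"


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer (leading 0x00 when the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def make_openssh_rsa_pubkey(e: int, n: int, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-rsa <base64> [comment]' line from (e, n); used only to build test input."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def _read_string(buf: bytes, offset: int):
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if offset + length > len(buf):
        raise ValueError("string runs past end of key blob")
    return buf[offset:offset + length], offset + length


def parse_openssh_rsa_pubkey(line: str) -> dict:
    """Decode an OpenSSH public-key line into its raw blob and (e, n).
    Raises ValueError for anything that is not a well-formed ssh-rsa key,
    which is the situation in which IOS prints its 'Failed to decode' warning."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"key data is not valid base64: {exc}") from exc
    name, off = _read_string(blob, 0)
    if key_type != "ssh-rsa" or name != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {key_type!r} / {name!r}")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return {"blob": blob, "e": int.from_bytes(e_bytes, "big"), "n": int.from_bytes(n_bytes, "big")}


def ios_key_hash(blob: bytes) -> str:
    """Assumption of this example: the stored key-hash is MD5 over the decoded key blob, upper-case hex."""
    return hashlib.md5(blob).hexdigest().upper()


def check_key_line(line: str) -> str:
    """Return 'ok', or the IOS-style warning text for a key line that would not decode."""
    try:
        parse_openssh_rsa_pubkey(line)
    except ValueError:
        return IOS_DECODE_WARNING
    return "ok"


def ios_key_string_commands(username: str, line: str, width: int = 72) -> str:
    """Configuration-mode commands to type; the key-string is split into lines only for readability."""
    parse_openssh_rsa_pubkey(line)  # refuse to emit configuration for a key IOS would reject
    b64 = line.split()[1]
    out = ["ip ssh pubkey-chain", f" username {username}", "  key-string"]
    out += ["   " + b64[i:i + width] for i in range(0, len(b64), width)]
    out += ["  exit", " exit", "exit"]
    return "\n".join(out)


def ios_running_config(username: str, line: str) -> str:
    """What IOS keeps in the running configuration: only the hash, never the key itself."""
    info = parse_openssh_rsa_pubkey(line)
    return "\n".join(["ip ssh pubkey-chain", f" username {username}",
                      f"  key-hash ssh-rsa {ios_key_hash(info['blob'])}", " quit"])


def lookup_user(pubkey_chain: dict, line: str):
    """Server-side step from the post: hash the offered public key and look for a matching entry.
    pubkey_chain maps key-hash -> username. Returns the username, or None when no entry matches
    (in the real protocol the signature verification that follows would then never run)."""
    info = parse_openssh_rsa_pubkey(line)
    return pubkey_chain.get(ios_key_hash(info["blob"]))


# Constructed toy key: well-formed ssh-rsa input, NOT a usable RSA key.
TOY_E = 65537
TOY_N = (2 ** 61 - 1) * (2 ** 89 - 1)
TOY_KEY_LINE = make_openssh_rsa_pubkey(TOY_E, TOY_N, "ciscozine@example")
# A well-formed blob of a different key type: IOS would answer with the decode warning.
NON_STANDARD_KEY_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x00" * 32)).decode("ascii")

if __name__ == "__main__":
    print(ios_key_string_commands("ciscozine", TOY_KEY_LINE))
    print(ios_running_config("ciscozine", TOY_KEY_LINE))
    print(check_key_line(NON_STANDARD_KEY_LINE))
```

Run it with your own `id_rsa.pub` line in place of `TOY_KEY_LINE` and compare the printed `key-hash` with the one your router stores after you paste the key; a mismatch means either the key was altered while pasting or the hash assumption above does not hold for your IOS release.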
After that, you can log into your router without typing the password.
Below is the video that explains how to perform SSH RSA User Authentication:
Remember:
If you paste a non-standard public key, you will see this warning message:
%SSH: Failed to decode the Key Value