Mar 27, 2012

How to perform SSH RSA User Authentication

Cisco IOS SSH Version 2 (SSHv2) supports keyboard-interactive and password-based authentication methods. The SSHv2 Enhancements for RSA Keys feature also supports RSA-based public key authentication for the client and the server.

RSA-based user authentication uses a private/public key pair associated with each user. The user must generate the key pair on the client and configure the public key on the Cisco IOS SSH server to complete the authentication.

An SSH user trying to establish credentials provides a signature produced with the private key. The signature and the user’s public key are sent to the SSH server for authentication. The SSH server computes a hash over the public key provided by the user and uses that hash to determine whether it has a matching entry. If a match is found, an RSA-based message verification is performed using the public key, and the user is authenticated or denied access based on whether the signature verifies.

What do we need?

  • An SSH client that supports RSA authentication (SecureCRT, PuTTY, …)
  • A private/public key pair for each user
  • An IOS release that supports this feature (in this example, I use IOS version 15)

How to configure the router?
Only a few steps are required to implement the SSH RSA user authentication feature. For instance, to associate the “ciscozine” username with my public key:

Ciscozine(config)#ip ssh pubkey-chain
Ciscozine(conf-ssh-pubkey)#username ciscozine
Ciscozine(conf-ssh-pubkey-user)#key-string
Ciscozine(conf-ssh-pubkey-data)#$yc2EAAAADAQABAQQQAQC8IV2QIeshErol+zzo4Uh7pvL9vwXXAi1R
Ciscozine(conf-ssh-pubkey-data)#$SrM71X600nAY9TJI6lv0qbRoc3Kw9Utxzc3LR5ZtpRS333zhF7aNX
Ciscozine(conf-ssh-pubkey-data)#$mKvo9k3+5gdVsoy8NXTny5+Q1I2q0xvA666lZNMvujgWynBgBe+gc
Ciscozine(conf-ssh-pubkey-data)#$BVgCu3/Jm2TjeLY+5/9L1T54lfVPKxijAHtZPnV3ToIVZTn7LWgHA
Ciscozine(conf-ssh-pubkey-data)#$qY5RXcIbfxxxdgEjC6iU5mVXN3NcZkigVdadoZGJIo0lVRIcGLLyC
Ciscozine(conf-ssh-pubkey-data)#cvnDvAlQzBSJFhsabcV1E3IVagNHyz/HrH/4fZBAKXuJabcgYi2n
Ciscozine(conf-ssh-pubkey-data)#exit
Ciscozine(conf-ssh-pubkey-user)#exit
Ciscozine(conf-ssh-pubkey)#exit
Ciscozine(config)#exit
Ciscozine#

As you see below, the IOS will save only the public key hash:

ip ssh pubkey-chain
  username ciscozine
   key-hash ssh-rsa A16A82DBBF8B795CC4A807912F114168
  quit

After that, you can log into your router without typing the password.
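As an added example (not code from the original post or from Cisco), the following Python sketch walks through the lookup step described above: it builds an OpenSSH `ssh-rsa` key line of the kind pasted into `key-string`, decodes the key blob the way the server must, and derives the `key-hash` value the router keeps. It assumes that the stored key-hash is the MD5 digest of the base64-decoded key blob (the fingerprint `ssh-keygen -l -E md5` prints, without colons); the RSA public values used in the demo are constructed and not a real key.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string (RFC 4251): 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint for a positive integer: minimal big-endian bytes,
    with a leading 0x00 when the top bit is set, wrapped as a string."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_rsa_pubkey_line(e: int, n: int, comment: str = "") -> str:
    """Build the OpenSSH 'ssh-rsa <base64> [comment]' line a client would paste
    into key-string. Blob layout (RFC 4253 6.6): string "ssh-rsa", mpint e, mpint n."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")

def decode_key_value(pubkey_line: str) -> bytes:
    """Return the raw key blob, or raise ValueError for a key that is not a well-formed
    ssh-rsa key (the case IOS reports as '%SSH: Failed to decode the Key Value')."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("Failed to decode the Key Value: not an ssh-rsa line")
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    if len(blob) < 11 or blob[:11] != ssh_string(b"ssh-rsa"):
        raise ValueError("Failed to decode the Key Value: blob type is not ssh-rsa")
    return blob

def ios_key_hash(pubkey_line: str) -> str:
    """The value IOS stores as 'key-hash ssh-rsa <hex>'. Assumption: it is the MD5
    digest of the decoded blob, i.e. the ssh-keygen -l -E md5 fingerprint without colons."""
    return hashlib.md5(decode_key_value(pubkey_line)).hexdigest().upper()

def matches_pubkey_chain(pubkey_line: str, configured_hash: str) -> bool:
    """Lookup step from the text: hash the key the client presented and check for a
    matching pubkey-chain entry. Only on a match does the server verify the signature."""
    try:
        return hmac.compare_digest(ios_key_hash(pubkey_line), configured_hash.upper())
    except ValueError:
        return False  # undecodable key: no entry can match

if __name__ == "__main__":
    # Constructed RSA public values for demonstration, not a real key pair.
    line = build_rsa_pubkey_line(65537, int.from_bytes(b"\xc3" * 128, "big"), "lab")
    print(ios_key_hash(line), matches_pubkey_chain(line, ios_key_hash(line)))
```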

The video below explains how to perform SSH RSA user authentication:

Remember:
If you copy a “non-standard” public key, you will see this warning message:

%SSH: Failed to decode the Key Value

Reference:

  • Alex

    Thanks! Our ISR 2921 was just version 15.0 so now it’s very very convenient to access the Cisco fast

  • Guest

    Is there any way to get this to work with radius authentication?
