How to perform SSH RSA User Authentication

Cisco IOS SSH Version 2 (SSHv2) supports keyboard-interactive and password-based authentication methods. The SSHv2 Enhancements for RSA Keys feature also supports RSA-based public key authentication for the client and the server.

RSA-based user authentication uses a private/public key pair associated with each user. The user generates the key pair on the client and the administrator configures the matching public key on the Cisco IOS SSH server; the private key never leaves the client.

An SSH user trying to establish credentials signs the session data with the private key and sends the signature together with the public key to the SSH server. The server computes a hash over the supplied public key and uses it to look for a matching entry in its configuration. If a match is found, the server verifies the RSA signature with that public key, and the user is authenticated or denied based on whether the signature checks out. Note that a signature is not "encrypted" data: it proves possession of the private key without revealing it.

What do we need?

  • An SSH client that supports RSA public key authentication (SecureCRT, PuTTY, OpenSSH, …)
  • A private/public key pair for each user
  • An IOS release that supports this feature (in this example, I use IOS version 15)

How to configure the router?
1. Generate a private/public key pair on the client; for instance:

  • SecureCRT: go to “Tools” -> “Create Public Key”
  • PuTTY: use the “puttygen” software

2. Copy the public key to the Cisco IOS SSH server.

For instance, to associate the “ciscozine” username with the public key:

Ciscozine(config)#ip ssh pubkey-chain
Ciscozine(conf-ssh-pubkey)#username ciscozine
Ciscozine(conf-ssh-pubkey-user)#key-string
Ciscozine(conf-ssh-pubkey-data)#<paste the public key here>
Ciscozine(conf-ssh-pubkey-data)#exit

Note: After typing the “key-string” command, paste the entire public key that you generated before, in the single-line OpenSSH form (“ssh-rsa AAAA…”), then type “exit”.

As you see below, the IOS does not store the key itself but only a 32-hex-digit hash of it, which is what it compares against the hash of the key the client presents:

ip ssh pubkey-chain
  username ciscozine
   key-hash ssh-rsa A16A82DBBF8B795CC4A807912F114168

Now you can log into your router without typing the password! The private key has become the credential, so protect it with a passphrase on the client and remove the user's entry from the pubkey-chain when the key is retired.

Below is the video that explains how to perform SSH RSA User Authentication:

If you paste a non-standard public key (for example a multi-line key block instead of the single-line “ssh-rsa AAAA…” form, or a key whose base64 data is corrupted), the IOS refuses it and shows this warning message:

%SSH: Failed to decode the Key Value
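As an added example (not Cisco code and not part of the original article), the following Python script shows what the router does with the key you paste: it decodes a single-line “ssh-rsa” public key, checks that the wire format is well-formed, and computes a hash of the decoded key blob so you can compare it with the key-hash line that appears in the running-config. It is assumed here that the 32-hex-digit value IOS stores is the MD5 digest of the decoded key blob (the same fingerprint ssh-keygen prints with -l -E md5); verify that against your own router before relying on it. The script also rejects the kinds of input that trigger the “Failed to decode the Key Value” warning. The sample key is constructed with a placeholder modulus and is not a real RSA key.

```python
"""Decode an OpenSSH "ssh-rsa" public key line and compute the fingerprint that
a Cisco IOS router is assumed to store as "key-hash ssh-rsa <32 hex digits>".

Added example, not Cisco code. Standard library only."""

import base64
import hashlib
import struct


def _read_string(blob: bytes, pos: int):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes) at pos."""
    if pos + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated string body")
    return blob[pos:pos + length], pos + length


def _mpint(value: int) -> bytes:
    """Encode a positive integer as an RFC 4251 mpint (length-prefixed,
    with a leading 0x00 byte when the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def build_ssh_rsa_line(e: int, n: int, comment: str = "") -> str:
    """Build the single-line 'ssh-rsa <base64> [comment]' form that ssh-keygen,
    PuTTYgen (OpenSSH export) or SecureCRT produce."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_ssh_rsa_line(line: str) -> dict:
    """Decode an OpenSSH ssh-rsa line. Raises ValueError for input the router
    would not decode: wrong key type, bad base64, malformed wire format, or a
    multi-line key block pasted instead of the single-line form."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not a single-line 'ssh-rsa <base64> [comment]' key")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"key data is not valid base64: {exc}") from None
    keytype, pos = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError(f"blob type {keytype!r} is not 'ssh-rsa'")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after the modulus")
    n = int.from_bytes(n_bytes, "big")
    return {
        "e": int.from_bytes(e_bytes, "big"),
        "n": n,
        "bits": n.bit_length(),
        # Assumption: IOS key-hash == MD5 over the decoded blob, upper-case hex.
        "md5_fingerprint": hashlib.md5(blob).hexdigest().upper(),
        "comment": " ".join(parts[2:]),
    }


def is_decodable(line: str) -> bool:
    """True if the key would be accepted, False if it would be refused."""
    try:
        parse_ssh_rsa_line(line)
        return True
    except ValueError:
        return False


def matches_ios_key_hash(line: str, key_hash: str) -> bool:
    """Compare a client public key with a 'key-hash ssh-rsa ...' value
    copied from the router's running-config."""
    return parse_ssh_rsa_line(line)["md5_fingerprint"] == key_hash.strip().upper()


# Constructed sample: e = 65537 and a fixed 1024-bit placeholder modulus.
# This is NOT a real RSA key; only the encoding matters for the demonstration.
SAMPLE_E = 65537
SAMPLE_N = (1 << 1023) + 0xC15C01
SAMPLE_LINE = build_ssh_rsa_line(SAMPLE_E, SAMPLE_N, "ciscozine@client")

# The same key wrapped in the multi-line block some clients show by default;
# pasting this into key-string is one way to get the decode warning.
MULTILINE_BLOCK = ("---- BEGIN SSH2 PUBLIC KEY ----\n" + SAMPLE_LINE.split()[1]
                   + "\n---- END SSH2 PUBLIC KEY ----\n")

# A line that says ssh-rsa but carries an ssh-dss blob: type mismatch.
WRONG_TYPE_LINE = "ssh-rsa " + base64.b64encode(b"\x00\x00\x00\x07ssh-dss").decode()

if __name__ == "__main__":
    info = parse_ssh_rsa_line(SAMPLE_LINE)
    print(f"{info['bits']}-bit key, e={info['e']}, comment={info['comment']!r}")
    print("expected IOS line:  key-hash ssh-rsa", info["md5_fingerprint"])
    print("multi-line block accepted?", is_decodable(MULTILINE_BLOCK))
    print("wrong key type accepted?", is_decodable(WRONG_TYPE_LINE))
```

Run it against the key file your client produced (replace SAMPLE_LINE with the contents of id_rsa.pub or the OpenSSH-format line PuTTYgen shows in its “Public key for pasting” box) and compare the printed fingerprint with the key-hash the router stored; a mismatch means the wrong key, or a mangled paste, ended up in the pubkey-chain.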