How to perform SSH RSA User Authentication

Cisco IOS SSH Version 2 (SSHv2) supports keyboard-interactive and password-based authentication methods. The SSHv2 Enhancements for RSA Keys feature also supports RSA-based public key authentication for the client and the server.

RSA-based user authentication uses a private/public key pair associated with each user. The user generates the key pair on the client and the public key is configured on the Cisco IOS SSH server; the private key never leaves the client.

An SSH user trying to authenticate signs the session data with the private key. The signature and the user’s public key are sent to the SSH server. The server computes a hash over the public key it received and uses that hash to look for a matching entry in its configuration (IOS stores only this hash, not the key itself). If a match is found, the server verifies the signature with that public key, and the user is granted or denied access depending on whether the verification succeeds. Because anyone holding the private key can log in, keep it protected with a passphrase on the client.

What do we need?

  • An SSH client that supports RSA public key authentication (SecureCRT, PuTTY, OpenSSH, …)
  • A private/public key pair for each user
  • An IOS release that supports this feature (in this example, I use IOS version 15)

How to configure the router?
1. Generate a private/public key pair on the client; for instance:

  • SecureCRT: go to “Tools” -> “Create Public Key”
  • PuTTY: use the PuTTYgen tool, then copy the key shown in the “Public key for pasting into OpenSSH authorized_keys file” box
  • OpenSSH: run “ssh-keygen -t rsa”; the public key is written to id_rsa.pub

2. Copy the public key to the Cisco IOS SSH server.

For instance, to associate the “ciscozine” username with the public key:

Ciscozine(config)#ip ssh pubkey-chain
Ciscozine(conf-ssh-pubkey)#username ciscozine
Ciscozine(conf-ssh-pubkey-user)#key-string
Ciscozine(conf-ssh-pubkey-data)#$yc2EAAAADAQABAQQQAQC8IV2QIeshErol+zzo4Uh7pvL9vwXXAi1R
Ciscozine(conf-ssh-pubkey-data)#$SrM71X600nAY9TJI6lv0qbRoc3Kw9Utxzc3LR5ZtpRS333zhF7aNX
Ciscozine(conf-ssh-pubkey-data)#$mKvo9k3+5gdVsoy8NXTny5+Q1I2q0xvA666lZNMvujgWynBgBe+gc
Ciscozine(conf-ssh-pubkey-data)#$BVgCu3/Jm2TjeLY+5/9L1T54lfVPKxijAHtZPnV3ToIVZTn7LWgHA
Ciscozine(conf-ssh-pubkey-data)#$qY5RXcIbfxxxdgEjC6iU5mVXN3NcZkigVdadoZGJIo0lVRIcGLLyC
Ciscozine(conf-ssh-pubkey-data)#cvnDvAlQzBSJFhsabcV1E3IVagNHyz/HrH/4fZBAKXuJabcgYi2n
Ciscozine(conf-ssh-pubkey-data)#exit
Ciscozine(conf-ssh-pubkey-user)#exit
Ciscozine(conf-ssh-pubkey)#exit
Ciscozine(config)#exit
Ciscozine#

Note: After typing the “key-string” command, paste the entire public key that you generated before; it can be split across several lines, as shown above, and IOS joins them.

As you can see below, IOS saves only a hash of the public key, not the key itself. The 32 hex digits are a fingerprint of the key, so the key cannot be recovered from the configuration; the client presents the full public key at every login and IOS compares its hash with this entry:

ip ssh pubkey-chain
  username ciscozine
   key-hash ssh-rsa A16A82DBBF8B795CC4A807912F114168
  quit
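As an added example (not part of the original article and not Cisco’s code), the following Python script takes the one-line OpenSSH form of the public key (what id_rsa.pub contains and what PuTTYgen shows in its window), checks that it decodes as a well-formed ssh-rsa key, splits the base64 body into key-string lines ready to paste into the router, and predicts the key-hash value that will appear in the running configuration. Two assumptions that the article does not state: the key-hash is the MD5 digest of the decoded key blob (32 hex digits is the size of an MD5 digest, and it is the same value that “ssh-keygen -E md5 -lf id_rsa.pub” prints, without the colons), and the sample key embedded in the script is constructed with a toy modulus, so it is not usable for a real login. The line width and the “ciscozine@client” comment are arbitrary choices.

```python
"""Prepare an OpenSSH RSA public key for a Cisco IOS 'ip ssh pubkey-chain' entry.

Added example, not from the article. Assumption: the key-hash IOS stores is the
MD5 digest of the decoded key blob (what 'ssh-keygen -E md5 -lf' fingerprints).
The sample key below uses a constructed toy modulus; it is not a real key.
"""
import base64
import hashlib
import struct

LINE_WIDTH = 72  # width of each key-string line pasted into IOS (arbitrary)


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode an SSH 'mpint': minimal big-endian bytes, 0x00 prefix if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_openssh_rsa_line(e: int, n: int, comment: str = "user@client") -> str:
    """Build an 'ssh-rsa <base64 blob> <comment>' line as found in id_rsa.pub."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def _read_string(blob: bytes, offset: int):
    """Decode one SSH 'string' at offset; return (bytes, offset after it)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_openssh_rsa(line: str) -> dict:
    """Decode an OpenSSH public key line into blob, exponent, modulus and comment.

    Raises ValueError for anything that is not a well-formed 'ssh-rsa' line (a PEM
    or '---- BEGIN SSH2 PUBLIC KEY ----' file, another key type, a key copied
    incompletely): the inputs IOS rejects with '%SSH: Failed to decode the Key Value'.
    """
    fields = line.strip().split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected a line starting with 'ssh-rsa' and a base64 body")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key body is not valid base64") from exc
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type %r is not ssh-rsa" % key_type)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing data after the modulus")
    return {
        "blob": blob,
        "e": int.from_bytes(e_bytes, "big"),
        "n": int.from_bytes(n_bytes, "big"),
        "comment": " ".join(fields[2:]),
    }


def ios_would_decode(line: str) -> bool:
    """True if the key passes the checks above, False if IOS would report a decode error."""
    try:
        parse_openssh_rsa(line)
        return True
    except ValueError:
        return False


def ios_key_hash(blob: bytes) -> str:
    """Predicted 'key-hash ssh-rsa ...' value: MD5 of the raw blob, upper-case hex (assumption)."""
    return hashlib.md5(blob).hexdigest().upper()


def ios_pubkey_chain_config(username: str, line: str) -> str:
    """CLI to paste: pubkey-chain, username, key-string with the base64 body split into lines."""
    key = parse_openssh_rsa(line)
    body = base64.b64encode(key["blob"]).decode("ascii")  # type word and comment dropped
    chunks = [body[i:i + LINE_WIDTH] for i in range(0, len(body), LINE_WIDTH)]
    cli = ["ip ssh pubkey-chain", " username " + username, "  key-string"]
    cli += ["   " + chunk for chunk in chunks]
    cli += ["   exit", "  exit", " exit"]
    return "\n".join(cli)


# Constructed sample: e = 65537 and a 480-bit repeating pattern as 'modulus'. Not a real key.
SAMPLE_E = 65537
SAMPLE_N = int("C0FFEE" * 20, 16) | 1
SAMPLE_LINE = build_openssh_rsa_line(SAMPLE_E, SAMPLE_N, "ciscozine@client")

if __name__ == "__main__":
    print(ios_pubkey_chain_config("ciscozine", SAMPLE_LINE))
    blob = parse_openssh_rsa(SAMPLE_LINE)["blob"]
    print("expected in running-config:  key-hash ssh-rsa " + ios_key_hash(blob))
```

Replace SAMPLE_LINE with the contents of your own id_rsa.pub, paste the printed CLI into the router, and compare the key-hash line in “show running-config” with the predicted value. If the script’s parser rejects the file, IOS rejects it too, with the “%SSH: Failed to decode the Key Value” message.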

Now you can log into the router as “ciscozine” without typing a password: the client signs with the private key instead (make sure the client is configured to use that key).

Below is the video that explains how to perform SSH RSA User Authentication:

Remember:
If you paste a public key in a non-standard format (for example a key saved in PuTTY’s own “---- BEGIN SSH2 PUBLIC KEY ----” file format instead of the one-line OpenSSH form, or a key copied incompletely), you will see this error message:

%SSH: Failed to decode the Key Value


2 COMMENTS

  1. Thanks! Our ISR 2921 was just version 15.0 so now it’s very very convenient to access the Cisco fast
