How to log into a Cisco router without using a password is a question as old as time or at least it is something I thought might make a neat topic!
In the Linux world it is possible to SSH to a trusted server by using public key authentication rather than by using the standard username/password and as it happens Cisco IOS devices also allow this neat trick.
First lets look at how to get prep a Linux host to connect to a router. I’ll be using Centos 7 for this but the steps are pretty much the same across the board.
Log onto the Linux box using the username you want to connect to the router with and run the ssh-keygen command, I included some extra switches to force it to be a 2048 bit key but that is default on Centos 7 anyway.
[the-packet-thrower@centos7-1 ~]$ ssh-keygen -t rsa -b 2048 Generating public/private rsa key pair. Enter file in which to save the key (/home/the-packet-thrower/.ssh/id_rsa): Created directory '/home/the-packet-thrower/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/the-packet-thrower/.ssh/id_rsa. Your public key has been saved in /home/the-packet-thrower/.ssh/id_rsa.pub. The key fingerprint is: 54:64:5e:f8:ab:26:ef:be:7f:3c:ba:49:df:51:f6:8b email@example.com The key's randomart image is: +--[ RSA 2048]----+ | .+.. | | +.. | | . .. | | . . | | S . o| | . .o| | ... ..| | . o. o=.o| | *=o=E.o.| +-----------------+
Now if look under the user’s .ssh folder in their home directory there should be some rsa files if there wasn’t any before.
[the-packet-thrower@centos7-1 ~]$ ls .ssh/ id_rsa id_rsa.pub
Have a look at the id_rsa.pub file, we will need to add this to the Cisco router in a little bit so keep it handy.
[the-packet-thrower@centos7-1 ~]$ cat .ssh/id_rsa.pub ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD12ova0R9sMotadxOtlaguKnNozhNTABX8lXRtwfDufmZt3HZk5Zk3K8BFSg6H3dcW/L3qShfTMge7KgiBxWiMh/E9JdGPAp7H6rzX4bFbZ9ESnWGafcRZM3ENDiZC5SAzyc/9rfpK7zupp//cSIS9H6HX4z47xcvCZeVQqLOBnRLwtexuVvl+GpEw5e1JDVNeroA/z6S8/ujsv2wgHq4S+u8KEcZe2QV+2bG1eimSzOLgi9wjQClfOmI+JpkOY+xUMj9ZbCTtYJ3/1KOMHRK5lfKajK6ulJZYlxN+qbOFHy3PUUeTHfTUfhUFED8nEiz6mJGaxsFE0ySn021ahPoh firstname.lastname@example.org
On the Cisco router we want to create a user and make sure the router has SSH enabled so I’m going to regenerate its keys while I’m at it.
Cisco-R01(config)#ip ssh version 2 Cisco-R01(config)#crypto key generate rsa modulus 2048
% You already have RSA keys defined named Cisco-R01.prodnet.ca. % They will be replaced.
% The key modulus size is 2048 bits % Generating 2048 bit RSA keys, keys will be non-exportable... [OK] (elapsed time was 0 seconds)
This will actually work without adding the username to the router but you may with to do so in case something goes wrong.
Cisco-R01(config)#username the-packet-thrower secret 5 $1$oUIV$p3rmC/HYhQVKx1I7LSuC87
In the Linux world normally you would run the ssh-copy-id command to automatically copy your id_rsa.pub to the remote system’s .ssh/authorized_keys file but…IOS doesn’t work exactly the same way.
Instead you type ip ssh pubkey-chain to enter the public key info for our Linux host, specify the username your connecting as and finally paste the contents of the id_rsa.pub file. The catch is that IOS has a character input limit of 256 characters so you’ll need to paste the key a few pieces at a time (it can be multiple lines)
Cisco-R01(config)#ip ssh pubkey-chain Cisco-R01(conf-ssh-pubkey)#username the-packet-thrower Cisco-R01(conf-ssh-pubkey-user)#key-string Cisco-R01(conf-ssh-pubkey-data)#$2EAAAADAQABAAABAQD12ova0R9sMotadxOtlaguKnNozhNTABX8lXRtwfDufmZt3HZk5Zk3K8BFSg6H3dcW/L3qShfTMge7KgiBxWiMh/E9JdGPAp7H6rzX4bFbZ9ESnWGafcRZM3ENDiZC5SAzyc/9rfpK7zupp/ Cisco-R01(conf-ssh-pubkey-data)#$u8KEcZe2QV+2bG1eimSzOLgi9wjQClfOmI+JpkOY+xUMj9ZbCTtYJ3/1KOMHRK5lfKajK6ulJZYlxN+qbOFHy3PUUeTHfTUfhUFED8nEiz6mJGaxsFE0ySn021ahPoh email@example.com Cisco-R01(conf-ssh-pubkey-data)#exit Cisco-R01(conf-ssh-pubkey-user)#exit Cisco-R01(conf-ssh-pubkey)#exit Cisco-R01(config)#
Now you should be able to connect directly to the Cisco device from the Linux host!
One caveat is that if the SSH fails and you get a log message on your router that looks like this:
*Jan 18 04:28:08.167: %SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with maximum configured DH key on server
Then your Linux host is having problems negotiating with the router to see what DH group to use since the Linux currently supports higher encryption at the moment.
You can use specify the host uses a lower DH with the -o switch.
[the-packet-thrower@centos7-1 ~]$ ssh -o KexAlgorithms=diffie-hellman-group1-sha1 10.10.2.141 Cisco-R01>
Last but not least we also use our favorite SSH client on Windows to do the same thing and my favorite SSH client happens to be SecureCRT.
If you open SecureCRT and go Tools -> Create Public Key and run through the wizard it will create a public key for you to use. From there you simply add the key to ip ssh pubkey-chain and connect like above.
One thought on “Who needs a password anyway? – SSH Public Key authentication”
Can this be done with TACACs accounts?