If you have been around Cisco devices for a while you probably know how to enable them for SSH access and log in using a username/password. Yesterday however I ran into a situation while deploying Ansible where I needed to enable logging in to the router using an RSA key instead of a password and had to try a few things to get it to work.
Why would you want to use RSA based user authentication for SSH instead of a password based authentication?
1- RSA keys are much more secure than passwords. Passwords (even when they are stronger than your dog’s name) are susceptible to brute-force and guessing attacks and can be compromised.
2- Using an RSA key is easier, as you don’t have to enter or remember your password every time.
3- You might need to use RSA authentication if you are using management or automation tools (such as Ansible) to manage the devices via SSH.
Here is what you need to do to enable SSH RSA authentication on a Cisco router:
Step 1: Enable the router for SSH server by entering the following commands:
ip domain name example.com
!generate the RSA key for SSH (the router needs a hostname and domain name first)
crypto key generate rsa
!"password 0" stores the password in cleartext in the config; "username bob secret ..." stores a hash instead
username bob password 0 smith
line vty 0 98
 !authenticate vty logins against the local username database
 login local
At this point you should be able to SSH to the router using the username/password defined in the configs above. Fix any issues you may have before you move on to the next step. A good debug command to use for troubleshooting is: debug ip ssh
Step 2: Enable Public/RSA Key Authentication
First make sure that you generate a public/private key pair on the machine you are trying to SSH from if you don’t already have one. SecureCRT and PuTTY for Windows have a built-in tool to generate the key pair. If you are on a Mac or a Linux/Unix machine, you can use the command ssh-keygen to generate the key pair.
Next enter the following commands on the router, using the same username you created in Step 1:
R_Ent(config)#ip ssh pubkey-chain
R_Ent(conf-ssh-pubkey)#username bob
R_Ent(conf-ssh-pubkey-user)#key-string
R_Ent(conf-ssh-pubkey-data)#!ENTER YOUR PUBLIC KEY HERE (paste the base64 key text; a long key can be pasted over several lines)
R_Ent(conf-ssh-pubkey-data)#exit
R_Ent(conf-ssh-pubkey-user)#exit
At this point you should be able to SSH to the router without entering a password:
MacBook-Pro$ ssh [email protected] -i MyPrivateKey
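Pasting a long base64 blob into key-string by hand is where most of the mistakes happen, so here is an added Python helper (not from the original post) that checks an OpenSSH ssh-rsa public key, refuses moduli shorter than 2048 bits, renders the pubkey-chain stanza in chunked lines, and prints the MD5 of the key blob, which is the value IOS keeps as key-hash ssh-rsa in the running-config (and what ssh-keygen -l -E md5 reports). The 72-character chunk width, the base64-only key-string form and the constructed sample key are assumptions.

```python
import base64
import hashlib
import struct
import textwrap

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _mpint(x):
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def parse_ssh_rsa(pubkey_line):
    """Parse an OpenSSH 'ssh-rsa AAAA... comment' line; return (raw blob, modulus bits)."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an OpenSSH ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    fields, off = [], 0
    for _ in range(3):  # wire format: string "ssh-rsa", mpint e, mpint n
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if fields[0] != b"ssh-rsa" or off != len(blob):
        raise ValueError("malformed ssh-rsa key blob")
    return blob, int.from_bytes(fields[2], "big").bit_length()

def ios_pubkey_chain(pubkey_line, username, min_bits=2048, width=72):
    """Render the IOS 'ip ssh pubkey-chain' stanza that installs this key for username."""
    blob, bits = parse_ssh_rsa(pubkey_line)
    if bits < min_bits:  # refuse weak keys before they reach the router
        raise ValueError(f"RSA modulus is {bits} bits, need >= {min_bits}")
    b64 = base64.b64encode(blob).decode()
    lines = ["ip ssh pubkey-chain", f" username {username}", "  key-string"]
    lines += ["   " + piece for piece in textwrap.wrap(b64, width)]  # assumed chunk width
    lines += ["  exit", " exit"]
    return "\n".join(lines)

def ios_key_hash(pubkey_line):
    """MD5 of the key blob: compare with 'key-hash ssh-rsa ...' in show running-config."""
    blob, _ = parse_ssh_rsa(pubkey_line)
    return hashlib.md5(blob).hexdigest().upper()

def make_sample_key(bits=2048, comment="bob@laptop"):
    """CONSTRUCTED sample: not a real key pair, just a well-formed ssh-rsa blob."""
    n = (1 << (bits - 1)) | 0x10001  # placeholder modulus of the requested size
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```

Feed ios_pubkey_chain() the contents of your real id_rsa.pub instead of make_sample_key(), paste the output into config mode, then check that the key-hash shown by show running-config matches ios_key_hash().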
If you need to allow only SSH and disable telnet and other types of access on the router, you can do so by entering:
line vty 0 98
transport input ssh