If you have been around Cisco devices for a while you probably know how to enable them for SSH access and log in using a username/password. Yesterday however I ran into a situation while deploying Ansible where I needed to enable logging in to the router using an RSA key instead of a password and had to try a few things to get it to work.

Why would you want to use RSA based user authentication for SSH instead of a password based authentication?

1- RSA keys are much more secure than passwords. Passwords (even when they are stronger than your dog’s name) are susceptible to brute-force attacks and can be compromised.

2- Using an RSA key is easier, as you don’t have to enter or remember your password every time.

3- You might need to use RSA authentication if you are using management or automation tools (such as Ansible) to manage the devices via SSH.

Here is what you need to do to enable SSH RSA authentication on a Cisco router:

Step 1: Enable the SSH server on the router by entering the following commands:

ip domain name example.com
!
!generate the RSA key for SSH
crypto key generate rsa
!
username bob password 0 smith
!
line vty 0 98
 login local

At this point you should be able to SSH to the router using the username/password defined in the configuration above. Fix any issues you may have before you move on to the next step. A good debug command to use for troubleshooting is: debug ip ssh


Step 2: Enable Public/RSA Key Authentication

First make sure that you generate a public/private key pair on the machine you are trying to SSH from, if you don’t already have one. SecureCRT and PuTTY for Windows have a built-in program to generate the key pair. If you are on a Mac or a Linux/Unix machine, you can use the command ssh-keygen to generate the key pair.

Next enter the following commands on the router:

R_Ent(config)#ip ssh pubkey-chain
R_Ent(conf-ssh-pubkey)#username bob
R_Ent(conf-ssh-pubkey-user)#key-string
R_Ent(conf-ssh-pubkey-data)#!ENTER YOUR PUBLIC KEY HERE
R_Ent(conf-ssh-pubkey-data)#exit
R_Ent(conf-ssh-pubkey-user)#end

At this point you should be able to SSH to the router without entering a password:

MacBook-Pro$ ssh [email protected] -i MyPrivateKey
R_Ent#
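To take the guesswork out of the key-string paste, here is a small POSIX shell helper (an added example, not part of the original post or of any Cisco tooling) that turns the single-line OpenSSH public key produced by ssh-keygen into the pubkey-chain stanza of Step 2, splitting the base64 body into short lines and refusing anything that is not an ssh-rsa key. The sample key it carries is constructed and is not a real key, the 72-column line width is a chosen value, and the verify_key_login helper and the 192.0.2.1 address in its comment are illustrative. verify_key_login forces key-only authentication on the client side, so a silent fall-back to the password cannot hide a broken key setup, which is exactly the failure an automation tool such as Ansible would later trip over.

```shell
#!/bin/sh
# Added example, not from the original post: build the IOS "ip ssh pubkey-chain"
# stanza from Step 2 out of an OpenSSH public key, splitting the base64 body
# into short lines the way it has to be pasted into key-string mode.

# Constructed sample key: the base64 body is NOT a real key, it is only long
# enough to show the line splitting. Replace it with the contents of
# ~/.ssh/id_rsa.pub (the output of ssh-keygen) on a real run.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/ user@laptop'

# Width of each key-string line; a chosen value, kept short so the paste is
# never truncated by the CLI line length.
CHUNK_WIDTH=72

# ios_pubkey_stanza USER "PUBKEY_LINE"
# Prints the configuration block to paste into the router (config mode),
# walking back out of the three sub-modes with "exit" at the end.
# Fails if the key is not an ssh-rsa key, since that is what this procedure covers.
ios_pubkey_stanza() {
    user=$1
    keytype=$(printf '%s\n' "$2" | awk '{print $1}')
    keybody=$(printf '%s\n' "$2" | awk '{print $2}')
    if [ "$keytype" != "ssh-rsa" ]; then
        echo "expected an ssh-rsa public key, got: $keytype" >&2
        return 1
    fi
    if [ -z "$keybody" ]; then
        echo "public key line has no base64 body" >&2
        return 1
    fi
    printf 'ip ssh pubkey-chain\n'
    printf ' username %s\n' "$user"
    printf '  key-string\n'
    # fold splits the base64 body into CHUNK_WIDTH-character lines; sed indents them
    printf '%s\n' "$keybody" | fold -w "$CHUNK_WIDTH" | sed 's/^/   /'
    printf '  exit\n'
    printf ' exit\n'
    printf 'exit\n'
}

# verify_key_login USER HOST KEYFILE
# Logs in with the key only: BatchMode refuses any interactive prompt and
# PasswordAuthentication=no stops OpenSSH from quietly falling back to the
# password, so a rejected key shows up as a failure instead of a prompt.
# Illustrative call: verify_key_login bob 192.0.2.1 ~/.ssh/id_rsa (placeholder address)
verify_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no \
        -o PreferredAuthentications=publickey \
        -i "$3" "$1@$2" 'show version | include uptime'
}

# Stand-alone run: print the stanza for the constructed key.
ios_pubkey_stanza bob "$SAMPLE_PUBKEY"
```

Paste the printed block into the router in configuration mode, then run the verify helper against the router; an "uptime" line back means the key was accepted, while "Permission denied (publickey)" means the router is still expecting a different key or a different username than the one under ip ssh pubkey-chain.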

 

Bonus:

If you need to allow only SSH and disable telnet and other types of access on the router, you can do so by entering:

line vty 0 98
 transport input ssh

 

Anas

Twitter: @anastarsha

