Password-less SSH login using PKI to Cisco IOS

A cool feature in IOS I recently came across is the ability to configure SSH login using PKI. As far as I can see this feature was added in version 15.0.

Already assuming the basic SSH server is running on the IOS device, here’s how we add the ability to securely log in without a password 🙂

moons_router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
moons_router(config)#ip ssh pubkey-chain
moons_router(conf-ssh-pubkey)#username m00nie
moons_router(conf-ssh-pubkey-user)#key-string
moons_router(conf-ssh-pubkey-data)#ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA@
moons_router(conf-ssh-pubkey-data)#$2M6sGD28ClJ5I5mCwYeU9EUTc9cYgw7eFWsm
moons_router(conf-ssh-pubkey-data)#$8fTLTgFpeGVh8VbPuqWW12l9gHoZ6W/Vp4OU
moons_router(conf-ssh-pubkey-data)#$uGOpdg2HGbZ9MIupE89n9psY== moon@home
moons_router(conf-ssh-pubkey-data)#exit
moons_router(conf-ssh-pubkey-user)#^Z
moons_router#

Pick the username you want to associate with the key, then paste in your own public key from either PuTTY (see here on how to create a key for PuTTY) or from your ~/.ssh/id_rsa.pub file. You need to copy all of the information, including the leading ssh-rsa and the trailing user@computer comment, and you need to split it into lengths that fit into the IOS command buffer. After you’ve pasted it in and typed exit, the key is verified and IOS prompts you if it doesn’t accept the key. If it does accept the key no prompt is given; the key is turned into a key-hash and entered into the running config like the example below.

moons_router#sho run | b ssh pubkey-chain
ip ssh pubkey-chain
username m00nie
key-hash ssh-rsa 94AI9XvtsuPG6T0l8bBVuB0SsLCuGPm1hf moon@home
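The splitting step above is easy to get wrong by hand (a dropped character makes IOS reject the key at exit). The following shell script is an added example, not from the original post: it checks that a line really is an OpenSSH RSA public key, cuts it into pieces that fit the command buffer, and prints the full pubkey-chain snippet ready to paste. The sample key is constructed and is not a real key; the 200-character default chunk length is an assumption, not a documented IOS limit, so pass a smaller value if your terminal or IOS version needs one.

```shell
#!/bin/sh
# Added example (not from the original post): prepare an OpenSSH public key
# for the IOS "ip ssh pubkey-chain" key-string sub-mode.  The key line is
# split into chunks short enough for the command buffer and wrapped in the
# config lines shown in the post.  The chunk length is a parameter; 200 is
# an assumed default, not a documented IOS limit.

# Constructed sample key (NOT a real key): the blob keeps the prefix every
# RSA key shares and is padded with placeholder text.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEONLYNOTAREALKEY0123456789 moon@home'

# Sanity check before pasting: an OpenSSH RSA key line starts with "ssh-rsa "
# and its base64 blob always begins with AAAAB3NzaC1yc2E, which is the
# encoding of the 4-byte length and the "ssh-rsa" algorithm name inside the
# blob.  Returns 0 when the line has that shape, 1 otherwise.
ios_check_key() {
    case "$1" in
        "ssh-rsa AAAAB3NzaC1yc2E"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the key line in pieces of at most $2 characters, one per line.
ios_split_key() {
    key=$1
    chunk=${2:-200}
    while [ -n "$key" ]; do
        printf '%s\n' "$(printf '%s' "$key" | cut -c1-"$chunk")"
        key=$(printf '%s' "$key" | cut -c"$((chunk + 1))"-)
    done
}

# Emit the complete config snippet for USERNAME ($1) and key line ($2),
# using the same nesting as the post's terminal session.
ios_pubkey_snippet() {
    user=$1
    keyline=$2
    chunk=${3:-200}
    ios_check_key "$keyline" || { echo "not an OpenSSH RSA public key line" >&2; return 1; }
    printf 'ip ssh pubkey-chain\n'
    printf ' username %s\n' "$user"
    printf '  key-string\n'
    ios_split_key "$keyline" "$chunk" | while IFS= read -r part; do
        printf '   %s\n' "$part"
    done
    printf '  exit\n'
    printf ' exit\n'
}

# Example run: generate the snippet for user m00nie from the sample key,
# using a deliberately short chunk length so the split is visible.
ios_pubkey_snippet m00nie "$SAMPLE_KEY" 40
```

For a real key, run `ios_pubkey_snippet m00nie "$(cat ~/.ssh/id_rsa.pub)"` and paste the output into config mode; the pieces are concatenated by IOS exactly as in the session above, so the joined chunks must equal the original line character for character.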

Now you can log in securely and execute commands remotely without being prompted for a username/password. The example below shows the expected output: login (with no prompt) followed by execution of the command.

moon@home:~$ ssh moons_router 'sho int fa 4'

*-------------*
| Some Banner |
*-------------*

FastEthernet4 is up, line protocol is down
Hardware is FastEthernet, address is 001d.7030.0db9 (bia 001d.7030.0db9)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
..
0 output buffer failures, 0 output buffers swapped out
moon@home:~$

Cool!

moonie 😀

Comments

  • Thanks for the brilliant post.

    I’d like my passwordless user to only have “sh int” privileges, yet it seem intent on giving me full “enable” privileges… any ideas, please?

  • Hi Keith

    When I try this on my own equipment the successful login lands me in user EXEC mode rather than privileged EXEC mode (no “enable” privileges).

    moon@home:~$ ssh moons_router

    *-------------*
    | Some Banner |
    *-------------*

    moons_routerr>show priv
    Current privilege level is 1
    moons_router>

  • To change user privilege level, use this command:

    Router(config)# username [WORD] privilege [0-15]

    Level 15 is full exec mode automatically (no need to type “enable”) and Level 0 is the lowest level you can go.

    Note: You can assign the lowest level to any user and they will still be able to enter enable mode if they know the password.

  • I just want to add to the comment that Brandon R made.

    “To change user privilege level, use this command:

    Router(config)# username [WORD] privilege [0-15]”

    Make sure you set a password for the user otherwise if you attempt to login with that user and simply press enter at the prompt, you will gain access to the device.
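The last two comments describe two things worth checking on every device that uses pubkey-chain: the privilege level each key holder's local account grants, and whether that account has a password at all. The script below is an added example, not from the post or its comments: it reads a saved running-config and reports, for every username under "ip ssh pubkey-chain", the privilege from the matching local "username ... privilege N" line (1 when none is set) and whether a secret or password is configured. The sample config is constructed; the m00nie key-hash is the one shown in the post, the second hash and the secret value are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or its comments): audit a saved
# IOS running-config for accounts that can log in with a public key.  For each
# username under "ip ssh pubkey-chain" it reports the privilege level granted
# by the matching local "username ... privilege N" line (IOS default is 1 when
# none is set) and whether that local user has a secret or password.

# Constructed sample config; the m00nie key-hash is the one shown in the post,
# the second hash is a placeholder, and the secret value is not a real hash.
SAMPLE_CONFIG=$(cat <<'EOF'
hostname moons_router
username m00nie privilege 15 secret 5 $1$EXAMPLE$notarealhash
username keith privilege 1
ip ssh pubkey-chain
  username m00nie
   key-hash ssh-rsa 94AI9XvtsuPG6T0l8bBVuB0SsLCuGPm1hf moon@home
  username keith
   key-hash ssh-rsa KEYHASHPLACEHOLDER keith@lab
EOF
)

# Reads a running-config on stdin and prints "NAME PRIV HAS_PASSWORD" for
# every pubkey-chain user.
audit_pubkey_users() {
    awk '
        # Leaving the pubkey-chain block: any line that starts at column 1.
        inchain && /^[^ ]/ { inchain = 0 }
        # Top-level local user definition: record privilege and password.
        /^username / {
            name = $2; priv[name] = 1; haspw[name] = "no"
            for (i = 3; i <= NF; i++) {
                if ($i == "privilege") priv[name] = $(i + 1)
                if ($i == "secret" || $i == "password") haspw[name] = "yes"
            }
            next
        }
        /^ip ssh pubkey-chain/ { inchain = 1; next }
        # Indented username lines inside the block are the key holders.
        inchain && /^ +username / { keyusers[$2] = 1 }
        END {
            for (u in keyusers) {
                p = (u in priv) ? priv[u] : 1
                h = (u in haspw) ? haspw[u] : "no"
                printf "%s %s %s\n", u, p, h
            }
        }'
}

# Just the names of key holders whose local account has no password set.
passwordless_key_users() {
    audit_pubkey_users | awk '$3 == "no" { print $1 }'
}

# Example run against the sample config.
printf '%s\n' "$SAMPLE_CONFIG" | audit_pubkey_users
```

Feed it a real config with `audit_pubkey_users < running-config.txt`; any name printed by `passwordless_key_users` is an account that, per the comment above, needs a secret set, and any privilege of 15 is an account that lands in enable mode straight from key login.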