December 19, 2010

Password-less ssh login using pki to Cisco IOS

A cool feature in IOS I recently came across was the ability to configure SSH login using PKI, i.e. authenticating with your SSH public key instead of a password. As far as I can see this feature was added in version 15.0.

Assuming a basic SSH server is already running on the IOS device, here's how we add the ability to log in securely without a password :)

moons_router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
moons_router(config)#ip ssh pubkey-chain
moons_router(conf-ssh-pubkey)#username m00nie
moons_router(conf-ssh-pubkey-user)#key-string
moons_router(conf-ssh-pubkey-data)#ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA@
moons_router(conf-ssh-pubkey-data)#$2M6sGD28ClJ5I5mCwYeU9EUTc9cYgw7eFWsm
moons_router(conf-ssh-pubkey-data)#$8fTLTgFpeGVh8VbPuqWW12l9gHoZ6W/Vp4OU
moons_router(conf-ssh-pubkey-data)#$uGOpdg2HGbZ9MIupE89n9psY== moon@home
moons_router(conf-ssh-pubkey-data)#exit
moons_router(conf-ssh-pubkey-user)#^Z
moons_router#
Pick the username you want to associate with the key, then paste in your own public key, either from PuTTY (see here on how to create a key for PuTTY) or from your ~/.ssh/id_rsa.pub file. You need to copy all of it, including the leading ssh-rsa and the trailing user@computer comment, and you need to paste it in pieces short enough to fit in the IOS command buffer (the $ at the start of the later lines above is just IOS showing that the line has scrolled). Once you type exit the key is verified: IOS will complain if it doesn't accept the key, and says nothing if it does. An accepted key is turned into a key-hash and stored in the running config like the example below, so the router keeps only a hash of the key rather than the key itself.
moons_router#sho run | b ssh pubkey-chain
ip ssh pubkey-chain
 username m00nie
  key-hash ssh-rsa 94AI9XvtsuPG6T0l8bBVuB0SsLCuGPm1hf moon@home
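Splitting a key by hand into pieces that fit the IOS command line is fiddly and easy to get wrong, so here is a small shell helper that does it for you. This is an added example, not part of the original post and not a Cisco tool: it takes a username and an OpenSSH ssh-rsa public key line and prints the complete ip ssh pubkey-chain snippet, chunked so that each key-string line fits the command buffer. The default chunk length of 70 characters is an assumption (pick whatever is comfortably below your IOS line limit), and the usernames and paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): emit the Cisco IOS
# "ip ssh pubkey-chain" configuration for one user from an OpenSSH
# "ssh-rsa ..." public key line, splitting the key into chunks short
# enough for the IOS command buffer. IOS concatenates the key-string
# lines back together, so the chunks only need to be short, not aligned.
#
# Usage (hypothetical paths/names):
#   ios_pubkey_chain m00nie "$(cat ~/.ssh/id_rsa.pub)"        > m00nie.ios
#   ios_pubkey_chain m00nie "$(cat ~/.ssh/id_rsa.pub)" 60      # shorter chunks
#
# ios_pubkey_chain USERNAME PUBKEY_LINE [CHUNK_LEN]
ios_pubkey_chain() {
    username=$1
    pubkey=$2
    chunk=${3:-70}   # assumption: 70 chars per line is safely inside the buffer

    # The post shows IOS accepting ssh-rsa keys; refuse anything else up front
    # rather than letting the router reject it after the whole paste.
    case "$pubkey" in
        ssh-rsa\ *) ;;
        *) echo "ios_pubkey_chain: expected an OpenSSH 'ssh-rsa' public key line" >&2
           return 1 ;;
    esac

    # Chunk length must be a positive integer, otherwise fold(1) will fail.
    case "$chunk" in
        ''|*[!0-9]*|0) echo "ios_pubkey_chain: chunk length must be a positive integer" >&2
                       return 1 ;;
    esac

    printf 'ip ssh pubkey-chain\n'
    printf ' username %s\n' "$username"
    printf '  key-string\n'
    # fold(1) breaks the single key line every $chunk characters; the leading
    # spaces are IOS-style indentation and are ignored by the parser.
    printf '%s\n' "$pubkey" | fold -w "$chunk" | sed 's/^/   /'
    printf '  exit\n'
    printf ' exit\n'
}
```

Paste the output into configuration mode (or push it with your usual config tool); the key-string lines will be reassembled and hashed exactly as in the manual session above, so the resulting key-hash line in the running config is the same either way.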
Now you can log in securely and execute commands remotely without being prompted for a username or password. The example below shows the expected output: the login (with no prompt) followed by the output of the command.
moon@home:~$ ssh moons_router 'sho int fa 4'

-------------
| Some Banner |
-------------

FastEthernet4 is up, line protocol is down
Hardware is FastEthernet, address is 001d.7030.0db9 (bia 001d.7030.0db9)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
..
0 output buffer failures, 0 output buffers swapped out
moon@home:~$


Cool!

moonie :D