Using an RSA Public/Private key pair instead of a password to authenticate an SSH session is popular on Linux/Unix boxes. Digital Ocean, a Virtual Private Server (VPS) provider, has this advice on how you should log into their Droplets: “you should use public key authentication instead of passwords, if at all possible. This is because SSH keys provide a more secure way of logging in compared to using a password alone. While a password can eventually be cracked with a brute-force attack, SSH keys are nearly impossible to decipher by brute force alone.” Plus, it means you never have to type C!$c0 again!
Cisco IOS now has support for using SSH with RSA keys. There are many resources showing how to configure SSH with RSA keys on the Internet and I have included several in the references section to give you more information. In this blog I am going to show how to configure a switch and create the public/private key pair using PuTTYgen for Windows.
Jul 22, 2015
OpenSSH ships with most *nix OSes like Mac OS X and Ubuntu so you don’t need a separate program to generate the key pair. There are resources in the reference section on how to create the keys using OpenSSH. As a side note, Microsoft announced that it is going to build OpenSSH support into PowerShell so you may be able to log into the next release of Windows Server using SSH.
Download Puttygen
Recently there was some malware floating around using the name putty.exe. Make sure that you download PuTTY and PuTTYgen from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
The MD5 checksums are at this link – checksums. On Windows you can use the official MS tool FCIV to check the MD5 sums. If you prefer a GUI, HashTab is a nice tool that integrates into the right-click menu. It’s free but does require registration and an email address.
Once you have PuTTYgen double click to start it up. Enter a description for your key and a passphrase. I recommend storing your passphrase in a password manager so that you don’t forget it. Select SSH-2 RSA and enter 2048 for bits. Enter a comment for your key pair and click Generate. You will be asked to move the mouse around to generate some entropy.
Once the key has been generated you can select the public key text and paste it into the switch. You should also save the public and private keys to a file.
Open PuTTY and create a session. Click on Auth under the SSH menu. Under Authentication parameters click Browse and select your private key. Click on Session and save your session.
You can also click on Data under Connection and set up an Auto-login username:
I’m using a 3750X-48P-L running IOS Version 15.2(3)E1 for this example.
Configure a time server
While this isn’t absolutely necessary it’s the first thing I do on any production device.
3750x(config)#ntp server 129.6.15.29 prefer
3750x(config)#clock timezone PST -8 0
3750x(config)#clock summer-time PDT recurring
Configure an IP domain name, create the RSA private key and enable SSH
Note the “exportable” parameter. This isn’t required but I wanted to point out that you can make the keys exportable. It’s not so important in this case but if you have set up GetVPN on a router you absolutely want to export the keys used for the tunnels. If you don’t and the router fails you will have to touch EVERY tunnel once you replace the hardware. If you have exported the keys you just reload them on the new hardware and call it a day.
I have a link to a Cisco TAC podcast on GetVPN and DMVPN in the references that does a great job of explaining how to use RSA key pairs and why you MUST export them. If you don’t want to listen to the entire podcast jump to minute 40 or so and listen from there. I highly recommend listening to all the TAC Security podcasts.
The aaa new-model command causes the local username and password on the router to be used in the absence of other AAA statements. Once you enter “aaa new-model” you will not be able to enter “login local” on vty line configuration. If you had login local configured it will be removed.
When you create the username be sure to include a secret. If you don’t, anyone will be able to log in with just the username. As always, create a strong secret and use a password manager to store it.
3750x(config)#username cisco privilege 15 secret ^8(nn-!#who
3750x(config)#aaa new-model
3750x(config)#aaa authentication login default local
3750x(config)#aaa authorization exec default local
(Authentication through the line password is not possible with SSH)
Configure the line
3750x(config)#line vty 0 4
3750x(config-line)#transport input ssh
3750x(config-line)#logging sync (prevents console messages from interfering with your inputs)
Add your PUBLIC key to the device.
Open the public key file you created in PuTTYgen. Copy the text between the comments. If you generated a 2048 bit key you will need to paste it into Notepad and break it into smaller pieces or you may see “%SSH: Failed to decode the Key Value” when you exit:
3750x(config)#ip ssh pubkey-chain
3750x(conf-ssh-pubkey)#username hubbard
3750x(conf-ssh-pubkey-user)#key-string
3750x(conf-ssh-pubkey-data)#$QAAAQEAkp2EDdpi86+h2aygSIYLt6DvoeFVKYJ1S/Zr
3750x(conf-ssh-pubkey-data)#$ylIDAzWA+G9TolxvWTLzTcUR/+Ykk74mqQbuGTxpteP
3750x(conf-ssh-pubkey-data)#$IStVVjycGYHRSJv9H2C8OQYMcHCR7yM/36TTFRIjLfV
3750x(conf-ssh-pubkey-data)#$PaWM45mr8DI2/sJkwESLWWGJKYiaSxEG6h+gLA5DePj
3750x(conf-ssh-pubkey-data)#$SP4zpktK7KD51NQDy8vx3jVVhkkANGbFfz/uWk2Uhno
3750x(conf-ssh-pubkey-data)#$DQeBxtZbxEGU4tXDZmRbPGVmk8DtFh9LVRCxUTQ
3750x(conf-ssh-pubkey-data)#exit
3750x#sh run | sec ssh
ip ssh version 2
ip ssh pubkey-chain
  username hubbard
   key-hash ssh-rsa 0C029272CF23E61C4315A0D59E565B76
 transport input telnet ssh
3750x#
3750x#sh run | b 0 4
line vty 0 4
 transport input ssh
line vty 5 15
Note – You can use the HASH instead of the key for the next devices you set up. Instead of using “key-string” in the ip ssh pubkey-chain statement use “key-hash ssh-rsa 0C029272CF23E61C4315A0D59E565B76”.
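An added example (my own code, not from the original post): a small Python script that takes the OpenSSH-format “ssh-rsa …” public key line PuTTYgen displays, splits the base64 into short key-string lines so the paste does not hit the decode error above, and computes the key-hash IOS shows in the running config, which you can cross-check against ssh-keygen -l -E md5 -f key.pub (same MD5 digest, printed with colons). The embedded sample key is constructed, not a real key; the username hubbard and the 72-character line width are assumptions.

```python
import base64
import hashlib
import struct


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value):
    """SSH mpint: big-endian, with a leading 0x00 when the high bit is set."""
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def parse_rsa_pubkey(line):
    """Parse 'ssh-rsa <base64> [comment]'; return (base64, blob, e, n)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa ...' public key line")
    blob = base64.b64decode(parts[1], validate=True)
    fields, offset = [], 0
    while offset < len(blob):  # the blob is three SSH strings: type, e, n
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        fields.append(blob[offset + 4:offset + 4 + length])
        offset += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa key blob")
    return parts[1], blob, int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def build_ios_config(line, username, width=72):
    """Return (key_hash, config_lines) for IOS 'ip ssh pubkey-chain'.
    The base64 is chunked because pasting a 2048-bit key as one line can fail
    with '%SSH: Failed to decode the Key Value'. key_hash is the MD5 of the raw
    blob as uppercase hex without colons: what 'show run' prints after
    'key-hash ssh-rsa', and what 'ssh-keygen -l -E md5' prints with colons."""
    b64, blob, _e, _n = parse_rsa_pubkey(line)
    key_hash = hashlib.md5(blob).hexdigest().upper()
    config = ["ip ssh pubkey-chain", f" username {username}", "  key-string"]
    config += [f"   {b64[i:i + width]}" for i in range(0, len(b64), width)]
    config += ["  exit", " exit", "exit"]
    return key_hash, config


# Constructed sample (NOT a real key): e = 65537 and a made-up odd 2048-bit modulus.
SAMPLE_E, SAMPLE_N = 65537, (1 << 2047) | 0x1001_2345_6789_ABCD_EF01
SAMPLE_KEY_LINE = "ssh-rsa " + base64.b64encode(
    ssh_string(b"ssh-rsa") + ssh_mpint(SAMPLE_E) + ssh_mpint(SAMPLE_N)).decode() + " sample"
```

Call build_ios_config(SAMPLE_KEY_LINE, "hubbard") to get the config lines plus the hash; on later devices paste key-hash ssh-rsa followed by that hash instead of the whole key-string block.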
Login using your SSH Keys!
References
SSH RSA authentication works in IOS release 15.0M
Secure Shell Version 2 Support in IOS 15
TAC Security Podcast Episode #25 – GETVPN and DMVPN
SSH/OpenSSH/Keys – A good Ubuntu article on OpenSSH
How to create ssh keys with putty to connect to a virtual private server (VPS) – The Digital Ocean tutorial. They have a lot of good tutorials.
Using SSH/SCP on Mac OS X in the Terminal app
Kali Linux remote SSH – How to configure openSSH server – A great tutorial.
SSH using public key authentication to IOS and big outputs – A Cisco Support Forum article. It includes a Bash script for remotely executing commands.
SSH with key authentication on Cisco IOS devices – A good blog for Windows users
How To Protect SSH with fail2ban on Ubuntu 12.04
Synchronise remote SSH authorised_keys