Cisco IOS SSH Key Authentication
In the video below, we show you how to configure Cisco IOS routers or switches to support key pair authentication
Prerequisites
- Basic networking concepts
- CLI familiarity
What You'll Learn
- Understand Cisco IOS SSH Key Authentication
- Apply the learned skills in real-world scenarios
Cisco IOS Networking
Sep 1, 2022
· 3 mins read
As well as username/password authentication, a Cisco IOS device can be configured so that you can log in using SSH keys.

With a passphrase assigned to the private key, this follows the security model of something you have (the private key) and something you know (the passphrase), which makes the process more secure.

NOTE: The Cisco IOS version used in this video only supports RSA keys with SHA-1 signatures, which is not ideal.
Steps Taken

- Create user account

```
conf t
username david privilege 15
end
```

We don't need a password for this account.
- Create a key chain for the user

```
conf t
ip ssh pubkey-chain
username david
key-string
```

We now need to paste in the public key, but creating that depends on the OS of your computer.
- Linux

Create an SSH key pair on the computer using OpenSSH:

```
cd .ssh
ssh-keygen -b 4096 -t rsa -f ciscolab -C "david@ciscolab.lan"
```

Apply a passphrase to protect the private key.

This creates an RSA key pair, 4096 bits in size, named ciscolab, with a comment to help identify the owner.

We now need to paste in the contents of the public key for this user.

In Linux, we need to split up the lines, because the output is on a single line and Cisco IOS can't accept that many characters on one line:

```
fold -b -w 72 ciscolab.pub
```

We don't need to include the algorithm details at the beginning or the comment at the end, so copy and paste the rest.

Then finish the configuration:

```
exit
end
```

To verify this, you can compare the hash for this key, which is stored using MD5.

On the Cisco device:

```
sh run | b pubkey
```

On the Linux computer:

```
ssh-keygen -l -E md5 -f ciscolab.pub
```

To reduce latency during login, you can edit the config file on the computer and specify the key, rather than let the client try different keys until it exhausts all possibilities.

At the time of recording, OpenSSH had deprecated SHA-1, but that is all this Cisco IOS version supports; however, the SSH config file on the computer can be configured to allow it:

```
nano .ssh/config
```

```
Host *
    IdentitiesOnly yes

Host uklon01wan01
    IdentityFile "/home/david/.ssh/ciscolab"
    PubkeyAcceptedAlgorithms=ssh-rsa
```
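The folding and the MD5 comparison described in the Linux section can be scripted so that the pasted key-string and the fingerprint shown by `sh run | b pubkey` can be checked against each other without hand-counting characters. The following is an added example, not code from the original post or from Cisco; it assumes only POSIX sh with coreutils (awk, fold, base64, md5sum, sed, cut), and the key it embeds is a constructed placeholder blob with a valid ssh-rsa header and filler, not a usable key.

```shell
#!/bin/sh
# Added example, not from the original post: prepare an OpenSSH public key for
# Cisco IOS "key-string" mode and compute the MD5 fingerprint that both
# "ssh-keygen -l -E md5" and "sh run | b pubkey" (the key-hash line) report.
# Needs only POSIX sh plus coreutils: awk, fold, base64, md5sum, sed, cut.

# Field 2 of "ssh-rsa AAAA... comment" is the base64 key blob. IOS wants neither
# the algorithm name in front nor the comment at the end.
pubkey_blob() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Split the blob into 72-character lines, as "fold -b -w 72 ciscolab.pub" does,
# but only for the part that gets pasted under key-string.
ios_key_string() {
    pubkey_blob "$1" | fold -b -w 72
}

# MD5 of the decoded blob. IOS stores this as "key-hash ssh-rsa <32 hex chars>";
# "ssh-keygen -l -E md5" prints the same digest with colons between the bytes.
pubkey_md5_hex() {
    pubkey_blob "$1" | base64 -d | md5sum | cut -d' ' -f1
}

pubkey_md5_colons() {
    pubkey_md5_hex "$1" | sed 's/../&:/g; s/:$//'
}

# Full IOS snippet for one user, ready to paste into configuration mode.
ios_pubkey_config() {
    user="$1"
    key="$2"
    printf 'ip ssh pubkey-chain\n username %s\n  key-string\n' "$user"
    ios_key_string "$key" | sed 's/^/   /'
    printf '  exit\n exit\n'
}

# Constructed placeholder key (assumption, not a real key): the genuine
# "ssh-rsa" + exponent 65537 header followed by base64 filler, so base64 -d
# accepts it. 24 + 96 = 120 blob characters, so fold produces two lines.
FILL=QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
SAMPLE_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB${FILL}${FILL}${FILL} david@ciscolab.lan"

# Stand-alone demonstration: the IOS snippet plus both fingerprint forms.
ios_pubkey_config david "$SAMPLE_KEY"
printf '! key-hash on IOS:          %s\n' "$(pubkey_md5_hex "$SAMPLE_KEY")"
printf '! ssh-keygen -l -E md5:     %s\n' "$(pubkey_md5_colons "$SAMPLE_KEY")"
```

Run it with a real key by replacing `SAMPLE_KEY` with the contents of `ciscolab.pub`; the hex digest printed for the IOS form is the value to look for after `key-hash ssh-rsa` in `sh run | b pubkey`, and the colon-separated form is what `ssh-keygen -l -E md5 -f ciscolab.pub` prints. If the two do not agree, the paste under key-string was truncated or included the algorithm name or comment.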
- Windows

Use PuTTYgen to create the keys, then copy and paste in the public key.

Then finish the configuration:

```
exit
end
```

To verify this, you can compare the hash for this key, which is stored using MD5.

On the Cisco device:

```
sh run | b pubkey
```

On the Windows computer, use PuTTYgen and set the fingerprint to display in MD5.
- Key Authentication only

The IOS device is still accepting username/password logins, but this can be changed to allow SSH keys only:

```
conf t
ip ssh server algorithm authentication publickey
end
```

By only specifying publickey, all other methods are disabled.