Cisco IOS SSH Key Authentication

Sep 1, 2022 · 3 mins read

In the video accompanying this post, we show you how to configure Cisco IOS routers or switches to support key pair authentication

As well as username/password authentication, a Cisco IOS device can be configured so that you can log in using SSH keys

With a passphrase assigned to the private key, this follows the security model of something you have (the key) and something you know (the passphrase), making the process more secure

NOTE: The Cisco IOS version used in this video only supports RSA keys with SHA-1 signatures (ssh-rsa), which is not ideal

Steps Taken

  1. Create user account

    conf t
    username david privilege 15
    end

    We don't need a password for this account

  2. Create a key chain for the user

    conf t
    ip ssh pubkey-chain
    username david
    key-string

    We now need to paste in the public key, but how we create that depends on the OS of your computer

  3. Linux

    Create an SSH key pair on the computer using OpenSSH

    cd .ssh
    ssh-keygen -b 4096 -t rsa -f ciscolab -C "david@ciscolab.lan"

    Apply a passphrase to protect the private key

    This creates an RSA key pair, 4096 bits in size, named ciscolab (the files ciscolab and ciscolab.pub) and with a comment to help identify the owner

    We now need to paste in the contents of the public key for this user

    In Linux, we need to split up the lines because the public key is output on a single line and Cisco IOS can't accept that many characters on one line

    fold -b -w 72 ciscolab.pub

    We don't need to include the algorithm name at the beginning (ssh-rsa) or the comment at the end, so copy and paste only the base64 key body in between

    Then finish the configuration

    exit
    end

    To verify this, compare the key's MD5 hash, which is how IOS stores the key in the running configuration

    On the Cisco device

    sh run | b pubkey

    On the Linux computer

    ssh-keygen -l -E md5 -f ciscolab.pub

    To reduce latency during login, edit the SSH config file on the computer and specify the key, rather than letting the client try each of its keys in turn until it exhausts them

    At the time of recording, OpenSSH had disabled the ssh-rsa (RSA with SHA-1) signature algorithm by default, but that is all this Cisco IOS version supports; the SSH config file on the computer can be set to allow it for this host

    nano .ssh/config

    Host *
    	IdentitiesOnly yes

    Host uklon01wan01
    	IdentityFile "/home/david/.ssh/ciscolab"
    	PubkeyAcceptedAlgorithms=ssh-rsa

  4. Windows

    Use PuTTYgen to create the keys, then copy and paste in the public key

    Then finish the configuration

    exit
    end

    To verify this, compare the key's MD5 hash, which is how IOS stores the key in the running configuration

    On the Cisco device

    sh run | b pubkey

    On the Windows computer, use PuTTYgen and set the fingerprint to display in MD5

  5. Key Authentication only

    The IOS device still accepts username/password logins, but this can be changed to allow SSH keys only

    conf t
    ip ssh server algorithm authentication publickey
    end

    By specifying only publickey, all other authentication methods are disabled, so confirm that a key-based login works in a separate session before applying this
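The two manual steps in the Linux procedure above (folding the public key into lines IOS will accept, and comparing the MD5 fingerprint that ssh-keygen prints with the key-hash IOS stores) are easy to get slightly wrong by hand. The script below is an added example, not code from the original post: it builds a constructed ssh-rsa public key line from made-up RSA parameters (so it runs offline without ssh-keygen), strips the algorithm name and comment, splits the base64 body the way `fold -b -w 72` does, computes the MD5 fingerprint from the decoded key blob, and normalises both fingerprint formats for comparison. The device name and the assumption that IOS prints the hash as plain uppercase hex after `key-hash ssh-rsa` are taken from what the post describes, not from any official reference.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251): a leading 0x00 keeps it positive."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line (constructed, for offline use)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def parse_rsa_pubkey_line(pubkey_line: str):
    """Decode the blob back into (e, n); used here to prove the construction round-trips."""
    blob = base64.b64decode(key_body(pubkey_line))
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def key_body(pubkey_line: str) -> str:
    """Return only the base64 blob: drop the 'ssh-rsa' prefix and the trailing comment."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an OpenSSH ssh-rsa public key line")
    return parts[1]


def ios_key_string_lines(pubkey_line: str, width: int = 72) -> list:
    """Split the base64 body into chunks of at most `width` bytes, like `fold -b -w 72`."""
    body = key_body(pubkey_line)
    return [body[i:i + width] for i in range(0, len(body), width)]


def md5_fingerprint(pubkey_line: str) -> str:
    """MD5 over the decoded blob, in `ssh-keygen -l -E md5` style (MD5:aa:bb:...)."""
    digest = hashlib.md5(base64.b64decode(key_body(pubkey_line))).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprints_match(ssh_keygen_fp: str, ios_key_hash_line: str) -> bool:
    """Compare the ssh-keygen fingerprint with an IOS 'key-hash ssh-rsa <HEX>' line.

    Assumption (from the post's description): IOS shows the same MD5 digest as a
    plain hex string with no colons, so both are normalised to lowercase hex.
    """
    a = ssh_keygen_fp.strip()
    if a.startswith("MD5:"):
        a = a[4:]
    a = a.replace(":", "").lower()
    b = ios_key_hash_line.strip().split()[-1].lower()
    return len(a) == 32 and a == b


# Constructed sample parameters: a public exponent and a made-up 1024-bit modulus.
# Not a real key; it only exercises the folding and fingerprint logic.
SAMPLE_E = 65537
SAMPLE_N = (1 << 1023) + 12345
SAMPLE_LINE = build_rsa_pubkey_line(SAMPLE_E, SAMPLE_N, "david@ciscolab.lan")


def ios_pubkey_chain_config(username: str, pubkey_line: str) -> str:
    """Render the IOS commands from the post with the folded key body pasted in."""
    lines = ["conf t", "ip ssh pubkey-chain", "username " + username, "key-string"]
    lines += ios_key_string_lines(pubkey_line)
    lines += ["exit", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(ios_pubkey_chain_config("david", SAMPLE_LINE))
    print("# compare with: ssh-keygen -l -E md5 -f ciscolab.pub ->", md5_fingerprint(SAMPLE_LINE))
```

Run it against a real key by replacing SAMPLE_LINE with the contents of ciscolab.pub; the folded lines go under key-string exactly as shown, and fingerprints_match() lets you paste the key-hash line from `sh run | b pubkey` next to the ssh-keygen output instead of eyeballing 32 hex digits.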
