SSH with key authentication on Cisco IOS devices

Goal

Connect to a Cisco switch, router, etc… using SSH with key authentication.

Prerequisites

  • Have PuTTY and PuTTYgen.
  • You have already configured your Cisco device to be able to accept SSH logins using usernames and passwords.

Caveats

Keep your SSH keys in a safe place, treat them like the keys to your house (unless you don’t particularly care about your house). If you suspect your keys have been stolen, make sure no devices will accept your stolen SSH key! Setting a passphrase on your key is a smart idea.

Generating an RSA key with PuTTYgen

Open puttygen.exe and set the parameters: the type of key must be SSH-2 RSA. You can vary the number of bits in the generated key; a higher number is more secure. Click the Generate button to generate a new key, and move the mouse around the window to create additional randomness.

Appropriately comment your key.

You may wish to enter a passphrase; you will be asked for it every time you connect to a device using that key. It’s like a password.

Save your public key by clicking Save public key. Create a folder to store your keys and name the file publickey.pub. Next, click Save private key and save it in the same folder as privatekey.ppk. Also copy the “Public key for pasting into OpenSSH authorized_keys file” text and save it to a file.

The end result should look something like this:

Setting up your Cisco device to accept your key

Assuming you have a user called “admin” with which you want to perform key-based authentication, we will associate this user with a key that he’s allowed to log in with.

Enter the following commands:

ip ssh pubkey-chain
 username admin
  key-string

Now you need to copy the key data from authorized_keys. You only need the base64 key data itself; leave out the leading “ssh-rsa” and the comment at the end. So, if you have this authorized_keys:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBztRNLSqzuIDxATAl6zAhLcsTL40XHAANd+7ljTpbgvYX5IDJjYyD4jpDW9x8Qml553k0chDNFuW2ZE0gVL+MetDatI/DrgMIVRVcU9ZJLsVGqv6SuXeQI7UpvkP7ow+HS0hTd7GDw9sJ+OjAEIIcAhlBJ+4CPIeWjs98Z5ube6Q== my-cisco-device-key

You need to paste the

AAAAB3NzaC1yc2EAAAABJQAAAIBztRNLSqzuIDxATAl6zAhLcsTL40XHAANd+7ljTpbgvYX5IDJjYyD4jpDW9x8Qml553k0chDNFuW2ZE0gVL+MetDatI/DrgMIVRVcU9ZJLsVGqv6SuXeQI7UpvkP7ow+HS0hTd7GDw9sJ+OjAEIIcAhlBJ+4CPIeWjs98Z5ube6Q==

part. (Pasting is right-click in PuTTY.) Press Enter.

Type exit a few times to leave the device’s configuration mode.

That’s it for configuring the Cisco device. You can add multiple keys per user and you can have multiple users each having their own keys for logging in.
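A small helper, added here as an example and not part of the original post, that turns an OpenSSH authorized_keys line into the pubkey-chain commands above (with the key data split into lines short enough to paste) and computes the MD5 of the decoded key, which is the value IOS stores and shows as key-hash ssh-rsa in the running configuration. The sample key is the one shown above; the 72-character line width is an assumption.

```python
import base64
import hashlib
import struct
from typing import List, Tuple

# The authorized_keys line from the post above, used here as sample input.
SAMPLE_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBztRNLSqzuIDxATAl6zAhLcsTL40XHAANd+7ljTpbgvYX5IDJjYyD4jpDW9x8Qml553k0chDNFuW2ZE0gVL+MetDatI/DrgMIVRVcU9ZJLsVGqv6SuXeQI7UpvkP7ow+HS0hTd7GDw9sJ+OjAEIIcAhlBJ+4CPIeWjs98Z5ube6Q== my-cisco-device-key"


def parse_openssh_rsa(line: str) -> Tuple[str, bytes]:
    """Return (base64 data, decoded blob); raise ValueError for anything that
    is not a complete ssh-rsa key (wrong type, bad base64, truncated paste)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected 'ssh-rsa <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    parts, pos = [], 0
    while pos < len(blob):                      # RFC 4253 length-prefixed strings
        if pos + 4 > len(blob):
            raise ValueError("truncated key data")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated key data")
        parts.append(blob[pos:pos + n])
        pos += n
    if len(parts) != 3 or parts[0] != b"ssh-rsa":   # exactly: type, e, n
        raise ValueError("not an RSA public key blob")
    return fields[1], blob


def ios_key_hash(line: str) -> str:
    """MD5 of the decoded blob: what IOS shows as 'key-hash ssh-rsa' in the
    running config, and what 'ssh-keygen -E md5 -lf key.pub' prints."""
    return hashlib.md5(parse_openssh_rsa(line)[1]).hexdigest()


def ios_pubkey_chain(line: str, username: str, width: int = 72) -> List[str]:
    """Config lines to paste; the key data is split into `width`-character
    lines (assumed safe) because one long paste gets cut off at the IOS CLI."""
    b64, _ = parse_openssh_rsa(line)
    chunks = [b64[i:i + width] for i in range(0, len(b64), width)]
    return (["ip ssh pubkey-chain", f" username {username}", "  key-string"]
            + chunks + ["  exit", " exit", "exit"])


if __name__ == "__main__":
    print("\n".join(ios_pubkey_chain(SAMPLE_LINE, "admin")))
    print("! expect in show running-config: key-hash ssh-rsa", ios_key_hash(SAMPLE_LINE))
```

After pasting, compare the printed hash with the key-hash line under ip ssh pubkey-chain in show running-config; a mismatch means the paste lost or added characters.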

Setting up a PuTTY profile

To make use of your key, you must specifically configure PuTTY to do so. Open PuTTY and go to Connection -> SSH -> Auth. In the Private key file for authentication field, browse to your privatekey.ppk file.

You may also want PuTTY to automatically log in with your username. Go to Connection -> Data and fill in the Auto-login username field.

Once you’ve completed your setup, you may wish to save your session in the Session dialogue, so you don’t have to repeat this every time you want to log in to your device.

Testing

When you log in using your key, the result should be like this:

14 thoughts on “SSH with key authentication on Cisco IOS devices”

  1. Hello,
    great manual, but I have a little problem. If I want to paste a 2048-bit RSA key to the Cisco, it doesn't paste whole. Part of the key can't be pasted.
    I have tried pasting via console, but the same problem.
    A 1024-bit key works great.
    Please, could you advise me something?

    Thanks, Jiri

    • Split up your key and copy/paste it in two/three/four different parts as needed. As long as you’re in the “conf-ssh-pubkey-data” submenu, you can keep on pasting new data.

      So paste a bit of data, press Enter, do the next bit, etc… until your entire key has been entered. Then just type “exit” as normal. Pay attention that you don’t paste any extra spaces.

      • This indeed works, but it’s worth mentioning that 4096-bit key-strings do work; however, 8192 does not. It feels like it hits some buffer length.

  2. Hello,

    How do you remove the public key from cisco ios once it is on there? After many tries, I still see it using “show ip ssh”

    Thanks!

  3. If I am not mistaken, that is the RSA key generated when enabling ssh on the switch itself, not the imported public key for client authentication. This is the device’s public key.

      • Hi Izz,

        Then what is the command to show the user’s imported public key? I see a hash of it in show run, but not the full key.

      • @Patrick, you can’t show the original user imported public key as IOS only stores the hash. Like Izz says, “show ip ssh” displays the router’s public key.

  4. I know this is old, and my question may be overkill. Is there a way to set it up for RADIUS? The commands all include username for local accounts.
