Connect to a Cisco switch, router, etc. using SSH with key authentication.
- You have PuTTY and PuTTYgen installed.
- You have already configured your Cisco device to accept SSH logins using usernames and passwords.
Keep your private key in a safe place and treat it like the keys to your house (unless you don't particularly care about your house). The private key is the only secret in this setup: anyone who holds it can log in as you on every device that trusts the matching public key. If you suspect it has been stolen, remove the public key from every device that accepts it. Setting a passphrase on the key is a smart idea: it encrypts the private key on disk, so a copied .ppk file is useless on its own.
Generating an RSA key with PuTTYgen
Open puttygen.exe and set the parameters: the type of key must be SSH-2 RSA (labelled simply RSA in newer PuTTYgen versions). You can vary the number of bits in the generated key; use at least 2048. A longer key is harder to break, but it also produces a longer public key string, which you may have to paste into the Cisco device over several lines. Click the Generate button to generate a new key and move the mouse around the window to feed the random number generator.
Give your key a meaningful comment (for example who owns it and what it is for); the comment ends up at the end of the authorized_keys line.
You may wish to enter a passphrase; it will be asked every time you connect to a device using that key. It works like a password that unlocks the private key file.
Save your public key by clicking Save public key. Create a folder to store your keys and name the file publickey.pub. Next, click Save private key and save it in the same folder as privatekey.ppk. Also copy the text in the "Public key for pasting into OpenSSH authorized_keys file" box and save it to a file; this one-line format is what you will paste into the Cisco device.
The end result should look something like this:
Setting up your Cisco device to accept your key
Assuming you have a user called "admin" that you want to log in with key based authentication, we will associate this user with the public key it is allowed to log in with.
Enter the following commands from global configuration mode (after ip ssh pubkey-chain you enter username admin, then key-string, and then paste the key):
ip ssh pubkey-chain
Now you need to copy the key from the authorized_keys line. You only need the base64 key blob itself; leave out the leading "ssh-rsa" and the comment at the end. So, if you have this authorized_keys line:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBztRNLSqzuIDxATAl6zAhLcsTL40XHAANd+7ljTpbgvYX5IDJjYyD4jpDW9x8Qml553k0chDNFuW2ZE0gVL+MetDatI/DrgMIVRVcU9ZJLsVGqv6SuXeQI7UpvkP7ow+HS0hTd7GDw9sJ+OjAEIIcAhlBJ+4CPIeWjs98Z5ube6Q== my-cisco-device-key
You need to paste only the long base64 part between "ssh-rsa " and the comment (the string starting with AAAAB3NzaC1yc2E and ending with ==). Pasting is right-click in PuTTY. Press Enter. If the key does not fit on one line, paste it in several pieces and press Enter after each; IOS joins the lines typed in key-string mode into one key.
Type exit until you are back at the privileged EXEC prompt (or use end), then save the configuration with copy running-config startup-config.
That's it for configuring the Cisco device. You can check the result with show running-config | section pubkey-chain; IOS stores the key as a key-hash ssh-rsa fingerprint rather than the text you pasted. You can add multiple keys per user, and you can have multiple users, each with their own keys for logging in.
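As an added example (not part of the original article), the following Python script turns the OpenSSH authorized_keys line above into the exact sequence of IOS commands to paste, splits a long key blob over several lines, warns when the key is shorter than 2048 bits, and computes the fingerprint to compare against the key-hash line in the running-config. Two assumptions are baked in and should be checked against your IOS version: that key-string mode accepts the blob split across lines (the 200-character width is a conservative choice, not a documented limit), and that the hex value IOS shows after key-hash ssh-rsa is the MD5 of the decoded key blob (the same value ssh-keygen -l -E md5 prints).

```python
"""Build the Cisco IOS 'ip ssh pubkey-chain' commands from an OpenSSH authorized_keys line.

Added example for this article, not from the original. Assumptions (check against your
IOS version): key-string mode accepts the base64 blob split over several lines, and the
'key-hash ssh-rsa <hex>' line IOS writes to the running-config is the MD5 of the decoded blob.
"""
import base64
import hashlib
import struct

# Constructed sample input: the authorized_keys line quoted in the article (1024-bit RSA key).
SAMPLE_AUTHORIZED_KEYS = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBztRNLSqzuIDxATAl6zAhLcsTL40XHAANd+7ljTpbgvYX5IDJjYyD4jpDW9x8Qml553k0chDNFuW2ZE0gVL+MetDatI/DrgMIVRVcU9ZJLsVGqv6SuXeQI7UpvkP7ow+HS0hTd7GDw9sJ+OjAEIIcAhlBJ+4CPIeWjs98Z5ube6Q== my-cisco-device-key"


def _read_ssh_string(buf, offset):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes) from buf at offset."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset:offset + length], offset + length


def parse_authorized_keys_line(line):
    """Split '<type> <base64> [comment]', decode the blob and return the key's basic facts."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, blob_b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if key_type != "ssh-rsa":
        raise ValueError("this pubkey-chain recipe is for ssh-rsa keys, got %r" % key_type)
    blob = base64.b64decode(blob_b64, validate=True)
    # RFC 4253 ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n
    name, off = _read_ssh_string(blob, 0)
    e_bytes, off = _read_ssh_string(blob, off)
    n_bytes, off = _read_ssh_string(blob, off)
    if name != b"ssh-rsa" or off != len(blob):
        raise ValueError("blob does not contain exactly one ssh-rsa key")
    return {
        "type": key_type,
        "blob_b64": blob_b64,
        "comment": comment,
        "exponent": int.from_bytes(e_bytes, "big"),
        # modulus size in whole bytes; an mpint carries a leading 0x00 when its top bit is set
        "bits": len(n_bytes.lstrip(b"\x00")) * 8,
    }


def ios_key_hash(blob_b64):
    """Fingerprint to compare with 'key-hash ssh-rsa <hex>' in the running-config (assumed: MD5 of the raw blob)."""
    return hashlib.md5(base64.b64decode(blob_b64)).hexdigest().upper()


def ios_pubkey_commands(username, authorized_keys_line, width=200, min_bits=2048):
    """Return (commands, warnings): the IOS lines to paste, plus a warning if the key is short.

    The blob is cut into pieces of at most `width` characters, one per line, because
    IOS concatenates the lines typed in key-string mode (width is a conservative choice).
    """
    key = parse_authorized_keys_line(authorized_keys_line)
    warnings = []
    if key["bits"] < min_bits:
        warnings.append("key is %d bits; regenerate with at least %d" % (key["bits"], min_bits))
    blob = key["blob_b64"]
    chunks = [blob[i:i + width] for i in range(0, len(blob), width)]
    commands = ["configure terminal", "ip ssh pubkey-chain", "username %s" % username, "key-string"]
    commands += chunks
    # leave key-string, username and pubkey-chain modes, then return to privileged EXEC
    commands += ["exit", "exit", "exit", "end"]
    return commands, warnings


if __name__ == "__main__":
    cmds, warns = ios_pubkey_commands("admin", SAMPLE_AUTHORIZED_KEYS)
    print("\n".join(cmds))
    for w in warns:
        print("WARNING:", w)
    print("expected in running-config: key-hash ssh-rsa", ios_key_hash(SAMPLE_AUTHORIZED_KEYS.split()[1]))
```

Run it against your own authorized_keys line, paste the printed commands into the device, and compare the printed fingerprint with the key-hash line in show running-config; a mismatch means the paste was mangled (usually a missing piece or a stray line break inside the blob). The sample key from the article triggers the size warning because it is only 1024 bits.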
Setting up a PuTTY profile
To make use of your key, you must specifically configure PuTTY to do so. Open PuTTY and go to Connection -> SSH -> Auth. In the Private key file for authentication field, browse to your privatekey.ppk file.
You may also want PuTTY to log in automatically with the username. Go to Connection -> Data and fill in the Auto-login username field (admin in this example).
Once you've completed your setup, save your session in the Session category so you don't have to repeat this every time you want to log in to your device.
When you login using your key, the result should be like this: