Setting up SSH, and Key-Based Authentication on Cisco Devices

Logging in remotely, and securely is pretty much NetOps 101. Furthermore, adding in secure, password-less login options like RSA Key Based Authentication are almost always a pre-requisite, and most definitely a best practice of Network Device Automation Frameworks. In this post, we're just setting up the basics. We're going to generate keys on a Cisco device, configure SSH, and add my public key for password-less auth.

Note: This assumes a Priv 15 user and secret are already set up.

First up, Cisco devices require us to generate a key pair to enable SSH. Setting up a key pair, requires a hostname other than 'Router' and a domain name to be set. Assuming we're working from a factory default router, our first commands to allow us to generate a key pair are:

hostname rtr
ip domain-name lab.local

Now that the pre-requsites are all set, we can generate our key pair. For best practice, we're also going to define the bit depth, by using the modulus command

crypto key generate rsa modulus 4096

The public key that was generated can be displayed using the following command:

 show crypto key mypubkey rsa

The Key Pair is the pre-requsite to enabling the SSH service. Now that we have a pair created, we can enable the service, and set its parameters. The following config sets the SSH Server Version, enables the service, and relies on the new AAA model to authenticate, authorize, and account for the user.

ip ssh server version 2
aaa new-model

Excellent. Now a public key can be added from any workstation, lab machine, Jekins box, etc. for a preconfigured user. The public key data must first be obtained. On *nix like systems this is usually in ~/.ssh/ The contents of this file is the public key hash. This will be entered into the Cisco device, as a pre-authorized key for the appropriate user. In my case, my username is mcornstubble.

We begin by entering the ip ssh pub-keychain command into Cisco IOS. This will place us into a sub-configuration mode to allow he configuration of a key per user. This process is started by entering the username command, followed by the user, then hitting a carriage return. This drops into another sub-configuration menu where the public key can be entered by first entering the key-string command, followed by carriage return, and finally the public key hash.

ip ssh pub-keychain
username mcornstubble
ssh-rsa 'Key ID'

Now that key authentication is configured and working, we can add a security improvement by disabling password based authentication. This is a preferred security best practice. Disabling password based authentication will prevent login from machines without that do not have their keys permitted in the IOS Public Key Chain.

ip ssh server algorithm authentication publickey

That's it! At this point we have enabled AAA, the SSH Service, added a key to a user, and disabled password based authentication.


© 2019