SSH Public Key Authentication on Cisco IOS

Craig Garnham, WXIT
Jun 28, 2020

We will add our public key to a Cisco IOS router and use it for SSH authentication instead of a password.

Cisco IOS basic SSH configuration

First, we will need to set up a basic SSH configuration on our router.

Our router will need a domain name

R1(config)#ip domain-name example.local

Generate a 2048 bit RSA key pair

R1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: R1.example.local
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable…
[OK] (elapsed time was 27 seconds)
%SSH-5-ENABLED: SSH 1.99 has been enabled

Enable SSH version 2

R1(config)#ip ssh version 2

Configure the VTY lines to accept SSH and use local authentication

R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login local

Import Public keys to the router

On Linux and macOS the public key is printed on a single line, which exceeds the maximum line length of 254 characters that Cisco IOS supports. We can use the fold command to break the key over multiple lines. We can also remove the “ssh-rsa” at the beginning and the comment at the end.

fold -b -w100 .ssh/id_rsa.pub

On Windows, the public key is already split over multiple lines. We can remove the “begin” and “end” lines, as well as any comments.

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMc4/ju5lQOouBQKN+DcGNyJ0v
fv+lLdeCyPPpaLsdL3r3yw2hs/L+hAPemMSUoxb0w9MyEyhrrur7poyQbKmdonX8
5PUMmIXv+BiFlUO11pWU9iYo6kKAfahqhoEooNsy9s0CrqJzcghiFaHLVCN/WdDt
-----END PUBLIC KEY-----

Enter public key chain configuration mode

ip ssh pubkey-chain

Select the username, then enter the key-string command

username example
key-string

Paste the lines of the public key, then type exit
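The key preparation above can be scripted so the paste is always well-formed. The following is an added example, not part of the original post: it strips the "ssh-rsa" prefix and comment from an id_rsa.pub line, folds the base64 to 100-character lines, prints the complete IOS snippet, and computes the MD5 of the decoded key, which is the value IOS shows as "key-hash ssh-rsa" in the running config once the key-string has been saved (that storage behaviour is assumed from IOS, not stated in the post). The username "example" and the sample key line are constructed; the key material is all zeros and is not a usable key.

```shell
#!/bin/sh
# Added example: build a Cisco IOS "ip ssh pubkey-chain" snippet from an OpenSSH
# public key line and derive the key-hash IOS stores, so the import can be checked
# with "show running-config | section pubkey-chain" (IOS behaviour assumed).
# Requires: awk, fold, base64, and md5sum (or openssl as a fallback).
set -eu

# CONSTRUCTED id_rsa.pub-style line: "<type> <base64 blob> <comment>".
# 372 'A' characters decode to all-zero bytes; this only exercises the formatting.
SAMPLE_PUBKEY="ssh-rsa $(printf 'A%.0s' $(seq 1 372)) alice@workstation"

# Keep only the base64 blob: drops the "ssh-rsa" prefix and the trailing comment.
key_blob() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Fold the blob to 100-character lines, well under the 254-character IOS limit.
fold_blob() {
    key_blob "$1" | fold -b -w100
}

# Print the full IOS configuration snippet for the given local username.
ios_pubkey_snippet() {
    user="$1"; pubkey="$2"
    printf 'ip ssh pubkey-chain\n username %s\n  key-string\n' "$user"
    fold_blob "$pubkey" | sed 's/^/   /'
    printf '  exit\n exit\nexit\n'
}

# Hex MD5 over the decoded key blob. IOS replaces the pasted key-string with
# "key-hash ssh-rsa <md5>" in the running config; compare it against this value.
expected_key_hash() {
    if command -v md5sum >/dev/null 2>&1; then
        key_blob "$1" | base64 -d | md5sum | cut -d' ' -f1
    else
        key_blob "$1" | base64 -d | openssl dgst -md5 | sed 's/.* //'
    fi
}

# Stand-alone run: show the snippet to paste and the hash to verify afterwards.
ios_pubkey_snippet example "$SAMPLE_PUBKEY"
printf 'expected: key-hash ssh-rsa %s\n' "$(expected_key_hash "$SAMPLE_PUBKEY")"
```

For a real key, replace SAMPLE_PUBKEY with the contents of ~/.ssh/id_rsa.pub; the same hash can be cross-checked locally with `ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub` (colons removed).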

We can now test connecting using our SSH key

ssh example@192.168.1.1

If our private key is protected by a passphrase, we will be prompted for it before we can connect.

Now that we can authenticate using our public key, we can disable password authentication on the router.

R1(config)#no ip ssh server algorithm authentication password
R1(config)#no ip ssh server algorithm authentication keyboard
