SSH Public Key Authentication on Cisco IOS

This topic is to discuss the following lesson:

This is a GREAT walkthrough, however I see in the url that it sits in “uncatagorized”. Do you have a quick way to browse to this location to locate this walkthrough? I only happened across it via a link in another comment.

Hello Edgar

Thanks for pointing that out, I’ll give a shout out to Rene to see if it can be located somewhere more accessible.

Thanks again!

Laz

Hi Rene and staff,
I was doing a basic IPv6 lab with GNS3 and SSH came to the front of the scene (no matter IPv4 or IPv6 in this post).
This is the lab:

Opening an SSH session from HostA to R1 led me to review crypto keys with Cisco (just to remind myself).
R1 configuration is


Host A is toolbox

I opened the ssh session


Sorry, I failed the password twice
and exited the session.

At this step, my question is about finding the public key of R1 in hostA.

Going to hostA, here is what I found
(vi /root/.ssh/known_hosts):

Going to R1, here is what I found:

The key data on R1 does not seem to match the content of the file known_hosts in the client hostA: that is what I want to understand.
If I am on the wrong track, please tell me so I can understand.
Regards

Hello Dominique

The key data in the router and that found within the known_hosts file do appear different, and this is simply because of the method of encoding. Within the router, the key data is displayed in hexadecimal, while in the known_hosts file it is in what is known as Base64 encoding, which represents binary data in ASCII (and this is why you see all the letters of the alphabet as well as many symbols). This Ubuntu man page includes a description of the format of the known_hosts file.

I hope this has been helpful!

Laz
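To make the encoding difference concrete, here is an added example (not part of the original thread or of any Cisco tool) that decodes the Base64 key blob from a known_hosts line into its exponent and modulus, so the modulus can be compared in hex with the router's key data, and that computes the MD5 fingerprint of the blob, which is the form used by the key-hash ssh-rsa value in ip ssh pubkey-chain configurations later in this thread. The sample key below is constructed with a toy modulus and is not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample: toy RSA public key (e=65537, tiny modulus) in OpenSSH
# wire format. NOT a real key; a real modulus is 2048 bits or more.
SAMPLE_E = 65537
SAMPLE_N = 0xC3E5B2A1F0D94F3B11E7


def _ssh_string(b: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the data."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint': big-endian magnitude, with a 0x00 pad if the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_ssh_rsa_blob(e: int, n: int) -> bytes:
    """Build the binary blob that Base64-encodes to the known_hosts key field."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_ssh_rsa_blob(blob: bytes):
    """Split an ssh-rsa blob into (e, n) as Python ints."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def parse_known_hosts_line(line: str):
    """Return (host, e, n) from a line of the form '<host> ssh-rsa <base64>'."""
    host, keytype, b64 = line.split()[:3]
    if keytype != "ssh-rsa":
        raise ValueError("only ssh-rsa is handled here")
    return (host,) + parse_ssh_rsa_blob(base64.b64decode(b64))


def cisco_key_hash(b64: str) -> str:
    """MD5 of the decoded blob as 32 upper-case hex digits (key-hash ssh-rsa form)."""
    return hashlib.md5(base64.b64decode(b64)).hexdigest().upper()


SAMPLE_LINE = "10.0.0.1 ssh-rsa " + base64.b64encode(
    build_ssh_rsa_blob(SAMPLE_E, SAMPLE_N)).decode()
```

Running parse_known_hosts_line on a real known_hosts entry and printing hex(n) gives the modulus in the same hexadecimal notation the router uses, so the two can be checked against each other by eye.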

Hi!

This is a great walkthrough but I have an older 3560 in my lab and the ip ssh pubkey-chain command doesn’t exist. Is there a different method to accomplish this on older switches? Here’s the image it’s running:

c3560-ipservicesk9-mz.122-55.SE9.bin

Second question: How can we setup authorization so that successfully authenticating with radius puts you in priv exec mode?

Hello Aaron

If you take a look at this Cisco command line reference, you’ll see that this command was introduced in IOS version 15.0.

It seems that the 3560 platform doesn’t support public key authentication for SSH. The following documentation however describes how to secure SSH communication:

Yes, it is possible. Take a look at this Cisco documentation:

I hope this has been helpful!

Laz

Hi,
As far as I understand, in the procedure a local username is used (WINDOWS_USER) and added to the configuration of the IOS device:

R1#show running-config | begin pubkey
ip ssh pubkey-chain
  username WINDOWS_USER
   key-hash ssh-rsa 8FB4F858DD7E5AFB372780EC653DB371
  quit

But this is still a local username which has to be added to the switch/router/ASA… Is it possible to use SSH keys while authenticating with a TACACS+ username?

Thanks a lot,
Olli

Hello Oliver

It seems that SSH Public Key Authentication is only available for local username authentication. This can be seen in the following Cisco documentation:


As I don’t have personal experience with SSH Public Key Authentication in combination with an AAA system, I did a bit of research online, and there seems to be a general consensus on other sites focusing on RADIUS and TACACS+ that this is not possible. Although it is not stated clearly anywhere official, the general experience of users seems to indicate that it is not possible.

I hope this has been helpful!

Laz

So I’ve been experimenting with FreeRadius and have a radius working with a “Cleartext-Password” (still researching what other versions I can use) however if I create a public key for myself on the router, it will begin logging me in, show me the motd, then disconnect me. I’d like my ssh public key in free radius and not on the router (to begin with) and of course would like the login to complete.

Still trying to debug why it boots me after doing the pubkey handshake.

! note that my radius server is on the VRF-lite “relay_admin” network

aaa group server radius RADIUS_SERVERS
 server name RADIUS1_IPv4
 ip vrf forwarding relay_admin
 ip radius source-interface Loopback102
 load-balance method least-outstanding ignore-preferred-server
!
aaa authentication login default group RADIUS_SERVERS local
aaa authorization exec default group RADIUS_SERVERS if-authenticated
aaa accounting exec default start-stop group RADIUS_SERVERS
!
radius server RADIUS1_IPv4
 address ipv4 172.16.1.10 auth-port 1812 acct-port 1813
 key SECRET_KEY
!
ip ssh pubkey-chain
  username my-test-acct
   key-hash ssh-rsa E40E01E464A9C15EEE76DDB7A10C5B8E my-test-key

Radius server has radcheck table entry:

null,"my-test-acct","Cleartext-Password",":=","my-test-password"

Radius server has radreply table entries:

  null,'my-test-acct','Service-Type','+=','NAS-Prompt-User'
  null,'my-test-acct','cisco-avpair','+=','shell:priv-lvl=15'

Don’t know where to put the ssh key or if there is a table entry for it in the radcheck?

Marcos

Hello Marcos

If you look at some of the above posts you’ll find that an SSH public key on a non-local AAA system such as FreeRADIUS is not supported.

Looking through some of the posts and links above may help you in further understanding this approach. If you have any further questions, just let us know!

I hope this has been helpful!

Laz