BGP.guru

31 May 2015

SSH Pubkeys with Cisco IOS 15

One of the new features of IOS 15 that I’m most excited about is the ability to use RSA public key authentication. This works on both switches and routers.

Configuring public key authentication is pretty straightforward: in configuration mode, create a user and then associate the key with that user.

username test priv x secret supers3cr3tn0bdyw1llgue55

# You need to make sure this public key is trusted by your router.

ip ssh pubkey-chain
  username test
    key-string
      copy the entire public key as it appears in id_rsa.pub,
      including ssh-rsa and username@hostname.
      Please note that some IOS versions will accept a
      maximum of 254 characters per line. You can paste multiple lines.
    exit
  exit
# Please also make sure that the RSA key pair you generate
# is larger than 768 bits.
# You can also force SSHv2 on the server side (although strictly
# speaking it's not required if you're using SSH 1.99).
ip ssh version 2

The only gotcha really is that some devices (2960, 3560 switches, not ASR1000X’s) have a maximum line length and you need to split the public key string data into multiple lines no longer than 254 characters.
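As an added example (not from the original post), the script below turns an OpenSSH id_rsa.pub line into the pubkey-chain stanza above, splitting the key text into lines no longer than 254 characters and refusing keys that are not larger than 768 bits. It parses the ssh-rsa wire format itself; the 2048-bit and 768-bit keys it is tested with are constructed, not real keys.

```python
import base64
import struct

MAX_LINE = 254  # longest key-string line some IOS platforms (2960/3560) accept
MIN_BITS = 768  # IOS rejects RSA keys that are not larger than this


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # leading zero keeps the big-endian integer positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_pubkey_line(n, e, comment):
    """Build an OpenSSH 'ssh-rsa <base64> <comment>' line (used for constructed test keys)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def rsa_modulus_bits(pubkey_line):
    """Decode the base64 blob of an ssh-rsa line and return the modulus size in bits."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64> [comment]' line")
    blob, off, parts = base64.b64decode(fields[1]), 0, []
    for _ in range(3):                      # wire layout: type string, e, n
        (length,) = struct.unpack(">I", blob[off:off + 4])
        parts.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if parts[0] != b"ssh-rsa":
        raise ValueError("blob key type does not match the text prefix")
    return int.from_bytes(parts[2], "big").bit_length()


def ios_pubkey_chain(username, pubkey_line):
    """Return the IOS config that trusts pubkey_line for username, split for IOS line limits."""
    bits = rsa_modulus_bits(pubkey_line)
    if bits <= MIN_BITS:
        raise ValueError(f"RSA key is {bits} bits; IOS requires more than {MIN_BITS}")
    text = " ".join(pubkey_line.split())    # whole line: type, data and comment
    chunks = [text[i:i + MAX_LINE] for i in range(0, len(text), MAX_LINE)]
    lines = ["ip ssh pubkey-chain", f"  username {username}", "    key-string"]
    lines += [f"      {chunk}" for chunk in chunks]
    lines += ["    exit", "  exit"]
    return "\n".join(lines)
```

IOS concatenates the key-string lines back together, so the split can fall anywhere in the base64 data.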

Theodore Baschak - Theo is a network engineer with experience operating core internet technologies like HTTP, HTTPS and DNS. He has extensive experience running service provider networks with OSPF, MPLS, and BGP.