SSH key auth for IOS

SSH key authentication is awesome.


If you don’t already have a key, generate one using ‘ssh-keygen’. These details are for OpenSSH on OSX. Google for PuttyGen if you’re on Windows.

You must protect the key with a passphrase. If you don’t want to enter this passphrase every time you connect, you can use an SSH agent. That's another post.

ianh@bloodshot:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/ianh/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/ianh/.ssh/id_rsa.
Your public key has been saved in /Users/ianh/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ClvUzv0VhbNifvVO4J+yC9/teCTJ7W2z8LIANFaRoTM ianh@bloodshot.ianh.net.au
The key's randomart image is:
+---[RSA 2048]----+
|           ++  ..|
|       .  o.  o. |
|      . .E    .o |
|     . oo.+ o o..|
|    . . S..o +.=.|
|     + .  ....* =|
|    . .    o.o Bo|
|            +o++O|
|             =BB=|
+----[SHA256]-----+
ianh@bloodshot:~$

Once you’ve generated your key, you need to add the public side to the router. To paste the public key in, you need it wrapped onto shorter lines, otherwise IOS will truncate the end. Use ‘fold’ for this.

ianh@bloodshot:~$ cat .ssh/id_rsa.pub | fold
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgctwEQjbFfIQ0W0F7f2e/zPo8Xkd5++Jol6RTFLQM
wlaCDJFCrQoMjmkNvPzdjIKD63DjQSoM6W6y7OuFV9g6BiXaRgWATLPbxa3mXHLNee06ZesOQblscmxC
tUZMfCwLlRtYYQXEmBximtxk4b5rHKpTS6ft2aUiQbDtDMak1phRdkYI2RtHAZpJ6f+L0a65vEY1nRdz
VRw7VA2WWdBTOXPJrUeLVx9O/rYkKS25o7v4YuNVK3t3PIgysVX12rppq5t9m1VH+/zd1thozr0gR84U
lzCeZ32jvqPeN0/eW0Y8ChkN7d6w+hoeU5ix4okD6oozLH5ltIT9ijY9htCH ianh@bloodshot.ianh
.net.au
ianh@bloodshot:~$

Now add it to the router, pasting in the folded public key from above. Note that the prompt doesn’t make it very obvious that this is multi-line data (as it would for a switchport macro or MOTD).

rt1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
rt1(config)#ip ssh pubkey-chain
rt1(conf-ssh-pubkey)#username ianh
rt1(conf-ssh-pubkey-user)#key-string
rt1(conf-ssh-pubkey-data)#ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgctwEQjbFfIQ0W0F7f2e/zPo8Xkd5++Jol6RTFLQM
rt1(conf-ssh-pubkey-data)#wlaCDJFCrQoMjmkNvPzdjIKD63DjQSoM6W6y7OuFV9g6BiXaRgWATLPbxa3mXHLNee06ZesOQblscmxC
rt1(conf-ssh-pubkey-data)#tUZMfCwLlRtYYQXEmBximtxk4b5rHKpTS6ft2aUiQbDtDMak1phRdkYI2RtHAZpJ6f+L0a65vEY1nRdz
rt1(conf-ssh-pubkey-data)#VRw7VA2WWdBTOXPJrUeLVx9O/rYkKS25o7v4YuNVK3t3PIgysVX12rppq5t9m1VH+/zd1thozr0gR84U
rt1(conf-ssh-pubkey-data)#lzCeZ32jvqPeN0/eW0Y8ChkN7d6w+hoeU5ix4okD6oozLH5ltIT9ijY9htCH ianh@bloodshot.ianh
rt1(conf-ssh-pubkey-data)#.net.au
rt1(conf-ssh-pubkey-data)#exit
rt1(conf-ssh-pubkey-user)#exit
rt1(conf-ssh-pubkey)#exit
rt1(config)#exit
rt1#
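As an added check on the paste above (this script is mine, not the post's or Cisco's), the following Python reproduces the ‘fold’ step, parses the key blob so a malformed or wrong-size key is caught before it reaches the router, and builds the exact command sequence typed into rt1. It uses the public key printed earlier in this post. The key-hash function rests on an assumption that the post does not state: that the value IOS shows as ‘key-hash ssh-rsa …’ in the running config is the MD5 of the raw key blob (the same digest ‘ssh-keygen -E md5 -lf’ prints), so that you can confirm the router holds the key you meant to install.

```python
import base64
import hashlib
import struct

# The public key line as printed by `cat .ssh/id_rsa.pub` earlier in this post,
# joined back into one line.
PUBKEY_LINE = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDgctwEQjbFfIQ0W0F7f2e/zPo8Xkd5++Jol6RTFLQM"
    "wlaCDJFCrQoMjmkNvPzdjIKD63DjQSoM6W6y7OuFV9g6BiXaRgWATLPbxa3mXHLNee06ZesOQblscmxC"
    "tUZMfCwLlRtYYQXEmBximtxk4b5rHKpTS6ft2aUiQbDtDMak1phRdkYI2RtHAZpJ6f+L0a65vEY1nRdz"
    "VRw7VA2WWdBTOXPJrUeLVx9O/rYkKS25o7v4YuNVK3t3PIgysVX12rppq5t9m1VH+/zd1thozr0gR84U"
    "lzCeZ32jvqPeN0/eW0Y8ChkN7d6w+hoeU5ix4okD6oozLH5ltIT9ijY9htCH"
    " ianh@bloodshot.ianh.net.au"
)


def fold(line, width=80):
    """Cut a line into fixed-width pieces, which is what `fold` does at its default width."""
    return [line[i:i + width] for i in range(0, len(line), width)]


def parse_pubkey(line):
    """Split an OpenSSH public key line into (key type, decoded key blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) > 2 else ""
    return keytype, base64.b64decode(b64, validate=True), comment


def ssh_fields(blob):
    """Decode the uint32-length-prefixed fields of an SSH wire-format key blob."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated key blob")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def rsa_params(blob):
    """Return (public exponent, modulus size in bits) for an ssh-rsa blob."""
    fields = ssh_fields(blob)
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    e = int.from_bytes(fields[1], "big")
    n = int.from_bytes(fields[2], "big")
    return e, n.bit_length()


def ios_key_hash(blob):
    """MD5 of the raw key blob as 32 upper-case hex digits.

    Assumption (not stated in the post): this is the value IOS shows as
    `key-hash ssh-rsa <hex> <comment>` under `show running-config | section pubkey`,
    and it is the digest `ssh-keygen -E md5 -lf id_rsa.pub` prints with colons.
    """
    return hashlib.md5(blob).hexdigest().upper()


def ios_pubkey_config(username, line, width=80):
    """Build the same command sequence that was typed into rt1 above, ready to paste."""
    keytype, blob, _comment = parse_pubkey(line)
    if keytype != "ssh-rsa":
        raise ValueError("this post covers ssh-rsa keys only")
    rsa_params(blob)  # raises if the blob is not a well-formed RSA key
    lines = ["ip ssh pubkey-chain", f"username {username}", "key-string"]
    lines += fold(line, width)
    lines += ["exit", "exit", "exit"]
    return "\n".join(lines)


if __name__ == "__main__":
    keytype, blob, comment = parse_pubkey(PUBKEY_LINE)
    e, bits = rsa_params(blob)
    print(f"{keytype} {bits}-bit key, e={e}, comment={comment!r}")
    print(f"expected IOS key-hash: {ios_key_hash(blob)}")
    print(ios_pubkey_config("ianh", PUBKEY_LINE))
```

The parse step is the useful part: it decodes the blob the router will store and confirms it is a 2048-bit ssh-rsa key with a sane exponent, so a key that was mangled by a clipboard or terminal (the very problem ‘fold’ works around) fails here rather than silently on the router.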

Now let's test! Because I’m using OSX, I get asked for the passphrase in a GUI window. Other OSes will ask on the CLI.


ianh@bloodshot:~$ ssh rt1
rt1#

Warning! If you are creating a user that will exclusively use public key authentication, you still need to configure a password on the IOS device. Otherwise, the user can simply connect without offering a public key at all; i.e., don’t use ‘username ianh privilege 15’ on its own, you must use ‘username ianh privilege 15 secret stuff’.

ianh@bloodshot:~$ ssh -o pubkeyauthentication=no rt1
Password: <press enter>
rt1#

Unfortunately you can’t store the public key in TACACS or RADIUS, but you can still use them as the basis of the account existing or not.

Certificates for ASA SSL VPN

How do you set up a Cisco ASA SSL VPN using a CA-supplied cert?

You need three things here.

  1. The new certificate – vpn.ianh.net.au.crt.
  2. The new certificate’s key – vpn.ianh.net.au.key.
  3. The new certificate’s CA bundle, including any intermediate certificates – vpn.ianh.net.au.ca-bundle.

First we combine the certificate and key into a PKCS12 file and base64 encode it. The export password is ‘areallystrongpassword’; it is only needed during the import process, and we delete the file once the import is complete.

ianh@linux:~/cert$ openssl pkcs12 -CAfile vpn.ianh.net.au.ca-bundle -in vpn.ianh.net.au.crt -inkey vpn.ianh.net.au.key -nodes -export -out vpn.ianh.net.au.p12

Enter Export Password: areallystrongpassword

Verifying - Enter Export Password: areallystrongpassword

ianh@linux:~/cert$ openssl base64 -in vpn.ianh.net.au.p12 -out vpn.ianh.net.au.b64p12

ianh@linux:~/cert$ cat vpn.ianh.net.au.b64p12 
***lots of cert, copy this output to clipboard for next step***

Then we create a new trustpoint on the ASA and paste in the base64-armoured PKCS12 file.

asa(config)# cry ca trustpoint VPN
asa(config-ca-trustpoint)# en term
asa(config-ca-trustpoint)# cry ca import VPN pass areallystrongpassword
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
***paste cert here***
quit
INFO: Import PKCS12 operation completed successfully

Then we add the CA bundle (yes, you do have to do ‘en term’ again):

asa(config)# cry ca trustpoint VPN
asa(config-ca-trustpoint)# en term
asa(config-ca-trustpoint)# cry ca authenticate VPN
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
***Paste CA bundle here***
quit
INFO: Certificate has the following attributes:
Fingerprint:     83ea0465 b722ed33 ff0b4f53 5e1d396b 
Do you accept this certificate? [yes/no]: yes
Trustpoint 'VPN' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
% Certificate successfully imported
asa(config)# exit
asa#

If this is a replacement certificate, you may need to point webvpn/DTLS to the new trustpoint.

asa(config-webvpn)#no ssl trust-point VPN outside  
asa(config-webvpn)#ssl trust-point VPN outside

Then you need to save the config to force the DTLS process to look at the new certificate.

asa# wr
Building configuration...
Cryptochecksum: 1c43aaba fbb00b48 2b771bef e5a3598d 
154662 bytes copied in 0.890 secs
[OK]
asa#

Don’t forget to delete the certificate files from your workspace to keep them secure.

ianh@linux:~/cert$ rm vpn.ianh.net.au.crt vpn.ianh.net.au.key vpn.ianh.net.au.ca-bundle vpn.ianh.net.au.p12 vpn.ianh.net.au.b64p12
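Before answering ‘yes’ at the fingerprint prompt in the ‘cry ca authenticate’ step, it is worth confirming that the fingerprint the ASA printed is that of the CA certificate you meant to trust, rather than whatever happened to be in the clipboard. The following Python is added here and is not from the post or Cisco. It splits a PEM bundle into its certificates, formats each digest the way the ASA prints it, and also wraps data at 64 columns the way ‘openssl base64’ does for the paste step. The bundle it runs on is a constructed stand-in (the bodies are base64 of ‘abc’ and ‘a’, not real certificates) so it runs offline; it assumes, which the post does not state, that the ASA ‘Fingerprint:’ line is MD5 over the DER certificate, the same digest ‘openssl x509 -noout -fingerprint -md5’ reports.

```python
import base64
import hashlib
import re

# Constructed stand-in for vpn.ianh.net.au.ca-bundle so this runs offline: the two
# bodies are the base64 of the bytes b"abc" and b"a", not real certificates.
CONSTRUCTED_BUNDLE = """\
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YQ==
-----END CERTIFICATE-----
"""

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def split_bundle(pem_text):
    """Return the DER bytes of each certificate in a PEM bundle, in file order."""
    return [
        base64.b64decode("".join(m.group(1).split()))
        for m in PEM_CERT.finditer(pem_text)
    ]


def asa_fingerprint(der):
    """Format the digest the way the ASA prints it: four groups of eight lowercase hex digits.

    Assumption (not stated in the post): the 'Fingerprint:' line shown by
    `cry ca authenticate` is MD5 over the DER certificate, i.e. the digest that
    `openssl x509 -noout -fingerprint -md5 -in <cert>` reports.
    """
    h = hashlib.md5(der).hexdigest()
    return " ".join(h[i:i + 8] for i in range(0, 32, 8))


def fingerprint_matches(shown, der):
    """True if the fingerprint the ASA displayed equals the local digest (case and spacing ignored)."""
    def norm(s):
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(shown) == norm(asa_fingerprint(der))


def paste_lines(blob):
    """Wrap binary data as base64 at 64 columns, the layout `openssl base64` writes."""
    b64 = base64.b64encode(blob).decode("ascii")
    return [b64[i:i + 64] for i in range(0, len(b64), 64)]


if __name__ == "__main__":
    certs = split_bundle(CONSTRUCTED_BUNDLE)
    for i, der in enumerate(certs):
        print(f"bundle cert {i}: {asa_fingerprint(der)}")
    # Compare what the ASA printed (value from the post above) with the digest of the
    # first certificate in the bundle before typing 'yes' at the prompt.
    shown = "83ea0465 b722ed33 ff0b4f53 5e1d396b"
    print("matches local CA:", fingerprint_matches(shown, certs[0]))
```

Run it against the real ca-bundle before the import, note the fingerprint of the intermediate you expect the ASA to accept, and only answer ‘yes’ when the two agree; a mismatch means the paste was not the file you thought it was.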

Come down to the lab and see what's on the slab…

Hi folks,

First blog post, please be kind. My aim for this blog is to post neat things I’ve found in the networking universe. My current focus is on the Cisco datacentre ecosystem (Nexus, UCS and friends), with a smattering of VMware, NetApp and Linux.