SSH key auth for IOS

SSH key authentication is awesome.


If you don’t already have a key, generate one using ‘ssh-keygen’. These details are for OpenSSH on OSX. Google for PuttyGen if you’re on Windows.

You must protect the key with a passphrase. If you don’t want to enter this passphrase every time you connect, you can use an SSH agent. That’s another post.

ianh@bloodshot:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/ianh/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/ianh/.ssh/id_rsa.
Your public key has been saved in /Users/ianh/.ssh/
The key fingerprint is:
The key's randomart image is:
+---[RSA 2048]----+
|           ++  ..|
|       .  o.  o. |
|      . .E    .o |
|     . oo.+ o o..|
|    . . S..o +.=.|
|     + .  ....* =|
|    . .    o.o Bo|
|            +o++O|
|             =BB=|

Once you’ve generated your key, you need to add the public side to the router. To paste the public key in, you need it to wrap on smaller lines, otherwise IOS will truncate the end. Use ‘fold’ for this.

ianh@bloodshot:~$ cat .ssh/ | fold
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgctwEQjbFfIQ0W0F7f2e/zPo8Xkd5++Jol6RTFLQM
lzCeZ32jvqPeN0/eW0Y8ChkN7d6w+hoeU5ix4okD6oozLH5ltIT9ijY9htCH ianh@bloodshot.ianh

Now add it to the router, pasting in the folded public key from above. Note the prompt doesn’t indicate this is multi-line data very well (like it would for a switchport macro or MOTD).

rt1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
rt1(config)#ip ssh pubkey-chain
rt1(conf-ssh-pubkey)#username ianh
rt1(conf-ssh-pubkey-data)#ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgctwEQjbFfIQ0W0F7f2e/zPo8Xkd5++Jol6RTFLQM
rt1(conf-ssh-pubkey-data)#lzCeZ32jvqPeN0/eW0Y8ChkN7d6w+hoeU5ix4okD6oozLH5ltIT9ijY9htCH ianh@bloodshot.ianh
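The three steps above (generate, fold, paste) can be checked before you touch the router. The following is an added example of mine, not code from the original post: it decodes an OpenSSH `ssh-rsa` line, refuses malformed or undersized keys, folds it at 80 columns exactly as `fold` does, and computes the MD5 of the key blob, which is the value I expect IOS to show after `key-hash ssh-rsa` in `show run | section pubkey-chain` once the paste has succeeded (an assumption on my part; the post only shows the paste). The sample key is constructed from made-up numbers and is not a real key pair.

```python
import base64
import hashlib
import struct

# Constructed sample: e and n are made-up numbers, NOT a real key pair (n is not a
# product of two primes). They only exercise encode/parse/fingerprint; use the
# contents of your own id_rsa.pub in practice.
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | 0x10001          # 2048-bit modulus with the top bit set


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude, with a leading 0x00 if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_openssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Produce the one-line 'ssh-rsa AAAA... comment' form found in id_rsa.pub."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


SAMPLE_LINE = build_openssh_rsa_line(SAMPLE_E, SAMPLE_N, "ianh@bloodshot.ianh")


def parse_openssh_rsa(line: str, min_bits: int = 2048) -> dict:
    """Decode an ssh-rsa public key line, rejecting malformed or weak keys.

    Returns e, n, the modulus size and two fingerprints of the raw key blob:
    'md5' (hex; assumed to be what IOS writes after 'key-hash ssh-rsa') and
    'sha256' (base64; what 'ssh-keygen -l' prints by default).
    """
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64> [comment]' line")
    blob = base64.b64decode(parts[1], validate=True)
    fields, off = [], 0
    while off < len(blob):                # walk the length-prefixed fields
        if off + 4 > len(blob):
            raise ValueError("truncated key blob")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa key blob")
    e = int.from_bytes(fields[1], "big")
    n = int.from_bytes(fields[2], "big")
    if n.bit_length() < min_bits:
        raise ValueError(f"RSA modulus is {n.bit_length()} bits; need at least {min_bits}")
    return {
        "e": e,
        "n": n,
        "bits": n.bit_length(),
        "md5": hashlib.md5(blob).hexdigest().upper(),
        "sha256": base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }


def key_acceptable(line: str, min_bits: int = 2048) -> bool:
    """True if the line parses cleanly and meets the size floor."""
    try:
        parse_openssh_rsa(line, min_bits)
        return True
    except ValueError:
        return False


def expected_key_hash(line: str) -> str:
    """The MD5 I expect IOS to show as 'key-hash ssh-rsa ...' after a successful paste."""
    return parse_openssh_rsa(line)["md5"]


def fold_key(line: str, width: int = 80) -> list:
    """Cut the line into fixed-width pieces, like 'fold' at its default width of 80."""
    return [line[i:i + width] for i in range(0, len(line), width)]


def ios_paste_block(line: str, username: str) -> str:
    """The text to paste at the router prompt, key pre-folded so IOS does not truncate it."""
    parse_openssh_rsa(line)               # validate before touching the router
    return "\n".join(["ip ssh pubkey-chain", f" username {username}"] + fold_key(line)) + "\n"


if __name__ == "__main__":
    print(ios_paste_block(SAMPLE_LINE, "ianh"))
    print("expected key-hash ssh-rsa", expected_key_hash(SAMPLE_LINE))
```

After pasting, compare the hash the router stored with `expected_key_hash`; a mismatch means the key was truncated or mangled on the way in, which is exactly the failure the `fold` step is there to prevent.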

Now let's test! Because I’m using OSX, I get asked for the passphrase using a GUI window. Other OSes will ask on the CLI.


ianh@bloodshot:~$ ssh rt1

Warning! If you are creating a user that will exclusively use public key authentication, you still need to configure a password on the IOS device. Otherwise, anyone can simply log in as that user with an empty password, without offering a public key at all. i.e. don’t use ‘username ianh privilege 15’ on its own; you must use ‘username ianh privilege 15 secret stuff’.

ianh@bloodshot:~$ ssh -o pubkeyauthentication=no rt1
Password: <press enter>
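The mistake in that warning is easy to make and easy to miss in a long running config, so here is an added example of mine (not from the original post) that audits a config excerpt for it: it cross-checks every top-level `username` line against the `ip ssh pubkey-chain` entries and reports users who have a key but no `secret`/`password`, as well as pubkey entries with no local account at all (which is only fine when TACACS+/RADIUS is what decides whether the account exists). The config excerpt is constructed, with placeholder hashes.

```python
import re

# Constructed running-config excerpt (placeholder hashes, not real credentials)
# covering the three situations the warning is about.
SAMPLE_CONFIG = """\
username ianh privilege 15
username ops privilege 15 secret 5 $1$abcd$PLACEHOLDERHASH
username auditor privilege 1 secret 9 $9$PLACEHOLDERHASH
ip ssh pubkey-chain
 username ianh
  key-hash ssh-rsa 00112233445566778899AABBCCDDEEFF
 username ops
  key-hash ssh-rsa FFEEDDCCBBAA99887766554433221100
 username ghost
  key-hash ssh-rsa 0123456789ABCDEF0123456789ABCDEF
"""


def audit_ssh_users(config: str) -> dict:
    """Cross-check local usernames against ip ssh pubkey-chain entries.

    Returns three sets:
      no_credential        - top-level 'username X ...' lines with neither 'secret'
                             nor 'password', so an empty password is accepted
      pubkey_no_credential - the same, restricted to users who also have a public
                             key (the exact mistake the post warns about)
      pubkey_no_local_user - pubkey-chain entries with no local username line;
                             acceptable only if AAA asserts that the account exists
    """
    with_cred, without_cred, pubkey_users = set(), set(), set()
    in_chain = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # top-level command: note whether we are entering the pubkey-chain block
            in_chain = line.startswith("ip ssh pubkey-chain")
            m = re.match(r"username (\S+)(?:\s+(.*))?$", line)
            if m:
                name, rest = m.group(1), m.group(2) or ""
                if re.search(r"\b(secret|password)\b", rest):
                    with_cred.add(name)
                else:
                    without_cred.add(name)
        elif in_chain:
            # one-space indent inside the chain is a per-user entry
            m = re.match(r" username (\S+)$", line)
            if m:
                pubkey_users.add(m.group(1))
    local = with_cred | without_cred
    return {
        "no_credential": without_cred,
        "pubkey_no_credential": pubkey_users & without_cred,
        "pubkey_no_local_user": pubkey_users - local,
    }


def report(findings: dict) -> list:
    """Human-readable lines, one per finding, for a quick eyeball or a CI check."""
    lines = []
    for user in sorted(findings["pubkey_no_credential"]):
        lines.append(f"CRITICAL {user}: has a public key but no secret; empty-password login works")
    for user in sorted(findings["no_credential"] - findings["pubkey_no_credential"]):
        lines.append(f"CRITICAL {user}: local user with no secret or password")
    for user in sorted(findings["pubkey_no_local_user"]):
        lines.append(f"INFO {user}: pubkey entry with no local username (AAA-backed account?)")
    return lines


if __name__ == "__main__":
    for line in report(audit_ssh_users(SAMPLE_CONFIG)):
        print(line)
```

Run it over `show running-config` output; anything in the CRITICAL lines is a user the `ssh -o pubkeyauthentication=no` test above would let straight in.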

Unfortunately you can’t store the public key in TACACS or RADIUS, but you can still use them to decide whether the account exists at all.

Certificates for ASA SSL VPN

How do you set up a Cisco ASA SSL VPN using a CA-supplied cert?

You need three things here.

  1. The new certificate –
  2. The new certificate’s key –
  3. The new certificate’s CA bundle, including any intermediate certificates –

First we combine the certificate and key into a base64-encoded PKCS12 file, with a password of ‘areallystrongpassword’. This password is only needed during the import; we delete the file once the import is complete.

ianh@linux:~/cert$ openssl pkcs12 -CAfile -in -inkey -nodes -export -out

Enter Export Password: areallystrongpassword

Verifying - Enter Export Password: areallystrongpassword

ianh@linux:~/cert$ openssl base64 -in -out

ianh@linux:~/cert$ cat 
***lots of cert, copy this output to clipboard for next step***

Then we create a new trust point on the ASA, pasting in the base64-armoured PKCS12 certificate file.

asa(config)# cry ca trustpoint VPN
asa(config-ca-trustpoint)# en term
asa(config-ca-trustpoint)# cry ca import VPN pass areallystrongpassword
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
***paste cert here***
INFO: Import PKCS12 operation completed successfully

Then we add the CA bundle (yes, you do have to do ‘en term’ again):

asa(config)# cry ca trustpoint VPN
asa(config-ca-trustpoint)# en term
asa(config-ca-trustpoint)# cry ca authenticate VPN
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
***Paste CA bundle here***
INFO: Certificate has the following attributes:
Fingerprint:     83ea0465 b722ed33 ff0b4f53 5e1d396b 
Do you accept this certificate? [yes/no]: yes
Trustpoint 'VPN' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
% Certificate successfully imported
asa(config)# exit
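Two of the manual steps above deserve a check: the base64 armouring of the PKCS12 (so nothing is lost on the paste) and the `Do you accept this certificate?` prompt, which should be answered by comparing the displayed fingerprint against one computed from the CA bundle you obtained out of band rather than by reflex. The following is an added example of mine, not code from the original post or from Cisco: it splits a PEM bundle into its certificates, formats each fingerprint the way the ASA prints it above (lowercase hex in four 8-character groups, i.e. MD5 of the DER; SHA-256 is available for when the CA publishes one), compares in constant time, and armours/de-armours DER with 64-column lines like `openssl base64`. The sample bundle is constructed from made-up bytes, not real X.509 certificates.

```python
import base64
import hashlib
import hmac
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_certs(bundle: str) -> list:
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode(re.sub(r"\s+", "", body)) for body in PEM_RE.findall(bundle)]


def asa_fingerprint(der: bytes, algo: str = "md5") -> str:
    """Fingerprint in the layout 'crypto ca authenticate' prints: lowercase hex,
    space-separated 8-character groups. The ASA shows a 128-bit value, so MD5 is the
    default; pass algo='sha256' when you have a stronger reference to compare with."""
    digest = hashlib.new(algo, der).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def fingerprint_matches(shown: str, der: bytes, algo: str = "md5") -> bool:
    """Compare what the ASA displayed with the cert you trust, ignoring case,
    spaces and colons, in constant time."""
    def norm(s: str) -> str:
        return re.sub(r"[\s:]", "", s).lower()
    return hmac.compare_digest(norm(shown), norm(asa_fingerprint(der, algo)))


def armor(der: bytes, width: int = 64) -> str:
    """Base64 with 64-column lines, like 'openssl base64 -in x.p12 -out x.b64'."""
    return "\n".join(textwrap.wrap(base64.b64encode(der).decode(), width)) + "\n"


def dearmor(text: str) -> bytes:
    """Inverse of armor(); whitespace from the paste buffer is ignored."""
    return base64.b64decode(re.sub(r"\s+", "", text))


def _fake_pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + armor(der) + "-----END CERTIFICATE-----\n"


# Constructed sample "bundle": the bodies are made-up bytes, NOT real certificates.
# They only exercise splitting, armouring and fingerprint formatting.
SAMPLE_BUNDLE = _fake_pem(bytes(range(200))) + _fake_pem(bytes(range(200, 256)) * 3)


if __name__ == "__main__":
    for i, der in enumerate(split_pem_certs(SAMPLE_BUNDLE)):
        print(f"cert {i}: md5    {asa_fingerprint(der)}")
        print(f"cert {i}: sha256 {asa_fingerprint(der, 'sha256')}")
```

Compute the fingerprints from the bundle you downloaded from the CA, then type `yes` only if one of them matches the value the ASA echoes; the same helpers let you confirm that the armoured PKCS12 you pasted de-armours to exactly the bytes you created with `openssl pkcs12`.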

If this is a replacement certificate, you may need to point webvpn/DTLS at the new trust point.

asa(config-webvpn)#no ssl trust-point VPN outside  
asa(config-webvpn)#ssl trust-point VPN outside

Then you need to save the config to force the DTLS process to look at the new certificate.

asa# wr
Building configuration...
Cryptochecksum: 1c43aaba fbb00b48 2b771bef e5a3598d 
154662 bytes copied in 0.890 secs

Don’t forget to delete the certificate files from your workspace to keep them secure.

ianh@linux:~/cert$ rm

Come down to the lab and see what’s on the slab…

Hi folks,

First blog post, please be kind. My aim for this blog is to post neat things I’ve found in the networking universe. My current focus is on the Cisco datacentre ecosystem (Nexus, UCS and friends), with a smattering of VMWare, NetApp and Linux.