SSH key auth for IOS

SSH key authentication is awesome.


If you don’t already have a key, generate one using ‘ssh-keygen’. These details are for OpenSSH on OSX. Google for PuttyGen if you’re on Windows.

You must protect the key with a passphrase. If you don’t want to enter this passphrase every time you connect, you can use an SSH agent. That's another post.

ianh@bloodshot:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/ianh/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/ianh/.ssh/id_rsa.
Your public key has been saved in /Users/ianh/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ClvUzv0VhbNifvVO4J+yC9/teCTJ7W2z8LIANFaRoTM ianh@bloodshot.ianh.net.au
The key's randomart image is:
+---[RSA 2048]----+
|           ++  ..|
|       .  o.  o. |
|      . .E    .o |
|     . oo.+ o o..|
|    . . S..o +.=.|
|     + .  ....* =|
|    . .    o.o Bo|
|            +o++O|
|             =BB=|
+----[SHA256]-----+
ianh@bloodshot:~$

Once you’ve generated your key, you need to add the public side to the router. To paste the public key in, you need it to wrap on smaller lines, otherwise IOS will truncate the end. Use ‘fold’ for this.

ianh@bloodshot:~$ cat .ssh/id_rsa.pub | fold
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgctwEQjbFfIQ0W0F7f2e/zPo8Xkd5++Jol6RTFLQM
wlaCDJFCrQoMjmkNvPzdjIKD63DjQSoM6W6y7OuFV9g6BiXaRgWATLPbxa3mXHLNee06ZesOQblscmxC
tUZMfCwLlRtYYQXEmBximtxk4b5rHKpTS6ft2aUiQbDtDMak1phRdkYI2RtHAZpJ6f+L0a65vEY1nRdz
VRw7VA2WWdBTOXPJrUeLVx9O/rYkKS25o7v4YuNVK3t3PIgysVX12rppq5t9m1VH+/zd1thozr0gR84U
lzCeZ32jvqPeN0/eW0Y8ChkN7d6w+hoeU5ix4okD6oozLH5ltIT9ijY9htCH ianh@bloodshot.ianh
.net.au
ianh@bloodshot:~$

Now add it to the router, pasting in the folded public key from above. Note the prompt doesn’t indicate this is multi-line data very well (like it would for a switchport macro or MOTD).

rt1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
rt1(config)#ip ssh pubkey-chain
rt1(conf-ssh-pubkey)#username ianh
rt1(conf-ssh-pubkey-user)#key-string
rt1(conf-ssh-pubkey-data)#ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgctwEQjbFfIQ0W0F7f2e/zPo8Xkd5++Jol6RTFLQM
rt1(conf-ssh-pubkey-data)#wlaCDJFCrQoMjmkNvPzdjIKD63DjQSoM6W6y7OuFV9g6BiXaRgWATLPbxa3mXHLNee06ZesOQblscmxC
rt1(conf-ssh-pubkey-data)#tUZMfCwLlRtYYQXEmBximtxk4b5rHKpTS6ft2aUiQbDtDMak1phRdkYI2RtHAZpJ6f+L0a65vEY1nRdz
rt1(conf-ssh-pubkey-data)#VRw7VA2WWdBTOXPJrUeLVx9O/rYkKS25o7v4YuNVK3t3PIgysVX12rppq5t9m1VH+/zd1thozr0gR84U
rt1(conf-ssh-pubkey-data)#lzCeZ32jvqPeN0/eW0Y8ChkN7d6w+hoeU5ix4okD6oozLH5ltIT9ijY9htCH ianh@bloodshot.ianh
rt1(conf-ssh-pubkey-data)#.net.au
rt1(conf-ssh-pubkey-data)#exit
rt1(conf-ssh-pubkey-user)#exit
rt1(conf-ssh-pubkey)#exit
rt1(config)#exit
rt1#
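The fold-and-paste steps above can be scripted so the key is never hand-wrapped. The following is an added example, not code from the original post: it reads an OpenSSH public key file, checks that it really is a single-line ssh-rsa key, and prints the same pubkey-chain block that was typed in by hand, with the key folded at 80 columns. The sample key file it creates is constructed filler, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): emit the IOS "ip ssh pubkey-chain"
# configuration for one user from an OpenSSH public key file, with the key
# folded at 80 columns so a paste into IOS is not truncated.
# The key file and username used below are constructed for illustration.

# ios_pubkey_block <ios-username> <path-to-openssh-public-key>
ios_pubkey_block() {
    user=$1
    pubfile=$2
    # An OpenSSH public key is exactly one line starting with the key type.
    # Accept only the ssh-rsa type used in the post and refuse anything else
    # (a private key, a PuTTY-format file, a multi-line paste) so that
    # garbage is never emitted for the router.
    if [ "$(grep -c '' "$pubfile")" -ne 1 ] || ! grep -q '^ssh-rsa ' "$pubfile"; then
        echo "error: $pubfile is not a single-line OpenSSH ssh-rsa public key" >&2
        return 1
    fi
    printf 'ip ssh pubkey-chain\n'
    printf 'username %s\n' "$user"
    printf 'key-string\n'
    fold -w 80 "$pubfile"          # the same folding the post does by hand
    printf 'exit\nexit\nexit\n'    # leave key-string, username, pubkey-chain
}

# Constructed sample key: the base64 body is filler (300 'X's), not a real key.
SAMPLE_PUB=$(mktemp)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC%s constructed@example\n' \
    "$(head -c 300 /dev/zero | tr '\000' 'X')" > "$SAMPLE_PUB"

ios_pubkey_block ianh "$SAMPLE_PUB"
rm -f "$SAMPLE_PUB"
```

Redirect the output to a file and paste it at the `conf t` prompt, or feed it through whatever config-push tooling you already use; every emitted line is at most 80 characters, so nothing gets cut off.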

Now let's test! Because I’m using OSX, I get asked for the passphrase using a GUI window. Other OSes will ask on the CLI.


ianh@bloodshot:~$ ssh rt1
rt1#

Warning! If you are creating a user that will exclusively use public key authentication, you still need to configure a password on the IOS device. Otherwise, a client can simply connect with an empty password, without offering a public key at all, i.e. don’t use ‘username ianh privilege 15’ on its own; you must use ‘username ianh privilege 15 secret stuff’.

ianh@bloodshot:~$ ssh -o pubkeyauthentication=no rt1
Password: <press enter>
rt1#
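A quick way to catch the misconfiguration the warning describes before anyone finds it the way shown above is to scan the running-config for local accounts with no credential. The following is an added example, not code from the original post: an awk filter that prints every top-level `username` line lacking a `secret` or `password` keyword. The configuration text it runs over is constructed for illustration, with placeholder hashes.

```shell
#!/bin/sh
# Added example (not from the original post): scan IOS configuration text for
# local accounts with no "secret" or "password", i.e. accounts that accept an
# empty password at the SSH prompt regardless of any public key on file.
# The configuration below is constructed for illustration.

# audit_local_users: reads configuration text on stdin and prints one
# username per line for every "username ..." entry lacking a credential.
audit_local_users() {
    awk '
        # Only lines at column 0: the indented "username" lines under
        # "ip ssh pubkey-chain" are key bindings, not local accounts.
        /^username / {
            has_cred = 0
            for (i = 3; i <= NF; i++)
                if ($i == "secret" || $i == "password") has_cred = 1
            if (!has_cred) print $2
        }'
}

# Constructed sample configuration (hashes are placeholders, not real).
SAMPLE_CONFIG='hostname rt1
username ianh privilege 15
username ops privilege 15 secret 5 $1$PLACEHOLDER$hashhashhashhashhashhas
username backup password 7 PLACEHOLDER0123
username svc nopassword
ip ssh pubkey-chain
 username ianh
  key-hash ssh-rsa PLACEHOLDERHASH
'

# Prints "ianh" and "svc": the first has no credential at all, the second
# explicitly declares none. "ops" and "backup" are fine.
printf '%s' "$SAMPLE_CONFIG" | audit_local_users
```

Run it as `show running-config | audit_local_users` on a saved copy of the config, or over your config backups. It only sees local accounts; where TACACS or RADIUS decides whether the account exists, the equivalent check lives on those servers.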

Unfortunately you can’t store the public key in TACACS or RADIUS, but you can still use them to decide whether the account exists at all.