Cisco has a feature for importing SSH public keys within the 15.x code set.
This helps greatly if you have scripts that perform backups or automated tasks and you don't want to be challenged for passwords.
What I found out by accident, and only recently, is that you don't really need a local account defined if you're using SSH public-key authentication and have defined the users within this public-key configuration.
Implementing SSH public-key access is quite simple.
1st
You must have an SSH public key created.
You have a host of tools, from PuTTY onward, for generating SSH keys. Most Unixes also have a means of generating the keys. I will demonstrate this on Unix with the CLI command ssh-keygen.
The ssh-keygen command generates 2 files:
The id_rsa (the larger file) is your private key. It stays private and you never share it with anybody.
The id_rsa.pub (the smaller of the key pair) is your public key.
2nd
Next, with the key in hand, we add it to our Cisco configuration via the following commands (the IOS keyword is pubkey-chain):
ip ssh pubkey-chain
 username kfelix
  key-string
   (paste your key in here, starting at "ssh-rsa" and running to the end of the key as shown in your .pub file)
  exit
3rd
The Cisco decodes the public key and stores only a hash string of it, for security purposes.
NOTE: the public key is never stored in the raw.
Now we can log in with no challenges. This is great for backup scripts or scripts that are executed via cron jobs.
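The steps above (generate a key pair, paste the public half under ip ssh pubkey-chain, log in without a password prompt) can be checked before you touch a device. The script below is an added example and not code from the original post: it parses the one-line format that ssh-keygen writes to id_rsa.pub, refuses anything other than ssh-rsa, reports the modulus size so an oversized key is caught in advance, and emits the pubkey-chain stanza with the base64 body split into short lines. The 72-character line width, the nested exit lines, the optional max_bits limit, and the assumption that the device shows the installed key as "key-hash ssh-rsa <MD5 of the key blob>" in the running config are mine, not the post's; compare the last one against show running-config on your own box. The sample key is constructed in code and is not a real key pair.

```python
"""Added example (not from the original post): validate an OpenSSH public key
and build the Cisco IOS 'ip ssh pubkey-chain' stanza for it.

Assumptions (not from the post): MAX_KEY_LINE, the three nested 'exit' lines,
the optional max_bits limit, and that IOS stores the key as the MD5 of the
decoded key blob shown as 'key-hash ssh-rsa <hex>'.
"""
import base64
import hashlib
import struct

MAX_KEY_LINE = 72  # assumption: key-string mode accepts the key split across lines


def _read_string(blob, offset):
    """Read one length-prefixed field from the SSH wire format."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_openssh_pubkey(line):
    """Return (key_type, modulus_bits, md5_hex, base64_body) for one .pub line."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = parts[0], parts[1]
    blob = base64.b64decode(body)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    if key_type != "ssh-rsa":
        # The post notes that dsa/ecdsa keys cannot be used in this configuration.
        raise ValueError(f"{key_type} is not usable here; generate an ssh-rsa key")
    _exponent, off = _read_string(blob, off)  # RSA public exponent, not needed further
    modulus, _ = _read_string(blob, off)
    bits = int.from_bytes(modulus, "big").bit_length()
    return key_type, bits, hashlib.md5(blob).hexdigest(), body


def ios_pubkey_chain(username, pubkey_line, max_bits=None):
    """Build the config block that installs `pubkey_line` for `username`."""
    _, bits, _, body = parse_openssh_pubkey(pubkey_line)
    if max_bits is not None and bits > max_bits:
        raise ValueError(f"{bits}-bit modulus exceeds the {max_bits}-bit limit")
    chunks = [body[i:i + MAX_KEY_LINE] for i in range(0, len(body), MAX_KEY_LINE)]
    lines = ["ip ssh pubkey-chain", f" username {username}", "  key-string"]
    # The post says to paste from "ssh-rsa" to the end of the key; the first chunk carries the prefix.
    lines.append(f"   ssh-rsa {chunks[0]}")
    lines.extend(f"   {c}" for c in chunks[1:])
    lines += ["  exit", " exit", "exit"]
    return "\n".join(lines)


def expected_key_hash(pubkey_line):
    """Assumption: the device shows 'key-hash ssh-rsa <MD5 of the blob>' in its running config."""
    _, _, md5_hex, _ = parse_openssh_pubkey(pubkey_line)
    return f"key-hash ssh-rsa {md5_hex.upper()}"


def make_constructed_pubkey(key_type="ssh-rsa", bits=2048, comment="constructed@example"):
    """Constructed sample .pub line for offline use. The modulus is a fixed bit
    pattern, so this is NOT a real key pair and cannot authenticate anything."""
    def mpint(v):
        raw = v.to_bytes((v.bit_length() + 8) // 8, "big")  # leading 0x00 keeps it positive
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    if key_type == "ssh-rsa":
        blob += mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    sample = make_constructed_pubkey()
    print(ios_pubkey_chain("kfelix", sample))
    print(expected_key_hash(sample))
```

Run it against the real id_rsa.pub instead of the constructed sample to get the block to paste in config mode; pass max_bits if you have hit the size limit the author describes. Once the stanza is in, the login from the backup host is the usual ssh -i ~/.ssh/id_rsa kfelix@<device> with no password prompt, and the key-hash line in show running-config can be compared with expected_key_hash to confirm the right key was installed.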
The disadvantages of the pre-installed SSH public-key approach:
- if your key (the private half of the pair) is compromised, that person has access to every device that has your public key installed
- if a machine has multiple users and multiple super-users, they can gain access on your behalf using your SSH key
- if you need to change installed public keys, you have to touch X devices, which can be a hassle in a big enterprise network with many devices
- I have not been successful installing an RSA public key larger than 1298 bits; YMMV
- you can't use "dsa" or "ecdsa" key types
NOTE 2: A single defined user can have up to 2 public keys installed. Great if you have redundant SOC/NOC operations centers.
e.g
Ken Felix
Freelance Network/Security Engineer
kfelix -a-t socpuppets-d-o-t- com