Friday, March 28, 2014

ssh pub-key on cisco 15.x

Cisco added support for importing ssh pub-keys into the device configuration in the 15.x codeset.

This helps greatly if you have scripts that perform backups or other automatic tasks and you don't want to be challenged for passwords.

What I found out by accident, and just recently: you don't really need a local account defined if you're using an ssh pub-key and have defined the users within this pub-key configuration.

Implementing ssh pub-key access is quite simple.


1st 

You must have an ssh pub-key created.

There are a host of tools, such as PuTTY, for generating ssh keys. Most unixes also have a means of generating the keys. I will demonstrate this on Unix with the cli cmd ssh-keygen.




The ssh-keygen command generates 2 files:

The id_rsa file (the larger of the two) is your private key. It stays private and you never share it with anybody.

The id_rsa.pub file (the smaller of the key pair) is your public key.

2nd 

Next, with the key in hand, we add it to our cisco configuration via the following commands (the configuration mode is entered with ip ssh pubkey-chain; each exit steps back out one level):

ip ssh pubkey-chain
   username kfelix
      key-string
          ( paste your key in here, starting at the ssh-rsa and running to the end of the key as shown in your .pub file )
      exit
   exit
exit

3rd

The cisco will decode the pub-key and hash it into a string for security purposes; the running-config shows a key-hash line instead of the pasted key.

NOTE: the public key is never stored in raw form.




Now we can log in with no challenges. This is great for backup scripts or other scripts that are executed via cron jobs.


The disadvantages of using the pre-installed ssh pub-key approach:

  •      if your key pair (the private key) is compromised, that person has access to all devices that have your pub key installed
  •      if a machine has multiple users and multiple super-users, they can acquire access on your behalf using your ssh pubkey
  •      if you need to change installed pub-keys, you have to touch X number of devices, which could be a hassle in a big enterprise network with many devices

  •     I have not been successful installing an rsa pubkey with a size greater than 1298 bits; YMMV

  •     you can't use “dsa” or “ecdsa” key types

NOTE2: A single defined user can have up to 2 pub-keys installed. Great if you have redundant soc/noc operations centers.
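Before pasting a key into a fleet of devices it is worth checking, off-box, that it is the only type the author found to work (ssh-rsa) and is under the size he observed as the import limit, and to pre-compute the hash you expect to see in the running-config afterwards. The following Python is an added example written for this post; it is not code from the post, from Cisco or from OpenSSH. It parses the one-line OpenSSH public key format (the contents of id_rsa.pub), reports the key type and modulus size, and computes the MD5 fingerprint of the decoded key blob. The assumption that the IOS key-hash ssh-rsa value equals this MD5 (upper-case, without colons) is a common report, not something the post states; confirm it on your own device with show running-config | include key-hash. The sample moduli in the block are constructed integers of the right bit length, not real RSA keys.

```python
"""Pre-flight checks for an OpenSSH public key before importing it into an
IOS pubkey-chain.  Added example, not from the original post.

Assumption: the MD5 of the decoded key blob matches the `key-hash ssh-rsa`
value IOS writes to the running-config (verify on your own device)."""
import base64
import hashlib
import struct

MAX_RSA_BITS_OBSERVED = 1298  # import limit the post's author observed (YMMV)


def sshstr(b):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(b)) + b


def mpint(x):
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if top bit set)."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return sshstr(raw)


def _read_string(blob, offset):
    """Read one wire-format string from blob at offset; return (data, new_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    return blob[offset:offset + length], offset + length


def parse_openssh_pubkey(line):
    """Parse '<type> <base64 blob> [comment]' as found in an id_rsa.pub file.

    For ssh-rsa keys the public exponent and modulus bit length are extracted;
    other key types are identified but not decoded further."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type inside blob does not match the type prefix")
    info = {"type": key_type, "comment": comment, "blob": blob, "bits": None, "e": None}
    if key_type == "ssh-rsa":
        e_bytes, off = _read_string(blob, off)
        n_bytes, off = _read_string(blob, off)
        info["e"] = int.from_bytes(e_bytes, "big")
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
    return info


def ios_key_hash(blob):
    """MD5 of the raw key blob as upper-case hex, the form assumed to appear
    after `key-hash ssh-rsa` in the IOS running-config."""
    return hashlib.md5(blob).hexdigest().upper()


def openssh_md5_fingerprint(blob):
    """Same digest in the form `ssh-keygen -l -E md5` prints (MD5:aa:bb:...)."""
    h = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def check_for_ios(line, max_bits=MAX_RSA_BITS_OBSERVED):
    """Return (ok, reasons, info): ok is True when the key is ssh-rsa and
    within the observed size limit; reasons lists why it is not."""
    info = parse_openssh_pubkey(line)
    reasons = []
    if info["type"] != "ssh-rsa":
        reasons.append(f"type {info['type']} not accepted by the IOS pubkey-chain; only ssh-rsa imports")
    elif info["bits"] > max_bits:
        reasons.append(f"{info['bits']}-bit modulus exceeds the observed limit of {max_bits} bits")
    return (not reasons), reasons, info


def build_pubkey_line(key_type, fields, comment=""):
    """Constructed test data: assemble an OpenSSH public-key line from wire fields."""
    blob = sshstr(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()


if __name__ == "__main__":
    # Constructed 1024-bit modulus (not a real key) with the usual exponent 65537.
    sample = build_pubkey_line("ssh-rsa", [mpint(65537), mpint((1 << 1023) | 1)], "kfelix@host")
    ok, reasons, info = check_for_ios(sample)
    print(f"{info['type']} {info['bits']} bits ok={ok} {reasons}")
    print("expected running-config line: key-hash ssh-rsa", ios_key_hash(info["blob"]), info["comment"])
    print("cross-check with ssh-keygen -l -E md5:", openssh_md5_fingerprint(info["blob"]))
```

The expected key-hash line printed at the end is what you would grep for on each device after the import, which also gives a backup script a cheap way to confirm that the key actually installed on every box it touched.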

Ken Felix
Freelance Network/Security Engineer
kfelix -a-t  socpuppets-d-o-t- com
