Cisco IOS RSA Key

Generate a SSH Key on Linux

Linux Machine:

ssh-keygen -b 2048 -t rsa

The default location for the private and public key is ~/.ssh/ (id_rsa and id_rsa.pub).

For the next step, SSH needs to be configured and working on the Cisco IOS router.

Cisco IOS only accepts a maximum of 254 characters on a single line, so you won’t be able to paste the key in one go. There’s a useful Linux command, fold, that breaks the public key into multiple lines of a chosen width:

Linux Machine:

fold -b -w 72 ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC80DsOF4nkk15V0V2U7r4Q2MyAwIbgQX/7
rqdUyNCTulliYZWdxnQHaI0WpvcEHQTrSXCauFOBqUrLZglI2VExOgu0TmmWCajW/vnp8J5b
ArzwIk83ct35IHFozPtl3Rj79U58HwMlJ2JhBTkyTrZYRmsP+r9VF7pYMVcuKgFS+gDvhbux
M8DNLmS1+eHDw9DNHYBA+dIaEIC+ozxDV7kF6wKOx59E/Ni2/dT9TJ5Qge+Rw7zn+O0i1Ib9
5djzNfVdHq+174mchGx3zV6l/6EXvc7G7MyXj89ffLdXIp/Xy/wdWkc1P9Ei8feFBVLTWijX
iilbYWwdLhrk7L2EQv5x ubuntu@HOST1

Copy only the base64 key body: leave out the leading ssh-rsa and the trailing ubuntu@HOST1 comment. Then log on to the Cisco router and run the following commands; in this example the public key is added to a username called JohnDoe. Paste the folded lines one after another in key-string mode, then exit, which makes IOS compute and store the key-hash.

Cisco Router:

R1(config)#ip ssh pubkey-chain
R1(conf-ssh-pubkey)#username JohnDoe
R1(conf-ssh-pubkey-user)#key-string
R1(conf-ssh-pubkey-data)#AAAAB3NzaC1yc2EAAAADAQABAAABAQC80DsOF4nkk15V0V2U7r4Q2MyAwIbgQX/7
R1(conf-ssh-pubkey-data)#rqdUyNCTulliYZWdxnQHaI0WpvcEHQTrSXCauFOBqUrLZglI2VExOgu0TmmWCajW/vnp8J5b
R1(conf-ssh-pubkey-data)#ArzwIk83ct35IHFozPtl3Rj79U58HwMlJ2JhBTkyTrZYRmsP+r9VF7pYMVcuKgFS+gDvhbux
R1(conf-ssh-pubkey-data)#M8DNLmS1+eHDw9DNHYBA+dIaEIC+ozxDV7kF6wKOx59E/Ni2/dT9TJ5Qge+Rw7zn+O0i1Ib9
R1(conf-ssh-pubkey-data)#5djzNfVdHq+174mchGx3zV6l/6EXvc7G7MyXj89ffLdXIp/Xy/wdWkc1P9Ei8feFBVLTWijX
R1(conf-ssh-pubkey-data)#iilbYWwdLhrk7L2EQv5x
R1(conf-ssh-pubkey-data)#exit
R1(conf-ssh-pubkey-user)#exit
R1(conf-ssh-pubkey)#exit

You can give the user privilege level 15. When SSH keys are used to log on, it is not required to add a password/secret to the user. Keep in mind that privilege 15 is full administrative access, so only grant it to accounts that need it.

Cisco Router:

R1(config)#username JohnDoe privilege 15

Verification:

Cisco Router:

R1#show running-config | begin pubkey
ip ssh pubkey-chain
  username WINDOWS_USER
   key-hash ssh-rsa 8FB4F858DD7E5AFB372780EC653DB371
  quit

Linux Machine:

ssh-keygen -l -E MD5 -f ~/.ssh/id_rsa.pub | sed 's/.*MD5://' | sed 's/://g' | sed 's/ .*//' | tr '[:lower:]' '[:upper:]'

8FB4F858DD7E5AFB372780EC653DB371

Compare the hashes/fingerprints: the key-hash stored by IOS is the MD5 fingerprint of the key, so the two values must be identical before the key is trusted.

Log on with your key instead of a password:

$ ssh JohnDoe@R1

R1#
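As an added example (not code from the original post), the following Python script does the three steps above in one place: it parses an OpenSSH ssh-rsa public key line, folds the key body so every IOS line stays under the 254-character limit, and computes the MD5 fingerprint in the same format IOS shows as key-hash, so the value can be compared with show running-config before the account is used. The sample key is the one from the fold output above; the function names and the indentation-free config layout are this example's own choices.

```python
import base64
import hashlib

SAMPLE_PUBKEY = (  # sample input: the key from the fold output above, joined back into one line
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC80DsOF4nkk15V0V2U7r4Q2MyAwIbgQX/7"
    "rqdUyNCTulliYZWdxnQHaI0WpvcEHQTrSXCauFOBqUrLZglI2VExOgu0TmmWCajW/vnp8J5b"
    "ArzwIk83ct35IHFozPtl3Rj79U58HwMlJ2JhBTkyTrZYRmsP+r9VF7pYMVcuKgFS+gDvhbux"
    "M8DNLmS1+eHDw9DNHYBA+dIaEIC+ozxDV7kF6wKOx59E/Ni2/dT9TJ5Qge+Rw7zn+O0i1Ib9"
    "5djzNfVdHq+174mchGx3zV6l/6EXvc7G7MyXj89ffLdXIp/Xy/wdWkc1P9Ei8feFBVLTWijX"
    "iilbYWwdLhrk7L2EQv5x ubuntu@HOST1"
)
IOS_LINE_MAX = 254  # single-line limit of the IOS CLI, as noted above
FOLD_WIDTH = 72     # same width as the fold command above

def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    length = int.from_bytes(blob[offset:offset + 4], "big")
    data = blob[offset + 4:offset + 4 + length]
    if len(data) != length:
        raise ValueError("truncated key blob")
    return data, offset + 4 + length

def parse_rsa_pubkey(line):
    """Return (base64_body, exponent, modulus_bits) for an OpenSSH ssh-rsa key line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an OpenSSH 'ssh-rsa' public key line")
    body = fields[1]
    blob = base64.b64decode(body, validate=True)
    key_type, off = _read_string(blob, 0)   # string "ssh-rsa"
    e_bytes, off = _read_string(blob, off)  # mpint e
    n_bytes, off = _read_string(blob, off)  # mpint n
    if key_type != b"ssh-rsa" or off != len(blob):
        raise ValueError("blob is not exactly one ssh-rsa key")
    return body, int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big").bit_length()

def ios_key_hash(body):
    """MD5 of the raw key blob, formatted like the IOS 'key-hash ssh-rsa' value."""
    return hashlib.md5(base64.b64decode(body)).hexdigest().upper()

def ios_pubkey_config(username, body, width=FOLD_WIDTH):
    """IOS commands for ip ssh pubkey-chain, with the key folded to stay under IOS_LINE_MAX."""
    if not 0 < width <= IOS_LINE_MAX:
        raise ValueError("width must be between 1 and %d" % IOS_LINE_MAX)
    chunks = [body[i:i + width] for i in range(0, len(body), width)]
    return (["ip ssh pubkey-chain", "username %s" % username, "key-string"]
            + chunks + ["exit", "exit", "exit"])
```

Running ios_key_hash on your own id_rsa.pub body gives the value to compare against the key-hash line in show running-config, without the sed pipeline.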
