SSH Public Key Authentication

SSH Public Key Authentication on Cisco IOS

Cisco Jun 28, 2020

We will add our public key to a Cisco IOS router and use it for SSH authentication instead of a password.

Cisco IOS basic SSH configuration

First, we will need to set up a basic SSH configuration on our router.

Our router will need a domain name

R1(config)#ip domain-name example.local

Generate a 2048-bit RSA key pair

R1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: R1.example.local
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable…
[OK] (elapsed time was 27 seconds)
%SSH-5-ENABLED: SSH 1.99 has been enabled

Enable SSH version 2

R1(config)#ip ssh version 2

Configure the VTY lines to accept SSH and use local authentication

R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login local

Import public keys into the router

On Linux and macOS, the public key is printed on a single line, which exceeds the maximum single-line length of 254 characters that Cisco IOS supports. We can use the fold command to break the key over multiple lines. We can remove the “ssh-rsa” at the beginning and the comment at the end.

fold -b -w100 .ssh/id_rsa.pub

On Windows, the public key is already split over multiple lines. We can remove the “begin” and “end” lines, as well as any comments.

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMc4/ju5lQOouBQKN+DcGNyJ0v
fv+lLdeCyPPpaLsdL3r3yw2hs/L+hAPemMSUoxb0w9MyEyhrrur7poyQbKmdonX8
5PUMmIXv+BiFlUO11pWU9iYo6kKAfahqhoEooNsy9s0CrqJzcghiFaHLVCN/WdDt
-----END PUBLIC KEY-----

Enter public key chain configuration mode

ip ssh pubkey-chain

Select the username, then enter the key-string command.

username example
key-string
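As an added example (not part of the original post), the script below automates the manual preparation described above: it drops the "ssh-rsa" prefix and the trailing comment from an OpenSSH public key line, checks that the remaining base64 really is an SSH RSA key blob, folds it well below the 254-character limit, and prints the full pubkey-chain snippet including the `exit` lines that close key-string and username modes. The username `example` and the sample key are constructed.

```python
# Added example (not from the original page): prepare an OpenSSH public key
# for Cisco IOS pubkey-chain, doing what the page describes with fold by hand.
import base64
import struct

IOS_MAX_LINE = 254  # single-line limit stated on the page


def parse_openssh_pubkey(line):
    """Return (key_type, base64_blob, comment) for a one-line OpenSSH key."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type != "ssh-rsa":
        raise ValueError("IOS pubkey-chain takes RSA keys, got " + key_type)
    # The blob is SSH wire format: its first string repeats the key type.
    # This catches a PEM body or a truncated key pasted by mistake.
    raw = base64.b64decode(blob, validate=True)
    (tlen,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + tlen] != key_type.encode():
        raise ValueError("base64 blob does not start with the key type")
    return key_type, blob, comment


def ios_pubkey_chain(username, line, width=72):
    """Build the IOS configuration lines for one user's public key."""
    if not 0 < width <= IOS_MAX_LINE:
        raise ValueError("fold width must be 1..%d" % IOS_MAX_LINE)
    _, blob, _ = parse_openssh_pubkey(line)
    chunks = [blob[i:i + width] for i in range(0, len(blob), width)]  # fold -b -w
    return (["ip ssh pubkey-chain", " username " + username, "  key-string"]
            + ["   " + c for c in chunks]
            + ["  exit", " exit", "exit"])  # exit closes key-string, then username


def constructed_sample_key():
    """Constructed RSA public key in OpenSSH format (not a real key pair)."""
    def sshstr(b):
        return struct.pack(">I", len(b)) + b
    def mpint(v):
        return sshstr(v.to_bytes((v.bit_length() + 8) // 8, "big"))
    wire = sshstr(b"ssh-rsa") + mpint(65537) + mpint((1 << 2047) | 0x10001)
    return "ssh-rsa %s user@example.local" % base64.b64encode(wire).decode()


if __name__ == "__main__":
    print("\n".join(ios_pubkey_chain("example", constructed_sample_key())))
```

Feed it a real `id_rsa.pub` instead of the constructed key and paste the output into configuration mode; it rejects non-RSA keys and PEM "BEGIN PUBLIC KEY" bodies, which IOS would otherwise accept as garbage.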

We can now test connecting using our SSH key.

ssh [email protected]

If our private key is protected by a passphrase, we will be prompted for it before we can connect.

Disable password authentication

Now that we can authenticate using our public key, we can disable password authentication on the router.

R1(config)#no ip ssh server algorithm authentication password
R1(config)#no ip ssh server algorithm authentication keyboard
