Difference between revisions of "Cisco configure SSH"
Jump to navigation
Jump to search
| (6 intermediate revisions by the same user not shown) | |||
| Line 6: | Line 6: | ||
*<span style="color: black">black - basic configuration</span> | *<span style="color: black">black - basic configuration</span> | ||
*<span style="color: green">green - enhanced config</span> | *<span style="color: green">green - enhanced config</span> | ||
*<span style="color: blue">blue - comments</span> | |||
<span style="color: blue">!--- The aaa new-model command causes the local username and password on the router | <span style="color: blue">!--- The aaa new-model command causes the local username and password on the router | ||
| Line 13: | Line 14: | ||
<span style="color: blue">!--- Instead of aaa new-model, you can use the login local command.</span> | <span style="color: blue">!--- Instead of aaa new-model, you can use the login local command.</span> | ||
<span style="color: blue">!--- assign domain name to the router/switch, this will be used to sign | <span style="color: blue">!--- assign domain name to the router/switch, this will be used to sign SSH key, also called 'keypair-name' or 'label'</span> | ||
ip domain-name rtp.cisco.com | ip domain-name rtp.cisco.com | ||
ip ssh version 2 | ip ssh version 2 | ||
| Line 21: | Line 22: | ||
<span style="color: green">source-interface Loopback0</span> | <span style="color: green">source-interface Loopback0</span> | ||
<span style="color: blue">!--- Generate an | <span style="color: blue">!--- Generate an server authentication key - 1024 bit long, domain name will be used as key-pair-label</span> | ||
crypto key generate rsa modulus 1024 | crypto key generate rsa modulus 1024 | ||
<span style="color: blue">!--- Generate ssh key, giving label to distinguishes different key-pairs</span> | |||
<span style="color: green">crypto key generate rsa label ''key-pair-label'' general-keys modulus 1024</span> | |||
<span style="color: blue">!--- choose which key use for server authentication</span> | |||
<span style="color: green">ip ssh rsa keypair-name ''key-pair-label''</span> | |||
ip ssh time-out 60 | ip ssh time-out 60 | ||
ip ssh authentication-retries 2 | ip ssh authentication-retries 2 | ||
| Line 33: | Line 38: | ||
;Verify | ;Verify | ||
show ip ssh | # '''show ip ssh''' !version and configuration data | ||
SSH Enabled - version 2.0 | SSH Enabled - version 2.0 | ||
Authentication timeout: 120 secs; Authentication retries: 2 | Authentication timeout: 120 secs; Authentication retries: 2 | ||
| Line 41: | Line 46: | ||
SRTM94dJkXScrSXoT4dlqBHY+r7H+g25y5Rq7Dqv8AewNR0DKrGaYkIlO3A0O4s6wyK4KM71tdKia+Rc | SRTM94dJkXScrSXoT4dlqBHY+r7H+g25y5Rq7Dqv8AewNR0DKrGaYkIlO3A0O4s6wyK4KM71tdKia+Rc | ||
darPOEZKcJiFotegARWiWKS87UX0qD5XFYqGPNQZZWhIefp+aw== | darPOEZKcJiFotegARWiWKS87UX0qD5XFYqGPNQZZWhIefp+aw== | ||
# '''show ssh''' !shows current ssh connections | |||
Connection Version Mode Encryption Hmac State Username | |||
0 2.0 IN aes256-cbc hmac-sha1 Session started admin | |||
0 2.0 OUT aes256-cbc hmac-sha1 Session started admin | |||
%No SSHv1 server connections running. | |||
= Configure ssh server to perform RSA-Based user authentication = | = Configure ssh server to perform RSA-Based user authentication = | ||
| Line 48: | Line 59: | ||
R2#conf t | R2#conf t | ||
Enter configuration commands, one per line. End with CNTL/Z. | Enter configuration commands, one per line. End with CNTL/Z. | ||
R2(config)#ip ssh pubkey-chain | R2(config)#'''ip ssh pubkey-chain''' | ||
R2(conf-ssh-pubkey)#username admin | R2(conf-ssh-pubkey)#'''username admin''' | ||
R2(conf-ssh-pubkey-user)#key-string | R2(conf-ssh-pubkey-user)#'''key-string''' | ||
R2(conf-ssh-pubkey-data)#$AAQEA6jYlf9MBskhkWov+ZOUDKun0ExQIRj1zfWA/YciO02VS | R2(conf-ssh-pubkey-data)#$AAQEA6jYlf9MBskhkWov+ZOUDKun0ExQIRj1zfWA/YciO02VS | ||
R2(conf-ssh-pubkey-data)#$ | R2(conf-ssh-pubkey-data)#$Xsx123456789012345678901234567uS6A8/mF0A3P/ScRjct | ||
R2(conf-ssh-pubkey-data)#$ | R2(conf-ssh-pubkey-data)#$JrN1234567890123456789012345676xVXF4sP4OCSXIn+Cp8 | ||
R2(conf-ssh-pubkey-data)#$bCnZLmv908AeDb1Ac4nPdsn1OhCPIg6fxZjB7DvAMB8Dbr+7Y | R2(conf-ssh-pubkey-data)#$bCnZLmv908AeDb1Ac4nPdsn1OhCPIg6fxZjB7DvAMB8Dbr+7Y | ||
R2(conf-ssh-pubkey-data)#$apEbGE94luIqnBc61HsMd6JCWbQ== key@comment.us | R2(conf-ssh-pubkey-data)#$apEbGE94luIqnBc61HsMd6JCWbQ== key@comment.us | ||
R2(conf-ssh-pubkey-data)#exit | R2(conf-ssh-pubkey-data)#'''exit''' | ||
R2(conf-ssh-pubkey-user)#exit | R2(conf-ssh-pubkey-user)#'''exit''' | ||
;Copy & paste version | |||
conf terminal | |||
ip ssh pubkey-chain | |||
username $username | |||
key-string | |||
%Censored - Public lines from putty gen % | |||
%Censored - Public lines from putty gen % | |||
%Censored - Public lines from putty gen % | |||
%Censored - Public lines from putty gen % | |||
%Censored - Public lines from putty gen % | |||
%Censored - Public lines from putty gen ==% | |||
exit | |||
exit | |||
exit | |||
end | |||
;Verify | ;Verify | ||
| Line 65: | Line 92: | ||
ip ssh pubkey-chain | ip ssh pubkey-chain | ||
username admin | username admin | ||
key-hash ssh-rsa | key-hash ssh-rsa C20B739F2641234567891C6A11000111 key@comment.us | ||
;Remove user's public key | ;Remove user's public key | ||
| Line 104: | Line 131: | ||
*[http://www.cisco.com/en/US/docs/ios-xml/ios/net_mgmt/config_library/15-mt/netmgmt-15-mt-library.html Network Management Configuration Guide Library, Cisco IOS Release 15M&T] Last Updated: November 29, 2012 | *[http://www.cisco.com/en/US/docs/ios-xml/ios/net_mgmt/config_library/15-mt/netmgmt-15-mt-library.html Network Management Configuration Guide Library, Cisco IOS Release 15M&T] Last Updated: November 29, 2012 | ||
*[http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/15-mt/sec-ssh-config-auth.html#reference_9181864E7E0C4FB2B6123473D0A6EAF3 Secure Shell—Configuring User Authentication Methods] Feature is supported on IOS 15.3(3)M | *[http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/15-mt/sec-ssh-config-auth.html#reference_9181864E7E0C4FB2B6123473D0A6EAF3 Secure Shell—Configuring User Authentication Methods] Feature is supported on IOS 15.3(3)M | ||
*[http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/xe-3s/sec-usr-ssh-xe-3s-book/sec-ssh-config-auth.html#reference_D19E50574B0F4E0FA72704C873343C45 Example: Disabling User Authentication Methods] Cisco Systems, Inc. Secure Shell Configuration Guide Cisco IOS XE Release 3S | |||
Latest revision as of 22:35, 2 January 2015
Prerequisites
The Cisco IOS image used must be a k9(crypto) image in order to support SSH.
Configure ssh server using aaa new-model
Color code explained:
- black - basic configuration
- green - enhanced config
- blue - comments
!--- The aaa new-model command causes the local username and password on the router !--- to be used in the absence of other AAA statements. aaa new-model username cisco password 0 cisco !--- Instead of aaa new-model, you can use the login local command. !--- assign domain name to the router/switch, this will be used to sign SSH key, also called 'keypair-name' or 'label' ip domain-name rtp.cisco.com ip ssh version 2 !--- Starting (or only) Port number to listen on ip ssh port 22 !--- Specify interface for source address in SSH connections when connecting from the router to another device source-interface Loopback0 !--- Generate an server authentication key - 1024 bit long, domain name will be used as key-pair-label crypto key generate rsa modulus 1024 !--- Generate ssh key, giving label to distinguishes different key-pairs crypto key generate rsa label key-pair-label general-keys modulus 1024 !--- choose which key use for server authentication ip ssh rsa keypair-name key-pair-label ip ssh time-out 60 ip ssh authentication-retries 2 ip ssh time-out 120 ip ssh logging events line vty 0 4 !--- Prevent non-SSH Telnets. transport input ssh
- Verify
# show ip ssh !version and configuration data SSH Enabled - version 2.0 Authentication timeout: 120 secs; Authentication retries: 2 Minimum expected Diffie Hellman key size : 1024 bits IOS Keys in SECSH format(ssh-rsa, base64 encoded): ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDzA0tV5uStSgpEcDCCFIdaIlG7/VRhe7lwmpD3nATp SRTM94dJkXScrSXoT4dlqBHY+r7H+g25y5Rq7Dqv8AewNR0DKrGaYkIlO3A0O4s6wyK4KM71tdKia+Rc darPOEZKcJiFotegARWiWKS87UX0qD5XFYqGPNQZZWhIefp+aw==
# show ssh !shows current ssh connections Connection Version Mode Encryption Hmac State Username 0 2.0 IN aes256-cbc hmac-sha1 Session started admin 0 2.0 OUT aes256-cbc hmac-sha1 Session started admin %No SSHv1 server connections running.
Configure ssh server to perform RSA-Based user authentication
This feature is only supported in IOS 15.0(1)M and later versions.
- Add public-key for user authentication
Paste your public key generated by PuTTYgen from private-key *.PPK file. Delimited by 65 characters.
R2#conf t Enter configuration commands, one per line. End with CNTL/Z. R2(config)#ip ssh pubkey-chain R2(conf-ssh-pubkey)#username admin R2(conf-ssh-pubkey-user)#key-string R2(conf-ssh-pubkey-data)#$AAQEA6jYlf9MBskhkWov+ZOUDKun0ExQIRj1zfWA/YciO02VS R2(conf-ssh-pubkey-data)#$Xsx123456789012345678901234567uS6A8/mF0A3P/ScRjct R2(conf-ssh-pubkey-data)#$JrN1234567890123456789012345676xVXF4sP4OCSXIn+Cp8 R2(conf-ssh-pubkey-data)#$bCnZLmv908AeDb1Ac4nPdsn1OhCPIg6fxZjB7DvAMB8Dbr+7Y R2(conf-ssh-pubkey-data)#$apEbGE94luIqnBc61HsMd6JCWbQ== key@comment.us R2(conf-ssh-pubkey-data)#exit R2(conf-ssh-pubkey-user)#exit
- Copy & paste version
conf terminal ip ssh pubkey-chain username $username key-string %Censored - Public lines from putty gen % %Censored - Public lines from putty gen % %Censored - Public lines from putty gen % %Censored - Public lines from putty gen % %Censored - Public lines from putty gen % %Censored - Public lines from putty gen ==% exit exit exit end
- Verify
R2#show run | section ssh ip ssh rsa keypair-name SSH ip ssh version 2 ip ssh pubkey-chain username admin key-hash ssh-rsa C20B739F2641234567891C6A11000111 key@comment.us
- Remove user's public key
R2(config)#ip ssh pubkey-chain R2(conf-ssh-pubkey)#no username tech R2(conf-ssh-pubkey)#end
User Authentication Methods
- Disabling User Authentication Methods ( supported on IOS 15.3(3)M )
This feature is not supported on IOS 15.2 loaded on Cisco 1941 ISR G2 platform. Using features navigator http://tools.cisco.com/ITDIT/CFN/ it is only available on IOS 15.3(3)M onwards.
The following example shows how to disable the public-key-based authentication and keyboard-based authentication methods, allowing the SSH client to connect to the SSH server using the password-based authentication method:
r1(config)#no ip ssh server authenticate user {publickey | keyboard | pasword}
r1(config)# no ip ssh server authenticate user publickey %SSH:Publickey disabled.Overriding RFC r1(config)# no ip ssh server authenticate user keyboard r1(config)# exit
- Disable authentication - supported on all IOS versions (insecure)
You can actually use the below listed command. It basically disables authentication and won't prompt for username and password. Remember, we are using default and not any method list so it will disable authentication on all lines including console.
r1(config)#aaa authentication login default none
If you would only like to disable authentication on a specific line then create a method list and apply it on that line.
r1(config)#aaa authentication login SSH none r1(config)# line vty 0 15 r1(config-line)#login authentication SSH r1(config-line)#exit
References
- Configuring Secure Shell on Routers and Switches Running Cisco IOS
- Secure Shell Version 2 Support Last Updated: March 31st 2011, Sections: Secure Shell Version 2 Enhancements for RSA Keys & Configuring the Cisco IOS SSH Server to Perform RSA-Based User Authentication
- SSH with key authentication on Cisco IOS devices
- SSH access without password Cisco forum
- SSH Publickey accepted but still prompted for username/password? Cisco forum
- Network Management Configuration Guide Library, Cisco IOS Release 15M&T Last Updated: November 29, 2012
- Secure Shell—Configuring User Authentication Methods Feature is supported on IOS 15.3(3)M
- Example: Disabling User Authentication Methods Cisco Systems, Inc. Secure Shell Configuration Guide Cisco IOS XE Release 3S