Difference between revisions of "Cisco configure SSH"

From Ever changing code

Revision as of 22:35, 10 November 2013

Prerequisites

The Cisco IOS image used must be a k9 (crypto) image in order to support SSH.

Configure using aaa new-model

!--- The aaa new-model command causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
!--- (username ... secret stores a hashed password instead of the cleartext "password 0")
username cisco password 0 cisco
!--- Instead of aaa new-model, you can use the login local command on the vty lines.

!--- Assign a domain name to the router/switch; the RSA key pair is named hostname.domain-name.
ip domain-name rtp.cisco.com

!--- Generate the RSA key pair that SSH uses, here 1024 bits long
!--- (SSHv2 needs at least 768 bits; 2048 bits or more is current practice).
crypto key generate rsa modulus 1024
!--- The ip ssh commands are accepted once the RSA key pair exists.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2

line vty 0 4
!--- Prevent non-SSH Telnets.
transport input ssh

SSH with public and private RSA key pair authentication

Paste the base64 body of your OpenSSH public key line by line under key-string (the leading $ in the session below is where the terminal scrolled the long lines; it is not part of the key).

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip ssh pubkey-chain
R2(conf-ssh-pubkey)#username tech
R2(conf-ssh-pubkey-user)#key-string
R2(conf-ssh-pubkey-data)#$AAQEA6jYlf9MBskhkWov+ZOUDKun0ExQIRj1zfWA/YciO02VS  
R2(conf-ssh-pubkey-data)#$XsxM7SqNkRSQOR7y7HBMoxTHV7o+R/uS6A8/mF0A3P/ScRjct  
R2(conf-ssh-pubkey-data)#$JrNGACGaFy1njD9PrrvrU4o4hx6XDr6xVXF4sP4OCSXIn+Cp8  
R2(conf-ssh-pubkey-data)#$bCnZLmv908AeDb1Ac4nPdsn1OhCPIg6fxZjB7DvAMB8Dbr+7Y  
R2(conf-ssh-pubkey-data)#$apEbGE94luIqnBc61HsMd6JCWbQ== tech@admin.us     
R2(conf-ssh-pubkey-data)#exit
R2(conf-ssh-pubkey-user)#^Z
Verify
R2#show run | section ssh
ip ssh rsa keypair-name SSH
ip ssh version 2
ip ssh pubkey-chain
 username pipi
  key-hash ssh-rsa C20B739F2645D6850C591C6A11780CB5 tech@admin.us
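As an added example (not from the original page), the following Python script splits an OpenSSH public key into lines short enough to paste under key-string, checks that the blob decodes to the advertised key type, and computes the key-hash that show run displays, so the value stored on the router can be compared with one computed off-box. It assumes the IOS key-hash is the MD5 of the decoded key blob (the same fingerprint ssh-keygen -E md5 prints), and its sample key is constructed for the format check, not a real key.

```python
"""Prepare an OpenSSH public key for 'ip ssh pubkey-chain' and compute the key-hash
IOS stores for it (added example, not from the original page). Assumption: that
key-hash is the MD5 of the decoded blob, as 'ssh-keygen -E md5 -lf key.pub' shows."""
import base64
import hashlib
import struct

def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(value):
    """SSH wire-format mpint: a leading 0x00 is added when the high bit is set."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def parse_openssh_pubkey(line):
    """Return (key_type, blob, comment). The type embedded in the blob must
    match the text prefix, which catches a mangled or truncated paste."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode():
        raise ValueError("key type inside blob does not match prefix")
    return key_type, blob, comment

def ios_key_hash(line):
    """Value 'show run | section ssh' displays as 'key-hash <type> <hash>'."""
    _, blob, _ = parse_openssh_pubkey(line)
    return hashlib.md5(blob).hexdigest().upper()

def key_string_chunks(line, width=254):
    """Split the base64 body into lines short enough to paste under key-string."""
    b64 = line.split(None, 2)[1]
    return [b64[i:i + width] for i in range(0, len(b64), width)]

def constructed_pubkey_line(modulus_bits=1024, comment="tech@admin.us"):
    """Constructed test vector: wire-format ssh-rsa blob with e=65537 and a
    placeholder modulus. Not a real key; it only exercises the format."""
    n = (1 << (modulus_bits - 1)) | 0x1235
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

if __name__ == "__main__":
    key = constructed_pubkey_line()
    print("\n".join(key_string_chunks(key)))
    print("expected key-hash:", ios_key_hash(key))
```

Run it against a real id_rsa.pub to get the chunks to paste and the hash to compare with the key-hash line in show run.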

References

Configuring Secure Shell on Routers and Switches Running Cisco IOS: http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
Secure Shell Version 2 Support (Last Updated: March 31, 2011): http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_shell_v2.html#wp1082562
SSH with key authentication on Cisco IOS devices: https://glennmatthys.wordpress.com/2012/01/07/ssh-with-key-authentication-on-cisco-ios-devices/