Cisco configure SSH
Prerequisites
The Cisco IOS image must be a k9 (crypto) image to support SSH.
Configure using aaa new-model
!--- The aaa new-model command causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
!--- Instead of aaa new-model, you can use the login local command.
!--- Assign a domain name to the router/switch; it is combined with the hostname to name the SSH key.
ip domain-name rtp.cisco.com
ip ssh version 2
ip ssh port 22
!--- Generate the RSA key used by SSH, here 1024 bits long
!--- (a larger modulus, such as 2048, is stronger where the platform supports it).
crypto key generate rsa modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
!--- Prevent non-SSH Telnets.
transport input ssh
Configuring the Cisco IOS SSH Server to Perform RSA-Based User Authentication
This feature is only supported in IOS 15.0(1)M and later versions.
The section below needs to be reworked (work in progress).
Paste your public key
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip ssh pubkey-chain
R2(conf-ssh-pubkey)#username tech
R2(conf-ssh-pubkey-user)#key-string
R2(conf-ssh-pubkey-data)#$AAQEA6jYlf9MBskhkWov+ZOUDKun0ExQIRj1zfWA/YciO02VS
R2(conf-ssh-pubkey-data)#$XsxM7SqNkRSQOR7y7HBMoxTHV7o+R/uS6A8/mF0A3P/ScRjct
R2(conf-ssh-pubkey-data)#$JrNGACGaFy1njD9PrrvrU4o4hx6XDr6xVXF4sP4OCSXIn+Cp8
R2(conf-ssh-pubkey-data)#$bCnZLmv908AeDb1Ac4nPdsn1OhCPIg6fxZjB7DvAMB8Dbr+7Y
R2(conf-ssh-pubkey-data)#$apEbGE94luIqnBc61HsMd6JCWbQ== tech@admin.us
R2(conf-ssh-pubkey-data)#exit
R2(conf-ssh-pubkey-user)#^Z
- Verify
R2#show run | section ssh
ip ssh rsa keypair-name SSH
ip ssh version 2
ip ssh pubkey-chain
  username pipi
   key-hash ssh-rsa C20B739F2645D6850C591C6A11780CB5 tech@admin.us
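A workstation-side helper for the paste and verify steps above, added here as an example (it is not part of the original page or of Cisco's documentation). It folds an OpenSSH public key into short lines for key-string and computes the value to compare with the key-hash line, treated here as the MD5 fingerprint of the decoded key blob. The 72-character fold width, the function names and the sample key are assumptions of this example.

```python
import base64
import hashlib
import struct

FOLD_WIDTH = 72  # assumption: conservative width, well under the IOS CLI line limit

def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format."""
    return struct.pack(">I", len(data)) + data

def parse_pubkey_line(line: str):
    """Split '<type> <base64> [comment]' and check the blob names the same type."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    return key_type, b64, blob, comment

def ios_key_hash(line: str) -> str:
    """MD5 of the decoded key blob, in the uppercase hex form of the key-hash line."""
    return hashlib.md5(parse_pubkey_line(line)[2]).hexdigest().upper()

def key_string_lines(line: str, width: int = FOLD_WIDTH):
    """Fold '<type> <base64>' into chunks to paste after key-string.

    The comment is left out so that no chunk boundary can fall on a space.
    """
    key_type, b64, _, _ = parse_pubkey_line(line)  # refuses a malformed key
    text = key_type + " " + b64
    return [text[i:i + width] for i in range(0, len(text), width)]

def constructed_sample_key() -> str:
    """Constructed, syntactically valid ssh-rsa line (filler modulus, not a real key)."""
    modulus = b"\x00\xc3" + bytes(range(1, 256))
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " tech@admin.us"

if __name__ == "__main__":
    print("\n".join(key_string_lines(constructed_sample_key())))
    print("expected key-hash:", ios_key_hash(constructed_sample_key()))
```

If the printed hash differs from the key-hash shown by show run | section ssh, the key stored on the device is not the one you intended to paste.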
- Disable authentication (not tested)
The command below disables login authentication, so the device no longer prompts for a username and password. Because it changes the default method list rather than a named one, it disables authentication on all lines, including the console.
r1(config)#aaa authentication login default none
If you only want to disable authentication on a specific line, create a named method list and apply it to that line.
r1(config)#aaa authentication login SSH none
r1(config)#line vty 0 15
r1(config-line)#login authentication SSH
r1(config-line)#exit