hello everyone. Today I will show you how to login Cisco router using ssh key. We will enable ssh on the router and then generate a key on an Ubuntu Linux server and using that key we will login to our router. The process is easy, lets start.
Change the hostname of the router
Follow the below procedure to change the hostname of the router:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Router(config)#hostname trainigrouter
trainigrouter(config)#
After changing the hostname lets add the domain name:
trainigrouter(config)#ip domain-name training.local
Generate the rsa key
In this tutorial we will use a key which we will generate in a Linux box shortly rather than this one (router key), so why to generate this key in the router? it’s because to enable the ssh in Cisco router a local rsa key is mandatory, without the key you cannot enable ssh. Let’s generate the key:
trainigrouter(config)#crypto key generate rsa
The name for the keys will be: trainigrouter.training.local
Choose the size of the key modulus in the range of360 to 4096for
your General Purpose Keys. Choosing a key modulus greater than
512 may take a few minutes.
You will see a message similar like the above one after “crypto key generate rsa” command. Then it will ask you for the modulus length. The modulus represents the key length. A longer modulus might be more secure, but it takes longer to generate and use. Note the name of the key in the second line. It’s a combination of your host and domain name “trainigrouter.training.local”.
How many bits in the modulus [512]: 2048
I use 2048 bits of the modulus length. press enter:
% Generating 2048 bit RSA keys, keys will be non-exportable... [OK] (elapsed time was 10 seconds) trainigrouter(config)# *Nov 16 07:11:59.495: %SSH-5-ENABLED: SSH 1.99 has been enabled trainigrouter(config)#
After pressing enter you will see a message like above which shows that the ssh is enabled on the router.
SSH connection only
If you want only ssh connection, then mention “ssh” in “transport input” command like below:
trainigrouter(config)#line vty 0 4
trainigrouter(config-line)#login local
trainigrouter(config-line)#transport input ssh
trainigrouter(config-line)#exit
That will allow only ssh access to the router. Any other method like Telnet will be denied. Let’s create a local user cause we mention “login local” here so the router will search a user in its local database.
User creation
trainigrouter(config)#username admin privilege 15 secret mysecret
As you can see that the user admin is created with privilege level 15 means all permissions enable. At this stage you can now login to this router with any ssh client using that user and password. Now lets start the server part. Login to the Linux server and generate the key.
Generate key in Linux box
imtiaz@server1:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/imtiaz/.ssh/id_rsa):
Created directory '/home/imtiaz/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Enter password and confirm it. The password will used for the safety of the key. If you don’t want any then you can simply leave this blank. Press enter.
Your identification has been saved in/home/imtiaz/.ssh/id_rsa.
Your public key has been saved in/home/imtiaz/.ssh/id_rsa.pub.
The key fingerprint is:
4e:1f:29:0c:7d:13:d3:07:45:04:58:ff:70:9b:ce:b6 imtiaz@server1
The key's randomart image is:
+--[ RSA 2048]----+
| o++*+ |
| . .o... |
| . . o .o .|
| o . o +o|
| S o o.|
| o o . o |
| . . + |
| . .|
| E |
+-----------------+
imtiaz@server1:~$
The key is saved in /home/imtiaz/.ssh folder. .ssh is a hidden folder. In .ssh folder there is a file call id_rsa.pub which is actually the public key. Copy the content of the key from that file. Cisco CLI can contain maximum 254 characters in one line so it is not possible to pest the entire key in one line so you need to break the key in multiple line.
imtiaz@server1:~$ fold -b -w 72 ~/.ssh/id_rsa.pub
It will break the key in multiple line like below.
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2z3lT+M0yxauEwmJvVJUz1ZFrRJzL4jgd/zr tEU6Ks6M8aqD/m+tGhSvbf1mQN6OIK5kY9XJmPUjT0ZC4uiFCjp+tHBOMblG4D0K6IENluh4 XBdNUCYUjX+moY3A4fhA2GhJx7zXG4sXuUQXn1V/Eb3S9xuVFedXpJZEFomoWMfOHzmr4/lH m8Fy2soqLdaLNN9gF7HQ33/yOTTF2hzXva1UvuD38YpfDbS7mcFLUkesAOnZhR+dQurZgbvo j4hjnnum2L3cxJT7jc0eRANuf7HxiKDNSYHFhICVOq941GNx9c6Wo3dZEiwCHehl807dYdB4 sn0ct5iFlVqM7TDUBw== imtiaz@server1
Now copy the line and back to the router again. In router perform the following:
Put the key in Cisco router
trainigrouter(config)#ip ssh pubkey-chain
trainigrouter(conf-ssh-pubkey)#username admin
trainigrouter(conf-ssh-pubkey-user)#key-string
Now this is important. After the “key-string” command press enter and then paste the key. After that again, press enter then exit.
Verify the key
To check the key perform the following:
trainigrouter#sh running-config | begin pubkey
ip ssh pubkey-chain
username admin
key-hash ssh-rsa 4E1F290C7D13D307450458FF709BCEB6 imtiaz@server1
The router is actually not showing the actual public key, it’s a fingerprint of that key. If you want to check then perform the following on the server and compare the output.
imtiaz@server1:~$ ssh-keygen -l -f .ssh/id_rsa.pub
4e:1f:29:0c:7d:13:d3:07:45:04:58:ff:70:9b:ce:b6 .ssh/id_rsa.pub (RSA)
For simplicity, I remove some of the output of the above command and only take the key. Now our key is ready. Lets login to the router using that key. You can login from the Linux server.
Login with the key from Linux Box
imtiaz@server1:~$ ssh admin@router_IP_address
Enter passphrase for key '/home/imtiaz/.ssh/id_rsa':
trainigrouter#
As you can see after enter the key password you are login to the router. As we give privileged level 15 to admin user that’s why it’s directly login to privilege mode.
User creation without password
If you want to remove the password and only want to force the user to use the key authentication, then create the user without the password like below:
trainigrouter(config)#username admin privilege 15
This will create a password less user. You can also create a less privilege user here.
More security on the router
Lets make our router more secure by enabling ssh version 2 and Access control list (ACL). To Enable ssh version 2 perform the following:
trainigrouter(config)#ip ssh version 2
Let’s verify our work:
trainigrouter#sh ip ssh
SSH Enabled - version 2.0
......................
.......................
trainigrouter#
As you can see ssh version 2 is enabled in the router. If you have the key you can login to the router from anywhere you like.
Access Control List (ACL)
Let’s add an ACL in VTY port so that only valid IP can ssh to the router. A simple standard ACL can do the job. create the ACL like below:
trainigrouter(config)#access-list 10 permit x.x.x.x log trainigrouter(config)#line vty 0 4 trainigrouter(config-line)#access-class10in
Now the router can be accessible from the IP mention in the ACL.
Login with the key from Windows
If you want to login to the router from windows PC, then you need to export the key from Linux machine with winscp tools (which can download and upload files from Linux to Windows) then convert the key with a utility called puttygen and use putty (an ssh client) to login to the router using that key. Or if you want to generate the key in windows then you can follow one of my tutorial name “How to SSH with key“. Follow that tutorial where I showed how to create the key and convert it to a .ppk file so that putty can understand it.
In this way you can make your router more secure. For perimeter routers you should always try ssh to remote login and of course if you use a rsa key pair then it will be more secure. That’s all for today. take care.
If you enjoyed the post, please share it with your network and let me know your thoughts in the comments.
About the Author: Imtiaz is working in a financial organization in Bangladesh and having experience in system, network and security administration. Feel free to contact with him on LinkedIn or Twitter.