IT Knowledge Base

HowTo: Log into Cisco IOS without a password using SSH/PKI

I needed the ability to automatically log into a Cisco router and create site-to-site VPN tunnels through a script running on a web server. In order to do this, I had to set up PKI on the router, which would then allow me to log in without having to type in a password.

Prerequisites

  • PuTTY
  • PuTTYgen
  • SSH already configured on the Cisco device

Make sure you keep your SSH keys in a safe and secure place. These are the keys to the house!

Generating an RSA key with PuTTYgen

  1. Open puttygen.exe and set the parameters: the type of key must be SSH-2 RSA. You can vary the number of bits in the generated key; a higher number is more secure.
  2. Click the Generate button to generate a new key, then move the mouse around the window to create additional randomness.
  3. Appropriately comment your key.
  4. You may wish to enter a passphrase. This passphrase will be asked for every time you connect to a device using that key; it's like a password.
  5. Save your public key by clicking Save Public Key. Create a folder to store your keys and name the file publickey.pub.
  6. Next, click Save Private Key and save it under the same folder as privatekey.ppk. Copy the "Public key for pasting into OpenSSH authorized_keys file" text and save it to a file.


Cisco Device Configuration Summary

Router#conf t
Router(config)#ip ssh pubkey-chain
Router(conf-ssh-pubkey)#username gmatteson
Router(conf-ssh-pubkey-user)#key-string
Router(conf-ssh-pubkey-data)#ssh-rsa [email protected]
Router(conf-ssh-pubkey-data)#$2M6sGD28ClJ5I5mCwYeU9EUTc9cYgw7eFWsm
Router(conf-ssh-pubkey-data)#$8fTLTgFpeGVh8VbPuqWW12l9gHoZ6W/Vp4OU
Router(conf-ssh-pubkey-data)#$uGOpdg2HGbZ9MIupE89n9psY== [email protected]
Router(conf-ssh-pubkey-data)#exit
Router(conf-ssh-pubkey-user)#end
Router#write

Create the username you want to associate with the key, then paste in your own public key from PuTTYgen. You need to copy the whole line, including the leading ssh-rsa and the trailing [email protected] comment, and paste it in pieces short enough to fit the IOS command buffer, as shown above. IOS verifies the key as you enter it and prompts you if there is a problem. If everything succeeds, the key is stored as a key-hash in the running config, like this example:

Router#sho run | b ssh pubkey-chain
ip ssh pubkey-chain
username gmatteson
key-hash ssh-rsa 94AI9XvtsuPG6T0l8bBVuB0SsLCuGPm1hf [email protected]
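The two fiddly steps above (chunking the key for the IOS buffer, and checking that the key-hash in show run really is your key) can be done on the workstation side. The helper below is an added example, not code from the original post; the sample public key it builds is constructed and is not a usable key pair, and the username and comment are the post's. It also lets you confirm that no key-hash other than yours is present for the user.

```python
import base64
import hashlib
import struct

# Constructed sample: an ssh-rsa public-key blob assembled by hand (e = 65537,
# made-up 128-byte modulus). NOT a usable key pair; it only gives realistic sizes.
def _build_sample_pubkey() -> str:
    def ssh_string(b: bytes) -> bytes:      # SSH wire format: 4-byte length + data
        return struct.pack(">I", len(b)) + b
    e = (65537).to_bytes(3, "big")
    n = b"\x00" + bytes(range(1, 129))       # leading 0x00 keeps the mpint positive
    blob = ssh_string(b"ssh-rsa") + ssh_string(e) + ssh_string(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " gmatteson@MyLaptop"

SAMPLE_PUBKEY = _build_sample_pubkey()

def parse_pubkey(line: str):
    """Split an OpenSSH public-key line into (type, base64 blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64> [comment]' line")
    return parts[0], parts[1], parts[2] if len(parts) == 3 else ""

def ios_key_hash(line: str) -> str:
    """MD5 of the decoded key blob: what IOS shows as 'key-hash ssh-rsa <hex>'."""
    _, b64, _ = parse_pubkey(line)
    return hashlib.md5(base64.b64decode(b64)).hexdigest()

def ios_key_string_lines(line: str, width: int = 72) -> list:
    """Chunk the full key line so each piece fits the IOS key-string buffer."""
    ktype, b64, comment = parse_pubkey(line)
    text = f"{ktype} {b64}" + (f" {comment}" if comment else "")
    return [text[i:i + width] for i in range(0, len(text), width)]

def find_key_hashes(show_run: str) -> dict:
    """Map username -> key-hash values found in 'show run' output."""
    result, user = {}, None
    for raw in show_run.splitlines():
        s = raw.strip()
        if s.startswith("username "):            # 'username X' line inside the chain
            user = s.split()[1]
            result.setdefault(user, [])
        elif s.startswith("key-hash ssh-rsa ") and user:
            result[user].append(s.split()[2].lower())
    return result

def key_is_authorized(show_run: str, user: str, pubkey_line: str) -> bool:
    """True if the hash the router stores for `user` is this public key's hash."""
    return ios_key_hash(pubkey_line) in find_key_hashes(show_run).get(user, [])
```

The same hash is what `ssh-keygen -E md5 -lf publickey.pub` prints, so the two can be cross-checked.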

From the computer called MyLaptop, I can now log into the router by typing in:

[email protected]:~$ ssh router 'show interface g1/1'
