HowTo: Log into Cisco IOS without a password using SSH/PKI
I needed the ability to automatically log into a Cisco router and create site-to-site VPN tunnels from a script running on a web server. To do this I had to set up public-key authentication on the router (what IOS calls the SSH pubkey-chain, and what this post loosely calls PKI), which lets the script log in without typing a password.
- Prerequisite: SSH version 2 already configured on the Cisco device (public-key user authentication needs SSHv2, so check that ip ssh version 2 is set)
Make sure you keep your SSH keys in a safe and secure place. These are the keys to the house!
Generating an RSA key with PuTTYgen
- Open puttygen.exe and set the parameters: the type of key must be SSH-2 RSA. You can vary the number of bits in the generated key; use 2048 at minimum, a longer key is harder to break.
- Click the Generate button to generate a new key and move the mouse around the blank area of the window to supply randomness.
- Give your key a meaningful comment (which machine and which script it belongs to); the comment ends up in the router config, so it is how you tell keys apart later.
- You may wish to enter a passphrase. It works like a password: it will be asked for every time you connect to a device with that key. For an unattended script that means either leaving the passphrase empty and relying on file permissions to protect the private key, or loading the key into an agent (Pageant for PuTTY, ssh-agent for OpenSSH) once and letting the script use that.
- Save your public key by clicking Save Public Key. Create a folder to store your keys and name the file publickey.pub.
- Next, click Save Private Key and save it in the same folder as privatekey.ppk. Finally, copy the text in the “Public key for pasting into OpenSSH authorized_keys file” box and save it to a file; that single-line form (ssh-rsa, the base64 key, the comment) is what you will paste into the router. The .ppk file is PuTTY-specific; if you will connect with the OpenSSH client, also export the private key via Conversions > Export OpenSSH key.
Cisco Device Configuration Summary
Router(config)#ip ssh pubkey-chain
Router(conf-ssh-pubkey)#username admin
Router(conf-ssh-pubkey-user)#key-string
Router(conf-ssh-pubkey-data)#ssh-rsa [email protected]
Router(conf-ssh-pubkey-data)#$uGOpdg2HGbZ9MIupE89n9psY== [email protected]
Router(conf-ssh-pubkey-data)#exit
Router(conf-ssh-pubkey-user)#exit
Router(conf-ssh-pubkey)#exit
Create the username you want to associate with the key (this example uses admin; it is the name the script will log in with), enter key-string mode, and paste in your own key from PuTTYgen. You need to copy all of the information, including the leading ssh-rsa and the trailing comment, and you need to paste it in pieces that fit into the IOS command buffer: each piece is entered as one line at the conf-ssh-pubkey-data prompt, in order, and IOS joins them back together. The $ at the start of the second line above is just IOS showing that the long line has scrolled; it is not part of the key. On exit the key is verified, and IOS prompts you if there is a problem. If everything is successful the key is stored as a key-hash in the running config, like this example:
Router#show run | begin ip ssh pubkey-chain
ip ssh pubkey-chain
  username admin
   key-hash ssh-rsa 94AI9XvtsuPG6T0l8bBVuB0SsLCuGPm1hf [email protected]
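The splitting step described above, as an added example that is not part of the original post: a small shell script that takes the one-line OpenSSH public key saved from PuTTYgen and prints the complete ip ssh pubkey-chain block, with the key cut into fragments short enough to paste line by line at the conf-ssh-pubkey-data prompt. It also rejects a key line that is not a well-formed ssh-rsa key before it gets anywhere near the router. The username admin, the 72-character fragment width, the sample key (a real ssh-rsa blob header padded out with filler, not a usable key) and the comment script@webserver are all assumptions made up for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: turn a one-line OpenSSH public key
# (the "Public key for pasting into OpenSSH authorized_keys file" text from
# PuTTYgen) into the IOS "ip ssh pubkey-chain" commands for one user, with the
# long key split into fragments short enough for the IOS command buffer.

# Characters per key-string fragment. IOS accepts much longer lines, but 72
# keeps each fragment well inside the buffer and easy to check by eye
# (assumption; adjust if your platform balks).
CHUNK=72

# ios_pubkey_block USER "ssh-rsa <base64> [comment]"
# Prints the configuration block on stdout. Returns 1 (with a message on
# stderr) when the key line is not a well-formed ssh-rsa key, so a broken
# paste is caught before it ever reaches the router.
ios_pubkey_block() {
  user=$1
  keyline=$2
  ktype=${keyline%% *}         # first field: key type
  rest=${keyline#* }           # everything after the key type
  b64=${rest%% *}              # second field: base64 key blob
  comment=${rest#"$b64"}       # trailing " comment", or empty

  if [ "$ktype" != ssh-rsa ]; then
    echo "ios_pubkey_block: IOS pubkey-chain takes ssh-rsa keys, got '$ktype'" >&2
    return 1
  fi
  # Anything outside the base64 alphabet means the paste picked up a newline,
  # a PuTTY-format header line, or similar; IOS would reject it as well.
  case $b64 in
    ""|*[!A-Za-z0-9+/=]*)
      echo "ios_pubkey_block: key body is not base64" >&2
      return 1 ;;
  esac
  # Every ssh-rsa blob starts with the length-prefixed string "ssh-rsa", which
  # base64-encodes to this fixed prefix. Without it the key-type field and the
  # blob disagree (for example an ed25519 key relabelled as ssh-rsa).
  case $b64 in
    AAAAB3NzaC1yc2E*) ;;
    *)
      echo "ios_pubkey_block: key body is not an ssh-rsa blob" >&2
      return 1 ;;
  esac

  printf 'ip ssh pubkey-chain\n'
  printf ' username %s\n' "$user"
  printf '  key-string\n'
  # fold cuts the single long line into CHUNK-byte pieces; each piece is one
  # line typed at the conf-ssh-pubkey-data prompt, in order.
  printf '%s\n' "$ktype $b64$comment" | fold -w "$CHUNK" | sed 's/^/   /'
  printf '   exit\n  exit\n exit\n'
}

# Constructed sample key: a genuine ssh-rsa blob header padded out to a
# realistic length. It is NOT a usable key; substitute the line from the file
# you saved from PuTTYgen.
SAMPLE_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB$(printf '%0300d' 0 | tr 0 A) script@webserver"

ios_pubkey_block admin "$SAMPLE_KEY"
```

Run it with your own key line in place of SAMPLE_KEY and paste the output into config mode, or feed it to whatever pushes configuration to the router. The two sanity checks matter more than they look: a key line that picked up a stray newline, or a .pub file in PuTTY's own multi-line format rather than the OpenSSH one-liner, is the usual reason IOS complains when you exit key-string mode.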
From the computer called MyLaptop, I can now log into the router and run a command in one go by typing:
[email protected]:~$ ssh router 'show interface g1/1'
This assumes the OpenSSH client already knows which private key and username to use for the host router (for example through ~/.ssh/config); otherwise give them explicitly, along the lines of ssh -i privatekey admin@router 'show interface g1/1', where the username must match the one configured under ip ssh pubkey-chain and the private key must be in OpenSSH format rather than .ppk.