Password-less ssh login using pki to Cisco IOS

A cool feature in IOS I recently came across is the ability to configure SSH login using PKI. As far as I can see this feature was added in version 15.0.

Assuming the basic SSH server is already running on the IOS device, here's how we add the ability to log in securely without a password :)

moons_router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
moons_router(config)#ip ssh pubkey-chain
moons_router(conf-ssh-pubkey)#username m00nie
moons_router(conf-ssh-pubkey-user)#key-string
moons_router(conf-ssh-pubkey-data)#ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA@
moons_router(conf-ssh-pubkey-data)#$2M6sGD28ClJ5I5mCwYeU9EUTc9cYgw7eFWsm
moons_router(conf-ssh-pubkey-data)#$8fTLTgFpeGVh8VbPuqWW12l9gHoZ6W/Vp4OU
moons_router(conf-ssh-pubkey-data)#$uGOpdg2HGbZ9MIupE89n9psY== moon@home
moons_router(conf-ssh-pubkey-data)#exit
moons_router(conf-ssh-pubkey-user)#^Z
moons_router#

Pick the username you want to associate with the key, then paste your own key in from either PuTTY (see here on how to create a key for PuTTY) or from your ~/.ssh/id_rsa.pub file. You need to copy all the info, including ssh-rsa and user@computer, and you need to enter it by splitting it into lengths that fit into the IOS command buffer. After you've done this and typed exit the key will be verified, and IOS will prompt you if it doesn't accept the key. If it does accept the key no prompt is given; the key is turned into a key-hash and entered into the running config like the example below.

moons_router#sho run | b ssh pubkey-chain
ip ssh pubkey-chain
username m00nie
key-hash ssh-rsa 94AI9XvtsuPG6T0l8bBVuB0SsLCuGPm1hf moon@home
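
As an added example (my code, not from the post), the Python below does the two chores around this step: it cuts an OpenSSH public key line into pieces short enough for the IOS command buffer, and it computes the MD5 fingerprint of the key blob so the key-hash that appears in the running config can be checked against the key you meant to install. Assumptions: the 72-character width is a placeholder for the real buffer limit, IOS joins the pasted lines back together verbatim, and the key-hash is an uppercase hex MD5 of the key blob (my understanding, not stated in the post); the sample key is constructed in code and is not a real key.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string in SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def _mpint(n: int) -> bytes:
    """Positive integer as an SSH mpint: big-endian, leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Produce an OpenSSH 'ssh-rsa <base64> <comment>' line (used here to construct sample input)."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_pubkey_line(line: str):
    """Return (key_type, blob, base64, comment); reject a line whose blob does not match its type."""
    key_type, b64, *rest = line.split()
    blob = base64.b64decode(b64, validate=True)
    if blob[4:4 + struct.unpack(">I", blob[:4])[0]] != key_type.encode():
        raise ValueError("key type inside the blob does not match the text")
    return key_type, blob, b64, " ".join(rest)

def ios_key_string_lines(line: str, width: int = 72) -> list:
    """Lines to paste under 'key-string', each at most `width` chars (assumed buffer limit).
    IOS joins the pasted lines back together, so the comment is never split across lines."""
    key_type, _, b64, comment = parse_pubkey_line(line)
    tail = f" {comment}" if comment else ""
    if len(tail) >= width // 2:
        raise ValueError("comment too long for the chosen width")
    full, prefix, cut, lines = b64 + tail, f"{key_type} ", width - len(key_type) - 1, []
    while len(full) > cut:
        cut = min(cut, len(full) - len(tail) - 1)  # keep the comment (plus one key char) together
        lines.append(prefix + full[:cut])
        full, prefix, cut = full[cut:], "", width
    lines.append(prefix + full)
    return lines

def md5_fingerprint(blob: bytes) -> str:
    """Uppercase hex MD5 of the blob, the form IOS shows as key-hash (assumption: confirm on your box)."""
    return hashlib.md5(blob).hexdigest().upper()

def key_hash_matches(line: str, shown_hash: str) -> bool:
    """Confirm the key-hash in 'show run' belongs to the key you intended to install."""
    return md5_fingerprint(parse_pubkey_line(line)[1]) == shown_hash.strip().upper()

# Constructed sample key, not a real one: e=65537 and an arbitrary 1024-bit modulus.
EXAMPLE_LINE = build_rsa_pubkey_line(65537, (1 << 1023) | 0xC0FFEE, "moon@home")
```

Feed your real id_rsa.pub line to ios_key_string_lines and paste the result line by line under key-string; after exit, compare the key-hash in show run with md5_fingerprint of the same key.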

Now you can log in securely and execute commands remotely without being prompted for a username/password. The example below shows the expected output: login (with no prompt) followed by execution of the command.

moon@home:~$ ssh moons_router 'sho int fa 4'

*-------------*
| Some Banner |
*-------------*

FastEthernet4 is up, line protocol is down
Hardware is FastEthernet, address is 001d.7030.0db9 (bia 001d.7030.0db9)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
..
0 output buffer failures, 0 output buffers swapped out
moon@home:~$

Cool!

moonie :D