Ok, the goal here is to use PKI (Public Key Infrastructure) to log in to my Cisco routers and switches in my lab. I was using my Synology as a RADIUS server, which was cool, but it is not that fast: it would take a good few seconds to authenticate the session. So, after sorting out access to my web hosting servers via the PKI method (which is very fast) earlier this week, I decided to do the same thing for my network lab.
Right, the first thing we need to do is create a public/private key pair. There are a number of ways of doing this, but I have settled on using PuTTYgen to create the key pair. Open up PuTTYgen and click on Generate; you then have to waggle your mouse around on the blank area of the window to generate your keys.
Once you have waggled enough you will have created your keys.
You will now want to save your keys somewhere convenient; I stored mine on my Cloudstation drive so I am less likely to delete them inadvertently (I hope). You will want to save them with sensible names so you know what they are:
Before you save the keys, it is a good idea to put a relevant Key Comment on the key, as you will see the comment when you are logging in to the device.
You probably should put a key passphrase on the private key so that it is protected from just anyone opening it up and connecting to your equipment.
Ok, excellent. Now we have our keys we can put them onto the devices. We are going to put the public key into the Cisco device, and the private key is going to be used by the SSH session to authenticate against the public key on the Cisco device. So you need to go to your public key ciscoDevices.pub and open it up in an editor, in my case Notepad++. When you open it up, it will look something like this:
---- BEGIN SSH2 PUBLIC KEY ----
---- END SSH2 PUBLIC KEY ----
This is great because it is in a format that is usable in Cisco IOS. If you tried to paste the entire key onto one line it would not work, as IOS has a 254-character limit per line. This key is split over a few lines, which means it will make its way onto the device without any issues. However, we do want to make some changes, as there is a fair bit of stuff in the above key that we don't need, so we take the top and tail off the key so that it looks something like this:
Now we have something that we can work with.
The next step for me was to stop my lab kit authenticating via RADIUS. I would imagine this is not a step that most people will need to take, as why would they want to move over to PKI authentication when their RADIUS is working fine already (because I want to and I can).
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#no aaa new-model
router(config)#line vty 0 15
router(config-line)#transport input ssh
Now that I have disabled AAA on my Cisco device I can add in my new user. After that we add in the key; I just copied and pasted mine in. Once the key is in you will exit out.
router(config)#username PKIuser privilege 15 secret $up£r$£cr!t
router(config)#ip ssh pubkey-chain
You shouldn't have any problems, but if you saw an error message come up on the first exit then something went wrong with the key-string and it didn't take.
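To take the fiddly bits out of the two steps above (trimming the PuTTYgen .pub file down to the bare base64, then typing it into ip ssh pubkey-chain in lines short enough for IOS), here is a small Python script. It is an added example, not code from the original post or from Cisco or PuTTY. The key blob it uses is constructed filler in the ssh-rsa wire layout, not a real key, so it runs offline; the username PKIuser is the one from the post. It also prints the MD5 fingerprint of the decoded key on the assumption (check it against your own device) that IOS stores a pasted key as key-hash ssh-rsa followed by that MD5 in show running-config, which gives you a way to confirm the paste took rather than relying on the absence of an error at the first exit.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key blob in ssh-rsa wire format (type, exponent, modulus).
# The modulus is filler bytes, NOT a real key; it only gives the script realistic input.
SAMPLE_BLOB = (
    _ssh_string(b"ssh-rsa")
    + _ssh_string(b"\x01\x00\x01")
    + _ssh_string(b"\x00" + bytes(range(1, 256)))
)


def rfc4716_wrap(blob: bytes, comment: str, width: int = 70) -> str:
    """Lay a key blob out the way PuTTYgen saves a public key (RFC 4716 layout)."""
    b64 = base64.b64encode(blob).decode("ascii")
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"']
    lines += [b64[i:i + width] for i in range(0, len(b64), width)]
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines) + "\n"


# Constructed stand-in for the ciscoDevices.pub file the post opens in Notepad++.
SAMPLE_PUTTYGEN_PUB = rfc4716_wrap(SAMPLE_BLOB, "ciscoDevices")


def parse_rfc4716(text: str):
    """Split a PuTTYgen .pub file into (headers, base64 body, decoded blob).

    Drops the BEGIN/END lines and any 'Name: value' headers (Comment, Subject),
    including backslash-continued header lines, leaving only the base64 body.
    """
    headers, body, continued = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---- BEGIN") or line.startswith("---- END"):
            continue
        if continued is not None:  # continuation of a long header value
            headers[continued] += line.rstrip("\\")
            continued = continued if line.endswith("\\") else None
            continue
        if ":" in line:  # base64 never contains ':', so this is a header line
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip().rstrip("\\")
            continued = name.strip() if line.endswith("\\") else None
            continue
        body.append(line)
    b64 = "".join(body)
    blob = base64.b64decode(b64, validate=True)  # rejects stray characters
    return headers, b64, blob


def key_type(blob: bytes) -> str:
    """Return the algorithm name carried in the first wire string of the blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def ios_key_hash(blob: bytes) -> str:
    """MD5 of the raw blob as upper-case hex.

    Assumption (verify on your own device): 'show running-config' displays a
    stored key as 'key-hash ssh-rsa <32 hex chars>', the MD5 fingerprint of the
    decoded key. MD5 is used here purely as a fingerprint to compare, nothing more.
    """
    return hashlib.md5(blob).hexdigest().upper()


def ios_pubkey_chain_config(username: str, b64: str, width: int = 72) -> list:
    """Build the config-mode lines to paste, with the key split well under
    the 254-character line limit. Three exits leave key-string, username and
    pubkey-chain modes in turn; an error at the first one means the key was rejected."""
    if not 1 <= width <= 254:
        raise ValueError("IOS accepts at most 254 characters per line")
    lines = ["ip ssh pubkey-chain", f"username {username}", "key-string"]
    lines += [b64[i:i + width] for i in range(0, len(b64), width)]
    lines += ["exit", "exit", "exit"]
    return lines


def prepare(text: str, username: str):
    """Parse a PuTTYgen .pub file; return (config lines, expected key-hash, comment)."""
    headers, b64, blob = parse_rfc4716(text)
    if key_type(blob) != "ssh-rsa":
        raise ValueError(f"unexpected key type {key_type(blob)!r}")
    comment = headers.get("Comment", "").strip('"')
    return ios_pubkey_chain_config(username, b64), ios_key_hash(blob), comment


if __name__ == "__main__":
    lines, fingerprint, comment = prepare(SAMPLE_PUTTYGEN_PUB, "PKIuser")
    print("\n".join(lines))
    print(f"! key comment: {comment}")
    print(f"! expect in show running-config: key-hash ssh-rsa {fingerprint}")
```

Point it at your real file with `prepare(open("ciscoDevices.pub").read(), "PKIuser")`, paste the printed lines in config mode, and then compare the key-hash line in show running-config with the fingerprint the script printed.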
I am a little bit torn nowadays. I do love PuTTY as it is a brilliant tool, but there are more than a few features available in MobaXterm that mean I am using it more and more instead of good old reliable PuTTY. If - on the off chance - you have never seen it before then check it out here: MobaXterm.
Once in MobaXterm you will want to create a new session. Obviously we are going to want an SSH session, so choose that one and click on OK.
On the 'Basic SSH settings' you will need to fill in the hostname or IP address of your Cisco device that you want to log in to.
Check 'Specify username' and put in the username that you created on the Cisco device, in my case it is 'PKIuser'.
On the 'Advanced SSH settings' tab you are going to check the 'Use private key' box and browse to your private key file (i.e. ciscoDevices.ppk). This tells the session to log in using the private key file as its authentication.
Lastly, in the 'Bookmark settings' section, you will want to change the 'Session name' to something that bears a bit more relevance to your situation; by default it will populate the session name with the 'Remote host' information and the username (if specified). Once you are done hit 'OK' and you will be able to open the session from the saved sessions pane on the left-hand side of the program.
First off you will need to put in the hostname or IP of the device that you want to connect to (the one you installed the public key-string on).
Next you need to specify which user the session will connect as. This will be the same as the user that you attached the key-string to on the Cisco device. You do this under the 'Connection' category by filling in the 'Auto-login username' as highlighted.
Finally you will need to go to the 'SSH' submenu within the 'Connection' category, then click on the 'Auth' sub-submenu, where you will see the option to provide a private key file for authentication. Browse to and select your file and you are done.
At this point it would probably be wise to save this session as that is going to be much simpler than going through this rigmarole every time you want to connect.
Once you open the session you will automatically be logged in to an SSH session on your intended device.
You will see something similar to this as you log in:
Authenticating with public key "ciscoDevice"
Whatever shows up here will be determined by what you had as your Key Comment when you created the key. You are able to change this before you save the keys so you can make it something a little more relevant.
You will be passed through to user exec level as you specified a privilege level of 15 when you created your user on the Cisco device.