Authenticating to Cisco devices using SSH and your RSA Public Key

Using an RSA Public/Private key pair instead of a password to authenticate an SSH session is popular on Linux/Unix boxes. Digital Ocean, a Virtual Private Server (VPS) provider, has this advice on how you should log into their Droplets:  "you should use public key authentication instead of passwords, if at all possible. This is because SSH keys provide a more secure way of logging in compared to using a password alone. While a password can eventually be cracked with a brute-force attack, SSH keys are nearly impossible to decipher by brute force alone." Plus, it means you never have to type C!$c0 again!

Cisco IOS now has support for using SSH with RSA keys. There are many resources showing how to configure SSH with RSA keys on the Internet and I have included several in the references section to give you more information. In this blog I am going to show how to configure a switch and create the public/private key pair using Puttygen for Windows.

OpenSSH ships with most *nix OS's like Mac OSX and Ubuntu so you don't need a separate program to generate the key pair. There are resources in the reference section on how to create the keys using OpenSSH. As a side note, Microsoft announced that it is going to build OpenSSH support into Powershell so you may be able to log into the next release of Windows server using SSH.

Download Puttygen

Recently there was some malware floating around using the name putty.exe. Make sure that you download putty and puttygen from

The MD5 check sums are at this link - checksums.  On Windows you can use the official MS tool FCIV to check the MD5 sums. If you prefer a GUI Hashtab is a nice tool that integrates into the right click menu. It's free but does require registration and an email address.

Once you have Puttygen double click to start it up. Enter a description for your key and a passphrase. I recommend storing your passphrase in a password manager so that you don't for get it. Select SSH-2 RSA and enter 2048 for bits. Enter a comment for your key pair and click Generate. You will be asked to move the mouse around to generate some entropy.

Once the key is done you can select it and paste it into the switch. You should also save the public and private keys to a file.

Open Putty and create a session. Click on Auth under the SSH menu. Under Authentication parameters click Browse and select your private key. Click on Session and save your session.

You can also click on Data under Connection and set up an Auto-login username:

Don't forget to save your session. If you always log in using the same settings you can set all of them and then save the session as the default session.

Setup the Cisco Device

I'm using a 3750X-48P-L running IOS Version 15.2(3)E1 for this example.

Configure a time server

While this isn't absolutely necessary it's the first thing I do on any production device.
3750x(config)#ntp server prefer
3750x(config)#clock timezone PST -8 0
3750x(config)#clock summer-time PDT recurring

Configure an IP domain name, create the RSA private key and enable SSH

3750x(config)ip domain-name pu.pri
3750x(config)crypto key generate rsa modulus 2048 exportable
3750x(config)ip ssh version 2

Note the "exportable" parameter. This isn't required but I wanted to point that out that you can make the keys exportable. It's not so important in this case but if you have setup GetVPN on a router you absolutely want to export the keys used for the tunnels. If you don't and the router fails you will have to touch EVERY tunnel once you replace the hardware. If you have exported the keys you just reload them on the new hardware and call it a day.

I have a link to a Cisco TAC podcast on GetVPN and DMVPN in the references that does a great job of explaining how to use RSA key pairs and why you MUST export them. If you don't want to listen to the entire podcast jump to minute 40 or so and listen from there. I highly recommend listening to all the TAC Security podcasts.

View the key

3750x#sh crypto key mypubkey rsa
% Key pair was generated at: 22:53:25 PDT Jul 16 2015
Key name: 3750x.pu.pri
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is exportable. Redundancy enabled.
 Key Data:
  30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
  00ABDBCC B2C31B8F 264A92D0 8C56D9F2 B5B2E8E3 354BDA0E A3C6F287 5D5A66D4
  5BDF9E25 A866E5CA 3B6641CB 375410E9 4F142169 8334C1DC 88F8BC34 80129A62
  F59E0B90 B329A728 93F96C32 EE2AF78A DFF692A0 1649D911 F8DA728B 108B2790
  4954B60D 62999C52 2F832900 61A654A3 938EF6FB EB85F88F 2A3740D6 BE57B4C8
  C55EE8A0 4F6A23AB 416CB6F3 9F211B2E 2640ED4E 7AB03B6F 4B982F91 4965B834
  DB00254F F00E5D4D D3C102AA 75A78903 862D22AF 290D85B2 09D1D8A6 4A5D66C4
  4B7A2E0F 437A4566 864130ED 82411160 4198AFC1 AC0C8946 2FE181A5 6AFBD4AF
  20E8D5A5 83BA182F A5FA8352 48E55CF5 1A5C2F38 B61A57A1 DC7229F8 994C87B2
  C5020301 0001

Export the key

3750x(config)#crypto key export rsa 3750x.pu.pri pem terminal 3des SecurePassPhrase
% Key name: 3750x.pu.pri
   Usage: General Purpose Key
   Key data:
-----END PUBLIC KEY-----
Proc-Type: 4,ENCRYPTED


Configure AAA authentication

The aaa new-model command causes the local username and password on the router to be used in the absence of other AAA statements. Once you enter "aaa new-model" you will not be able to enter "login local" on vty line configuration. If you had login local configured it will be removed.

When you create the username be sure to include a secret. I you don't anyone will be able to login with just the username. As always, create a strong secret and use a password manager to store it.

3750x(config)#username cisco privilege 15 secret ^8(nn-!#who
3750x(config)#aaa new-model
3750x(config)#aaa authentication login default local
3750x(config)#aaa authorization exec default local

(Authentication through the line password is not possible with SSH)

Configure the line

3750x(config)#line vty 0 4
3750x(config-line)#transport input ssh
3750x(config-line)#logging sync (prevents console messages from interfering with your inputs)

Add your PUBLIC key to the device.

Open the public key file you created in puttygen. Copy the text between the comments. If you generated a 2048 bit key you will need to paste it into notepad and break it into smaller pieces or you may see "%SSH: Failed to decode the Key Value" when you exit:
3750x(config)#ip ssh pubkey-chain
3750x(conf-ssh-pubkey)#username hubbard

3750x#sh run | sec ssh
ip ssh version 2
ip ssh pubkey-chain
  username hubbard
   key-hash ssh-rsa 0C029272CF23E61C4315A0D59E565B76
 transport input telnet ssh
3750x#sh run | b 0 4
line vty 0 4
 transport input ssh
line vty 5 15

Note - You can use the HASH instead of the key for the next devices you setup. Instead of using "Key-string" in the ip ssh pubkey-chain statement use "key-hash ssh-rsa 0C029272CF23E61C4315A0D59E565B76".

Login using your SSH Keys!

SSH with key authentication on Cisco IOS devices - A good blog for Windows users
How To Protect SSH with fail2ban on Ubuntu 12.04
Synchronise remote SSH authorised_keys

Add new comment

Restricted HTML

  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id>
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.