https://community.cisco.com/t5/network-security/is-ssh-with-pki-possible/m-p/2026064#M921111 <P>Hi,</P><P></P><P>I found documentation that ssh login should be able using x509 certificates. At least in NX-OS. But I did not find any documentation HOW this can be configured. Does anybody has a hint for me, where I can find more documentation about this? Is it possible in IOS 15?</P><P></P><P>Thanks for any hint.</P><P></P><P>Greetings,</P><P></P><P>Michael Schwartzkopff</P> Fri, 21 Feb 2020 12:46:02 GMT misch1942 2020-02-21T12:46:02Z https://community.cisco.com/t5/network-security/is-ssh-with-pki-possible/m-p/2026064#M921111 <P>Hi,</P><P></P><P>I found documentation that ssh login should be able using x509 certificates. At least in NX-OS. But I did not find any documentation HOW this can be configured. Does anybody has a hint for me, where I can find more documentation about this? Is it possible in IOS 15?</P><P></P><P>Thanks for any hint.</P><P></P><P>Greetings,</P><P></P><P>Michael Schwartzkopff</P> Fri, 21 Feb 2020 12:46:02 GMT https://community.cisco.com/t5/network-security/is-ssh-with-pki-possible/m-p/2026064#M921111 misch1942 2020-02-21T12:46:02Z https://community.cisco.com/t5/network-security/is-ssh-with-pki-possible/m-p/2026065#M921112 <HTML><HEAD></HEAD><BODY><P>It is possible, please refer to following document by Ivan Pepelnjak on his blog regarding SSH with PKI on IOS v15.0.</P><P><A href="http://blog.ioshints.info/2009/10/ssh-rsa-authentication-works-in-ios.html" rel="nofollow">ssh-rsa-authentication-works-in-ios</A></P></BODY></HTML> Mon, 22 Oct 2012 13:10:20 GMT https://community.cisco.com/t5/network-security/is-ssh-with-pki-possible/m-p/2026065#M921112 Rudy Sanjoko 2012-10-22T13:10:20Z https://community.cisco.com/t5/network-security/is-ssh-with-pki-possible/m-p/2026066#M921113 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I thought my qustion was clear enough. I asked about x509 certificates, not about RSA key pairs. For RSA keys I would have to extract the keys from the certificate and configure it on all 1000+ switches.</P></BODY></HTML> Mon, 22 Oct 2012 13:20:20 GMT https://community.cisco.com/t5/network-security/is-ssh-with-pki-possible/m-p/2026066#M921113 misch1942 2012-10-22T13:20:20Z https://community.cisco.com/t5/network-security/is-ssh-with-pki-possible/m-p/2026067#M921114 <HTML><HEAD></HEAD><BODY><P>my mistake, kinda missed that part.</P></BODY></HTML> Mon, 22 Oct 2012 15:28:27 GMT https://community.cisco.com/t5/network-security/is-ssh-with-pki-possible/m-p/2026067#M921114 Rudy Sanjoko 2012-10-22T15:28:27Z https://community.cisco.com/t5/network-security/is-ssh-with-pki-possible/m-p/2026068#M921115 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I think I finally found the answer. The ssh service on a cisco device can extract the keypair from the certificate on the PKI. But it cannot authenticate the user certificate against the CA on the PKI.</P><P></P><P>At least that is what I found after long experiments.</P><P></P><P>Greetings,</P><P></P><P>Michael Schwartzkopff</P></BODY></HTML> Tue, 23 Oct 2012 07:56:36 GMT https://community.cisco.com/t5/network-security/is-ssh-with-pki-possible/m-p/2026068#M921115 misch1942 2012-10-23T07:56:36Z https://community.cisco.com/t5/network-security/is-ssh-with-pki-possible/m-p/3819141#M921116 <P>Ths document says that you can:</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/212178-Configuring-SSH-with-x509-authentication.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/212178-Configuring-SSH-with-x509-authentication.html</A></P> <P>&nbsp;</P> <P>also&nbsp;</P> <P>&nbsp;</P> <H1 id="fw-pagetitle" class="" data-owner="ID"><A href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/15-mt/sec-pki-15-mt-book/sec-deploy-rsa-pki.html#GUID-44796FDC-72A0-4240-895A-CCA9DB62CAE6" target="_blank">Public Key Infrastructure Configuration Guide, Cisco IOS Release 15MT</A></H1> Wed, 13 Mar 2019 23:05:10 GMT https://community.cisco.com/t5/network-security/is-ssh-with-pki-possible/m-p/3819141#M921116 chad patterson 2019-03-13T23:05:10Z https://community.cisco.com/t5/network-security/is-ssh-with-pki-possible/m-p/3819514#M921117 I strongly suggest checking this out:<BR /><A href="https://www.pragmasys.com/products/support/cisco-2-factor" target="_blank">https://www.pragmasys.com/products/support/cisco-2-factor</A><BR /><BR />This is how I have seen 2FA implemented with Cisco devices for pki ssh login.<BR /><BR />Is it possible in IOS 15?<BR />Yes. As long as you are running 15.2.4 or higher you can utilize the solution provided above. If you have IOS devices running something lower than 15.2.4 you can still do pki ssh login. The process is a bit different. You have to create local user profiles and store their public key on your device. Regardless you can definitely accomplish this.<BR /><BR />HTH! Thu, 14 Mar 2019 12:47:07 GMT https://community.cisco.com/t5/network-security/is-ssh-with-pki-possible/m-p/3819514#M921117 Mike.Cifelli 2019-03-14T12:47:07Z