topic Re: SSH access without password in Network Security

SSH access without password

mjtabbara — Fri, 21 Feb 2020 12:07:59 GMT

Hi guys,

I have a backup server, which should backup the router configuration files securely for a list of routers.

My colleagues applied this in Juniper but unfortunately am unable to figure it out on Cisco routers.

The requirement is as follows:

I want to execute a cron job on the backup server, which will backup the running configs for a list of routers using ssh and without specifying a password. I want to insert a certificate into the routers, which was created on the backup server for a specific username called "backup_user”. Then when the cron job is executed it will issue the required command(s) without specifying any password or ask for any user confirmation/prompt.

Am thinking to breakdown this requirement as follow:

The first step is that I want to execute "ssh -l backup_user 3.3.3.3" on the backup sever from the command line so that I will login to the router, which is having 3.3.3.3 as a loopback IP, without being asked for a password/prompt. Being asked for any confirmation/acceptance for the first time accessing the router from the backup server is ok, but later I don’t want to be asked for any questions while trying to login/access the 3.3.3.3 router from the backup server. So how can I do that ?

My colleagues who implemented it in Juniper did the following:

1- They created a self-signed certificate in the backup server banded to user "backup_user".

2- They create a local user on the router also called "backup_user".

3- They imported the certificate generated in the backup server into the router and they binded it to the local user "backup_user". How can I do both in Cisco routers ?

4- They issued the "ssh -l backup_user x.x.x.x" from the backup server. Once they did that, they were able to login to the router.

So the point here is that instead for the router to ask for a password to authenticate "backup_user" who is accessing from the backup server, it won't ask for it and it will consider the user as legitimate and he will be granted access. How this can be done ?

Thanks and best regards,

Mohammad Jamal Tabbara

CCIE R&S # 24487

Re: SSH access without password

Panos Kampanakis — Tue, 26 Oct 2010 16:50:30 GMT

Interesting Mohammad!

So you want to do certificate client authentication for SSH on IOS.

I am not sure if it can be done, but please post the question in the AAA forum and let's see if they can help.

Re: SSH access without password

mjtabbara — Wed, 27 Oct 2010 03:25:56 GMT

Thanks pkampana !

I have found the solution for that.

This called "RSA-based public key authentication" it is a new feature under SSH version 2 Enhancments.

Doucment name: Secure Shell Version 2 Support

Link: http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_shell_v2.html

This is explained under:

"Secure Shell Version 2 Enhancements for RSA Keys"

and under "Configuring the Cisco IOS SSH Server to Perform RSA-Based User Authentication"

This feature is only supported in IOS 15.0(1)M and later versions.

Thanks and best regards

Mohammad Jamal Tabbara

CCIE R&S# 24487

Re: SSH access without password

Panos Kampanakis — Wed, 27 Oct 2010 04:08:15 GMT

Good to know, thanks!

SSH access without password

Thu, 14 Mar 2013 08:25:40 GMT

Hi Mohmammad,

I ma trying to loging in to Cisco Router uc540 from Linux server using rsa ssh key of Linux server without asking password.

its worked but router is asking passphare key every login time when i am login from linux server.

I have enabled the AAA login and even i given 15 privalage access to backup user on the router uc540.

And another one problem is that when i login into cisco uc540 router using ssh private key from linux server its first asked me for passphare after that i logged into the cisco router, but still i am on non configuration user mode and then i need to type enable password to copy the backup configuration file of cisco router.

Kindly help me implemate this auto backup from linux server to cisco router using ssh private and publick key.

Khandesha

CCNA,

Sr. Network and Security Administrator

India.

Re: SSH access without password

laithabbas0 — Thu, 06 Jun 2013 14:54:07 GMT

Hi Mohammad,

I am trying to set this up for about 50-60 switches and routers, and I want to ssh into them from a couple of computers without asking for login. I am having a hard time setting it up, can you please post the steps you have taken to do so.

I have created a truspoint, which I do not think that I need but it tells me that I need to authenticate it somehow and the other problem I have is how to send teh public key to the machine I am trying to ssh from.

Thanks,

Laith

Re: SSH access without password

Jatin Katyal — Sat, 08 Jun 2013 10:23:53 GMT

Can you provide the output of show run | in aaa and show run | beg line vty 0 15 from the router please.

You can actually use the below listed command. It basically disables authentication and won't prompt for username and password. Remember, we are using default and not any method list so it will disable authentication on all lines including console.

IOS(config)#aaa authentication login default none

If you would only like to disable authentication on a specific line then create a method list and apply it on that line.