ASA 8.4+ RSA Public Key for SSH user authentication

greg.h
Level 1

I have seen in the configuration guide and a separate post in the support community that RSA public key authentication is supported for SSH sessions in 8.4 and after. I have tried implementing this on both an 8.4 ASA and a 9.1 ASA and I get the same error on both. I have tried specifying SSH version 2 to see if that is the issue, but I still get the error. Is there a step I am missing?

Here is the output of the configuration commands:

ciscoasa(config)#username test nopassword privilege 15

ciscoasa(config)#username test attributes

ciscoasa(config-username)# ssh authentication publickey

                             ^

ERROR: % Invalid Hostname

The links referenced above:

https://supportforums.cisco.com/thread/2150480

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_aaa.html#wp1053558

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/aaa_servers.html#wp1176050

Thanks!


3 Replies

Andrew Phirsov
Level 7

Probably you're using an incorrect format for the public key. I've just tried it and it accepted the public key.

Let's say the public key of a keypair generated with PuTTY looks like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBlYvixsXAg7N440SZA032tB9ocvbNVhnbgO9O/oX9e7PIi2uIXn6iD45goic1+SXh6bYzi9WgmjZgVzT3VvhtFaMuwOOxjcQeLYxg56f+sQDrrRQFXNa6c9aemtW7pS5LLD1hmVVojBt4CLDg7X+5qlHqOE9gPuvLhQQU35pJP6Q== rsa-key-20130220

In ciscoasa(config-username)# ssh authentication publickey you should enter just the key itself, without ssh-rsa and that thing at the end (Linux would accept everything), i.e. just this:

AAAAB3NzaC1yc2EAAAABJQAAAIBlYvixsXAg7N440SZA032tB9ocvbNVhnbgO9O/oX9e7PIi2uIXn6iD45goic1+SXh6bYzi9WgmjZgVzT3VvhtFaMuwOOxjcQeLYxg56f+sQDrrRQFXNa6c9aemtW7pS5LLD1hmVVojBt4CLDg7X+5qlHqOE9gPuvLhQQU35pJP6Q==
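As an added example (my own code, not from this thread or from Cisco), here is a Python helper that turns what PuTTY or OpenSSH gives you into the bare base64 body the ASA command expects, as described above, and decodes that body to confirm it really is an ssh-rsa key of the size you think it is before you paste it in. It goes slightly beyond the post by also accepting the PuTTY .pub (RFC 4716) block and a body that has been wrapped across several lines; the sample key line it builds is constructed for illustration and is not a real key.

```python
import base64
import hashlib
import itertools
import re
import struct

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/=]+$")
RFC4716_HEADER = re.compile(r"^[A-Za-z-]+:")  # e.g. "Comment: ..." in a PuTTY .pub file

def rsa_wire_blob(e: int, n: int) -> bytes:
    """Encode (e, n) as an SSH public-key blob: string "ssh-rsa", mpint e, mpint n."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")  # room for the mpint sign byte
        return struct.pack(">I", len(raw)) + raw
    return struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)

def _read_string(buf: bytes, off: int):
    """Read one length-prefixed SSH string at `off`; return (value, next offset)."""
    (length,) = struct.unpack_from(">I", buf, off)
    if off + 4 + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + length], off + 4 + length

def asa_publickey_body(text: str) -> dict:
    """Return the bare base64 body the ASA wants (no "ssh-rsa", no comment) from an OpenSSH
    one-liner, a PuTTY/RFC 4716 block or a wrapped body, plus what it decodes to."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    tokens = " ".join(ln for ln in lines if ln and not ln.startswith("----")
                      and not RFC4716_HEADER.match(ln)).split()
    if tokens and tokens[0] == "ssh-rsa":
        tokens = tokens[1:]
    # Join base64 fragments; the first non-base64 token starts the trailing comment.
    body = "".join(itertools.takewhile(B64_TOKEN.match, tokens))
    blob = base64.b64decode(body, validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError(f"not an RSA key: {key_type!r}")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing bytes in key blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"asa_publickey": body, "exponent": int.from_bytes(e_raw, "big"),
            "modulus_bits": int.from_bytes(n_raw, "big").bit_length(),
            "fingerprint": "SHA256:" + digest}

# Constructed sample, not a real RSA modulus: PuTTY's exponent 37 and a 1024-bit n.
SAMPLE_LINE = ("ssh-rsa " + base64.b64encode(rsa_wire_blob(37, (1 << 1023) | 0x1234567)).decode()
               + " rsa-key-20130220")
```

The reported fingerprint is the same SHA256 form that `ssh-keygen -lf` prints, so you can compare it against the client side before trusting the pasted key.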

That would be great if the resolution was that simple. I am using a public key I generated using the PuTTY key generator. Below is the key I would use if I got that far. However, I get an error on the "ssh authentication publickey" attribute, so I never get the chance to enter a public key. What code version and hardware version are you running that this worked on?

AAAAB3NzaC1yc2EAAAABJQAAAIEA2h00RCKBbpbrTWSe/3TYAvRpkJz7tLwQDCf94fDJUWUGrmxXHeomuBhNGZh7tyfFjRL2CKY6nWmFyKN/eDm0PF4IWhhCArzOPVDuq7Nu2y/pD8wWH8dH4a3zRpkLSekNJtH6lzuqmY0zqz9TnZlpS6g4LI1a+lOGSmhU/HySw9s=

ciscoasa(config)#username test nopassword privilege 15

ciscoasa(config)#username test attributes

ciscoasa(config-username)#ssh ?

configure mode commands/options:

  Hostname or A.B.C.D  The IP address of the host and/or network authorized to

                       login to the system

  X:X:X:X::X/<0-128>   IPv6 address/prefix authorized to login to the system

  scopy                Secure Copy mode

  timeout              Configure ssh idle timeout

  version              Specify protocol version to be supported

exec mode commands/options:

  disconnect  Specify SSH session id to be disconnected after this keyword

ciscoasa(config-username)# ssh

ciscoasa(config-username)# sh ver | in Ver

Cisco Adaptive Security Appliance Software Version 9.1(1)

Device Manager Version 7.1(1)52

ciscoasa(config-username)#

My version is 8.4(4).

Tried to do this on another ASA with 9.1 and no luck.

Did a little research, and it turns out that this feature was introduced in 8.4(4) and not available for later releases.

So, probably, your 8.4 is a pre-(4) release and it was not available back then, and in your 9.1 it's not available either)))

Here's the document:

http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html

Take a look at table 10.
