02-20-2013 05:38 AM - edited 03-10-2019 08:06 PM
I have seen in the configuration guide and a separate post in the support community that RSA Public Key authentication is supported for SSH sessions in 8.4 and after. I have tried implementing this on both an 8.4 ASA and a 9.1 ASA and I get the same error on both. I have tried specifying SSH version 2 to see if that is the issue but I still get the error. Is there a step I am missing?
Here is the output of the configuration commands:
ciscoasa(config)#username test nopassword privilege 15
ciscoasa(config)#username test attributes
ciscoasa(config-username)# ssh authentication publickey
^
ERROR: % Invalid Hostname
The links referenced above:
https://supportforums.cisco.com/thread/2150480
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_aaa.html#wp1053558
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/aaa_servers.html#wp1176050
Thanks!
02-20-2013 09:49 PM
My version is 8.4(4).
Tried to do this on another ASA with 9.1 and no luck.
Did a little research, and it turns out that this feature was introduced in 8.4(4) and not available for later releases.
So, probably, your 8.4 is a pre-(4) release and it was not available back then, and in your 9.1 it's not available either)))
Here's the document:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html
Take a look at table 10.
02-20-2013 09:38 AM
Probably you're using an incorrect format for the public key. I've just tried it and it accepted the public key.
Let's say the public key of a keypair generated with PuTTY looks like this:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBlYvixsXAg7N440SZ
A032tB9ocvbNVhnbgO9O/oX9e7PIi2uIXn6iD45goic1+SXh6bYzi9
WgmjZgVzT3VvhtFaMuwOOxjcQeLYxg56f+sQDrrRQFXNa6c9ae
mtW7pS5LLD1hmVVojBt4CLDg7X+5qlHqOE9gPuvLhQQU35pJP6Q== rsa-key-20130220
In ciscoasa(config-username)# ssh authentication publickey you should enter just the key itself, without ssh-rsa and that thing at the end (Linux would accept everything), i.e. just this:
AAAAB3NzaC1yc2EAAAABJQAAAIBlYvixsXAg7N440SZ
A032tB9ocvbNVhnbgO9O/oX9e7PIi2uIXn6iD45goic1+SXh6bYzi9
WgmjZgVzT3VvhtFaMuwOOxjcQeLYxg56f+sQDrrRQFXNa6c9ae
mtW7pS5LLD1hmVVojBt4CLDg7X+5qlHqOE9gPuvLhQQU35pJP6Q==
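As an added example (not code from the thread or from Cisco): a small script that checks whether a pasted PuTTY/OpenSSH public key is a well-formed ssh-rsa blob and strips the leading ssh-rsa and the trailing comment, leaving only the base64 body the ASA prompt expects. The build_rsa_public_key helper and the sample exponent/modulus used with it are constructed for testing and are not a real key; the rule that the comment starts at the first non-base64 token (or after the '='-padded final piece) is an assumption.

```python
import base64
import re
import struct

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+=*$")


def _read_string(blob, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    length = struct.unpack(">I", blob[off:off + 4])[0]
    if off + 4 + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + length], off + 4 + length


def parse_rsa_public_key(text):
    """Accept 'ssh-rsa <base64> [comment]' (possibly line-wrapped, as PuTTY
    shows it) or a bare base64 body. Return (bare_base64, modulus_bits, comment)
    or raise ValueError if the blob is not a well-formed ssh-rsa key."""
    tokens = text.split()
    if tokens and tokens[0] == "ssh-rsa":
        tokens = tokens[1:]
    body, i = [], 0
    # Glue wrapped base64 pieces together; everything after the first
    # non-base64 token, or after the '='-padded final piece, is the comment.
    while i < len(tokens) and B64_TOKEN.match(tokens[i]):
        body.append(tokens[i])
        i += 1
        if tokens[i - 1].endswith("="):
            break
    comment = " ".join(tokens[i:])
    blob = base64.b64decode("".join(body), validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % key_type)
    _e, off = _read_string(blob, off)       # public exponent (mpint)
    n_bytes, off = _read_string(blob, off)  # modulus (mpint)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus (comment absorbed?)")
    modulus_bits = int.from_bytes(n_bytes, "big").bit_length()
    return base64.b64encode(blob).decode("ascii"), modulus_bits, comment


def build_rsa_public_key(e, n, comment=""):
    """Encode (e, n) as an OpenSSH 'ssh-rsa' line; used here to construct test keys."""
    def mpint(x):
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if raw and raw[0] & 0x80:
            raw = b"\x00" + raw  # keep the two's-complement value positive
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return ("ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment).strip()
```

The returned bare base64 string is what goes after "ssh authentication publickey"; a rejected paste (wrong key type, truncated or mangled base64) raises before anything reaches the ASA.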
02-20-2013 02:00 PM
That would be great if the resolution were that simple. I am using a public key I generated using the PuTTY key generator. Below is the key I would use if I got that far. However, I get an error on the "ssh authentication publickey" attribute, so I never get the chance to enter a public key. What code version and hardware version are you running that this worked on?
AAAAB3NzaC1yc2EAAAABJQAAAIEA2h00RCKBbpbrTWSe/3TYAvRpkJz7tLwQDCf9
4fDJUWUGrmxXHeomuBhNGZh7tyfFjRL2CKY6nWmFyKN/eDm0PF4IWhhCArzOPVDu
q7Nu2y/pD8wWH8dH4a3zRpkLSekNJtH6lzuqmY0zqz9TnZlpS6g4LI1a+lOGSmhU
/HySw9s=
ciscoasa(config)#username test nopassword privilege 15
ciscoasa(config)#username test attributes
ciscoasa(config-username)#ssh ?
configure mode commands/options:
Hostname or A.B.C.D The IP address of the host and/or network authorized to
login to the system
X:X:X:X::X/<0-128> IPv6 address/prefix authorized to login to the system
scopy Secure Copy mode
timeout Configure ssh idle timeout
version Specify protocol version to be supported
exec mode commands/options:
disconnect Specify SSH session id to be disconnected after this keyword
ciscoasa(config-username)# ssh
ciscoasa(config-username)# sh ver | in Ver
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(1)52
ciscoasa(config-username)#