SSH Login using only Public-Private Key and Priv Levels

NielsvdBerghe
Level 1

Hey, I'm trying to make a setup on my Cisco 881 router, but I'm having some trouble.

I've managed to configure logging in with a Public-Private key pair over SSH, but it's also still possible to log in over SSH with just a username and password. I'd like to prevent this, if possible. I imagine I might have manually configured this to be allowed at some point, but I can't quite figure out how I did this, as no matter what I've tried to remove, it keeps allowing this option. I still need to be able to log in with a username, because I want users to have different privileges. Which brings me to my second problem...

Once I've logged in using the Public-Private key, I don't automatically go into privilege mode, even though the user is configured with a privilege level. I'd like to configure that users that I've configured to use a certain privilege mode, automatically go into privilege mode without a password prompt. I know it did this before I started using the Public-Private key (or before I used AAA, which was configured around the same time), so I wondered if it's possible to do this still.

If anyone needs a part of my configuration in order to help, just ask for the part that you need and I'll post it.

Thanks in advance for anyone trying to help!

7 Replies

Chris Illsley
Level 3

Hi Niels,

Wrong section, try putting it in AAA, Identity and NAC.

Thanks

Chris

NielsvdBerghe
Level 1

I've figured out how to make a user go straight into privilege mode and have lower ranking users not go into a higher privilege level. After configuring AAA, I used these commands:

(config)#aaa authorization exec default local

(config)#aaa authorization console

(config)#enable secret password

Now my last problem is with the SSH password login. I've configured the router to use a Public-Private keypair to log in and this works just fine. The problem is that the router still allows people to log in using a regular password when they don't have a key. Anyone know how to fix this?

To restrict users to only do pubkey-authentication you need to remove the secret/password from the regular user-account:

username test privilege 15

That way the user can only log in with the stored public key information and still gets directly to privilege 15.


Sent from Cisco Technical Support iPad App

I've tried removing the password from the user, but it didn't quite work out. It still allows you to login without a key, only now you don't input anything when it asks for a password.

Well, that's not how it's supposed to be ...

Did you accidentally use the "nopassword" keyword instead of removing the secret/password?

When you do a "show run | i username" it should be in the form above.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

When I do a "show run | i username", this is what I get:

username admin privilege 15

  username admin

Is it possible that I'm allowing the password prompt through a command I've used somewhere?

I just tested it again and you are right. I completely remembered wrong about how that worked. You could specify a long and random password that the user doesn't know. That would restrict it to pubkey-logins. Not very elegant but should work.

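The configuration below is an added illustration, not taken from any post in this thread, that pulls together the pieces discussed above: AAA exec authorization against the local database so a privilege-15 user lands in privileged mode after a key-based login, a public key stored in the SSH pubkey-chain, and the workaround Karsten suggests of giving the account a long random secret it never uses. The user name `admin`, the RSA modulus, the VTY range and the secret are assumed values; the `key-hash` line is a placeholder for the real MD5 fingerprint of the user's public key (`ip ssh pubkey-chain` also accepts the key itself via `key-string`). The final `ip ssh server algorithm authentication publickey` line exists on newer IOS and IOS XE releases and restricts the SSH server to the publickey method outright; whether the 881 in this thread supports it depends on its software release, so it is included as the preferred option where available rather than something this thread confirms.

```cisco
! --- AAA: local authentication and exec authorization (from the thread) ---
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization console
!
! --- Local account: privilege 15, secret is a long random value the user
!     does not know (workaround from the thread; PLACEHOLDER value) ---
username admin privilege 15 secret <LONG-RANDOM-SECRET-PLACEHOLDER>
!
! --- SSH server keys and version (2048-bit modulus is an assumption) ---
crypto key generate rsa modulus 2048
ip ssh version 2
!
! --- Public key for the admin account; key-hash is the MD5 fingerprint
!     of the user's RSA public key (PLACEHOLDER) ---
ip ssh pubkey-chain
 username admin
  key-hash ssh-rsa <MD5-FINGERPRINT-PLACEHOLDER>
 exit
exit
!
! --- Only SSH on the VTY lines; no telnet ---
line vty 0 4
 transport input ssh
!
! --- Preferred where the release supports it: disable password and
!     keyboard-interactive SSH authentication entirely ---
ip ssh server algorithm authentication publickey
```

To check the result, `show run | include username` should list the account with its privilege level and the pubkey-chain entry, and `show ip ssh` reports the enabled authentication methods on releases that support the `algorithm authentication` command. A login attempt without the matching private key should then be refused (or, with only the random-secret workaround in place, fail at the password prompt rather than succeed).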