11-07-2023 10:01 AM
I am trying to get my redhat box (which has ansible on it) to ssh into a cisco 9300 without a password.
I created an ssh key on my redhat box
fold -b -w 72 ~/.ssh/id_rsa.pub
On cisco 9300 I did this:
conf t
ip ssh pubkey-chain
username nsrc
key-string
<< pasted the whole key including the ssh >>
exit
When I checked my pubkey on cisco I got something like this:
username nsrc
key-hash ssh-rsa EFF40492D1D6BF5D0B68491128456D27 yourname@yourdomain.example.com
But when I checked the linux side the key looked completely different. I still could not ssh to the cisco box without a password.
$ ssh-keygen -l -f ~/.ssh/id_rsa.pub
I got something like this 2048 SHA256:3HWC8vCXb....etc..etc...
I tried my root pub key and I made a whole new user with root priv, I still can't ssh without a password.
11-07-2023 01:23 PM
When you attempt to ssh do you get a response? If so what is the response?
When you attempt to ssh is there any log message generated on the 9300? If so post the log messages.
How are the vty on 9300 configured? Especially what is configured for authentication?
11-07-2023 02:36 PM
I can ssh to the cisco machine with a password.
On the 9300 I just see a bunch of:
7 21:55:48.073: %SSH-5-DISABLED: SSH 2.0 has been disabled
*Nov 7 21:55:48.073: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Nov 7 21:55:48.107: %PKI-6-TRUSTPOINT_CREATE: Trustpoint: CISCO_IDEVID_SUDI0 created succesfully
*Nov 7 21:55:49.897: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named TP-self-signed-1002044442 has been generated or imported by crypto-engine
*Nov 7 21:55:49.947: %PKI-4-NOCONFIGAUTOSAVE: Configuration was modified. Issue "write memory" to save new IOS PKI configuration
*Nov 7 21:55:51.286: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named kvm.some-domain.COM.server has been generated or imported by crypto-engine
*Nov 7 21:55:51.689: %CRYPTO_ENGINE-5-KEY_REPLACE: A key named kvm.some-domain.COM.server has been replaced by crypto-engine with new key data
The name of the switch is kvm; I don't know if appending it as it's in the logs is a problem.
When I try to ssh with the username I made on the cisco side, I don't see anything related to that user in the logs.
My redhat is joined to a domain using realm. I had 9300 on ISE but I just removed it to see if there was a difference.
VTY:
line vty 0 4
line vty 5 31
kvm#sh running-config | i auth
aaa authentication login default local group tacacs+
aaa authentication login consle local
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group ise-group
aaa authorization config-commands
aaa authorization exec default local group tacacs+
aaa authorization commands 15 default local group tacacs+
aaa authorization network default group radius
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-dot1x-auth
description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
ip http authentication local
login authentication console
kvm#
11-07-2023 08:20 PM
Thanks for the update. Being able to ssh using a password is consistent with what I see in the parts of the config that you have posted. I am not clear what would need to be added or changed to be able to ssh without a password. Perhaps someone else in the community might have some thoughts on this?
11-10-2023 12:46 AM
Does this help? How to login Cisco router with SSH key…. – IMTIAZ RAHMAN
Some remarks from this post:
- The router is actually not showing the actual public key, it’s a fingerprint of that key
=> that's why the output on the switch does not match the key on the redhat box
A remark about your procedure to log in:
>>> $ ssh -keygen -l -f ~/.ssh/id_rsa.pub <<<
Are you sure you need to use "ssh -keygen"?
It looks to me that this command generates a new key every time you initiate an SSH session instead of using the existing key that you copied to the Cisco.
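The mismatch the original poster saw (a 32-hex-digit key-hash on the switch versus a SHA256 fingerprint from ssh-keygen -l) comes from IOS storing and displaying an MD5 digest of the decoded public key blob, not the key itself. The script below is an added example written for this thread, not code from any of the posters or from Cisco; it recomputes that digest from a local OpenSSH .pub file so it can be compared with the key-hash line from "show running-config | section pubkey-chain". It assumes the coreutils base64 and md5sum tools are available, and the sample key file it builds is a constructed stand-in (the blob is the base64 of the bytes "abc"), not a real RSA key.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the fingerprint IOS prints as
# "key-hash ssh-rsa <hex>" under "ip ssh pubkey-chain": an MD5 digest of the raw
# (base64-decoded) public key blob, shown as uppercase hex without colons.
# Assumes coreutils "base64" and "md5sum" are on the PATH.

# cisco_key_hash FILE
# Print the IOS-style key-hash for a one-line OpenSSH public key file
# (format: "<type> <base64 blob> [comment]").
cisco_key_hash() {
    awk 'NR == 1 { print $2 }' "$1" \
        | base64 -d \
        | md5sum \
        | cut -d ' ' -f 1 \
        | tr 'a-f' 'A-F'
}

# pubkey_matches FILE HASH
# Succeed (exit 0) when FILE's key-hash equals HASH as copied from the switch's
# "key-hash ssh-rsa ..." line; letter case is ignored.
pubkey_matches() {
    [ "$(cisco_key_hash "$1")" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Demonstration on a constructed key file: the "blob" is the base64 of the
# bytes "abc", not a real RSA key, so the digest can be checked by hand.
demo_key=$(mktemp)
printf 'ssh-rsa YWJj demo@example.invalid\n' > "$demo_key"
echo "key-hash ssh-rsa $(cisco_key_hash "$demo_key")"

# Comparing against a hash copied from the switch (the value here is the one
# quoted in the thread, used only as a placeholder):
if pubkey_matches "$demo_key" "EFF40492D1D6BF5D0B68491128456D27"; then
    echo "local key matches the switch entry"
else
    echo "local key does NOT match the switch entry"
fi
rm -f "$demo_key"
```

Run it against the real file with cisco_key_hash ~/.ssh/id_rsa.pub and compare the result with the key-hash shown on the 9300; if they differ, the key-string that was pasted (after fold -b -w 72) is not the key OpenSSH is offering, which is the first thing to rule out before looking at the AAA or vty configuration. The same value can be obtained from OpenSSH directly with ssh-keygen -E md5 -l -f ~/.ssh/id_rsa.pub (colon-separated, lowercase).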