
Is ssh with pki possible?

misch1942
Level 1

Hi,

I found documentation that SSH login should be possible using x509 certificates, at least in NX-OS. But I did not find any documentation on HOW this can be configured. Does anybody have a hint for me as to where I can find more documentation about this? Is it possible in IOS 15?

Thanks for any hint.

Greetings,

Michael Schwartzkopff

6 Replies

Rudy Sanjoko
Level 4

It is possible. Please refer to the following document by Ivan Pepelnjak on his blog regarding SSH with PKI on IOS v15.0.

ssh-rsa-authentication-works-in-ios

Hi,

I thought my question was clear enough. I asked about x509 certificates, not about RSA key pairs. For RSA keys I would have to extract the keys from the certificate and configure them on all 1000+ switches.

My mistake, kinda missed that part.

Hi,

I think I finally found the answer. The SSH service on a Cisco device can extract the keypair from the certificate on the PKI. But it cannot authenticate the user certificate against the CA on the PKI.

At least that is what I found after long experiments.

Greetings,

Michael Schwartzkopff

Mike.Cifelli
VIP Alumni
I strongly suggest checking this out:
https://www.pragmasys.com/products/support/cisco-2-factor

This is how I have seen 2FA implemented with Cisco devices for pki ssh login.

Is it possible in IOS 15?
Yes. As long as you are running 15.2.4 or higher you can utilize the solution provided above. If you have IOS devices running something lower than 15.2.4 you can still do PKI SSH login. The process is a bit different. You have to create local user profiles and store their public key on your device. Regardless, you can definitely accomplish this.

HTH!
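For the per-user public key approach mentioned in this thread, the following added example (not part of any post above and not Cisco's own tooling) turns an OpenSSH `ssh-rsa` public key line into an `ip ssh pubkey-chain` stanza that can be pushed to many devices. The username `alice` and the sample key are constructed for illustration, and the example assumes `key-hash` takes the MD5 fingerprint of the key blob.

```python
import base64
import hashlib
import struct
import textwrap


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def mpint(n: int) -> bytes:
    """SSH mpint: big-endian, with a leading zero byte when the high bit is set."""
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def sample_key_line() -> str:
    """Constructed sample only: well-formed blob, not a usable RSA key."""
    modulus = int.from_bytes(b"\x01" + bytes(range(1, 256)), "big") | 1
    blob = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " alice@example"


def parse_openssh_pubkey(line: str) -> bytes:
    """Return the raw key blob, rejecting anything that is not ssh-rsa."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    if blob[:11] != ssh_string(b"ssh-rsa"):
        raise ValueError("key blob does not match its declared type")
    return blob


def ios_pubkey_chain(username: str, pubkey_line: str, use_hash: bool = True) -> str:
    """Build the IOS stanza, either as key-hash or as a wrapped key-string."""
    blob = parse_openssh_pubkey(pubkey_line)
    lines = ["ip ssh pubkey-chain", f" username {username}"]
    if use_hash:
        lines.append(f"  key-hash ssh-rsa {hashlib.md5(blob).hexdigest().upper()}")
    else:
        # Wrap the base64 so each line stays well under the IOS line length limit.
        lines.append("  key-string")
        lines += ["   " + c for c in textwrap.wrap(base64.b64encode(blob).decode(), 72)]
        lines.append("  exit")
    return "\n".join(lines)


if __name__ == "__main__":
    print(ios_pubkey_chain("alice", sample_key_line()))
    print(ios_pubkey_chain("alice", sample_key_line(), use_hash=False))
```

Compare the generated hash with `show running-config` on one device before rolling it out to the rest.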