Public key authentication to log on to a FMC managed FTD w/o password

atsukane
Level 1

Hi there,

Currently we run a scheduled task to fetch ARP records from specific VLANs behind an ASA5525 for our facilities team; they use these ARP records and other data from another system to see how many desks are in use daily.

The job is scheduled on an MS System Center Orchestrator server which runs PLink to SSH onto the device using a private/public key pair, so there is no need to enter an ID or password; it then issues a few commands and the outputs are saved as a text file which is then processed by another scheduled job. PuTTYgen was used to generate the key pair and the public key was imported onto the ASA.

We are in the process of migrating this ASA to a pair of FTD2130s managed by an FMC.

I've followed leszek.sroka's method described here to generate a key pair.

The key pair gets generated on the FTD but I can't get it to work to SSH onto the FTD; it prompts for a password and fails (the password was left blank).

                username@192.168.15.11: Permission denied (publickey,password).

https://community.cisco.com/t5/network-security/login-to-ftd-via-ssh-with-public-private-key/td-p/4026785  

Are there any other ways of achieving this instead of using a private/public key pair?

I am guessing we can't achieve this with FMC's built-in features.

As we have Cisco ISE (ver 3.1), I thought that maybe we can create an account and only allow a few commands, so even using a plain-text password saved somewhere won't be much of an issue.

Or perhaps an API can be used to achieve this?

Any suggestion is very much appreciated.

FMC is ver 7.1.0.1

FTD is 6.6.5

 

Many thanks,

Accepted Solution

atsukane
Level 1

OK, I've received these steps from our support firm and confirmed they work:


Step 1

Log into the FTD and add the user:
e.g. configure user add user1 basic
Set a secure password here.

Step 2

Log into Expert mode and create the .ssh directory for the new user:

expert
sudo su
mkdir -p /home/user1/.ssh

Step 3

Download PuTTYgen and generate a public/private key pair. Store it somewhere secure.
Leave the passphrase blank!


Step 4

Copy the key text from PuTTYgen and paste it into the FTD:

Go to the .ssh directory: cd /home/user1/.ssh
Type "vi authorized_keys" to edit authorized_keys with the text editor
Hit "i" for insert
Paste the long key text that you copied at Step 3
Hit Esc
Type :wq to save and exit.

You can verify the copied key text by issuing "cat authorized_keys".


Step 5

Open PuTTY and enter the host name in "username@ip" format, go to Connection > SSH > Auth and select the "private key file for authentication". This is the private key generated at Step 3.

Step 6

When you hit Open to attempt to connect to the device, you shouldn't get a prompt for a password and should be able to log in as usual.

The only thing with this is that when you deploy changes to the device, the key is wiped from the device.

Will post if there's a way to keep the private key somehow.

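The Step 2 and Step 4 edits above, as an added example that is not part of the original post or any Cisco tooling: a POSIX shell helper that installs the pasted public key into authorized_keys idempotently and sets the ownership and 0700/0600 permissions that sshd's default StrictModes requires (it refuses a key file if ~/.ssh or authorized_keys is writable by anyone but the owner, which a hand-edited file created as root can easily end up being). It assumes root in FTD expert mode, home directories under /home/<user> as in the post, and that the pasted text is the single-line OpenSSH format from PuTTYgen's "Public key for pasting into OpenSSH authorized_keys file" box rather than its default "---- BEGIN SSH2 PUBLIC KEY ----" export, which sshd does not parse. The HOME_BASE override and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: install an OpenSSH public key
# line into a user's authorized_keys, as Steps 2 and 4 do by hand, but
# idempotently and with the ownership and permissions sshd expects.
# Assumptions: run as root in FTD expert mode ("expert", "sudo su"), home
# directories live under /home/<user> as in the post, and the key is the
# single-line OpenSSH format from PuTTYgen's "Public key for pasting into
# OpenSSH authorized_keys file" box.

HOME_BASE="${HOME_BASE:-/home}"   # overridable so the helper can be exercised in a scratch dir

# is_pubkey_line LINE: succeed only for a well-formed one-line OpenSSH public key.
# Catches the common mistake of pasting PuTTYgen's multi-line
# "---- BEGIN SSH2 PUBLIC KEY ----" export, which sshd does not parse.
is_pubkey_line() {
    case "$1" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) return 1 ;;
    esac
    set -- $1                                  # split into type, base64 blob, comment
    [ -n "$2" ] && printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# install_key USER "PUBKEY_LINE": create ~USER/.ssh (0700) and append the key
# to authorized_keys (0600) unless it is already there. Returns 2 on a
# malformed key, 1 if the directory or permissions cannot be set, 0 otherwise.
install_key() {
    user="$1"; key="$2"
    is_pubkey_line "$key" || { echo "rejecting: not a one-line OpenSSH public key" >&2; return 2; }
    sshdir="$HOME_BASE/$user/.ssh"
    authfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir" || return 1
    touch "$authfile"
    if grep -Fqx "$key" "$authfile"; then
        echo "key already present for $user"
    else
        printf '%s\n' "$key" >> "$authfile"
        echo "key added for $user"
    fi
    # sshd's default StrictModes refuses keys if ~/.ssh or authorized_keys is
    # writable by anyone but the owner, so lock them down and hand them to the user.
    chmod 700 "$sshdir" && chmod 600 "$authfile" || return 1
    if id "$user" >/dev/null 2>&1; then chown -R "$user" "$sshdir"; fi
}

# count_keys USER: number of non-empty lines currently in the user's authorized_keys.
count_keys() {
    f="$HOME_BASE/$1/.ssh/authorized_keys"
    if [ -f "$f" ]; then grep -c . "$f" || true; else echo 0; fi
}
```

On the device the call would be `install_key user1 "$(cat /tmp/orchestrator.pub)"` after copying the one-line key over, followed by `count_keys user1` to confirm exactly the expected number of keys is authorized; re-running it after a deployment is a quick way to check whether the key survived.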

2 Replies


So, it turned out that external authentication on Platform Settings was overriding the local setting.

External Authentication was configured to use ISE; however, our admin account begins with "-", which is not supported anyway. I've disabled the external authentication on Platform Settings, deleted and re-added the local user account on the FTD, and went over the above steps. After that, deployment didn't remove the key; it is staying there and private key auth is working as expected.
