RSA Authentication???NEED HELP

steffen.buehnemann · ‎05-31-2012

Hi all,

I wanted as part of an IOS update on access switches (3560, etc.), by changing from IPBASE to IPSERVICEK9.
It should be set equal to SSH.
It is intended to grant no username, password authentication-more. But solely on the public and private key.
This also includes security config on the TFTP.

Now I have already tried different methods, but unfortunately without success.
For example:

Switch (config) # crypto key import rsa RSA Key label {} pem url flash: {passphrase}
% Importing public General Purpose key or certificate PEM file ...
Source filename [XCA.pub]? publicKey.pem
Reading file from flash: publicKey.pem
% Importing private key PEM file general purpose ...
Source filename [XCA.prv]? privateKey.pem
Reading file from flash: privateKey.pem
* Mar 10 19:58:12.439:% SSH-5-ENABLED: SSH 1.99 has been enabled
% Key pair import succeeded.

The example above works without any problems in terms of importing public and private key.
However, if I import the private key in PuTTY I must still enter a user name and password.

Furthermore, I wanted to know more, it is correct that the public and private key are imported in the switch?
Must have but only the public key or pure? So create a key, public and private store separately.
Import the public key in the switch, and the private key on the client (PuTTY) deposit, and you're done?
As simple as it should be, right?

I did try another example:

Ciscozine (config) # ip ssh pubkey-chain
Ciscozine (config-ssh-pubkey) # username ciscozine
Ciscozine (config-ssh-pubkey-user) # key-string
Ciscozine (config-ssh-pubkey-data) + # $ yc2EAAAADAQABAQQQAQC8IV2QIeshErol zzo4Uh7pvL9vwXXAi1R
Ciscozine (config-ssh-pubkey-data) # $ SrM71X600nAY9TJI6lv0qbRoc3Kw9Utxzc3LR5ZtpRS333zhF7aNX
Ciscozine (config-ssh-pubkey-data) # $ mKvo9k3 +5 gdVsoy8NXTny5 Q1I2q0xvA666lZNMvujgWynBgBe + + gc
Ciscozine (config-ssh-pubkey-data) # $ BVgCu3/Jm2TjeLY +5 / 9L1T54lfVPKxijAHtZPnV3ToIVZTn7LWgHA
Ciscozine (config-ssh-pubkey-data) # $ qY5RXcIbfxxxdgEjC6iU5mVXN3NcZkigVdadoZGJIo0lVRIcGLLyC
Ciscozine (config-ssh-pubkey-data) # cvnDvAlQzBSJFhsabcV1E3IVagNHyz/HrH/4fZBAKXuJabcgYi2n
Ciscozine (config-ssh-pubkey-data) # exit
Ciscozine (config-ssh-pubkey-user) # exit
Ciscozine (config-ssh-pubkey) # exit
Ciscozine (config) # exit
Ciscozine #

However, I see the key but as a hash value ("sh run | b ssh pub"), but with the command "sh ip ssh"
I see no key.

Switch # sh ip ssh
SSH Disabled - version 2.0
% Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size 1024 bits
IOS Keys SECSH format (ssh-rsa, base64 encoded): NONE

And access to the switch from the PuTTY Connection refused.

Can anyone of you help?

steffen.buehnemann · ‎06-01-2012

Did anybody know a solution or an answer for this issue???

Jatin Katyal · ‎06-06-2012

You may check this:

CSCtg38344 Router does not load any config after ip ssh pubkey-chain on a reload

Regards,

Jatin

Do rate helpful posts-

~Jatin

steffen.buehnemann · ‎06-06-2012

Thank you Jatin for your help.
I had looked at the bug tool kit once, unfortunately it is for IOS 15.X.
I am using IOS 12.2.58.

What I absolutely do not understand that if I import a key that does not appear this.
And if only as a hash. The other people have done before me, even that can not be so difficult.

How do you do it if you authenticate with RSA Key `s doing (including create the Key` s)

steffen.buehnemann · ‎06-13-2012

The shit works only with Cisco IOS version 15 .. thank you ...CISCO...