4816 Views | 10 Helpful | 8 Replies

SSH access, Certificates & Putty Access

croftsd23
Level 1

I need some clarity on SSH and certificates. I have SSH enabled on a router which has a signed certificate loaded. The PuTTY client has the root CA loaded. PuTTY connectivity works.

The question I have is this: SSH access works on another router even though the certificate loaded on the router has expired? I would have thought that the certificate would have provided an extra layer of security and possibly denied access to the client. I get no message on the client session to say that it has expired (apart from in the show crypto commands).

Also, if I have a new router without any certificates (apart from a self-signed one), then I can gain access quite happily.

So what function does having the certificate signed by the CA and loaded serve, as I can get access when a self-signed one is in use?

Therefore, from a trust perspective, what is the advantage of having a signed cert, or am I missing an important piece of config for the Cisco?

8 Replies

I am not entirely sure the Cisco router supports authentication with both certificate and username/password for SSH. If you are using an external authentication server, you could set up 2-factor authentication using DUO, for example.

In any case, the reason the certificate is not being authenticated might be that you have not configured the router to accept certificate authentication.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960l/software/15-2_6_e/configuration_guide/b_1526e_consolidated_2960l_cg/b_1526e_consolidated_2960l_cg_chapter_0100101.html

--
Please remember to select a correct answer and rate helpful posts

croftsd23
Level 1

Thank you for responding, but the question I have is the validity of having a signed certificate for a Cisco device when a self-signed one on the device provides the same security. I appreciate that signed certificates provide the insight that you are connecting to the right place, but when applied on a Cisco device does it truly offer the same feature?

The main advantage a signed 3rd-party cert gives is that these root certificates are usually included with most OS installations and future patches.

When using self-signed certificates, all you need to do is install the router's root certificate on your PC and you will have insight that you are connecting to the correct device.

So for administrative purposes I would agree that self-signed certificates are fine, so long as you have control of the root certificate and it is not compromised. But for access to servers from the public domain, or for other internal users accessing servers or other non-management services, a 3rd-party or, I should say, an easily distributed PKI service should be used.


croftsd23
Level 1

Hi Marius, thank you for the response. Whether you have a self-signed cert or a signed one, access is always granted if you have configured the authentication correctly. Leading on from your answer, then: you reference connecting to the right device, and that all you need to do is install the router's root certificate on your PC and you will have insight that you are connecting to the correct device. How can you ensure this apart from interrogating the router once logged onto it? Access would be granted whether you have the right root cert or not?

How can you ensure this apart from interrogating the router once logged onto it? Access would be granted whether you have the right root cert or not?

Well, if you are using username and password for authentication, then yes, you would be logged in. But if you use certs (public/private keys) you will not be asked for a username/password and you will be granted access based on the key pair you are using.


Great, Marius, thank you. Last question and then I will leave you in peace. If you are not using the certificate as a way of authentication for access, then is there any real need to have a signed certificate from the root on the router? Just have a self-signed one. Thank you.

If you are only using the certificates for authentication to SSH, then the certificates are not needed when logging in to the router. Don't forget that you do need to create an RSA key pair to enable SSH, so when you log in for the first time you are asked to accept the router key. Also, if you require some extra security when connecting to the device and you are using an external TACACS server such as ISE, you could set up two-factor authentication from ISE to DUO, for example.

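A worked version of the host-key check Marius mentions (PuTTY asking you to accept the router key), added here as an example; it is not part of the thread and not Cisco code. IOS identifies its SSH server with the RSA key pair created by crypto key generate rsa, not with the trustpoint's X.509 certificate, unless the router is explicitly configured to use X.509v3 certificates for SSH. That is why the expired and self-signed certificates described above made no difference to the PuTTY sessions. The way to know you have reached the right router before you log in is therefore to compare the fingerprint in PuTTY's prompt with one computed from the public key the console prints with show crypto key mypubkey rsa. The script takes that hex DER dump, rebuilds the RFC 4253 ssh-rsa blob and prints the MD5 and SHA256 fingerprints in the formats PuTTY and OpenSSH display. The router name R1.example.com, the imitated layout of the show output and the 2048-bit sample modulus are all constructed for the example (the modulus is not a real RSA key).

```python
"""Out-of-band check of a Cisco IOS SSH host key. Added example (not the thread's or
Cisco's code): rebuild the RFC 4253 'ssh-rsa' blob from the hex DER that
'show crypto key mypubkey rsa' prints and compute the fingerprints PuTTY/OpenSSH show."""
import base64
import hashlib
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption

# ---- minimal DER encode/decode, enough for an RSA SubjectPublicKeyInfo
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)   # INTEGER is signed

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, end position) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next bytes hold the length
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length

def spki_from_rsa(n: int, e: int) -> bytes:
    """Encode (n, e) as DER SubjectPublicKeyInfo, the form IOS prints under 'Key Data'."""
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))

def rsa_from_spki(der: bytes):
    """Parse DER SubjectPublicKeyInfo; return (n, e), or raise for non-RSA keys."""
    _, spki, _ = _read_tlv(der, 0)
    _, alg, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    bs_tag, bitstr, _ = _read_tlv(spki, pos)
    if bs_tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_pub, _ = _read_tlv(bitstr, 1)           # skip the unused-bits byte
    _, n_bytes, pos = _read_tlv(rsa_pub, 0)
    _, e_bytes, _ = _read_tlv(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

# ---- SSH wire format (RFC 4253) and the fingerprints clients display
def _mpint(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    b = b"\x00" + b if b[0] & 0x80 else b           # mpint is signed too
    return len(b).to_bytes(4, "big") + b

def ssh_rsa_blob(n: int, e: int) -> bytes:
    """'ssh-rsa' host key blob: string "ssh-rsa", mpint e, mpint n."""
    return b"\x00\x00\x00\x07ssh-rsa" + _mpint(e) + _mpint(n)

def openssh_line(n: int, e: int, comment: str = "ios-host-key") -> str:
    """known_hosts-style line; 'ssh-keygen -lf' on it must give the same fingerprint."""
    return f"ssh-rsa {base64.b64encode(ssh_rsa_blob(n, e)).decode()} {comment}"

def fingerprints(blob: bytes) -> dict:
    """MD5 colon-hex (older PuTTY) and 'SHA256:' base64 (OpenSSH, PuTTY 0.74+)."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def der_from_show_output(text: str) -> bytes:
    """Hex words after 'Key Data:' (first key only); stop at the first non-hex token."""
    _, found, rest = text.partition("Key Data:")
    if not found:
        raise ValueError("no 'Key Data:' section in output")
    words = []
    for tok in rest.split():
        if not re.fullmatch(r"[0-9A-Fa-f]+", tok) or len(tok) % 2:
            break                                   # next key's header or a prompt
        words.append(tok)
    return bytes.fromhex("".join(words))

# ---- constructed sample: 2048-bit modulus with the top bit set, NOT a real key
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | 1 | int.from_bytes(
    hashlib.sha256(b"constructed sample, not a real key").digest() * 8, "big")

def ios_show_output(n: int, e: int, name: str = "R1.example.com") -> str:
    """Imitate the IOS 'show crypto key mypubkey rsa' layout (hypothetical router name)."""
    h = spki_from_rsa(n, e).hex().upper()
    words = [h[i:i + 8] for i in range(0, len(h), 8)]
    rows = ["  " + " ".join(words[i:i + 8]) for i in range(0, len(words), 8)]
    return (f"Key name: {name}\nKey type: RSA KEYS\n Usage: General Purpose Key\n"
            " Key Data:\n" + "\n".join(rows) + "\n")

if __name__ == "__main__":      # with a real router, paste its show output instead
    n, e = rsa_from_spki(der_from_show_output(ios_show_output(SAMPLE_N, SAMPLE_E)))
    print(fingerprints(ssh_rsa_blob(n, e))["sha256"], openssh_line(n, e), sep="\n")
```

Paste the router's own console output in place of ios_show_output(); if the SHA256 line matches what PuTTY shows in its host-key prompt, the key presented over the network is the one on the router, regardless of what certificate the trustpoint holds. Saving the openssh_line() output to a file and running ssh-keygen -lf on it is an independent cross-check of the encoding, since OpenSSH computes its fingerprint from the same blob.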

croftsd23
Level 1

Apologies for the late reply, I have not been able to upload a response.
