10-26-2010 02:57 AM - edited 02-21-2020 04:07 AM
Hi guys,
I have a backup server, which should back up the router configuration files securely for a list of routers.
My colleagues applied this in Juniper, but unfortunately I am unable to figure it out on Cisco routers.
The requirement is as follows:
I want to execute a cron job on the backup server, which will back up the running configs for a list of routers using ssh and without specifying a password. I want to insert a certificate into the routers, which was created on the backup server for a specific username called "backup_user". Then when the cron job is executed it will issue the required command(s) without specifying any password or asking for any user confirmation/prompt.
I am thinking to break down this requirement as follows:
The first step is that I want to execute "ssh -l backup_user 3.3.3.3" on the backup server from the command line so that I will log in to the router, which has 3.3.3.3 as a loopback IP, without being asked for a password/prompt. Being asked for any confirmation/acceptance the first time I access the router from the backup server is ok, but later I don't want to be asked any questions while trying to login/access the 3.3.3.3 router from the backup server. So how can I do that?
My colleagues who implemented it in Juniper did the following:
1- They created a self-signed certificate in the backup server bound to user "backup_user".
2- They created a local user on the router also called "backup_user".
3- They imported the certificate generated in the backup server into the router and they bound it to the local user "backup_user". How can I do both in Cisco routers?
4- They issued the "ssh -l backup_user x.x.x.x" from the backup server. Once they did that, they were able to log in to the router.
So the point here is that instead of the router asking for a password to authenticate "backup_user" who is accessing from the backup server, it won't ask for it and it will consider the user as legitimate and he will be granted access. How can this be done?
Thanks and best regards,
Mohammad Jamal Tabbara
CCIE R&S # 24487
10-26-2010 09:50 AM
Interesting Mohammad!
So you want to do certificate client authentication for SSH on IOS.
I am not sure if it can be done, but please post the question in the AAA forum and let's see if they can help.
PK
10-26-2010 08:25 PM
Thanks pkampana !
I have found the solution for that.
This is called "RSA-based public key authentication"; it is a new feature under SSH Version 2 Enhancements.
Document name: Secure Shell Version 2 Support
Link: http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_shell_v2.html
This is explained under:
"Secure Shell Version 2 Enhancements for RSA Keys"
and under "Configuring the Cisco IOS SSH Server to Perform RSA-Based User Authentication"
This feature is only supported in IOS 15.0(1)M and later versions.
Thanks and best regards
Mohammad Jamal Tabbara
CCIE R&S# 24487
10-26-2010 09:08 PM
Good to know, thanks!
PK
03-14-2013 01:25 AM
Hi Mohammad,
I am trying to log in to a Cisco UC540 router from a Linux server using the Linux server's RSA SSH key without being asked for a password.
It worked, but the router is asking for the passphrase key every time I log in from the Linux server.
I have enabled AAA login and I have even given privilege 15 access to the backup user on the UC540 router.
And another problem is that when I log in to the Cisco UC540 router using the SSH private key from the Linux server, it first asks me for the passphrase, after that I am logged in to the Cisco router, but I am still in non-configuration user mode and then I need to type the enable password to copy the backup configuration file of the Cisco router.
Kindly help me implement this auto backup from the Linux server to the Cisco router using SSH private and public keys.
Khandesha
CCNA,
Sr. Network and Security Administrator
India.
06-06-2013 07:54 AM
Hi Mohammad,
I am trying to set this up for about 50-60 switches and routers, and I want to ssh into them from a couple of computers without being asked for login. I am having a hard time setting it up; can you please post the steps you have taken to do so.
I have created a trustpoint, which I do not think that I need, but it tells me that I need to authenticate it somehow, and the other problem I have is how to send the public key to the machine I am trying to ssh from.
Thanks,
Laith
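The two steps the thread leaves to the reader are producing the value the router actually stores for a user's key and getting the key onto the router in a form IOS accepts (Mohammad's "Configuring the Cisco IOS SSH Server to Perform RSA-Based User Authentication" and Laith's "how to send the public key" question). The helper below is an added example written for this page; it is not Cisco's code nor any poster's. It parses an OpenSSH `ssh-rsa` public-key line, validates the blob before trusting it, computes the MD5 digest of the raw blob (assumed here to be the value behind IOS `key-hash ssh-rsa`, the same digest `ssh-keygen -l -E md5` prints), and renders the `ip ssh pubkey-chain` block to paste into the router. The sample key is constructed from a placeholder modulus and is not a real key; `min_bits`, `accepts` and the `use_hash` switch are this example's own choices.

```python
"""Prepare an OpenSSH RSA public key for Cisco IOS RSA-based user authentication.

Added example for this thread, not code from Cisco or from any of the posters.
Assumptions: the value IOS stores under `key-hash ssh-rsa` is the MD5 digest of
the raw public-key blob as 32 uppercase hex characters; key-string mode takes
the base64 blob alone, without the "ssh-rsa" prefix; the sample key below is
constructed from a made-up modulus and is not a real key.
"""
import base64
import hashlib
import struct
import textwrap


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 mpint for a positive integer (leading 0x00 when the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_authorized_key(line: str, min_bits: int = 2048) -> dict:
    """Parse one authorized_keys-style line and check the blob before trusting it."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("only ssh-rsa keys are accepted by this helper")
    blob = base64.b64decode(parts[1], validate=True)
    fields, pos = [], 0
    for _ in range(3):  # three fields: type, e, n
        if pos + 4 > len(blob):
            raise ValueError("truncated key blob")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[pos:pos + length])
        pos += length
    if pos != len(blob):
        raise ValueError("trailing bytes after key blob")
    if fields[0] != b"ssh-rsa":
        raise ValueError("blob type does not match the line type")
    e = int.from_bytes(fields[1], "big")
    n = int.from_bytes(fields[2], "big")
    if n.bit_length() < min_bits:  # example policy, not an IOS requirement
        raise ValueError(f"RSA modulus shorter than {min_bits} bits")
    return {"e": e, "bits": n.bit_length(), "blob": blob, "comment": " ".join(parts[2:])}


def accepts(line: str) -> bool:
    """True when the line parses cleanly, False on any validation failure."""
    try:
        parse_authorized_key(line)
    except ValueError:
        return False
    return True


def ios_key_hash(blob: bytes) -> str:
    """MD5 of the raw blob, uppercase hex: the assumed `key-hash ssh-rsa` value."""
    return hashlib.md5(blob).hexdigest().upper()


def ios_pubkey_chain_config(username: str, key: dict, use_hash: bool = False) -> str:
    """Render the `ip ssh pubkey-chain` block binding the key to a local user.

    use_hash=False pastes the whole key in key-string mode (the router derives
    and stores the hash itself); use_hash=True enters only the hash."""
    lines = ["ip ssh pubkey-chain", f" username {username}"]
    if use_hash:
        lines.append(f"  key-hash ssh-rsa {ios_key_hash(key['blob'])}")
    else:
        b64 = base64.b64encode(key["blob"]).decode()
        lines.append("  key-string")
        lines += [f"   {chunk}" for chunk in textwrap.wrap(b64, 72)]
        lines.append("  exit")
    lines += [" exit", "exit"]
    return "\n".join(lines)


# Constructed sample: e = 65537 and a 2048-bit placeholder modulus. Not a real
# key; a real one comes from `ssh-keygen -t rsa -b 2048 -f backup_user_key`.
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | 0xC0FFEE | 1
SAMPLE_LINE = ("ssh-rsa "
               + base64.b64encode(build_rsa_blob(SAMPLE_E, SAMPLE_N)).decode()
               + " backup_user@backup-server")

if __name__ == "__main__":
    key = parse_authorized_key(SAMPLE_LINE)
    print(f"! {key['bits']}-bit RSA key for {key['comment']}")
    print(ios_pubkey_chain_config("backup_user", key))
    print("! hash-only form:")
    print(ios_pubkey_chain_config("backup_user", key, use_hash=True))
```

The router side is then a local `username backup_user` plus the rendered block; on the backup server the cron job pairs the private key with the host key accepted on the first connection, so a later run fails closed instead of prompting (for OpenSSH, `ssh -o BatchMode=yes -i backup_user_key -l backup_user 3.3.3.3 "show running-config"`). Keeping the private key passphrase-less on the backup host, or loading it into an agent the job can reach, is what removes the passphrase prompt Khandesha describes; the router never sees the passphrase.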
06-08-2013 03:23 AM
Can you provide the output of "show run | in aaa" and "show run | beg line vty 0 15" from the router, please.
You can actually use the below listed command. It basically disables authentication and won't prompt for username and password. Remember, we are using default and not any method list so it will disable authentication on all lines including console.
IOS(config)#aaa authentication login default none
If you would only like to disable authentication on a specific line then create a method list and apply it on that line.
IOS(config)#aaa authentication login SSH none
IOS(config)#line vty 0 15
IOS(config-line)#login authentication SSH
IOS(config-line)#exit
Jatin Katyal
- Do rate helpful posts -