SSH Authorized Keys

mike_jones
Level 1

I'm attempting to set up authentication using SSH Authorized Keys on my IDS. I've generated my keypair using Puttygen.

When I go in to set up my authorized key, I'm unable to determine what my Public Exponent is supposed to be. Can anyone shed some light?

Thanks,

Mike J.

Accepted Solutions

brhamon
Level 1

PuTTY has been my preferred SSH client for about four years now.

I'm currently using a recent build of PuTTY (02-Jul-2004), and the following instructions were written to this new version; however, any build from a snapshot taken in the past couple of years should work.

The primary issue when establishing SSH Authorized Keys is that only the older RSA1 key format is acceptable. This means you need to tell your key generator to create an RSA1 key, and you must restrict the SSH client to using the SSH1 protocol.

Here is how you do that with recent builds of PuTTY:

1) Launch puttygen

2) In the "Parameters" group at the bottom of the dialog, click the SSH1 key type. Also, I recommend setting the number of bits in the generated key to 2048.

3) Click Generate... follow the instructions. The key information is displayed in the upper pane of the dialog.

4) Clear out the "Key Comment" edit box.

5) Select all the text in the pane labelled "Public key for pasting into authorized_keys file" and press Ctrl-C.

6) Type a passphrase into the "Key passphrase" and "Confirm passphrase" edit boxes.

7) Click "Save private key"

8) Save the PuTTY private key file into a directory private to your Windows login (in the "Documents and Settings/(userid)/My Documents" subtree in Win2K/XP).

9) Launch PuTTY

10) Create a new PuTTY session as follows:

Session:

IP Address: IP address of the IDS sensor

Protocol: SSH

Port: 22

Connection:

Auto-login username: cisco (or whatever login you are using on the sensor)

Connection/SSH:

Preferred SSH version: 1 only

Connection/SSH/Auth:

Private key file for authentication: Browse to the .PPK file stored in step 8 above.

Session: (back to the top)

Saved sessions: (enter the sensor name, click Save)

11) Click Open

Use password authentication to connect to the sensor CLI, since we haven't put the public key on the sensor yet.

12) Type the following CLI command and press Enter:

configure terminal

13) Type the following CLI command, but do not press Enter yet (make sure and type a space at the end):

ssh authorized-key mykey

14) Right mouse click in the PuTTY terminal window... this will cause the clipboard material copied in step 5 to be typed into the CLI.

15) Press Enter.

16) Type the following CLI command and press Enter:

exit

17) Confirm the authorized key was entered properly. Type the following CLI command and press enter:

show ssh authorized-keys mykey

18) Quit the IDS CLI. Type the following CLI command and press enter:

exit

=====

In my next post, I'll finish these instructions....


2 Replies

brhamon
Level 1

To use RSA authentication:

A) Launch PuTTY.

B) Locate the Saved Session created in step 10 above and double click on it.

A PuTTY terminal window opens and the following text appears:

Sent username "cisco"

Trying public key authentication.

Passphrase for key "":

C) Type the private key passphrase you created in step 6 above, then press Enter.

D) You should be automatically logged in.

=====

The limitation of this setup will be quickly apparent because you will be prompted for a passphrase instead of a password.

True, the passphrase never traverses the network, so it is therefore more secure; however, you really haven't achieved the full potential of RSA Authentication until you start using a private key agent.

Fortunately, PuTTY includes one, called "pageant". When you launch pageant, a small PC icon wearing a spy hat appears in Windows system tray.

Right mouse click on this icon and select "Add Key". Select the .PPK file you saved in step 8 above. Enter the passphrase when prompted.

Now for the duration of your Windows login session, you won't need to enter your passphrase when this private key is used.

You will want to launch PuTTY, load the saved session from step 10 above and change the following settings:

Connection/SSH/Auth:

Delete the text from the edit box labelled "Private key file for authentication"

Allow Agent Forwarding: YES

Session:

(click Save)

Now click Open, and your session is opened with no passphrase!

=====

Now, for the final bit of magic. You may want Windows to automatically launch pageant every time you log in. Furthermore, you would like it to open your .PPK file automatically also.

Fire up regedit and navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Add a new string value, named anything you like (I suggest "pageant"), and set its value to:

"C:\Program Files\PuTTY\pageant.exe" "D:\Documents and Settings\userid\My Documents\mykey.PPK"

(Substitute your name for "userid" and supply the correct path information to get to your .PPK file.)

Now, whenever you log into Windows, you will be prompted for the passphrase for your private key. Once entered, you can log into IDS sensors over and over again without user intervention.
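
Added example (not part of either post, and not Cisco or PuTTY code): for an SSH1 key, the text copied in step 5 is a single line of the form `bits exponent modulus [comment]`, the layout OpenSSH documents for protocol 1 public keys, so the public exponent asked about in the question is the second number on that line. The sketch below parses such a line, rejects a truncated or wrapped paste, and rebuilds the command line from steps 13-14; the function names are hypothetical and the sample modulus and exponent are constructed values, not a real key.

```python
# Added example: split an SSH-1 (RSA1) public key line into its fields
# and catch a paste that was cut short or wrapped by the terminal.
from typing import NamedTuple


class Rsa1PublicKey(NamedTuple):
    bits: int       # modulus length in bits
    exponent: int   # RSA public exponent (the value the question asks about)
    modulus: int    # RSA public modulus
    comment: str    # empty if step 4 (clear the key comment) was followed


def parse_rsa1_public_key(line: str) -> Rsa1PublicKey:
    """Parse 'bits exponent modulus [comment]'; all three numbers are decimal."""
    fields = line.split(None, 3)
    if len(fields) < 3:
        raise ValueError("expected at least: bits exponent modulus")
    if not all(f.isascii() and f.isdigit() for f in fields[:3]):
        raise ValueError("bits, exponent and modulus must be decimal digits")
    bits, exponent, modulus = (int(f) for f in fields[:3])
    comment = fields[3].strip() if len(fields) == 4 else ""
    if exponent < 3 or exponent % 2 == 0:
        raise ValueError("public exponent must be an odd number >= 3")
    if modulus % 2 == 0:
        raise ValueError("an RSA modulus is odd; the paste is likely damaged")
    if modulus.bit_length() != bits:
        # Typical symptom of a long decimal modulus cut short or line-wrapped.
        raise ValueError(
            f"modulus is {modulus.bit_length()} bits, line claims {bits}")
    return Rsa1PublicKey(bits, exponent, modulus, comment)


def sensor_command(key_id: str, key: Rsa1PublicKey) -> str:
    """Rebuild the line from steps 13-14: the command, a space, the pasted key."""
    return f"ssh authorized-key {key_id} {key.bits} {key.exponent} {key.modulus}"


# Constructed sample: a 2048-bit odd number standing in for a modulus.
# It is NOT a usable RSA modulus, and 65537 is only a sample exponent.
SAMPLE_MODULUS = (1 << 2047) + 12345
SAMPLE_LINE = f"2048 65537 {SAMPLE_MODULUS} leftover-comment"

if __name__ == "__main__":
    key = parse_rsa1_public_key(SAMPLE_LINE)
    print("public exponent:", key.exponent)
    print(sensor_command("mykey", key)[:60] + "...")
```

Comparing the three numbers printed by `show ssh authorized-keys mykey` in step 17 against the parsed fields confirms the sensor stored the whole key.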