Using SSH keys between Ubuntu 16.04 client and Cisco router (SSH Server)

aacole
Level 5

Hi, I'm attempting to set up SSH between my Ubuntu client and a CSR 1000 router in VIRL running 16.5.1b with SSH keys so that I don't need to enter a password; it's for an Ansible lab I'm working on. Prior to setting this up I had regular password authentication working, so when I SSH'ed from my client to this router I logged in with a password as normal, so I know I have basic IP connectivity.

I've generated the client key as follows:

ssh-keygen

I can see the key with:

cat ~/.ssh/id_rsa.pub

And found information that explained how to break up the key into shorter lines:

fold -b -w 72 ~/.ssh/id_rsa.pub

I checked the RSA key fingerprint with:

ssh-keygen -lf ~/.ssh/id_rsa.pub
2048 SHA256:OURv0YmzLD1xC8mSihmELU2tEgHuETnkkcZ4jGLRP8w andyc@ubuntu (RSA)

On the router I configured:

ip domain-name cisco.com

ip ssh pubkey-chain
username andyc
key-string

< pasted output from cat ~/.ssh/id_rsa.pub on the client >

I can see the fingerprint with:

show run | beg pubkey

ip ssh pubkey-chain
  username andyc
   key-hash ssh-rsa 81AB71B476661EB1D248EC2CAE1CCFDF andyc@ubuntu
  username andy
   key-hash ssh-rsa FA570736F0B4C3AE9837A50F79380B91
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh server algorithm authentication publickey
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr

When I attempt to connect from the client with:

ssh andyc@192.168.255.1

It fails to connect, with no error message on the router console.

Debug shows:

*May 10 13:52:02.229: SSH0: protocol version id is - SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
*May 10 13:52:02.291: SSH2 0: Using kex_algo = diffie-hellman-group-exchange-sha1
*May 10 13:52:02.669: SSH0: TCP send failed enqueueing
*May 10 13:52:05.301: SSH0: Session disconnected - error 0x00

What I did notice from this is that the fingerprints don't match. I'm not sure if they should, but it somehow feels wrong that they don't match; can someone clarify this please?

At this stage, I'm out of ideas on what to do next to try and get this working, any suggestions welcome. I've attached the router config for reference.

Andy

1 Reply

aacole
Level 5

An update on this issue: I restarted the CSR1000 in my VIRL topology to clear out the config (I'd purposefully not saved it) and started again.

I get the same, no connection, but now my public keys match, which they didn't before when I re-looked at my data. Also I've got additional debug from the client and server, attached.

The router debug shows that it's unable to locate the public key for my configured username, but the show run | beg pubkey output shows it's there.
