08-23-2012 06:55 AM - edited 08-29-2017 02:41 AM
This document is intended to show how one can collect large outputs from the IOS CLI using SSH public key authentication.
It might be useful when you have scripts executed automatically to obtain information for monitoring purposes.
In this example I'm using an ASR running 15.2.2S software; however, since SSH is a control-plane feature, it will work in a similar way on other platforms.
I'm assuming the client is a flavor of Unix, just because it's the more common case. This method however also works on Windows using PuTTY and other terminal emulators.
Let's verify that we have a public key already:
cd
cat .ssh/id_rsa.pub
If it's not there you can generate it by using interactive command:
ssh-keygen
Create a user:
username test priv 15 secret supers3cr3tn0bdyw1llgue55
You need to make sure this public key is trusted by the router.
Please also make sure that the RSA keys you generate on the router (the SSH server) are larger than 768 bits.
You can also force SSHv2 on the server side (although strictly speaking it's not required if you're using SSH 1.99):
ip ssh version 2
Typically most devices prefer the following order of authentication mechanisms:
1) Public key
2) Keyboard interactive
3) Password
This allows us to try public key auth without any additional changes.
For example I could use this:
Linux# ssh -2 -v test@bsns-asr1006-2.cisco.com
Once that is done we can discuss handling of big outputs.
There are two ways of doing it.
SSH allows you to specify the command to be executed as a parameter.
For example:
ssh test@bsns-asr1002-1.cisco.com 'show clock'
This command will log into the IOS device, execute the "show clock" command and disconnect immediately.
The downside is quite obvious: you would need to start multiple sessions to execute several commands (unlike most UNIX flavors).
A need may arise to execute several commands in one big batch.
You should start by understanding which commands you would need to put in that batch.
For example my batch:
Linux# cat commands
show clock
term len 0
term exec pro ti
show ip nat trans
show ip nat trans total
show platf hard qfp act fea ipsec data drop
show platf hard qfp act stati drop
show tech
I can pipe those commands into my SSH session and get the desired outputs. Right?
Yes and no :-)
If you perform just:
cat commands | ssh -T test@bsns-asr1002-1.cisco.com
You will notice that not all outputs complete, depending on timing.
The actual issue is related to handling of end of file (EOF), which signals to SSH that it should close the connection down.
The solution is to delay that EOF until the output finishes.
A very simple way to accomplish this in bash is:
( cat commands ; sleep 100 ) | ssh -T test@bsns-asr1002-1.cisco.com
What this will do is allow 100 seconds to finish execution of that batch of commands; even on an ASR 1000 with a medium-sized config and utilization it should be enough to extract everything.
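As an added example (not part of the original document), here is a small POSIX shell wrapper around the `( cat commands ; sleep N ) | ssh -T` pattern above. It refuses to run a batch that does not disable paging, because without `term len 0` the router stops at `--More--` and the sleep simply expires with a truncated output, and it honours a hypothetical `TRANSPORT` environment variable so the pipeline can be exercised without a router. The function names and the `TRANSPORT` override are my assumptions, not anything in IOS or in the post; the batch file the first function writes is constructed here and mirrors the post's command list.

```shell
#!/bin/sh
# Added example, not from the original document. Wraps the EOF-delay trick
#   ( cat commands ; sleep N ) | ssh -T user@router
# so that SSH keeps stdin open until the router has finished printing.

# Write a constructed batch file (same commands as the post's example) to $1.
make_sample_batch() {
    cat > "$1" <<'EOF'
show clock
term len 0
term exec pro ti
show ip nat trans
show ip nat trans total
show tech
EOF
}

# Return 0 if the batch disables paging. IOS accepts abbreviated forms such as
# "term len 0", so match "term[inal] len[gth] 0" on a line of its own.
batch_disables_paging() {
    grep -Eq '^[[:space:]]*term(inal)?[[:space:]]+len(gth)?[[:space:]]+0[[:space:]]*$' "$1"
}

# run_batch HOST CMDFILE [DELAY]
# Streams CMDFILE into one SSH session, then sleeps DELAY seconds (default 100,
# as in the post) before closing stdin, which is what sends the EOF.
# TRANSPORT is a hypothetical override used only for offline testing: when set,
# it replaces "ssh -T HOST" (e.g. TRANSPORT=cat echoes the batch back).
run_batch() {
    host=$1; cmdfile=$2; delay=${3:-100}
    if ! batch_disables_paging "$cmdfile"; then
        echo "run_batch: $cmdfile does not contain 'terminal length 0'; output would stall at --More--" >&2
        return 2
    fi
    if [ -n "$TRANSPORT" ]; then
        ( cat "$cmdfile"; sleep "$delay" ) | $TRANSPORT
    else
        ( cat "$cmdfile"; sleep "$delay" ) | ssh -T "$host"
    fi
}

# Usage (host name taken from the post):
#   make_sample_batch commands
#   run_batch test@bsns-asr1002-1.cisco.com commands 100 > asr.txt
```

The delay is still a guess, as in the post; if the collected file ends before the last command's output, raise it rather than shortening the batch.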
Hope that helps!
Leave a comment.
I know this is an old article... and I found it very helpful in adding my SSH key. However, there's a major security issue with it. Users visiting this page (from Google, for instance, who may or may not be Cisco or SSH security experts) may not realize that these instructions will create a virtually unsecured user account!! -- The command to create a user given off-handedly above means that anyone who uses telnet (if it hasn't been disabled) or forces their SSH connection to request the use of keyboard-interactive authentication, will be able to get in WITHOUT A PASSWORD!! Please update these instructions to note this is a sample and that a "secret" (preferably) or "password" keyword should ALWAYS be appended to that particular command.
Good catch. Updated.
Very important comment. Just tested this and would have missed it otherwise!
Thanks
Instead of the full key, you could only put the key-hash like below:
ip ssh pubkey-chain
username admin
key-hash ssh-rsa 539197BB0F11CE77A123334A97859E30 admin@server
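To go with the `key-hash` form shown in the comment above, here is an added shell helper (not from the original document or from the commenter) that derives that value from an OpenSSH `id_rsa.pub` line. The IOS `key-hash` is the MD5 digest of the decoded key blob, the same fingerprint `ssh-keygen -l -E md5` prints, without the colons and in upper case. The helper also checks that the line really is an OpenSSH RSA key before emitting a `pubkey-chain` snippet, since the `key-hash ssh-rsa` syntax only covers RSA keys. The function names are mine, and the key fragments used in the usage and tests are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not from the original document. Derives the IOS
# "key-hash ssh-rsa <MD5>" value from an OpenSSH public key line and prints
# the matching "ip ssh pubkey-chain" configuration.

# Return 0 if $1 looks like an OpenSSH RSA public key line. A real blob starts
# with the length-prefixed string "ssh-rsa", which base64-encodes as AAAAB3NzaC1yc2E.
is_openssh_rsa_key() {
    case "$1" in
        "ssh-rsa AAAAB3NzaC1yc2E"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the IOS key-hash for key line $1: MD5 of the base64-decoded blob
# (the second field), as 32 upper-case hex digits.
ios_key_hash() {
    set -- $1                                  # $1=type $2=base64 blob $3=comment
    printf '%s' "$2" | base64 -d | md5sum | cut -c1-32 | tr 'a-f' 'A-F'
}

# ios_pubkey_chain_config USER KEYLINE
# Emit the configuration that trusts KEYLINE for USER by hash only, the way the
# comment above does, instead of pasting the whole key-string.
ios_pubkey_chain_config() {
    user=$1; keyline=$2
    if ! is_openssh_rsa_key "$keyline"; then
        echo "ios_pubkey_chain_config: not an OpenSSH RSA key line" >&2
        return 2
    fi
    # Optional trailing comment (e.g. admin@server) is kept, with a leading space.
    comment=$(printf '%s\n' "$keyline" | awk '{ if (NF >= 3) print " " $3 }')
    hash=$(ios_key_hash "$keyline")
    printf 'ip ssh pubkey-chain\n username %s\n  key-hash ssh-rsa %s%s\n exit\nexit\n' \
        "$user" "$hash" "$comment"
}

# Usage: ios_pubkey_chain_config admin "$(cat ~/.ssh/id_rsa.pub)"
```

Compare the printed hash with `ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub` before pasting it into the router; a mismatch means the wrong key file or a mangled paste.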
Actually the better solution would be to not use that command at all. There is no reason to create a local user on the IOS device at all. Don't include
username test priv 15 secret supers3cr3tn0bdyw1llgue55
All you need is
What should we do in the reverse case, i.e. when we are accessing the Linux box from IOS?
Ping is working fine, but when I'm trying to ssh to the Linux box it's not happening.
You can find the SSH key of the IOS device with:
show ssh key
You can then google how you should apply this to whatever device type you are trying to connect to.
Dusting this thread off again as it's still relevant.
This works in IOS-XE (at least in 16.9 Fuji), too. And integrates fine with TACACS+/ISE for authorization. No need for the username statement.
Also, if you're loading a public key from a PEM file (e.g. one from puttygen), leave on the "==" at the end of the key. Remove the header, footer and any comments.
Unfortunately the remote authentication integration doesn't work with NX-OS. There you put in the public key in a username sshkey statement, not with "ip ssh pubkey-chain". If you try to add a public key for a remote user it errors and complains that the username is a remote user. We looked at adding the public key at the shell level which works briefly. Seems the remote user's $HOME/.ssh directory is transient and gets removed after the user session ends.