03-14-2013 06:19 AM - edited 03-07-2019 12:14 PM
Hi Guys,
Since IOS 15.X it has been possible to authenticate users who connect to a device over SSH with their RSA public/private key pair. One limitation of this feature is that you can only define 10 users for this authentication scheme.
I'm trying to figure out whether it is possible to combine this authentication scheme with normal TACACS+ authentication, so that users who do not have their public key registered on the device can still connect using their TACACS+ account.
Does anybody know this?
06-12-2013 04:55 AM
I'm also interested in this, as well as in disabling keyboard authentication, i.e. no key, no prompt.
Regards, Neil
02-12-2014 09:49 AM
Did you ever find out an answer? This is something I wish to implement as well.
07-27-2016 12:25 PM
You can use a workaround: we can use default TACACS+ auth together with SSH RSA auth (the username must exist in TACACS+ for authz if you use it).
We can configure AAA auth/authz default with TACACS+ and also configure RSA auth for users. In this scenario IOS doesn't send auth to TACACS+ if the pubkey exists in the configuration (it authenticates by RSA pubkey locally), but authz does go to TACACS+ (with the username from the configuration). It's working fine.
But the other side of this: you can log in to the device with any username if you configure your pubkey for this user...
Example: we have two users (user1 and user2). I'm user1 and I don't know the credentials for user2.
We have this config:
aaa authentication login default group tacacs local
aaa authorization config-commands
aaa authorization exec default group tacacs local if-authenticated
aaa authorization commands 15 default group tacacs local if-authenticated
ip ssh pubkey-chain
username user1
key-hash ssh-rsa ****
I can authenticate by SSH RSA key without problem (auth by key is processed locally, authorization goes through ACS; ACS knows about user1, so it will be OK). After that I can do this:
ip ssh pubkey-chain
username user2
key-hash ssh-rsa ****
And after that I can log in to the device by key with username user2 :)
So we need to configure ACS to prohibit the use of the ssh pubkey-chain command for normal users.
P.S.: I don't know if it's a bug or not that we can use RSA pubkey auth with default TACACS+ authentication...
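The post above shows the risk: anyone who is authorized to enter `ip ssh pubkey-chain` can add a key under any username and then log in as that user, because the key check happens locally and only the authorization step consults TACACS+. A practical control besides the ACS command-authorization rule is to review the running configuration for key-chain users that are not on an approved list and for missing command authorization. The following audit script is an added example, not code from this thread; the running-config fragment, the approved-user set and the finding texts are constructed for illustration, and the line-matching assumes the indentation layout IOS uses when it prints `ip ssh pubkey-chain` in `show running-config`.

```python
import re

# Constructed sample running-config fragment. It mirrors the AAA lines from the
# post above and adds a second pubkey-chain user, the situation the post warns about.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs local
aaa authorization config-commands
aaa authorization exec default group tacacs local if-authenticated
aaa authorization commands 15 default group tacacs local if-authenticated
ip ssh pubkey-chain
 username user1
  key-hash ssh-rsa 0123456789abcdef0123456789abcdef
 username user2
  key-hash ssh-rsa fedcba9876543210fedcba9876543210
line vty 0 4
 transport input ssh
"""

# Hypothetical allow-list: the users who are supposed to have a key on the box.
APPROVED_KEY_USERS = {"user1"}


def parse_pubkey_chain(config):
    """Return {username: key_hash} for each user under 'ip ssh pubkey-chain'.

    The block ends at the next non-indented line, which is how IOS prints it.
    A user whose key-hash line is missing maps to None.
    """
    users = {}
    in_chain = False
    current = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith("ip ssh pubkey-chain"):
            in_chain = True
            continue
        if in_chain and not line[0].isspace():
            in_chain = False  # left the indented block
        if not in_chain:
            continue
        stripped = line.strip()
        m = re.match(r"username (\S+)$", stripped)
        if m:
            current = m.group(1)
            users.setdefault(current, None)
            continue
        m = re.match(r"key-hash ssh-rsa (\S+)$", stripped)
        if m and current is not None:
            users[current] = m.group(1)
    return users


def audit_config(config, approved=APPROVED_KEY_USERS):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    lines = config.splitlines()
    for user, key_hash in sorted(parse_pubkey_chain(config).items()):
        if user not in approved:
            findings.append(
                f"pubkey-chain user '{user}' (key-hash {key_hash}) is not on the approved list")
    # Without config-command authorization, 'ip ssh pubkey-chain' changes are never
    # sent to the TACACS+ server, so the ACS rule the post recommends cannot apply.
    if "aaa authorization config-commands" not in lines:
        findings.append("config-command authorization is not enabled; "
                        "'ip ssh pubkey-chain' changes would not be checked by TACACS+")
    if not any(l.startswith("aaa authorization commands 15 default group tacacs") for l in lines):
        findings.append("level-15 commands are not authorized through TACACS+")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a saved `show running-config` instead of `SAMPLE_CONFIG`; a key-hash that does not match the fingerprint of the key the approved user actually holds is worth the same scrutiny as an unknown username.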
01-29-2023 02:17 AM
Hi,
I want to share my working code:
Ubuntu:
ssh-keygen -t rsa -b 4096
/root/.ssh/my_rsa
fold -b -w 64 ~/.ssh/my_rsa.pub
ssh-rsa x
x
x
x
x== root@pclab.mydomain.local
switch:
conf t
ip ssh pubkey-chain
username myadmin
key-string
ssh-rsa x
x
x
x
x== root@pclab.mydomain.local
exit
exit
do wr
my TACACS+ username: myadmin
ssh -v -l myadmin -i /root/.ssh/my_rsa 10.1.1.200
thank you
best regards
Erdem Sarıkuş
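The procedure above folds the OpenSSH public-key line into 64-character rows (the IOS CLI rejects longer lines in `key-string`) and pastes it under the user; once saved, IOS stores only a `key-hash ssh-rsa <hex>` line. The script below is an added example, not the poster's code: it reproduces the folding step, renders the `ip ssh pubkey-chain` block for a username, and computes the hex value to compare against what `show running-config` displays. It assumes (my understanding, not stated in the thread) that the IOS key-hash is the MD5 of the base64-decoded key blob, the same value `ssh-keygen -E md5 -lf key.pub` prints with colons. The sample key is constructed from a throwaway modulus so the example runs offline; it is not a usable RSA key.

```python
import base64
import hashlib


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint: big-endian bytes with a leading 0x00 when the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


# Constructed sample key blob (type string, exponent, modulus). The modulus is an
# arbitrary number, not a real RSA key; it only has to be well-formed.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_mpint(65537)
               + ssh_mpint(0xC0FFEE1234567890ABCDEF1122334455667788))
SAMPLE_PUB_LINE = ("ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()
                   + " root@pclab.mydomain.local")


def key_string_lines(pub_line: str, width: int = 64) -> list:
    """Split one public-key line into <= width-character rows, like 'fold -b -w 64'."""
    return [pub_line[i:i + width] for i in range(0, len(pub_line), width)]


def decode_blob(pub_line: str) -> bytes:
    """Return the raw key blob from the base64 field of an OpenSSH public-key line."""
    key_type, b64 = pub_line.split()[:2]
    if key_type != "ssh-rsa":
        raise ValueError(f"expected an ssh-rsa key, got {key_type}")
    blob = base64.b64decode(b64)
    # The blob must start with its own type string; anything else is not an RSA key.
    if not blob.startswith(ssh_string(b"ssh-rsa")):
        raise ValueError("key blob does not start with 'ssh-rsa'")
    return blob


def ios_key_hash(pub_line: str) -> str:
    """Hex MD5 of the decoded blob; assumed to equal the IOS 'key-hash ssh-rsa' value."""
    return hashlib.md5(decode_blob(pub_line)).hexdigest()


def render_pubkey_chain(username: str, pub_line: str) -> str:
    """Render the configuration block the post types in by hand, with the folded key."""
    lines = ["ip ssh pubkey-chain", f" username {username}", "  key-string"]
    lines += ["   " + chunk for chunk in key_string_lines(pub_line)]
    lines += ["  exit", " exit"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_pubkey_chain("myadmin", SAMPLE_PUB_LINE))
    print("expected key-hash ssh-rsa", ios_key_hash(SAMPLE_PUB_LINE))
```

Point the script at the real `~/.ssh/my_rsa.pub` line instead of `SAMPLE_PUB_LINE`; if the hex the script prints differs from the `key-hash` the switch shows for that username, the key on the device is not the one you think it is.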