public key authentication / 4096 bits

stuartkendrick
Beginner

I'm trying to enable public key authentication to my gear.

Documentation suggests that IOS supports 4096 bit key lengths ... but I see the following error if I try to enter 4096 bit keys (2048 and 1024 work fine):

switch(config)# ip ssh pubkey-chain
switch(conf-ssh-pubkey)# username foo
switch(conf-ssh-pubkey-user)# [...]
% SSH: Invalid keyhash data
switch(conf-ssh-pubkey-user)#

I've replicated this under:

Cat2960X / IOS 15.2(4)E
Cat4500X / IOS-XE 15.2(4)E

Is anyone successfully implementing 4096 bit keys under IOS?

--sk

2 Replies

Karsten Iwen
VIP Mentor

Yes, it works with 4096 bit keys. I assume that you are just missing the right way to paste your key.

When in "conf-ssh-pubkey-user" mode, you first have to specify "key-hash" or "key-string", depending what you want to put in. If you use the key-string, IOS automatically converts it to a key-hash.

OK, with Karsten's encouragement, I got this working. For posterity, here is what I did:

IOS

linux> ssh-keygen -lf ~/.ssh/id_rsa.pub -E md5
2048 MD5:c8:25:cd:90:c8:6b:4c:48:a0:38:a3:8a:e5:67:75:60 stuart@vishnu (RSA)

ios-switch(config)# username stuart privilege 15 password 0 secret
ios-switch(config)# ip ssh pubkey-chain
ios-switch(conf-ssh-pubkey)# username stuart
ios-switch(conf-ssh-pubkey-user)# key-hash ssh-rsa c825cd90c86b4c48a038a38ae5677560
ios-switch(conf-ssh-pubkey-user)# end
ios-switch#

Notice:

- Username must already be defined before entering the ssh key info
- Specify the 'md5' flavor of fingerprint (the default sha256 didn't work for me for 4096 bit keys)
- Remove the colons ':' from the hash before applying it to the switch's running-config
- I dodge the whole 'copying & pasting 250 characters at a time' issue by using the key-hash

NXOS

Create a file on a host:

host> cat /tftpboot/Cisco-Files/my-account-details
username stuart password 0 secret role network-operator
username stuart sshkey ssh-rsa {insert contents of id_rsa.pub here} stuart@company.com
end

And then upload that file with something like:

nxos-switch# copy tftp://10.1.2.3/Cisco-Files/my-account-details running-config

Notice:

- I dodge the whole 'copy & paste ~250 characters at a time' issue by uploading a file
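The IOS steps above (take the MD5 fingerprint of the public key, strip the colons, enter it as key-hash) can be reproduced and cross-checked in one script. This is an added example, not code from the thread or from Cisco; it parses an OpenSSH ssh-rsa line, reports the modulus size so you can confirm the key really is 4096 bits, and emits both the ssh-keygen-style fingerprint and the key-hash line. The sample key it builds is a constructed blob around a dummy modulus, used only to exercise the parsing and hashing.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    """SSH mpint: big-endian two's complement, so a leading 0x00 when the top bit is set."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, offset: int):
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length

def parse_openssh_pubkey(line: str):
    """Parse one 'ssh-rsa AAAA... comment' line into (key_type, raw_blob, modulus_bits)."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type or key_type != "ssh-rsa":
        raise ValueError("IOS key-hash needs an ssh-rsa key with a consistent type prefix")
    _e, off = _read_string(blob, off)        # public exponent (not needed here)
    n_bytes, _ = _read_string(blob, off)     # modulus; its bit length is the key size
    return key_type, blob, int.from_bytes(n_bytes, "big").bit_length()

def fingerprint_md5(line: str) -> str:
    """What 'ssh-keygen -lf key.pub -E md5' prints: MD5 of the decoded blob, colon-separated."""
    digest = hashlib.md5(parse_openssh_pubkey(line)[1]).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def ios_key_hash(line: str) -> str:
    """The key-hash line for conf-ssh-pubkey-user mode: the same digest with colons removed."""
    key_type, blob, _ = parse_openssh_pubkey(line)
    return f"key-hash {key_type} {hashlib.md5(blob).hexdigest()}"

def sample_pubkey_line(bits: int = 4096) -> str:
    """Constructed test key: a syntactically valid ssh-rsa blob around a dummy modulus."""
    n = (1 << (bits - 1)) | 0x10001   # exactly `bits` bits long and odd; not a real RSA modulus
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " stuart@example.invalid"

if __name__ == "__main__":
    key = sample_pubkey_line()
    print(parse_openssh_pubkey(key)[2], fingerprint_md5(key))
    print(ios_key_hash(key))
```

Run it against a real `~/.ssh/id_rsa.pub` line instead of the constructed sample to get the exact text to paste in conf-ssh-pubkey-user mode.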
