07-16-2014 11:13 AM
Hello,
I have been reading Cisco docs about how to configure RSA Based User Authentication on an ASR9K.
http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/security/configuration/guide/b_syssec_cg42asr9k/b_syssec_cg42asr9k_chapter_0110.pdf
I have problems importing the public key to the router. No matter how I try, I always get this output:
RP/0/RSP1/CPU0:XXX#crypto key import authentication rsa tftp://10.232.201.180/id_rsa.pub
Wed Jul 16 14:00:15.558
Cannot execute the command : Invalid argument
I have tried copying the file to Disk0: and using this path but get the same error.
Could anyone help me by explaining step by step how to configure RSA Based User Authentication?
Thanks
07-17-2014 12:42 AM
Hi
1. Generate a key on your station
ssh-keygen -t rsa -b 1024
2. Remove the key type and host, leaving only key and decrypt it using base64:
cut -d' ' -f2 id_rsa.pub | base64 -d > id_rsa2.pub
3. Import the key to the device
(admin)#crypto key import authentication rsa username USERTEST ftp://xxxr/ak/id_rsa2.pub
4. Create a username on the device matching the imported key
!
username USERTEST
group root-system
!
Regards,
/A
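An added example (not from the original thread): the conversion in step 2 done in Python, with a check that the decoded file really is an ssh-rsa public-key blob before it is transferred to the router. The function names and the sample key are constructed for illustration; the sample is structurally valid only and is not a usable key.

```python
import base64
import struct
import sys


def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (size,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + size
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end


def openssh_line_to_blob(line):
    """Return (binary blob, modulus bits) for an 'ssh-rsa AAAA... comment' line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)  # same bytes as base64 -d
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob is not ssh-rsa")
    _exponent, off = _read_string(blob, off)
    modulus, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing bytes")
    return blob, int.from_bytes(modulus, "big").bit_length()


def _mpint(value):
    """Encode a positive integer as an SSH mpint (zero-padded so it stays positive)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


# Constructed sample: structurally valid ssh-rsa line, not a usable key.
SAMPLE_BLOB = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint((1 << 1023) | 1)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " user@station"

if __name__ == "__main__":
    # Usage: script.py id_rsa.pub id_rsa2.pub (no arguments: run on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LINE
    blob, bits = openssh_line_to_blob(text)
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as out:
            out.write(blob)
    print(f"ssh-rsa blob: {len(blob)} bytes, {bits}-bit modulus")
```

A file that fails this check (for example the unconverted id_rsa.pub text, or a key of another type) is caught on the workstation before the import is attempted.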
07-17-2014 08:18 AM
Hello akiritch,
When I tried step 3 (import key to the device), I had the following output after executing the command:
"Cannot execute the command : Operation not permitted"
What could be the cause? And how could I solve it?
Regards,
07-17-2014 08:53 AM
Forget it, I got the output because I was trying the ftp with the username and password in the link (ftp://username:password@xxxr/ak/id_rsa2.pub).
Thank you very much. It works following your steps.
Regards
01-20-2017 01:41 PM
Michael, Alexei,
One followup question:
How does the XR know where the FTP server is? You have not provided the FTP server IP in Step 3.
In my test, I configured ssh server on the XR and am trying to ssh from a Linux box connected to the Gig interface. The keys generated in Step 1 and Step 2 are on the Linux box.
How does XR know the id_rsa2.pub is on the Linux machine (which is the ssh client in this case)?
-Anil.
01-23-2017 05:01 AM
In Alexei's example xxxr was the FTP server (i.e. xxxr.cisco.com)