07-16-2014 11:13 AM
Hello,
I have been reading Cisco docs about how to configure RSA Based User Authentication on an ASR9K.
http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/security/configuration/guide/b_syssec_cg42asr9k/b_syssec_cg42asr9k_chapter_0110.pdf
I have problems importing the public key to the router. No matter how I try, I always get this output:
RP/0/RSP1/CPU0:XXX#crypto key import authentication rsa tftp://10.232.201.180/id_rsa.pub
Wed Jul 16 14:00:15.558
Cannot execute the command : Invalid argument
I have tried copying the file to Disk0: and using this path but get the same error.
Could anyone help me by explaining step by step how to configure RSA Based User Authentication?
Thanks
07-17-2014 12:42 AM
Hi
1. Generate a key on your station
ssh-keygen -t rsa -b 1024
2. Remove the key type and host, leaving only the key, and decrypt it using base64:
cut -d' ' -f2 id_rsa.pub | base64 -d > id_rsa2.pub
3. Import the key to the device
(admin)#crypto key import authentication rsa username USERTEST ftp://xxxr/ak/id_rsa2.pub
4. Create a username on the device matching the imported key
!
username USERTEST
group root-system
!
Regards,
/A
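Added example (not part of the original post and not Cisco code): step 2 above done in Python, with a check that the result is the decoded binary ssh-rsa blob rather than the text id_rsa.pub line. The function names and the sample key are constructed for illustration; the blob layout assumed is the RFC 4253 ssh-rsa public key format (string "ssh-rsa", mpint e, mpint n).

```python
import base64
import struct

def openssh_pub_to_blob(pub_line: str) -> bytes:
    """Step 2: keep only field 2 of the id_rsa.pub line and base64-decode it."""
    fields = pub_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    return base64.b64decode(fields[1], validate=True)

def _read_field(blob: bytes, off: int):
    """Read one length-prefixed field: uint32 big-endian length, then the bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", blob, off)
    end = off + 4 + n
    if end > len(blob):
        raise ValueError("truncated field (is this still the text file?)")
    return blob[off + 4:end], end

def inspect_rsa_blob(blob: bytes) -> dict:
    """Parse a decoded blob and report the public exponent and modulus size."""
    key_type, off = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    e, off = _read_field(blob, off)
    n, off = _read_field(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return {"exponent": int.from_bytes(e, "big"),
            "modulus_bits": int.from_bytes(n, "big").bit_length()}

def _field(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

# Constructed sample: a made-up 1024-bit number stands in for the modulus, so this
# has the structure of an id_rsa.pub line but is not a usable key.
_N = (1 << 1023) | 0x1234567
SAMPLE_BLOB = (_field(b"ssh-rsa") + _field(b"\x01\x00\x01")
               + _field(b"\x00" + _N.to_bytes(128, "big")))
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " user@station"

if __name__ == "__main__":
    blob = openssh_pub_to_blob(SAMPLE_PUB)       # what id_rsa2.pub should contain
    print(inspect_rsa_blob(blob))
    try:
        inspect_rsa_blob(SAMPLE_PUB.encode())    # the undecoded text line
    except ValueError as err:
        print("rejected:", err)
```

Running inspect_rsa_blob over the bytes of id_rsa2.pub before the transfer shows whether the file is the decoded blob and what modulus size it carries.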
07-17-2014 08:18 AM
Hello akiritch,
When I tried step 3 (import key to the device), I had the following output after executing the command:
"Cannot execute the command : Operation not permitted"
What could be the cause, and how could I solve it?
Regards,
07-17-2014 08:53 AM
Forget it, I got the output because I was trying the ftp with the username and password in the link (ftp://username:password@xxxr/ak/id_rsa2.pub).
Thank you very much. It works following your steps.
Regards
01-20-2017 01:41 PM
Michael, Alexei,
One followup question:
How does the XR know where the FTP server is? You have not provided the FTP server IP in Step 3.
In my test, I configured the ssh server on the XR and am trying to ssh from a Linux box connected to the Gig interface. The keys generated in Step 1 and Step 2 are on the Linux box.
How does XR know the id_rsa2.pub is on the Linux machine (which is the ssh client in this case)?
-Anil.
01-23-2017 05:01 AM
In Alexei's example xxxr was the FTP server (i.e. xxxr.cisco.com)