cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
81569
Views
29
Helpful
9
Comments
Marcin Latosiewicz
Cisco Employee
Cisco Employee

 

 

About this document

 

This document is intended to show how one can get big outputs for IOS CLI using SSH public key authentication.

It might be useful when you have scripts executed automatically to obtain information for monitoring purposes.

 

Initial configration

In this example I'm using an ASR running 15.2.2S software, however since it's control-plane feaute, SSH will work similar way on other platforms.

Client side

 

I'm assuming client is a flavor of unix, just because it's the more common way. This method however works on Windows using Putty and other terminal emulators.

 

Let's verify that we have a public key already:

 

cd

cat .ssh/id_rsa.pub

 

If it's not there you can generate it by using interactive command:

ssh-keygen 

 

 

Server side

Create a user:

username test priv 15 secret supers3cr3tn0bdyw1llgue55

 

You need to make sure this public key is trusted by our router.

ip ssh pubkey-chain
     username test
          key-string
               copy the entire public key as appears in the cat id_rsa.pub including the ssh-rsa and username@hostname.
               please note that some IOS versions will accept maximum 254 characters.
               you can paste multiple lines.     
          exit
     exit

Please also make sure that you generate RSA keys on Server larger than 768 bits.

You can also set SSHv2 on server side (although strictly speaking it's not required if you're using SSH 1.99)

ip ssh version 2

 

 

Verification

Typically most devices prefer following order of authentication mechanism:

1) Public key

2) Keyboard interactive

3) Password

This allows us to try use pubic key auth without any additional changes.

For example I could use this:

Linux# ssh -2 -v test@bsns-asr1006-2.cisco.com

 

Big output handling

 

One that is done we can discuss handling of big outputs.

 

There are two way of doing it.

 

One command at a time

 

SSH allows you to specify as a parameter the command to be executed.

For example.

ssh test@bsns-asr1002-1.cisco.com 'show clock'

This command will log into IOS device, execute "show clock" command and disconnect immedietly.

 

The downside is quite obvious, you would need to start multiple session to exacute several commands (unlike most UNIX flavors)

 

Pipelining

A need may arrise to execute several commands in one big batch.

 

You should start by understanding which commands you would need to put in that batch.

 

For example my batch:

Linux# cat commands

show clock

term len 0

term exec pro ti

show ip nat trans

show ip nat trans total

show platf hard qfp act fea ipsec data drop

show platf hard qfp act stati drop

show tech

 

I can pipe those commands into my SSH sessions and get desired outputs. Right?

Yes and no :-)

 

If you perform just:

cat commands | ssh -T test@bsns-asr1002-1.cisco.com 

You will notice  that not all outputs complete - depending on timing.

 

What's the problem?

The actual issue is related to handling of end of file (EOF), which is signalising to SSH to close the connection down.

 

The solution is to delay that EOF until output finishes.

 

A very simple way to accomplish this in bash is:

( cat commands ; sleep 100 ) | ssh -T test@bsns-asr1002-1.cisco.com

What this will do is allow 100 seconds to finish execution of that batch of commands - even on asr 1000 with medium sized config and ultization it should be enough to extract everything.

 

Hope that helps!

 

Feedback?Comments? Flames?

Leave a comment.

Comments
dbrown
Community Member

I know this is an old article... and I found it very helpful in adding my SSH key. However, there's a major security issue with it. Users visiting this page (from Google, for instance, who may or may not be Cisco or SSH security experts) may not realize that these instructions will create a virtually unsecured user account!! -- The command to create a user given off-handedly above means that anyone who uses telnet (if it hasn't been disabled) or forces their SSH connection to request the use of keyboard-interactive authentication, will be able to get in WITHOUT A PASSWORD!! Please update these instructions to note this is a sample and that a "secret" (preferably) or "password" keyword should ALWAYS be appended to that particular command.

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Good catch. Updated. 

n.oneill
Level 1
Level 1

Very important comment.  Just tested this and would have missed it otherwise!

 

Thanks

pat98eraser
Level 1
Level 1

In stead of the full key, you could only put key-hash like bellow:

ip ssh pubkey-chain

 username admin

 key-hash ssh-rsa 539197BB0F11CE77A123334A97859E30 admin@server

neaga
Cisco Employee
Cisco Employee

Actually the better solution would be to not use that command at all.   There is no reason to create a local user on the IOS device at all. Don't include 

username test priv 15 secret supers3cr3tn0bdyw1llgue55

All you need is 

ip ssh pubkey-chain
     username test
          key-string <insert public key data here>
That is enough to authenticate.  Then use aaa to prodvide TACACS authroziation through ISE. The user should to be created/accessible there (in ISE, say from AD).  Then the authentication will happen with the rsa public/private key and the authorization will happen with ISE  (If you want to be less secure you can just say aaa authorization exec default if-authenticated)
Voila! SSHed into your Cisco stuff with no password. Very important as we move to more programmatic interfaces in a DevOps world on our stuff. 

asverma2
Cisco Employee
Cisco Employee

What should we do in reverse case i.e. when we are accessing the linux box from IOS.

Ping is working fine , but when i'm trying to do the ssh to linux box its not happening. 

Phil Leinster
Level 1
Level 1

You can find the SSH key of the IOS device with:

show ssh key

You can then google how you should apply this to whatever device type you are trying to connect to.

PoC
Level 1
Level 1
@dbrown: A lone if-auth isn't sufficient (anymore? 15.4(3)M9): *Apr 9 10:16:43: AAA SRV(00000015): process author req *Apr 9 10:16:43: AAA SRV(00000015): Author method=IF_AUTHEN - FAIL - FAIL *Apr 9 10:16:43: AAA SRV(00000015): Author method=NOT_SET - No methods left to try - FAIL *Apr 9 10:16:43: AAA SRV(00000015): Return Authorization status=FAIL Seems logical to me, since SSH Auth obviously doesn't integrate with AAA. Having a central auth server isn't feasible here, the only solution seems to be a local user with a loong random password. I tested this to actually work.
Edward Clear
Level 1
Level 1

Dusting this thread off again as it's still relevant.  

 

This works in IOS-XE (at least in 16.9 Fuji), too.   And integrates fine with TACACS+/ISE for authorization.  No need for the username statement.

 

Also if you're loading a public key from from a PEM file (e.g. one from puttygen) leave on the "==" at the end of the key.  Remove the header, footer and any comments.

 

Unfortunately the remote authentication integration doesn't work with NX-OS.  There you put in the public key in a username sshkey statement, not with "ip ssh pubkey-chain".  If you try to add a public key for a remote user it errors and complains that the username is a remote user.  We looked at adding the public key at the shell level which works briefly.  Seems the remote user's $HOME/.ssh directory is transient and gets removed after the user session ends.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: