SSH using public/private Keys

Dec 26th, 2008

Hi All,


I have the Cisco switch & Routers configured for SSH and it is working good.


I know how to configure SSH in router using crypto command.


A new requirement has now arisen. My organisation has created a pair of keys, PUBLIC KEY & PRIVATE KEY, common to the company using some mechanism. The idea is that the PUBLIC KEY will be installed in devices like Unix and Linux servers, so only the staff who own the PRIVATE KEY are allowed to access the device. I am trying to add / install / import the PUBLIC KEY into the Switch in a similar fashion, but I am not getting any clue how to go ahead. Please guide me on how to import the PUBLIC KEY into the Switch, so that whoever has the PRIVATE KEY is the only one allowed to log in to the device.


R.B.KUMAR

Giuseppe Larosa Sat, 12/27/2008 - 13:50

Hello R.B Kumar,

the term for what you want to do is PKI = Public Key Infrastructure


this involves the usage of certificates and CAs = Certificate Authorities.


see


http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_pki_feat_rmap_ps6350_TSD_Products_Configuration_Guide_Chapter.html


see the feature


Import of RSA Key Pair and Certificates in PEM Format


http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_deploy_RSA_piki_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1055433


but I don't know if this can be used on all devices otherwise you may need to deploy a CA server.


Hope to help

Giuseppe


hclisschennai Mon, 12/29/2008 - 08:28

Hi giuslar,


Thank you for your response.


But your answer is deviating from the requirement. Let me explain again


I do not have a CA server in place. I have created two keys, PUBLIC KEY and PRIVATE KEY, using a 3rd-party tool.


I will keep the PRIVATE KEY safe with me. I want to install the PUBLIC KEY in the switch/Router.


so only I should be able to access the switch / Router, even if somebody knows the username/password.


Hope now you understand the requirement and can help me better.


R.B.KUMAR

Giuseppe Larosa Mon, 12/29/2008 - 12:20

Hello R.B Kumar,


the second link of my previous post should be the feature that fits your needs.


it provides the option to import an RSA key using


crypto key import rsa key-label pem [usage-keys] {terminal | url url} [exportable] passphrase


see


http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_deploy_RSA_piki_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1055433


the advice is that RSA keys have to be flagged as exportable where they are generated.


And this should allow you to deploy the public key on devices.


Then there is a section about private locked keys


Encrypting and Locking Private Keys on a Router


But this is different from what you want to do because the private key is stored on the device


You would like to use asymmetric encryption


see

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/ps6664/product_data_sheet0900aecd80313df7.pdf


But as you can read again CAs and certificates are involved in this second document.



Hope to help

Giuseppe
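For reference, the behaviour the original question asks for (SSH login allowed only to the holder of the matching private key, independent of the password) is provided on later IOS releases by the SSH RSA-based user authentication feature (`ip ssh pubkey-chain`), which installs an OpenSSH-style public key per username rather than importing a PEM key pair or involving a CA. The configuration below is an added example, not from any post in this thread; the hostname, domain, username `netadmin` and the key body are placeholders, and `ip ssh server authenticate user publickey` is assumed to be available on the target release.

```cisco
! Added example: per-user SSH public-key authentication on IOS.
! Assumes an IOS release that supports "ip ssh pubkey-chain".
! The key body is the base64 text that follows "ssh-rsa" in the
! user's id_rsa.pub; long keys are pasted across several lines.
configure terminal
 hostname SW1
 ! placeholder domain, needed before generating the host key
 ip domain-name example.com
 ! host key pair used by the SSH server itself
 crypto key generate rsa modulus 2048
 ip ssh version 2
 ! local account used for authorization after the key check
 username netadmin privilege 15
 ip ssh pubkey-chain
  username netadmin
   key-string
    AAAAB3NzaC1yc2EAAAADAQAB<placeholder: rest of base64 key body>
   exit
  exit
 exit
 ! reject password logins so only the private-key holder gets in
 ip ssh server authenticate user publickey
 line vty 0 4
  transport input ssh
  login local
 end
! Check: "show running-config | section pubkey-chain" stores the key as
! "key-hash ssh-rsa <md5 hex>"; the hex digits should equal the output
! of "ssh-keygen -E md5 -lf id_rsa.pub" on the workstation.
```

The stored key-hash comparison is the quick way to confirm that the key the switch accepted is the one the organisation actually distributed.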

