SSH using public/private Keys

Unanswered Question
Dec 26th, 2008

Hi All,

I have the Cisco switch & Routers configured for SSH and it is working good.

I know how to configure SSH in router using crypto command.

The new requirement arose now. My organisation has created a pair of keys - PUBLIC KEY & PRIVATE KEY - common to the company, using some mechanism. The idea is that the PUBLIC KEY will be installed in devices like Unix and Linux servers, so only the staff who own the PRIVATE KEY are allowed to access the device. I am trying to add / install / import the PUBLIC KEY into the switch in a similar fashion, but I am not getting a clue how to go ahead. Please guide me how to import the PUBLIC KEY into the switch, so that whoever has the PRIVATE KEY is the only one allowed to log in to the device.

R.B.KUMAR
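What the question describes is OpenSSH public-key authentication: the server (or network device) stores only the public half of the key pair, and a client is admitted only if it can prove possession of the matching private key. The one check a practitioner wants before trusting the copy installed on a device is that its fingerprint matches the key on the workstation. The script below is an added example, not code from the original post or from Cisco; it parses an authorized_keys-style `ssh-rsa` line, rejects malformed or mismatched lines, and computes the MD5 and SHA256 fingerprints that `ssh-keygen -l` prints. The colon-free MD5 hex is the form used by platforms that store a key by hash rather than by full key string (Cisco IOS's later `ip ssh pubkey-chain` with `key-hash ssh-rsa` is one such platform; that command is the editor's note, not part of this thread). The sample key is constructed from a 64-bit modulus so the script runs offline; it is not a real key.

```python
"""Parse an OpenSSH 'ssh-rsa' public-key line and compute its fingerprints.

Added example for this thread (not from the original post or from Cisco's
documentation). The sample key below is CONSTRUCTED from a tiny modulus so the
script runs offline; it is not a real key and must never be installed anywhere.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:  # a set high bit would read as negative; pad it
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_ssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Build the 'ssh-rsa <base64 blob> <comment>' line an authorized_keys file holds."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read_string(blob: bytes, offset: int) -> tuple:
    """Read one length-prefixed field; raises if the length runs past the blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("field length exceeds blob size")
    return blob[start:end], end


def parse_ssh_rsa_line(line: str) -> dict:
    """Decode an authorized_keys-style line and return its parameters and fingerprints.

    The key type inside the base64 blob must match the type prefix on the line;
    a mismatch means the line was mangled or tampered with, so it is rejected.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public-key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError(f"blob type {key_type!r} does not match line prefix")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    n = int.from_bytes(n_bytes, "big")
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "comment": parts[2] if len(parts) == 3 else "",
        "exponent": int.from_bytes(e_bytes, "big"),
        "modulus": n,
        "bits": n.bit_length(),
        # Same values `ssh-keygen -l -E md5` and `-E sha256` print for this key.
        "md5_fingerprint": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "md5_hex": md5,  # colon-free form, for platforms that store keys by hash
        "sha256_fingerprint": "SHA256:" + sha256,
    }


def is_valid_ssh_rsa_line(line: str) -> bool:
    """True if the line parses cleanly; binascii.Error is a ValueError subclass."""
    try:
        parse_ssh_rsa_line(line)
        return True
    except ValueError:
        return False


# Constructed sample: a 64-bit modulus, far too small for real use.
SAMPLE_E = 65537
SAMPLE_N = 0xC0FFEE0123456789
SAMPLE_LINE = build_ssh_rsa_line(SAMPLE_E, SAMPLE_N, "rbkumar@example-workstation")

if __name__ == "__main__":
    print(SAMPLE_LINE)
    for key, value in parse_ssh_rsa_line(SAMPLE_LINE).items():
        print(f"{key:>20}: {value}")
```

Run it against a real `id_rsa.pub` instead of `SAMPLE_LINE` and compare the printed fingerprint with what the device reports for the installed key; a mismatch means the wrong key, or a corrupted copy, was loaded.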

Giuseppe Larosa Sat, 12/27/2008 - 13:50

Hello R.B Kumar,

The term for what you want to do is PKI = Public Key Infrastructure.

This involves the usage of certificates, CA = Certificate Authorities.

see

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_pki_feat_rmap_ps6350_TSD_Products_Configuration_Guide_Chapter.html

see the feature

Import of RSA Key Pair and Certificates in PEM Format

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_deploy_RSA_piki_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1055433

But I don't know if this can be used on all devices; otherwise you may need to deploy a CA server.

Hope to help

Giuseppe

hclisschennai Mon, 12/29/2008 - 08:28

Hi giuslar,

Thank you for your response.

But your answer is deviating from the requirement. Let me explain again.

I do not have a CA server in place. I have created two keys, PUBLIC KEY and PRIVATE KEY, using a 3rd-party tool.

I will keep the PRIVATE KEY safe with me. I want to install the PUBLIC KEY in the switch/router.

So only I should be able to access the switch/router, even if somebody knows the username/password.

Hope now you understand the requirement and can help me better.

R.B.KUMAR

Giuseppe Larosa Mon, 12/29/2008 - 12:20

Hello R.B Kumar,

The second link of my previous post should be the feature that fits your needs.

It provides the option to import an RSA key using

crypto key import rsa key-label pem [usage-keys] {terminal | url url} [exportable] passphrase

see

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_deploy_RSA_piki_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1055433

The advice is that RSA keys have to be flagged as exportable where they are generated.

And this should allow you to deploy the public key on devices.

Then there is a section about locked private keys:

Encrypting and Locking Private Keys on a Router

But this is different from what you want to do, because the private key is stored on the device.

You would like to use asymmetric encryption.

see

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/ps6664/product_data_sheet0900aecd80313df7.pdf

But as you can read again CAs and certificates are involved in this second document.

Hope to help

Giuseppe
