Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

ASA 8.4(4) public key authentication

I notice 8.4(4) now has public key authentication (just like IOS - yay!) and found a couple of issues:

  1. The CLI config guide (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_aaa.html#wp1122833) states incorrect syntax for adding the public key to the ASA
  2. There is an undocumented ASA limit on the public key size supported

Taking each of these in turn:

(1) The manual states:

Example:

hostname(config)# username anyuser ssh authentication  publickey key [hashed]

The correct syntax is:

username <user> [nopassword] [privilege <priv-lvl>]

username <user> attributes

ssh authentication publickey <key> [hashed]

(2) The ASA supports a maximum command line length of 512 characters.  If the public key is longer than 2048 bits, it is impossible to enter the public key because it is too long.  IOS got around this by using multi-line input for the key; it seems the ASA does not support this.

In addition, the manual does not give any useful information on how to use keys generated under different systems (PuTTY, openSSH, ssh-keygen etc).

Here are the steps I took to generate the required keys and configure the ASA.  The client system is Ubuntu.  Note the key message near the bottom "SSH2 0: key lookup succeeded"; if the pub key configured for the user does match the data presented by the client, the message "SSH2 0: key lookup failed" is displayed in the debug.

! create test keypair

! NB max keysize is 2048 bits as ASA CLI will not allow more than 512 chars input on a single line

ssh-keygen -t rsa -b 2048 -f /home/grim/.ssh/id_rsa2 -N ''

Generating public/private rsa key pair.

Your identification has been saved in /home/grim/.ssh/id_rsa2.

Your public key has been saved in /home/grim/.ssh/id_rsa2.pub.

The key fingerprint is:

61:f6:4f:64:24:bf:ae:64:df:80:aa:91:8e:fd:bb:94 grim@s1

The key's randomart image is:

+--[ RSA 2048]----+

|          . .    |

|           +     |

|        +   +    |

|       o o o .   |

|        S . o    |

|       . . =     |

|      o E + +    |

|     + o + o o   |

|    . +o=o. . .  |

+-----------------+

! my pub key

grim@s1:~$ ssh-keygen -y -f /home/grim/.ssh/id_rsa2

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2PPocGcHnSbC1tWRrG4fIrHt8vGJZ/dmaqgkiW5hkrcITj7frAUSdL8a8l6QxqxDSOmF7fLYRHxaGFPAdzI+3C+czzS+DxhTYjanz5TAveYrC9kLVK+QXl8U0m4M9ZoE4GkRVwjRjWDGQsjdnETUoG3aRgpPT1gYzP6BN+Rv9cQ8JUGVVt79PqXWgE4t/p7NeEHgWVEf+Yyfuo2PV5e9/ajwOIOCxFmjqmHk5DzFV6Oe4H7EXGCA/o7L3hD7Rn12G4U2dpLWTiZaXdcldmrsuv5ip/Az+bnslUMNLrLfMNw7hXEgjYfGVZPXhMEp+hQ5e4zxdh3yVFHVooQStJaHv

! create the user and add the pub key

username grim nopassword privilege 15

username grim attributes

ssh authentication publickey AAAAB3NzaC1yc2EAAAADAQABAAABAQC2PPocGcHnSbC1tWRrG4fIrHt8vGJZ/dmaqgkiW5hkrcITj7frAUSdL8a8l6QxqxDSOmF7fLYRHxaGFPAdzI+3C+czzS+DxhTYjanz5TAveYrC9kLVK+QXl8U0m4M9ZoE4GkRVwjRjWDGQsjdnETUoG3aRgpPT1gYzP6BN+Rv9cQ8JUGVVt79PqXWgE4t/p7NeEHgWVEf+Yyfuo2PV5e9/ajwOIOCxFmjqmHk5DzFV6Oe4H7EXGCA/o7L3hD7Rn12G4U2dpLWTiZaXdcldmrsuv5ip/Az+bnslUMNLrLfMNw7hXEgjYfGVZPXhMEp+hQ5e4zxdh3yVFHVooQStJaHv

! ASA parsed config (note the ASA re-hahses the key) and appends the [hashed] tag

5540-1# sh run username grim

username grim nopassword privilege 15

username grim attributes

service-type admin

ssh authentication publickey ca:b1:21:65:2e:b6:18:91:74:fa:38:a1:d0:72:b0:d1:78:b9:e3:40:b0:20:1f:1d:ab:8f:e1:8a:72:cb:e1:17 hashed

! try to connect

grim@s1:~$ ssh -i .ssh/id_rsa2 grim@5540-1

Type help or '?' for a list of available commands.

5540-1>

! debug from ASA showing incoming SSH connection from client

5540-1# debug ssh 19

debug ssh  enabled at level 19

5540-1# Device ssh opened successfully.

SSH1: SSH client: IP = '192.168.0.3'  interface # = 7

SSH: host key initialised

SSH1: starting SSH control process

SSH1: Exchanging versions - SSH-2.0-Cisco-1.25

SSH1: send SSH message: outdata is NULL

server version string:SSH-2.0-Cisco-1.25SSH1: receive SSH message: 83 (83)

SSH1: client version is - SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1

client version string:SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1SSH1: begin server key generation

SSH1: complete server key generation, elapsed time = 400 ms

SSH2 1: SSH2_MSG_KEXINIT sent

SSH2 1: SSH2_MSG_KEXINIT received

SSH2 0:

kex_parse_kexinit: diffie-hellman-group1-sha1

SSH2 0:

kex_parse_kexinit: ssh-rsa

SSH2 0:

kex_parse_kexinit: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

SSH2 0:

kex_parse_kexinit: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

SSH2 0:

kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96

SSH2 0:

kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96

SSH2 0:

kex_parse_kexinit: none

SSH2 0:

kex_parse_kexinit: none

SSH2 0:

kex_parse_kexinit:

SSH2 0:

kex_parse_kexinit:

SSH2 0:

kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie

SSH2 0:

kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@opens

SSH2 0:

kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,

SSH2 0:

kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,

SSH2 0:

kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-m

SSH2 0:

kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-m

SSH2 0:

kex_parse_kexinit: none,zlib@openssh.com,zlib

SSH2 0:

kex_parse_kexinit: none,zlib@openssh.com,zlib

SSH2 0:

kex_parse_kexinit:

SSH2 0:

kex_parse_kexinit:

SSH2: kex: client->server aes128-cbc hmac-md5 none

SSH2: kex: server->client aes128-cbc hmac-md5 none

SSH2 1: expecting SSH2_MSG_KEXDH_INIT

SSH2 1: SSH2_MSG_KEXDH_INIT received

dh_client_pub=

3c50d86d4b12ab9a 07800b9c5568c990 018bb7b68164b9db 43cc665b7c7ed992

a5f9c4a9c20e4e58 9e75f2cd172bd26e e247ba070be8938c 8aae091a40ef89ba

ce891c7540f7c435 9d19d666f7c9228a a07b498f9b449d38 b3d3dd41282be9eb

a2e5292452978a7e 7114a50693e959cc 356d16106e3b9f18 59907bfae720a96a

my_dh_pub=

588d56d998f4ed76 4199521e57a8b442 ffaebc422ee57265 63519610bea5eddf

e369b6f95bc8cd26 b542b701e0cd02e7 08dd2c3bde19d78c 528448f1a229487b

a356efaeb8739273 2de18334d084b9e2 0db3cb40f8ae9c91 5835dc4ad7018e2e

db2b35f5083e837e 37aac4c5916a2c93 16d94fbcd610f1a6 acfc91088ca8f1fa

shared secret

66bd9cd7b8689c83 43a75e24f5253e04 8461f9280302ba73 8d5e82ba0d308cd5

5f7d3f63287cd2bb 6fac0ad109bea5fd 26133a67b048225f 0de565362cd60ffa

265176e1b0b6b575 53ba09c5234ffb51 0b468ec2d6b4e684 30bae094279a6ee2

177b20ad6aaa327d 0bcce3bd5e6bc7e6 69b31d1e32dad65a 47a6d3257c19a2ea

hash

67e521389910aec1 b1bd74a134e35b0e 53a41469

SSH2 1: signature length 271

signature

000000077373682d 727361000001000f c04e5f46a08532d3 f7ba6672d5d95e55

b763bdb2abef5187 a1b70cfd661ded71 9d1eec29f2ba3fa8 c479bcadedcefc82

451dcc77f27ccfa9 e8fa573818420baa 76a412d225358d79 1cc599f207d8606e

57ce2a357e7a8f4c cf2bdfe542a9ed12 30a89bea4668259f f58b87ab500fa4fa

d25dd039a085e812 9475a4c4aa56b296 89ea8a75603659be db3f3a50e9046b23

e505a3e2c285bb73 a06a8163216cb086 2de0417ef856dc15 31c9812997d1c72b

f0728e07d6b033d0 7be3141730507b74 d1a19535fa13b0be e661ff563657eba9

97d2636039e43d52 22add4b91b69c61d de70e96d290e841b 3d281be854a8aa31

c807c29eb0bd755e 451ccef6322cb7

key

7e0e96df24456a95 05c7ae58be28c185

key = A

7e0e96df24456a95 05c7ae58be28c185

key

796ec25ccec293b9 34e2a6f4fd580aff

key = B

796ec25ccec293b9 34e2a6f4fd580aff

key

a444e46d89589741 0c7900eb3dfa02e5

key = C

a444e46d89589741 0c7900eb3dfa02e5

key

a760060754e15f07 85a2eb074da7c988

key = D

a760060754e15f07 85a2eb074da7c988

key

dba6d652148f36f7 8808113a8e4433e3

key = E

dba6d652148f36f7 8808113a8e4433e3

key

f55b8bf3aefac524 403e7f89fba47c36

key = F

f55b8bf3aefac524 403e7f89fba47c36

SSH2: kex_derive_keys complete

SSH2 1: newkeys: mode 1

SSH2 1: SSH2_MSG_NEWKEYS sent

SSH2 1: waiting for SSH2_MSG_NEWKEYS

SSH2 1: newkeys: mode 0

SSH2 1: SSH2_MSG_NEWKEYS receivedSSH(grim): user authen method is 'use AAA', aaa server group ID = 1

SSH(grim): user authen method is 'use AAA', aaa server group ID = 1

SSH2 0: key lookup succeeded

SSH2 1: Sent SSH2_MSG_USERAUTH_PK_OK to clientSSH(grim): user authen method is 'use AAA', aaa server group ID = 1

public key pkt

0000001467e52138 9910aec1b1bd74a1 34e35b0e53a41469 3200000007646861

797730310000000e 7373682d636f6e6e 656374696f6e0000 00097075626c6963

6b65790100000007 7373682d72736100 0001170000000773 73682d7273610000

0003010001000001 0100b63cfa1c19c1 e749b0b5b5646b1b 87c8ac7b7cbc6259

fdd99aaa09225b98 64adc2138fb7eb01 449d2fc6bc97a431 ab10d23a617b7cb6

111f168614f01dcc 8fb70be733cd2f83 c614d88da9f3e530 2f798ac2f642d52b

e41797c5349b833d 6681381a4455c234 63583190b2376711 35281b76918293d3

d606333fa04df91b fd710f09506555b7 bf4fa975a0138b7f a7b35e1078165447

fe6327eea363d5e5 ef7f6a3c0e20e0b1 1668ea9879390f31 55e8e7b81fb11718

203fa3b2f7843ed1 9f5d86e14d9da4b5 9389969775c95d9a bb2ebf98a9fc0cfe

6e7b2550c34bacb7 cc370ee15c482361 f19564f5e1304a7e 850e5ee33c5d877c

95147568a104ad25 a1ef

SSH2 0: key lookup succeeded

SSH2 0: Signature verification succeeded

SSH2 1: Public key authentication succeeded for user (grim)

SSH2 1: authentication successful for grim

SSH2 1: channel open request

SSH2 1: pty-req request

SSH2 1: requested tty: vt220, height 40, width 122

SSH2 1: env request

SSH2 1: shell request

5540-1# sh ssh sessions

SID Client IP       Version Mode Encryption Hmac     State            Username

0   192.168.0.3     2.0     IN   aes128-cbc md5      SessionStarted   grim

                            OUT  aes128-cbc md5      SessionStarted   grim

Everyone's tags (6)
5 REPLIES
Community Member

Re: ASA 8.4(4) public key authentication

Grim - thanks for the heads-up.  I missed this detail in the release notes. 

Using Puttygen I generated a 2048 bit SSH-2 RSA (default) key pair and added the public key portion to my ASA using using the command as prescribed.

     # username {name} attributes

     (config-username)# ssh authentication publickey {key from puttygen "for pasting" box}

Then I added the private key (without a password) to my Putty session under Connection --> SSH --> Auth under Authentication Parameters (click browse and add .ppk).  Then under Connection --> Data --> Login Details I entered my username.  Finally save the session.

Now putty connects with no username or passphrase.  Note, if you password protect your private key then you will be prompted to enter it.

I solely did this for internal connections from my trusted PC. 

Love it.

Community Member

Re: ASA 8.4(4) public key authentication

Thanks Andy.

You probably already know this already but with PuTTY you can run "pageant" which prompts for your private key pass phrase and then allows you to connect (via a notification bar icon - right-click) to multiple devices without needing to re-enter the phrase every time.

Add a shortcut to your startup group:

"C:\Program Files\PuTTY\pageant.exe"

ie:

"C:\Program Files\PuTTY\pageant.exe" z:\GPG\putty-priv.ppk

Community Member

Re: ASA 8.4(4) public key authentication

Grim - I learn something new every day.  I have not used Pageant before, it looks quite handy.  Thanks for the heads-up.

Community Member

ASA 8.4(4) public key authentication

Most peple will already have command "aaa authentication ssh console LOCAL". This combined with the command "username grim nopassword privilege 15" means that if you don't present the SSH private key then you will be logged in without any passwords. The key "nopassword" does not mean only ssh keys but literally means a blank password.

To effectively do a ssh public key only authentication you need:

!turn of ssh password authentication

no aaa authentication ssh console LOCAL

!enable ssh public key authentication

username nopassword [privilege ]

username attributes

ssh authentication publickey [hashed]

Community Member

I found that if you happen to

I found that if you happen to have set

aaa authentication enable console LOCAL

 you would actually be permitted to go to enable without a password if you also have the above

username nopassword [privilege ]

9814
Views
0
Helpful
5
Replies
CreatePlease to create content