SSH using public key authentication to IOS and big outputs.

 

 

About this document

 

This document shows how to retrieve large outputs from the IOS CLI over SSH using public key authentication.

This is useful when scripts run automatically to collect information for monitoring purposes.

 

Initial configuration

In this example I'm using an ASR running 15.2.2S software; since SSH is a control-plane feature, it works the same way on other platforms.

Client side

 

I'm assuming the client is a flavor of Unix, simply because that is the more common case. The method also works on Windows with PuTTY and other terminal emulators.

 

Let's verify that we have a public key already:

 

cd

cat .ssh/id_rsa.pub

 

If it's not there, you can generate one with the interactive command:

ssh-keygen 

 

 

Server side

Create a user:

username test priv 15 secret supers3cr3tn0bdyw1llgue55

 

You need to make sure the router trusts this public key.

ip ssh pubkey-chain
     username test
          key-string
               <paste the entire public key exactly as printed by cat .ssh/id_rsa.pub, including the leading ssh-rsa and the trailing username@hostname comment;
                some IOS versions accept at most 254 characters per line, so you can paste it as multiple lines>
          exit
     exit

Also make sure the RSA keys generated on the server (router) side are larger than 768 bits.

You can also enforce SSHv2 on the server side (strictly speaking this is not required if the device already advertises SSH 1.99):

ip ssh version 2
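As an added example (my own helper, not part of the original article), the following POSIX shell function turns an OpenSSH .pub file into the pubkey-chain stanza shown above. It folds the key so that no pasted line exceeds the 254-character limit mentioned above (the device joins the key-string lines back together), and it refuses input that is not an ssh-rsa public key, in particular a private key file passed by mistake. The function name, the username argument and the indentation are my choices, not Cisco's.

```shell
#!/bin/sh
# Added example, not part of the original article: turn an OpenSSH public key
# file into the 'ip ssh pubkey-chain' stanza to paste on the router. Lines are
# folded so that, indentation included, none is longer than 254 characters
# (the per-line limit the article mentions for some IOS versions). Anything
# that is not an ssh-rsa public key is rejected, so a private key can never
# end up in a router configuration by accident.

# ios_pubkey_chain USERNAME KEYFILE
# Prints the configuration stanza on stdout; returns 1 with a reason on stderr
# when KEYFILE is not usable.
ios_pubkey_chain() {
    user=$1
    keyfile=$2
    key=$(head -n 1 "$keyfile")            # OpenSSH .pub files are one line
    case $key in
        ssh-rsa\ *)
            ;;                              # the key type this article covers
        -----BEGIN*)
            echo "refusing to paste a private key ($keyfile)" >&2
            return 1
            ;;
        *)
            echo "unsupported key type: ${key%% *}" >&2
            return 1
            ;;
    esac
    indent='   '
    echo "ip ssh pubkey-chain"
    echo " username $user"
    echo "  key-string"
    # fold(1) cuts at 254 minus the indent; the device concatenates the lines
    printf '%s\n' "$key" | fold -w $((254 - ${#indent})) | sed "s/^/$indent/"
    echo "  exit"
    echo " exit"
}

# Usage (constructed example path): ios_pubkey_chain test ~/.ssh/id_rsa.pub
```

Run it as ios_pubkey_chain test ~/.ssh/id_rsa.pub and paste the output in configuration mode; the non-zero exit status and the stderr message make it safe to call from a provisioning script.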

 

 

Verification

Typically most devices prefer the following order of authentication mechanisms:

1) Public key
2) Keyboard interactive
3) Password

This lets us try public key authentication without any additional client changes.

For example I could use this:

Linux# ssh -2 -v test@bsns-asr1006-2.cisco.com

 

Big output handling

 

Once that is done we can discuss the handling of big outputs.

There are two ways of doing it.

 

One command at a time

 

SSH allows you to pass the command to be executed as a parameter.

For example:

ssh test@bsns-asr1002-1.cisco.com 'show clock'

This command logs into the IOS device, executes "show clock" and disconnects immediately.

 

The downside is obvious: you would need to start a new session for each of several commands you want to execute (unlike on most UNIX flavors).

 

Pipelining

A need may arise to execute several commands in one big batch.

 

Start by deciding which commands you need to put in that batch.

 

For example, my batch:

Linux# cat commands
show clock
term len 0
term exec pro ti
show ip nat trans
show ip nat trans total
show platf hard qfp act fea ipsec data drop
show platf hard qfp act stati drop
show tech

 

I can pipe those commands into my SSH sessions and get desired outputs. Right?

Yes and no :-)

 

If you perform just:

cat commands | ssh -T test@bsns-asr1002-1.cisco.com 

You will notice that, depending on timing, not all outputs are complete.

 

What's the problem?

The actual issue is the handling of end of file (EOF): once ssh reaches EOF on its standard input it signals the remote side to close the connection, regardless of whether the device has finished sending output.

 

The solution is to delay that EOF until the output finishes.

 

A very simple way to accomplish this in bash is:

( cat commands ; sleep 100 ) | ssh -T test@bsns-asr1002-1.cisco.com

This keeps the session open for 100 seconds so that the batch of commands can finish; even on an ASR 1000 with a medium-sized configuration and utilization that should be enough to extract everything.
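The same idea as a reusable wrapper, added here as an example of my own (not code from the article): it sends the batch through one key-authenticated ssh session, keeps stdin open for a bounded delay, and appends a marker command so that a delay that was too short is detected instead of silently yielding a truncated capture. It also contains a constructed stand-in for the router (fake_ios) that reproduces the EOF tear-down, so the effect can be observed without a device. Two assumptions are mine, not the article's: the device echoes each command line it reads and reads the next one only after the previous one has returned its prompt (which is what lets the marker's echo prove completion), and the "| include" output filter is accepted on show clock so the marker itself prints nothing.

```shell
#!/bin/sh
# Added example, not part of the original article: a wrapper around the
# "( cat commands ; sleep N ) | ssh -T host" idea that (1) permits key
# authentication only, so a monitoring script can never fall back to a
# password or hang on an interactive prompt, (2) keeps ssh's stdin open for a
# bounded DELAY so the device is not torn down while still printing, and
# (3) appends a marker command and verifies its echo, so a DELAY that was too
# short is reported instead of silently producing a truncated capture.
# Assumptions not taken from the article: the device echoes each command line
# it reads (and reads the next one only after the previous one returned), and
# SSH_CMD may be pointed at a local stand-in for testing.

SSH_CMD=${SSH_CMD:-"ssh -T -o BatchMode=yes -o PreferredAuthentications=publickey -o ConnectTimeout=10"}

# Cheap command that prints nothing (the filter matches no line); its echo can
# only appear after every command before it has completed.
MARKER='show clock | include BATCH-COMPLETE'

# collect_ios_outputs HOST CMDFILE DELAY OUTFILE
# Runs the batch in one session, writes everything to OUTFILE and returns 1
# when the marker never came back, i.e. the capture is truncated.
collect_ios_outputs() {
    host=$1; cmdfile=$2; delay=$3; outfile=$4
    # 'terminal length 0' first so nothing stops at --More--; the trailing
    # sleep delays the EOF on ssh's stdin, which is what closes the session.
    {
        printf 'terminal length 0\n'
        cat "$cmdfile"
        printf '%s\n' "$MARKER"
        sleep "$delay"
    } | $SSH_CMD "$host" > "$outfile" 2>&1
    grep -qF -- "#$MARKER" "$outfile"
}

# fake_ios HOST: constructed stand-in for a router behind 'ssh -T', used to
# show the EOF effect offline. It models only two things: 'show tech' takes a
# while, and the session is torn down (pending output lost) the moment the
# client sends EOF, which is exactly what 'cat commands | ssh -T host' does.
fake_ios() {
    fifo=$(mktemp -u)
    mkfifo "$fifo"
    (
        while IFS= read -r cmd; do
            printf 'Router#%s\n' "$cmd"              # prompt and command echo
            case $cmd in
                "show tech")   sleep 1; printf '... long show tech output ...\n' ;;
                *"| include "*) ;;                   # filtered: nothing matched
                *)             printf 'output of: %s\n' "$cmd" ;;
            esac
        done
    ) < "$fifo" &
    worker=$!
    cat > "$fifo"                          # forward client input until EOF
    kill "$worker" 2>/dev/null || true     # EOF: vty closed, output still pending is lost
    wait "$worker" 2>/dev/null || true
    rm -f "$fifo"
}

# demo: the article's batch twice against the stand-in, without and with the
# delay. Returns 0 when the first run is truncated and the second complete.
demo() {
    cmds=$(mktemp); out=$(mktemp)
    printf 'show clock\nshow ip nat trans total\nshow tech\n' > "$cmds"
    SSH_CMD=fake_ios
    if collect_ios_outputs router.example.invalid "$cmds" 0 "$out"; then return 1; fi
    echo "no delay:  truncated, $(wc -l < "$out") lines captured"
    collect_ios_outputs router.example.invalid "$cmds" 3 "$out" || return 1
    echo "3 s delay: complete, $(wc -l < "$out") lines captured"
    rm -f "$cmds" "$out"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see both runs against the stand-in; for a real device leave SSH_CMD unset and call collect_ios_outputs router commands 100 output.txt. Pick the delay generously: the cost of a long one is idle time, the cost of a short one is a capture you cannot trust.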

 

Hope that helps!

 

Feedback? Comments? Flames?

Leave a comment.

Comments
Community Member

I know this is an old article... and I found it very helpful in adding my SSH key. However, there's a major security issue with it. Users visiting this page (from Google, for instance, who may or may not be Cisco or SSH security experts) may not realize that these instructions will create a virtually unsecured user account!! -- The command to create a user given off-handedly above means that anyone who uses telnet (if it hasn't been disabled) or forces their SSH connection to request the use of keyboard-interactive authentication, will be able to get in WITHOUT A PASSWORD!! Please update these instructions to note this is a sample and that a "secret" (preferably) or "password" keyword should ALWAYS be appended to that particular command.

Cisco Employee

Good catch. Updated. 

Community Member

Very important comment.  Just tested this and would have missed it otherwise!

 

Thanks

Community Member

Instead of the full key, you could put only the key-hash like below:

ip ssh pubkey-chain
 username admin
 key-hash ssh-rsa 539197BB0F11CE77A123334A97859E30 admin@server

Cisco Employee

Actually the better solution would be to not use that command at all. There is no reason to create a local user on the IOS device at all. Don't include

username test priv 15 secret supers3cr3tn0bdyw1llgue55

All you need is 

ip ssh pubkey-chain
     username test
          key-string <insert public key data here>
That is enough to authenticate. Then use aaa to provide TACACS authorization through ISE. The user should be created/accessible there (in ISE, say from AD). Then the authentication will happen with the rsa public/private key and the authorization will happen with ISE (if you want to be less secure you can just say aaa authorization exec default if-authenticated).
Voila! SSHed into your Cisco stuff with no password. Very important as we move to more programmatic interfaces in a DevOps world on our stuff. 

Cisco Employee

What should we do in the reverse case, i.e. when we are accessing the Linux box from IOS?

Ping is working fine, but when I'm trying to SSH to the Linux box it's not happening.

Community Member

You can find the SSH key of the IOS device with:

show ssh key

You can then google how you should apply this to whatever device type you are trying to connect to.
