This document is intended to show how one can get big outputs for IOS CLI using SSH public key authentication.
It might be useful when you have scripts executed automatically to obtain information for monitoring purposes.
In this example I'm using an ASR running 15.2.2S software, however since it's control-plane feaute, SSH will work similar way on other platforms.
I'm assuming client is a flavor of unix, just because it's the more common way. This method however works on Windows using Putty and other terminal emulators.
Let's verify that we have a public key already:
If it's not there you can generate it by using interactive command:
Create a user:
username test priv 15 secret supers3cr3tn0bdyw1llgue55
You need to make sure this public key is trusted by our router.
Please also make sure that you generate RSA keys on Server larger than 768 bits.
You can also set SSHv2 on server side (although strictly speaking it's not required if you're using SSH 1.99)
ip ssh version 2
Typically most devices prefer following order of authentication mechanism:
1) Public key
2) Keyboard interactive
This allows us to try use pubic key auth without any additional changes.
For example I could use this:
Linux# ssh -2 -v email@example.com
One that is done we can discuss handling of big outputs.
There are two way of doing it.
SSH allows you to specify as a parameter the command to be executed.
ssh firstname.lastname@example.org 'show clock'
This command will log into IOS device, execute "show clock" command and disconnect immedietly.
The downside is quite obvious, you would need to start multiple session to exacute several commands (unlike most UNIX flavors)
A need may arrise to execute several commands in one big batch.
You should start by understanding which commands you would need to put in that batch.
For example my batch:
Linux# cat commands
term len 0
term exec pro ti
show ip nat trans
show ip nat trans total
show platf hard qfp act fea ipsec data drop
show platf hard qfp act stati drop
I can pipe those commands into my SSH sessions and get desired outputs. Right?
Yes and no :-)
If you perform just:
cat commands | ssh -T email@example.com
You will notice that not all outputs complete - depending on timing.
The actual issue is related to handling of end of file (EOF), which is signalising to SSH to close the connection down.
The solution is to delay that EOF until output finishes.
A very simple way to accomplish this in bash is:
( cat commands ; sleep 100 ) | ssh -T firstname.lastname@example.org
What this will do is allow 100 seconds to finish execution of that batch of commands - even on asr 1000 with medium sized config and ultization it should be enough to extract everything.
Hope that helps!
Leave a comment.
I know this is an old article... and I found it very helpful in adding my SSH key. However, there's a major security issue with it. Users visiting this page (from Google, for instance, who may or may not be Cisco or SSH security experts) may not realize that these instructions will create a virtually unsecured user account!! -- The command to create a user given off-handedly above means that anyone who uses telnet (if it hasn't been disabled) or forces their SSH connection to request the use of keyboard-interactive authentication, will be able to get in WITHOUT A PASSWORD!! Please update these instructions to note this is a sample and that a "secret" (preferably) or "password" keyword should ALWAYS be appended to that particular command.
Good catch. Updated.
Very important comment. Just tested this and would have missed it otherwise!
In stead of the full key, you could only put key-hash like bellow:
ip ssh pubkey-chain
key-hash ssh-rsa 539197BB0F11CE77A123334A97859E30 admin@server
Actually the better solution would be to not use that command at all. There is no reason to create a local user on the IOS device at all. Don't include
All you need is
What should we do in reverse case i.e. when we are accessing the linux box from IOS.
Ping is working fine , but when i'm trying to do the ssh to linux box its not happening.
You can find the SSH key of the IOS device with:
show ssh key
You can then google how you should apply this to whatever device type you are trying to connect to.