a long, long time ago I wrote a post about how to authenticate with keys via SSH to devices running IOS XE and ASA/FTD.

since the big boys usually work with IOS XR, below is a quick guide on how to import keys into this system in versions 7.0+.

OpenSSH and PEM format

the first step is to convert the key from the format normally used by OpenSSH to PEM. this can be done with ssh-keygen:

.ssh % ssh-keygen -f id_rsa.pub -m pem -e > id_rsa.pub.pem
.ssh % more id_rsa.pub.pem
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAwoiwWqKVMLBW/WCTYRqlWKgWo5ax8JveTdRcnOCr6uHu9tE5hYQu
[...]
Vy83y6dMzKGdC/gTT0tI+FwUtDd7fFZfKFYsaiHhtv7KTsKQHyp4cdkCAwEAAQ==
-----END RSA PUBLIC KEY-----

importing key to IOS XR device

the second step is to paste the text from the PEM file into the IOS XR console, although you can also copy the PEM file to the device's disk and point the import command at it. for user test1, the console import process looks like this:

RP/0/RP0/CPU0:IOS_XR_DEVICE#crypto key import authentication rsa username test1
Enter the public key
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAwoiwWqKVMLBW/WCTYRqlWKgWo5ax8JveTdRcnOCr6uHu9tE5hYQu
[...]
Vy83y6dMzKGdC/gTT0tI+FwUtDd7fFZfKFYsaiHhtv7KTsKQHyp4cdkCAwEAAQ==
-----END RSA PUBLIC KEY-----
        

yup, it's not a formatting error: the import ends when you enter a blank line by pressing Enter. afterwards you can check that the key has been imported correctly:

RP/0/RP0/CPU0:IOS_XR_DEVICE#sh crypto key authentication rsa all
Key label: test1
Type     : RSA public key authentication
Size     : 4096
Imported : 10:57:24 UTC Sun Jul 21 2023
Data     : 
 30820222 300D0609 2A864886 F70D0101 01050003 82020F00 3082020A 02820201 
[...]
 D9020301 0001
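as an added example that is not part of the original post, here is the same conversion done in pure Python: it parses the OpenSSH public key line, writes the PKCS#1 PEM that `ssh-keygen -m pem -e` produces, and also builds the SubjectPublicKeyInfo DER that `show crypto key authentication rsa all` prints under Data, grouped the way the router shows it, so you can compare the router's output with the key you actually hold. the sample key at the bottom is constructed (a 4096-bit modulus with the right shape, not a real key) and the `test1@laptop` comment is made up; all function names are mine.

```python
import base64
import struct

def parse_openssh_rsa(line: str):
    """Return (e, n) from an 'ssh-rsa AAAA... comment' line (RFC 4253 wire format)."""
    blob, fields, off = base64.b64decode(line.split()[1]), [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def _mpint(v: int) -> bytes:  # big-endian magnitude, zero-padded so the top bit is not a sign bit
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return b"\x00" + b if b[0] & 0x80 else b

def encode_openssh_rsa(e: int, n: int) -> str:  # inverse of parse_openssh_rsa, used for the sample
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-rsa", _mpint(e), _mpint(n)))
    return "ssh-rsa " + base64.b64encode(blob).decode()

def _der_len(n: int) -> bytes:  # DER length: short form below 0x80, else 0x8N + N length bytes
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b if n < 0x80 else bytes([0x80 | len(b)]) + b

def _der_int(v: int) -> bytes:  # DER INTEGER uses the same positive-padding rule as mpint
    return b"\x02" + _der_len(len(_mpint(v))) + _mpint(v)

def _der_seq(*items: bytes) -> bytes:
    return b"\x30" + _der_len(sum(map(len, items))) + b"".join(items)

def pkcs1_pem(e: int, n: int) -> str:
    """PKCS#1 RSAPublicKey PEM, i.e. what `ssh-keygen -m pem -e` writes."""
    b64 = base64.b64encode(_der_seq(_der_int(n), _der_int(e))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PUBLIC KEY-----\n{body}\n-----END RSA PUBLIC KEY-----\n"

def spki_der(e: int, n: int) -> bytes:
    """SubjectPublicKeyInfo DER: the encoding IOS XR prints under 'Data :'."""
    alg = _der_seq(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", b"\x05\x00")  # rsaEncryption, NULL
    pk = _der_seq(_der_int(n), _der_int(e))
    return _der_seq(alg, b"\x03" + _der_len(len(pk) + 1) + b"\x00" + pk)  # BIT STRING, 0 unused bits

def router_style_hex(der: bytes) -> str:  # 8-hex-digit words, like the router's Data: field
    h = der.hex().upper()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))

# Constructed sample: e=65537 and a 4096-bit n with only the *shape* of a modulus (not a real key).
SAMPLE_LINE = encode_openssh_rsa(65537, (1 << 4095) | 1) + " test1@laptop"
```

running `router_style_hex(spki_der(*parse_openssh_rsa(SAMPLE_LINE)))` on a real 4096-bit key gives output whose first words match the Data field above, which is exactly the comparison worth doing before you trust the imported key.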

test

now the easiest way to verify that the configuration works is to try logging in with the key from the machine that holds it to the IOS XR device:

.ssh % ssh test1@IP_ADDRESS_OF_IOS_XR_DEVICE
Host key fingerprint is SHA256:tM4LXt[...]

RP/0/RP0/CPU0:IOS_XR_DEVICE#

further hardening

since we can now log in to the device using keys, why leave the door open to Bad People mass-scanning hosts for SSH and trying different combinations of logins and passwords? especially if your router has to expose its SSH port to the world? nothing easier (just make sure the key login above really works before you commit this, or you will lock yourself out):

RP/0/RP0/CPU0:IOS_XR_DEVICE#conf t
RP/0/RP0/CPU0:IOS_XR_DEVICE(config)#ssh server v2
RP/0/RP0/CPU0:IOS_XR_DEVICE(config)#ssh server disable auth-methods password
RP/0/RP0/CPU0:IOS_XR_DEVICE(config)#ssh server disable auth-methods keyboard-interactive
RP/0/RP0/CPU0:IOS_XR_DEVICE(config)#commit

happy logging in with ssh keys ;)