a long, long time ago I wrote a post about how to authenticate with keys via SSH to devices running IOS XE and ASA/FTD.
since the big boys usually work with IOS XR, below is a quick guide on how to import keys into this system in versions 7.0+.
OpenSSH and PEM format
the first step is to convert the public key from the format OpenSSH normally uses to PEM (ssh-keygen exports it as a PKCS#1 "RSA PUBLIC KEY" block, which is what IOS XR expects). this can be done with:

```
.ssh % ssh-keygen -f id_rsa.pub -m pem -e > id_rsa.pub.pem
.ssh % more id_rsa.pub.pem
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAwoiwWqKVMLBW/WCTYRqlWKgWo5ax8JveTdRcnOCr6uHu9tE5hYQu
[...]
Vy83y6dMzKGdC/gTT0tI+FwUtDd7fFZfKFYsaiHhtv7KTsKQHyp4cdkCAwEAAQ==
-----END RSA PUBLIC KEY-----
```
importing key to IOS XR device
the second step is to paste the text from the PEM file into the IOS XR console, although you can also copy the PEM file to the device's disk and point the import command at it. for user test1, the console import looks like this:

```
RP/0/RP0/CPU0:IOS_XR_DEVICE#crypto key import authentication rsa username test1
Enter the public key
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAwoiwWqKVMLBW/WCTYRqlWKgWo5ax8JveTdRcnOCr6uHu9tE5hYQu
[...]
Vy83y6dMzKGdC/gTT0tI+FwUtDd7fFZfKFYsaiHhtv7KTsKQHyp4cdkCAwEAAQ==
-----END RSA PUBLIC KEY-----

```
yup, it's not a formatting error - at the end you need to enter a blank line by pressing Enter. after this procedure, you can additionally check whether the key has been imported correctly:

```
RP/0/RP0/CPU0:IOS_XR_DEVICE#sh crypto key authentication rsa all
Key label: test1
Type     : RSA public key authentication
Size     : 4096
Imported : 10:57:24 UTC Sun Jul 21 2023
Data     :
 30820222 300D0609 2A864886 F70D0101 01050003 82020F00 3082020A 02820201
 [...]
 D9020301 0001
```
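the Data field above is the DER encoding of the key (SubjectPublicKeyInfo wrapped around the PKCS#1 block you pasted), so it can be checked byte for byte instead of eyeballed. as an added example (not part of the original post, and not Cisco's or OpenSSH's code), a small Python script that reads the PEM file, rebuilds the Data output the router prints and the fingerprint `ssh-keygen -lf id_rsa.pub` reports, so both can be compared against the device. the 4096-bit modulus in it is constructed for the demo and is not a real key.

```python
import base64, hashlib, re

def der_len(n):  # DER length octets: short form below 128, long form otherwise
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content
def big_endian(x):  # unsigned big-endian bytes, 0x00 prepended when the top bit is set
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + b if b[0] & 0x80 else b
def read_tlv(buf, pos):  # -> (tag, content, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def pkcs1_der(n, e):  # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    return der_tlv(0x30, der_tlv(0x02, big_endian(n)) + der_tlv(0x02, big_endian(e)))

def pkcs1_pem(n, e):  # the same text 'ssh-keygen -e -m pem' writes
    b64 = base64.b64encode(pkcs1_der(n, e)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN RSA PUBLIC KEY-----\n" + body + "\n-----END RSA PUBLIC KEY-----\n"

def parse_pkcs1_pem(pem):  # -> (n, e) from an 'RSA PUBLIC KEY' PEM block
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    _, seq, _ = read_tlv(der, 0)
    _, n, nxt = read_tlv(seq, 0)
    _, e, _ = read_tlv(seq, nxt)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

RSA_ENCRYPTION_OID = bytes.fromhex("06092A864886F70D010101")  # 1.2.840.113549.1.1.1

def xr_key_data(n, e):
    # SubjectPublicKeyInfo DER, in the 8-hex-digit groups 'sh crypto key authentication rsa all' prints
    alg = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + pkcs1_der(n, e)))
    h = spki.hex().upper()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))

def ssh_fingerprint(n, e):
    # SHA256 fingerprint of the ssh-rsa wire blob, as 'ssh-keygen -lf id_rsa.pub' reports it
    ssh_str = lambda b: len(b).to_bytes(4, "big") + b
    blob = ssh_str(b"ssh-rsa") + ssh_str(big_endian(e)) + ssh_str(big_endian(n))
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

# constructed 4096-bit modulus (not a real key); the low byte is chosen so the tail matches the post
TEST_N, TEST_E = (1 << 4095) | 0xD9, 65537
```

run `xr_key_data(*parse_pkcs1_pem(open("id_rsa.pub.pem").read()))` against your own file and diff the result with the router's Data field; for a 4096-bit key the first eight groups are always the ones shown above, so only the tail actually identifies your key.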
now the easiest way to verify that the configuration works is to try logging in with the key from your workstation to the IOS XR device:

```
.ssh % ssh test1@IP_ADDRESS_OF_IOS_XR_DEVICE
Host key fingerprint is SHA256:tM4LXt[...]
RP/0/RP0/CPU0:IOS_XR_DEVICE#
```
since we are able to log in to the device using keys, why leave the door open to Bad People scanning hosts en masse over SSH and trying different combinations of logins and passwords, in particular if your router needs to have an SSH port open to the world? nothing easier (do it from a session you already opened with the key, or from the console, so a mistake in the commit cannot lock you out):

```
RP/0/RP0/CPU0:IOS_XR_DEVICE#conf t
RP/0/RP0/CPU0:IOS_XR_DEVICE(config)#ssh server v2
RP/0/RP0/CPU0:IOS_XR_DEVICE(config)#ssh server disable auth-methods password
RP/0/RP0/CPU0:IOS_XR_DEVICE(config)#ssh server disable auth-methods keyboard-interactive
RP/0/RP0/CPU0:IOS_XR_DEVICE(config)#commit
```
happy logging with ssh keys ;)