Using Rsa Keys Generated From 4500 Switch

06.04.2020
6 Comments

The algorithm is selected using the -t option and key size using the -b option. The following commands illustrate: ssh-keygen -t rsa -b 4096 ssh-keygen -t dsa ssh-keygen -t ecdsa -b 521 ssh-keygen -t ed25519 Specifying the File Name. Normally, the tool prompts for the file in which to store the key.

  1. How To Configure SSH Keys Authentication With PuTTY And Linux Server In 5 Quick Steps. This tutorial explains how you can replace password-based SSH authentication with key-based authentication which is more secure because only the people that own the key can log in.
  2. Feb 16, 2008  If I want to connet to a Switch over https. The switch automaticlly generates an RSA 768 bit key - even if I generated a 1024 key before! What do I have to do so that the Switch uses the 1024bit-Key insteat of generating his own 768 bit key?? Thanks for helping. Cheers, Dominik. Followed procedre from CCO: CCO-Article.

Using an RSA Public/Private key pair instead of a password to authenticate an SSH session is popular on Linux/Unix boxes. Digital Ocean, a Virtual Private Server (VPS) provider, has this advice on how you should log into their Droplets: “you should use public key authentication instead of passwords, if at all possible. This is because SSH keys provide a more secure way of logging in compared to using a password alone. While a password can eventually be cracked with a brute-force attack, SSH keys are nearly impossible to decipher by brute force alone.” Plus, it means you never have to type C!$c0 again!

Cisco IOS now has support for using SSH with RSA keys. There are many resources showing how to configure SSH with RSA keys on the Internet and I have included several in the references section to give you more information. In this blog I am going to show how to configure a switch and create the public/private key pair using Puttygen for Windows.

OpenSSH ships with most *nix OS’s like Mac OSX and Ubuntu so you don’t need a separate program to generate the key pair. There are resources in the reference section on how to create the keys using OpenSSH. As a side note, Microsoft announced that it is going to build OpenSSH support into Powershell so you may be able to log into the next release of Windows server using SSH.

Download Puttygen

Recently there was some malware floating around using the name putty.exe. Make sure that you download putty and puttygen from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

The MD5 check sums are at this link – checksums. On Windows you can use the official MS tool FCIV to check the MD5 sums. If you prefer a GUI Hashtab is a nice tool that integrates into the right click menu. It’s free but does require registration and an email address.

Once you have Puttygen double click to start it up. Enter a description for your key and a passphrase. I recommend storing your passphrase in a password manager so that you don’t for get it. Select SSH-2 RSA and enter 2048 for bits. Enter a comment for your key pair and click Generate. You will be asked to move the mouse around to generate some entropy.

Once the key is done you can select it and paste it into the switch. You should also save the public and private keys to a file.

Open Putty and create a session. Click on Auth under the SSH menu. Under Authentication parameters click Browse and select your private key. Click on Session and save your session.

You can also click on Data under Connection and set up an Auto-login username:

Computer

Don’t forget to save your session. If you always log in using the same settings you can set all of them and then save the session as the default session.

Setup the Cisco Device

I’m using a 3750X-48P-L running IOS Version 15.2(3)E1 for this example.

Configure a time server

Using Rsa Keys Generated From 4500 Switch To Computer

While this isn’t absolutely necessary it’s the first thing I do on any production device.
3750x(config)#ntp server 129.6.15.29 prefer
3750x(config)#clock timezone PST -8 0
3750x(config)#clock summer-time PDT recurring

Configure an IP domain name, create the RSA private key and enable SSH

3750x(config)ip domain-name pu.pri
3750x(config)crypto key generate rsa modulus 2048 exportable
3750x(config)ip ssh version 2

Note the “exportable” parameter. This isn’t required but I wanted to point that out that you can make the keys exportable. It’s not so important in this case but if you have setup GetVPN on a router you absolutely want to export the keys used for the tunnels. If you don’t and the router fails you will have to touch EVERY tunnel once you replace the hardware. If you have exported the keys you just reload them on the new hardware and call it a day.

I have a link to a Cisco TAC podcast on GetVPN and DMVPN in the references that does a great job of explaining how to use RSA key pairs and why you MUST export them. If you don’t want to listen to the entire podcast jump to minute 40 or so and listen from there. I highly recommend listening to all the TAC Security podcasts.

View the key

3750x#sh crypto key mypubkey rsa
% Key pair was generated at: 22:53:25 PDT Jul 16 2015
Key name: 3750x.pu.pri
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is exportable. Redundancy enabled.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00ABDBCC B2C31B8F 264A92D0 8C56D9F2 B5B2E8E3 354BDA0E A3C6F287 5D5A66D4
5BDF9E25 A866E5CA 3B6641CB 375410E9 4F142169 8334C1DC 88F8BC34 80129A62
F59E0B90 B329A728 93F96C32 EE2AF78A DFF692A0 1649D911 F8DA728B 108B2790
4954B60D 62999C52 2F832900 61A654A3 938EF6FB EB85F88F 2A3740D6 BE57B4C8
C55EE8A0 4F6A23AB 416CB6F3 9F211B2E 2640ED4E 7AB03B6F 4B982F91 4965B834
DB00254F F00E5D4D D3C102AA 75A78903 862D22AF 290D85B2 09D1D8A6 4A5D66C4
4B7A2E0F 437A4566 864130ED 82411160 4198AFC1 AC0C8946 2FE181A5 6AFBD4AF
20E8D5A5 83BA182F A5FA8352 48E55CF5 1A5C2F38 B61A57A1 DC7229F8 994C87B2
C5020301 0001

Export the key

3750x(config)#crypto key export rsa 3750x.pu.pri pem terminal 3des SecurePassPhrase
% Key name: 3750x.pu.pri
Usage: General Purpose Key
Key data:
—–BEGIN PUBLIC KEY—–
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq9vMssMbjyZKktCMVtny
tbLo4zVL2g6jxvKHXVpm1FvfniWoZuXKO2ZByzdUEOlPFCFpgzTB3Ij4vDSAEppi
9Z4LkLMppyiT+Wwy7ir3it/2kqAWSdkR+NpyixCLJ5BJVLYNYpmcUi+DKQBhplSj
k472++uF+I8qN0DWvle0yMVe6KBPaiOrQWy2858hGy4mQO1OerA7b0uYL5FJZbg0
2wAlT/AOXU3TwQKqdaeJA4YtIq8pDYWyCdHYpkpdZsRLei4PQ3pFZoZBMO2CQRFg
QZivwawMiUYv4YGlavvUryDo1aWDuhgvpfqDUkjlXPUaXC84thpXodxyKfiZTIey
xQIDAQAB
—–END PUBLIC KEY—–
—–BEGIN RSA PRIVATE KEY—–
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,3E0EAC17DCDE45B0

Hq3gxGpuI8eE1WvPPr3Xw8bcrzV+cCHvGLu6D3atp5O89sQIQUMxI/udppUMWnbI
7iIpuFIJfTM9WfkNBvBBDVR4jjZfm8sHVqNll2flwqhwnPITaRBgJreaUaHL4xlU
xmPEkApfu7odjZS6sn93tZ1W1+Smn5XzAoBhKNi2N0oDjR0ruubUsPBEWcBFuzJQ
k5SKVsYl++DcA7WgFlL14/B6GgQTEoVJ6R9N14cOCJVORIhCYSxZlds4rNMeuX/9
RffhZriB+0OWJvEnxmgoKpshOX7hQVYpbHyPuJ2sDMwxwqv27uQPVp96kUhm33US
lA/7EEHzWnbvJI4TRCWFSLbaUAiPqA9NMalD6lGqpADqtaoPFPCq4pfQdMc1Lfm8
x0C8Yk+YhQDs/NNyem0xj1swKcxnbcisKzqvFdKNy4Oo60sZZD0dzBlQpxNGbQbo
GxqUPkf2nJ9/1cLnrYQ2gE5f3EN9vfBJbNWx4I5D4uNFaM/an2JxCatOwM7qglhh
C2kPofynBgxfedxSRwButo0VFt4wNs7Ijk2o/IlfZDpaxZoisQwz21z3gnKSTuVQ
gwBcfwXLLyP7e4xTmHcHQfpzu2XQjJmHTqYBU2c/fsBXYYmbwfKgp2UeeVgCVfWP
7Cd53PtRc6kycodB6phcHRdnBd2TDame6IP7dHKASbcuHXFmBRAPRG2wpt90BzFC
WRaRAkSvf8b2GAKjoHJF8Pw/eQBgc9JPXY5UkGapRT+fkw1fS99GUXPiI5EYMmws
BYOOMBgY7h+FCHCuuQ/FpZEyRYHBMYbUSZ0Vt4ikQh4L6kdOz5fC04IUXwtDnOh0
Lv9Un8YRS9tL4JzXjTauByhNxj+JEQnUCBXjTEbdJGZ1k8LGygfD8ixwK8StQ3pe
nwCrJwBPP5oORJmZssdTubyldZTy/abgnZMoJ9RgBI2muxL+3EtzvLnrUvaD4SkK
X8InDcEk8WlmI5joMe+wxrgKehWuRddD0iB+CfpE9N90fRGEvS/awHx2RVdh9VFo
b85l5ebRC8FsIckQPp8qc71vcrJ4P2D88FT5VshD4aUhZYWdLDRPLzbMrFOprjqu
sSU/cxL7V6w3954PzlAV0yVyiQ9TnPCSdPPBVLV8oJzXo/6LWWND72Xi9ORbCTIP
GcoSURd8oQwzmEbwuxeAv2JmZyiJCTZWOvDOc0mZCr7NgkbkZPH+wi8aJzsv9gDU
ISLBu4c+MQ5At4wad6fXLHeAOpKTNJ7nlfHgcgCichQv/tC+yZgvMiV3d6aumXri
dZLBThpuXOWNxkYO3tpZfNv1sRCfwTrn7sr/zW8mDvGMSNlwqOLwDGnH2G5HbQFm
G/w70NxwY5jQniOA/FurorBtm1P68uji7i1yHM6jctfElJXKcBWNyKHsLEc8Uk1A
2CdVPt9fXoUAqjcyV8rqyzn91P6E04ilqUp129oABcVAh7A3lr4u76Nt5Na5qDuo
zzP/2yZAi6dKQJOxpyMjQo4zkKPVPDjkJOwJtfIqGsC5glpYbMXGmUPhsYapAyK6
maXbb2L9aVDnZxl8bt0vHSBDpGVBThXX/iQgZaV0eGzSEhgwZF2wOuLTIMTnJX3C
—–END RSA PRIVATE KEY—–

Configure AAA authentication

The aaa new-model command causes the local username and password on the router to be used in the absence of other AAA statements. Once you enter “aaa new-model” you will not be able to enter “login local” on vty line configuration. If you had login local configured it will be removed.

When you create the username be sure to include a secret. I you don’t anyone will be able to login with just the username. As always, create a strong secret and use a password manager to store it.

3750x(config)#username cisco privilege 15 secret ^8(nn-!#who
3750x(config)#aaa new-model
3750x(config)#aaa authentication login default local
3750x(config)#aaa authorization exec default local

(Authentication through the line password is not possible with SSH)

Configure the line

3750x(config)#line vty 0 4
3750x(config-line)#transport input ssh
3750x(config-line)#logging sync (prevents console messages from interfering with your inputs)

Add your PUBLIC key to the device.

Open the public key file you created in puttygen. Copy the text between the comments. If you generated a 2048 bit key you will need to paste it into notepad and break it into smaller pieces or you may see “%SSH: Failed to decode the Key Value” when you exit:
3750x(config)#ip ssh pubkey-chain
3750x(conf-ssh-pubkey)#username hubbard
3750x(conf-ssh-pubkey-user)#key-string
3750x(conf-ssh-pubkey-data)#$QAAAQEAkp2EDdpi86+h2aygSIYLt6DvoeFVKYJ1S/Zr
3750x(conf-ssh-pubkey-data)#$ylIDAzWA+G9TolxvWTLzTcUR/+Ykk74mqQbuGTxpteP
3750x(conf-ssh-pubkey-data)#$IStVVjycGYHRSJv9H2C8OQYMcHCR7yM/36TTFRIjLfV
3750x(conf-ssh-pubkey-data)#$PaWM45mr8DI2/sJkwESLWWGJKYiaSxEG6h+gLA5DePj
3750x(conf-ssh-pubkey-data)#$SP4zpktK7KD51NQDy8vx3jVVhkkANGbFfz/uWk2Uhno
3750x(conf-ssh-pubkey-data)#$DQeBxtZbxEGU4tXDZmRbPGVmk8DtFh9LVRCxUTQ
3750x(conf-ssh-pubkey-data)#exit

3750x#sh run sec ssh
ip ssh version 2
ip ssh pubkey-chain
username hubbard
key-hash ssh-rsa 0C029272CF23E61C4315A0D59E565B76
transport input telnet ssh
3750x#
3750x#sh run b 0 4
line vty 0 4
transport input ssh
line vty 5 15

Using Rsa Keys Generated From 4500 Switch Free

Note – You can use the HASH instead of the key for the next devices you setup. Instead of using “Key-string” in the ip ssh pubkey-chain statement use “key-hash ssh-rsa 0C029272CF23E61C4315A0D59E565B76”.

Login using your SSH Keys!

References

SSH RSA authentication works in IOS release 15.0M
Secure Shell Version 2 Support in IOS 15
TAC Security Podcast Episode #25 – GETVPN and DMVPN
SSH/OpenSSH/Keys – A good Ubuntu article on OpenSSH
How to create ssh keys with putty to connect to a virtual private server (VPS) – The Digital Ocean Tutorial. They have a lot of good tutorials.
Using SSH/SCP on Mac OS X in the Terminal app
Kali Linux remote SSH – How to configure openSSH server – A great tutorial.
SSH using public key authentication to IOS and big outputs – A Cisco Support Forum article. It includes a Bash script for remotely executing commands.

Camtasia studio 8 free serial key generator. Using this application, you might run without problems amazing video displays through PowerPoint, applications program samples, TechSmith Camtasia 2019.0.8 License Key The interface of TechSmith Camtasia Studio Free Download looks overwhelming because it can offer a lot of tools for the users. Camtasia Studio is an application that records desktop images, webcam video, and audio. Camtasia Studio 8 Crack is a trusted screenshot and audio-video editing tool which helps clients in directing their thought effectively and efficiently from any device. Camtasia Studio gives you the tools to record.Aug 16, 2019  Camtasia Studio 8 Crack + Serial Key Free Download 2019.

SSH with key authentication on Cisco IOS devices – A good blog for Windows users
How To Protect SSH with fail2ban on Ubuntu 12.04
Synchronise remote SSH authorised_keys

Set up your first SSH keys

Use SSH keys for authentication when you are connecting to your server, or even between your servers. They can greatly simplify and increase the security of your login process. When keys are implemented correctly they provide a secure, fast, and easy way of accessing your cloud server.

Follow our guide and learn how to set up your first SSH keys for authentication using OpenSSH or PuTTYTray.

Preparing your server

To add an SSH key pair, first, create a hidden folder to your user account home directory on your cloud server with the following command.

Then restrict the permissions to that directory to just yourself with the command below.

This creates a secure location for you to save your SSH keys for authentication. However, note that since the keys are stored in your user home directory, every user that wishes to connect using SSH keys for authentication has to repeat these steps on their own profile.

Using OpenSSH to generate a key pair

Now continue on your own computer if you are using Linux or any other OS that has OpenSSH. PuTTY users should skip to the next section.

1. Generate a new key pair in a terminal with the next command

The key generator will ask for location and file name to which the key is saved to. Enter a new name or use the default by pressing enter.

2. (Optional) Create a passphrase for the key when prompted

This is a simple password that will protect your private key should someone be able to get their hands on it. Enter the password you wish or continue without a password. Press enter twice. Note that some automation tools might not be able to unlock passphrase-protected private keys.

3. Copy the public half of the key pair to your cloud server using the following command

Replace the user and server with your username and the server address you wish to use the key authentication on.

This also assumes you saved the key pair using the default file name and location. If not, just replace the key path ~/.ssh/id_rsa.pub above with your own key name.

Enter your user account password for that SSH server when prompted.

You can now authenticate to your server with the key pair, but at the moment you would need to enter the passphrase every time you connect.

Rsa

4. (Optional) Set up SSH Agent to store the keys to avoid having to re-enter passphrase at every login

Enter the following commands to start the agent and add the private SSH key.

Type in your key’s current passphrase when asked. If you saved the private key somewhere other than the default location and name, you’ll have to specify it when adding the key.

Afterwards, you can connect to your cloud server using the keys for authentication, and only having to unlock the key by repeating the last 2 steps once after every computer restart.

Using PuTTYTray to generate a key pair

Generate random string api key. If you are running Windows and PuTTYTray for SSH, you can use the built-in key generator from PuTTY to create a new key pair.

1. Click the Keygen button at the bottom of the PuTTY Configuration window to get started.

Then in the Key Generator window, check that the Type of key to generate at the bottom is set to SSH-2 RSA. The older SSH-1 was the first version on the standard but is now generally considered obsolete. Most modern servers and clients support SSH-2.

2. Click the Generate button to begin.

3. Keep moving your mouse over the blank area in any manner to help generate randomness for a few moments until the progress is complete.

Generate Rsa Key Windows

With the keys finished, PuTTY will show the relative information about the pair along with the public key for easier copying.

4. (Optional) Enter a key passphrase in the 2 empty fields for the added security before continuing. The passphrase will protect your key from unauthorized use should someone be able to copy it. However, some automation tools might not be able to unlock passphrase-protected private keys.

5. Click the Save private key button and store it somewhere safe. Generally anywhere in your user directory is fine as long as your PC is password protected. Before closing the keygen, you may want to copy the public key to your clipboard, but you can always get it later as well.

Now that you have a new key saved on your computer, you’ll need to import it into the PuTTY key agent.

Using Rsa Keys Generated From 4500 Switch Key

6. Click the Agent button to open the key manager in the PuTTY Configuration window.

7. Click Add Key button in the Key List, then browse to the location you saved the private key, select it and click Open.

Enter your key passphrase if asked.

This will import the key to your PuTTY client, but you still need to copy the public key over to your server.

Using Rsa Keys Generated From 4500 Switch Number

8. Open an SSH connection to your cloud server and go to the SSH key directory.

9. Open or create the default file OpenSSH looks for public keys called authorized_keys.

10. Paste the public key into the file by simply right-clicking the SSH client window. Make sure the key goes on a single line for OpenSSH to be able to read it.

When you’ve copied the public key over to the authorized keys list, save the file and exit the editor. You can now test the public key authentication by logging in to your server again. You should not get asked for your password, but instead logged straight in with the key. If it’s not working, check that your private key is unlocked at your SSH Agent and try again.

Turn off password authentication

With SSH key authentication configured and tested, you can disable password authentication for SSH all together to prevent brute-forcing. When logged in to your cloud server.

1. Open the SSH configuration file with the following command.

2. Set the password authentication to no to disable clear text passwords.

3. Check that public key authentication is enabled, just to be safe and not get locked out from your server. If you do find yourself unable to log in with SSH, you can always use the Web terminal at your UpCloud control panel.

Then save and exit the editor.

4. Restart the SSH service to apply the changes by using the command below.

With that done your cloud server is now another step along towards security. Malicious attempts to connect to your server will results in authentication rejection, as plain passwords are not allowed, and brute-forcing an RSA key is practically impossible.

Conclusions

Remember to always keep your private keys safe. You can use the same key from multiple computers if you wish, or generate new ones on each client connecting to your cloud server for added security. Each user should generate their own key pair and passphrase for secure access control. With proper management, even in case one of the private keys gets compromised you won’t have to replace them all.