Configuration on the IOS router:
hostname R1
ip domain-name networkology.net
!
crypto key generate rsa general-keys label SSH-KEYS exportable modulus 1024
crypto key encrypt write rsa name SSH-KEYS passphrase cisco123
!
ip ssh version 2
ip ssh rsa keypair-name SSH-KEYS
ip ssh pubkey-chain
username admin
key-string
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDiAYCMQauVa3SL4x256cWed7PCmSoO4Qq+ONaq
CVlBtVK3deu7G2+JBdY3nn9YagpULOVJQv60irqpeo8UtC3Obwoz8mP4C/Y4AB7IP3AA
X2QqbzboyRGFEvfqvNVT1diDVMrAe1TIXeiiFa/wogsR8oFxu1oR8NUUbPW9HS4BAw==
exit
exit
exit
– The RSA key pair is generated as exportable so it can be exported from the router (crypto key export rsa) and kept in a secure location for reuse, for example when the router is replaced. The second command encrypts the private key on the router under a passphrase; the passphrase shown here (cisco123) is a placeholder for the lab, not one to use in production, and exporting a private key also widens the set of places it can be stolen from. A 1024-bit modulus is below current minimums (NIST has treated 1024-bit RSA as deprecated since 2013); use modulus 2048 or larger on any platform that supports it.
– The key-string entered under username admin is the public half of the key pair generated on the user's PC (next section). The private half stays on the PC and is never entered on the router.
Generating the key pair on a Windows host machine:
Note: I have used SecureCRT to generate the key pair. You can also use puttygen to achieve the same.
1. Quick Connect to the IOS router, select PublicKey as the authentication method and click on Properties…
2. Click on Create Identity File…
3. Select RSA from the drop-down menu.
4. Enter a passphrase to encrypt the private key. This is optional but recommended: without it, anyone who copies the Identity file off the PC can log in to the router as admin. The comment can be left empty or set to anything.
5. Specify the key length (2048 bits or more).
6. Move your cursor in the blank space of the window to generate random input, which is used during key generation.
7. You cannot change the location of the public key, but you can specify where to save the private key. Default locations for the private and public key (Windows XP):
C:\Documents and Settings\Administrator\Application Data\VanDyke\Identity (private key)
C:\Documents and Settings\Administrator\Application Data\VanDyke\Identity.pub (public key)
8. Say ‘No’ when asked to upload the key to the router.
9. Open the public key file Identity.pub in a text editor.
10. The file is not encrypted, only base64-encoded. Select the base64 text only (for a key saved in the SSH2 block format, everything between the ---- BEGIN and ---- END lines except the Comment: header), put ssh-rsa and a space in front of it, and copy the result.
11. Paste it under key-string for the user in the ip ssh pubkey-chain section of the router configuration shown above, one line at a time as in that example. IOS does not keep the pasted text; the running configuration shows the key as an MD5 hash (key-hash ssh-rsa …), which can be compared against the fingerprint of the key on the PC.
12. Click on Connect in the Quick Connect window.
13. You have now authenticated to the IOS router using the RSA key. Save the session so you are not prompted for the authentication settings again.
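The conversion of Identity.pub into the key-string pasted on the router, as an added example script; this is not part of the original post and not SecureCRT or PuTTYgen code. It reads the public key in the SSH2 block format those tools write (or an OpenSSH one-line key), checks that the decoded blob really is an ssh-rsa key, reports the modulus size, emits the key-string lines, and computes the MD5 fingerprint that IOS records as key-hash ssh-rsa in the running configuration, so the paste can be verified afterwards. The sample input reuses the public key from the router configuration above, wrapped in a constructed Comment: header; the 2048-bit minimum and the 68-character line width are the example's own choices, not IOS requirements.

```python
"""Prepare an RSA public key for `ip ssh pubkey-chain` on Cisco IOS.

Added example, not code from the original post or from SecureCRT/PuTTYgen.
Input: the public key file those tools write (RFC 4716 "---- BEGIN SSH2
PUBLIC KEY ----" block) or an OpenSSH one-line "ssh-rsa AAAA..." key.
Output: the key-string lines to paste under `username <name>`, the modulus
size, and the MD5 fingerprint IOS shows as `key-hash ssh-rsa <hex>`.
"""
import base64
import hashlib
import struct

# The public key from the router configuration in the post, split exactly
# as the post pastes it under key-string.
PAGE_KEY_LINES = [
    "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDiAYCMQauVa3SL4x256cWed7PCmSoO4Qq+ONaq",
    "CVlBtVK3deu7G2+JBdY3nn9YagpULOVJQv60irqpeo8UtC3Obwoz8mP4C/Y4AB7IP3AA",
    "X2QqbzboyRGFEvfqvNVT1diDVMrAe1TIXeiiFa/wogsR8oFxu1oR8NUUbPW9HS4BAw==",
]
# Constructed sample: the same key as it would appear in Identity.pub
# (RFC 4716 block). The Comment text is made up for this example.
SAMPLE_RFC4716 = "\n".join(
    ["---- BEGIN SSH2 PUBLIC KEY ----",
     'Comment: "rsa-key admin@pc (constructed comment)"']
    + PAGE_KEY_LINES
    + ["---- END SSH2 PUBLIC KEY ----"]
)


def extract_base64(text: str) -> str:
    """Return the base64 body from an RFC 4716 block, an OpenSSH one-line
    key, or bare base64 that was already split across lines."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty public key")
    if lines[0].startswith("----"):
        body, in_header = [], False
        for line in lines[1:]:
            if line.startswith("----"):
                break
            # Header lines ("Comment: ...") contain ':'; base64 never does.
            # A header ending in '\' continues on the next line.
            if in_header or ":" in line:
                in_header = line.endswith("\\")
                continue
            body.append(line)
        return "".join(body)
    parts = lines[0].split()
    if parts[0] == "ssh-rsa" and len(parts) >= 2:
        return parts[1]
    return "".join(lines)


def parse_ssh_rsa(blob: bytes):
    """Decode the SSH wire format: string 'ssh-rsa', mpint e, mpint n."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    e = int.from_bytes(fields[1], "big")
    n = int.from_bytes(fields[2], "big")
    return e, n


def prepare(public_key_text: str, min_bits: int = 2048, width: int = 68) -> dict:
    """Validate the key and return everything needed for the IOS config.

    min_bits (2048) and width (68, the line length used in the post) are
    this example's choices, not IOS requirements.
    """
    b64 = extract_base64(public_key_text)
    blob = base64.b64decode(b64, validate=True)
    e, n = parse_ssh_rsa(blob)
    return {
        "exponent": e,
        "modulus_bits": n.bit_length(),
        "weak": n.bit_length() < min_bits,
        # IOS records the key as `key-hash ssh-rsa <MD5 of the raw blob>`,
        # the value `ssh-keygen -l -E md5` prints (without the colons).
        "key_hash": hashlib.md5(blob).hexdigest().upper(),
        "key_string": [b64[i:i + width] for i in range(0, len(b64), width)],
    }


def render_pubkey_chain(username: str, public_key_text: str) -> str:
    """Emit the `ip ssh pubkey-chain` block to paste into config mode."""
    info = prepare(public_key_text)
    lines = ["ip ssh pubkey-chain", f"username {username}", "key-string"]
    lines += info["key_string"]
    lines += ["exit", "exit", "exit"]
    return "\n".join(lines)


if __name__ == "__main__":
    info = prepare(SAMPLE_RFC4716)
    warn = " (below 2048 bits, regenerate the key)" if info["weak"] else ""
    print(f"e={info['exponent']} modulus={info['modulus_bits']} bits{warn}")
    print("key-hash ssh-rsa", info["key_hash"])
    print(render_pubkey_chain("admin", SAMPLE_RFC4716))
```

Run it against your own Identity.pub, paste the printed block into config mode, then compare the printed key-hash with the key-hash ssh-rsa line that show running-config displays for the user: a mismatch means characters were lost or altered during the paste, which is the usual reason public-key login fails silently and falls back to the password prompt.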