Public Key authentication on Cisco IOS

I rely on SSH pretty heavily, be it for remotely managing a hanful of Linux systems or connecting to Cisco routers. I do this from my laptop and more recently – my phone. Rather than type passwords all the time (which can be tricky on on-screen keyboards) I decided to setup public key authentication for the Cisco routers I use.

Cisco IOS has supported public key authentication (for RSA keys only) since IOS 15. If you don’t already have a public/private RSA key-pair you can use PuttyGen (free, open-source) to generate them. If you’re a Linux user you can use the “ssh-keygen” command.

To set up RSA public key authentication, enter global configuration mode and issue the “ip ssh pubkey-chain” command. Then specify the username you want to provide a key for:

Router(config)#ip ssh pubkey-chain
Router(conf-ssh-pubkey)#username admin
Router(conf-ssh-pubkey-user)#key-string

Now, paste the data part of your public key (highlighted in red below).

ssh-rsa AAAAB.....aaa== rsa-key-20130820


If you have a key length greater than 1024 bits you’ll need to split up the data into chunks and paste it. Once you’re done just type “exit”. If you review the configuration for your device you’ll notice the full key isn’t stored – just what’s known as the “fingerprint” is stored:

Router#sh run | section ip ssh pubkey-chain
ip ssh pubkey-chain
  username admin
   key-hash ssh-rsa AA00BB11CC22DD33EE44FF55AA66BB77

Dig out your favourite SSH client (Putty, Secure CRT etc) and you’ll be able to SSH in using a public/private key-pair.

Published by

Dave Hope

Dave is a Principal Software Analyst for a UK based retirement developer, in his spare time he enjoys digital photography and rock climbing.

One thought on “Public Key authentication on Cisco IOS”

Leave a Reply

Your email address will not be published. Required fields are marked *