I rely on SSH pretty heavily, be it for remotely managing a hanful of Linux systems or connecting to Cisco routers. I do this from my laptop and more recently – my phone. Rather than type passwords all the time (which can be tricky on on-screen keyboards) I decided to setup public key authentication for the Cisco routers I use.
Cisco IOS has supported public key authentication (for RSA keys only) since IOS 15. If you don’t already have a public/private RSA key-pair you can use PuttyGen (free, open-source) to generate them. If you’re a Linux user you can use the “ssh-keygen” command.
To set up RSA public key authentication, enter global configuration mode and issue the “ip ssh pubkey-chain” command. Then specify the username you want to provide a key for:
Router(config)#ip ssh pubkey-chain Router(conf-ssh-pubkey)#username admin Router(conf-ssh-pubkey-user)#key-string
Now, paste the data part of your public key (highlighted in red below).
ssh-rsa AAAAB.....aaa== rsa-key-20130820
If you have a key length greater than 1024 bits you’ll need to split up the data into chunks and paste it. Once you’re done just type “exit”. If you review the configuration for your device you’ll notice the full key isn’t stored – just what’s known as the “fingerprint” is stored:
Router#sh run | section ip ssh pubkey-chain ip ssh pubkey-chain username admin key-hash ssh-rsa AA00BB11CC22DD33EE44FF55AA66BB77
Dig out your favourite SSH client (Putty, Secure CRT etc) and you’ll be able to SSH in using a public/private key-pair.