Solved

Cisco ip ssh rsa keypair-name command

Posted on 2014-08-22
1,556 Views
Last Modified: 2014-08-28
I am moving from telnet to SSH remote access for all of my Cisco routers and switches. According to Cisco, with the latest IOS, the ip ssh rsa keypair-name command allows the user to specify the rsa key that is used for SSH connection. Previously, SSH was linked to the first RSA keys that were generated; so there is no way to know which key is used for SSH connection. My questions are:
- What is the security implication if I let the SSH connection linked to the default RSA key?
- What is the advantage to link the SSH connection to a known rsa key?

Thanks
Question by:leblanc
7 Comments
 
LVL 65

Expert Comment

by:btan
ID: 40280214
1. Default is SSHv1; 3DES and a 512-bit key length are considered very weak and not recommended. SSHv2 supports AES, a more robust and efficient encryption technology. SSHv2 is also not subject to the same security exploits as SSHv1. Should go for a minimum of 2048 bits, if not 1024 bits minimum (the RSA key pair size must be greater than or equal to 768 bits).

2. If you configure the ip ssh rsa keypair-name command with a key pair name, SSH is enabled if the key pair exists, or SSH will be enabled if the key pair is generated later. If you use this command to enable SSH, you are not forced to configure a hostname and a domain name, which was required in SSH Version 1 of the Cisco software.
It is recommended to go for user authentication besides relying on host authentication, since the latter is likely to use only the default key pair while the former is specific to whoever is attempting SSH.

Overall do also note:
- Storing public keys on a server uses memory; therefore, the number of public keys configurable on an SSH server is restricted to ten users, with a maximum of two public keys per user.
- RSA-based user authentication is supported by the Cisco server, but Cisco clients cannot propose public key as an authentication method. If the Cisco server receives a request from an OpenSSH client for RSA-based authentication, the server accepts the authentication request.
- For server authentication, configure the RSA public key of the server manually and configure the ip ssh stricthostkeycheck command on the Cisco SSH client.

http://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/sec-usr-ssh/sec-usr-ssh-xe-3-13s-asr-920-book/sec-secure-shell-v2.pdf
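As an added example (not part of this thread and not Cisco's own tooling): a small Python audit that reads Cisco IOS running-config text and flags the points raised above, that is, SSHv1 still negotiable because `ip ssh version 2` is absent, no named key pair bound with `ip ssh rsa keypair-name`, telnet still permitted on the vty lines, and an RSA modulus below 2048 bits. The two configs are constructed samples; the hostname, domain name and the key label SSH-KEY are assumptions, and the modulus is passed in separately because the running-config does not record it (it comes from the `crypto key generate rsa ... modulus` command the operator ran, or from `show ip ssh`).

```python
"""Audit Cisco IOS running-config text for the SSH hardening points in the thread."""
import re
from typing import List, Optional

# Constructed sample: a switch left on defaults. Without `ip ssh version 2`,
# an image that supports both versions negotiates either one.
WEAK_CONFIG = """\
hostname sw-access-01
ip domain-name example.internal
!
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: the same switch after hardening. SSH-KEY is an assumed
# label, whatever was given to `crypto key generate rsa label SSH-KEY modulus 2048`.
HARDENED_CONFIG = """\
hostname sw-access-01
ip domain-name example.internal
!
ip ssh version 2
ip ssh rsa keypair-name SSH-KEY
!
line vty 0 4
 transport input ssh
 login local
"""

MIN_MODULUS_BITS = 2048


def vty_transport_inputs(config: str) -> List[str]:
    """Return every `transport input ...` value found inside `line vty` blocks."""
    inputs = []
    in_vty = False
    for line in config.splitlines():
        if line.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and not line.startswith(" "):  # an unindented line ends the block
            in_vty = False
        if in_vty:
            m = re.match(r"\s+transport input (.+)$", line)
            if m:
                inputs.append(m.group(1).strip())
    return inputs


def audit_ssh(config: str, rsa_modulus_bits: Optional[int] = None) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]

    if "ip ssh version 2" not in lines:
        findings.append("SSHv1 still negotiable: add `ip ssh version 2`")

    if not any(ln.startswith("ip ssh rsa keypair-name ") for ln in lines):
        findings.append(
            "SSH bound to the first RSA key generated: add `ip ssh rsa keypair-name <label>`"
        )

    for value in vty_transport_inputs(config):
        if value == "all" or "telnet" in value.split():
            findings.append(f"cleartext management still allowed: `transport input {value}` on vty")
            break

    if rsa_modulus_bits is not None and rsa_modulus_bits < MIN_MODULUS_BITS:
        findings.append(f"RSA modulus of {rsa_modulus_bits} bits is below {MIN_MODULUS_BITS}")

    return findings


if __name__ == "__main__":
    for name, cfg, bits in (("weak", WEAK_CONFIG, 512), ("hardened", HARDENED_CONFIG, 2048)):
        print(f"{name}: {audit_ssh(cfg, bits) or ['OK']}")
```

Run it over the output of `show running-config` captured from each switch; on the 30 switches whose IOS lacks the keypair-name command, the second finding is the one that cannot be cleared without the upgrade.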
LVL 1

Author Comment

by:leblanc
ID: 40281188
Thank you for the reply. So what is the advantage of linking the RSA key that I created with the SSH connection? The link is done with the keypair command.
LVL 65

Expert Comment

by:btan
ID: 40281235
For client auth, you knowingly allow only those coming in via a client request to connect, and for server auth it serves as the first layer of check, unique to your server and of a stronger strength. This also helps if you have many sites: just making a backup copy with a unique key pair assigned will make each site "unique", so that one site key being compromised (due to abuse etc.) does not render the whole of the other sites compromised as well.
Nonetheless, either way works, but we want to be more aware and deterministic, especially when dealing with crypto-related activities. Revocation or renewal of affected keys will be unique to the site.
LVL 1

Author Comment

by:leblanc
ID: 40281557
So from the switch management perspective, especially SSH connections from my PC to the switches, it does not matter if I use the default key or a specific key that I created. Correct? The reason I ask is because I have 30 switches that do not support the keypair command with the existing IOS. I do want to upgrade the IOS. But I need to validate the reason for using the keypair command before management approves the upgrade. Thx
LVL 65

Expert Comment

by:btan
ID: 40282190
Yes, the default key generated onboard can still be used then. Requirements include that the Cisco IOS image used must be a k9 (crypto) image in order to support SSH. For example, c3750e-universalk9-tar.122-35.SE5.tar is a k9 (crypto) image.

If your SSH configuration commands are rejected as illegal commands, you have not successfully generated a RSA key pair for your router. Make sure you have specified a host name and domain. Then use the crypto key generate rsa command to generate an RSA key pair and enable the SSH server.

http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html#req
LVL 1

Author Comment

by:leblanc
ID: 40282316
"yes the default key generated onboard can still be used then"
OK, so there is no need to upgrade the IOS to support the keypair command. Correct? But if I want to upgrade the IOS, how do I justify the upgrade? Thx
LVL 65

Accepted Solution

by:btan (earned 2000 total points)
ID: 40282394
If you need SSH access, please note the Cisco IOS image used must be a k9 (crypto) image in order to support SSH. Please see the requirements on the IOS below:
http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html#req

SSH was introduced into these Cisco IOS platforms and images:
SSH Version 1.0 (SSH v1) server was introduced in some Cisco IOS platforms and images that start in Cisco IOS Software Release 12.0.5.S.
SSH client was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.1.3.T.
SSH terminal-line access (also known as reverse-Telnet) was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.2.2.T.
SSH Version 2.0 (SSH v2) support was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.1(19)E.
As for the justification for the upgrade, it is better security compared to Telnet, and a newer IOS for a more secure version and updates as per any recurring maintenance etc.

Do also check the below on the SSH settings that you can minimally run through:
http://kewney.com/posts/networking/how_to_enable_ssh_on_cisco_ios