One of the methods for authenticating a user in the SSH protocol is RSA public-key based user
authentication. Possession of the private key serves as the proof of the user's identity.
This method works by sending a signature created with the user's private key. Each user
has an RSA key pair on the client machine, and the private key of that pair remains on the
client machine.
The user generates an RSA public-private key pair on a UNIX client using a standard key
generation mechanism such as ssh-keygen. The maximum key length supported is 2048 bits,
and the minimum length is 512 bits. The following example shows a typical key generation
session:
bash-2.05b$ ssh-keygen -b 1024 -t rsa
Generating RSA private key, 1024 bit long modulus
The public key must be in base64-encoded (binary) format for it to be imported correctly
into the router. You can use third-party tools available on the Internet to convert the key
to that format.
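Before importing a key generated as above, it is worth confirming that its modulus actually lies in the 512..2048-bit range the router supports and that the base64 portion of the public key decodes cleanly. The following Python script is an added example, not Cisco's or OpenSSH's code. It parses the OpenSSH ssh-rsa public-key line format (the RFC 4253 wire encoding: the string "ssh-rsa", then the mpint e, then the mpint n), reports the modulus length, checks it against the stated limits, and decodes the base64 text to raw bytes. It assumes that this decoded blob is the "binary format" the page refers to; that assumption is marked in the code. The sample key line is constructed inside the script and is not a real key.

```python
"""Parse an OpenSSH-format RSA public key line, check the modulus length
against the 512..2048-bit range the page states for the router, and decode
the base64 text to raw bytes.

Added example; not Cisco's or OpenSSH's code. Assumption: the "binary"
format the page refers to is the base64-decoded ssh-rsa wire blob."""
import base64
import struct

MIN_BITS = 512   # smallest RSA key length the page says is supported
MAX_BITS = 2048  # largest RSA key length the page says is supported


def _string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: big-endian two's complement,
    so a leading 0x00 is added when the top bit of the first byte is set."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)


def make_openssh_rsa_line(e: int, n: int, comment: str = "") -> str:
    """Build an OpenSSH public key line ("ssh-rsa <base64> [comment]") from e and n.
    Used here only to construct sample input; in practice the line comes from ssh-keygen."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def _read_string(buf: bytes, off: int):
    """Read one length-prefixed field; reject truncated input."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("field runs past end of blob")
    return buf[off:off + length], off + length


def parse_openssh_rsa_line(line: str) -> dict:
    """Decode an ssh-rsa public key line into its components.

    Returns a dict with e, n, the modulus bit length, and the raw decoded blob."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type %r does not match ssh-rsa" % key_type)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing data in key blob")
    n = int.from_bytes(n_bytes, "big")
    return {
        "e": int.from_bytes(e_bytes, "big"),
        "n": n,
        "bits": n.bit_length(),
        "blob": blob,
    }


def key_length_supported(bits: int) -> bool:
    """True when the modulus length is inside the range the router accepts."""
    return MIN_BITS <= bits <= MAX_BITS


def to_binary_for_import(line: str) -> bytes:
    """Return the decoded key blob, refusing keys outside the supported length range.
    Assumption: this decoded blob is the 'binary format' the router imports."""
    key = parse_openssh_rsa_line(line)
    if not key_length_supported(key["bits"]):
        raise ValueError("modulus is %d bits; router supports %d..%d"
                         % (key["bits"], MIN_BITS, MAX_BITS))
    return key["blob"]


if __name__ == "__main__":
    # Constructed sample: a 1024-bit modulus value (not a real RSA modulus),
    # formatted the way ssh-keygen writes id_rsa.pub.
    sample = make_openssh_rsa_line(65537, (1 << 1023) | 1, "user@client")
    info = parse_openssh_rsa_line(sample)
    print("modulus bits:", info["bits"], "supported:", key_length_supported(info["bits"]))
    print("binary blob bytes:", len(to_binary_for_import(sample)))
```

To check a real key, pass the single line from id_rsa.pub to parse_openssh_rsa_line; the length check runs before anything is written out, so a key that ssh-keygen was asked to make larger than 2048 bits is caught on the client rather than at import time.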
Once the public key has been imported to the router, the SSH client can select the public-key
authentication method by specifying it with the "-o" option of the SSH client. For example:
client$ ssh -o PreferredAuthentications=publickey 1.2.3.4
If no public key has been imported to the router using the RSA method, the SSH server
initiates password-based authentication. If a public key has been imported, the server offers
both methods, and the SSH client chooses which one to use to establish the connection. The
system allows at most 10 outgoing SSH client connections.
Currently, only the SSH version 2 and SFTP servers support RSA-based authentication. For
more information on how to import the public key to the router, see the Implementing
Certification Authority Interoperability on the Cisco IOS XR Software chapter in this guide.
Note: The preferred method of authentication is as stated in the SSH RFC. RSA-based
authentication is supported only for local authentication, not for TACACS/RADIUS servers.
Authentication, Authorization, and Accounting (AAA) is a suite of network security services
that provides the primary framework through which access control is set up on your Cisco
router or access server. For more information on AAA, see the Authentication, Authorization,
and Accounting Commands on the Cisco IOS XR Software module in the Cisco IOS XR System
Security Command Reference for the Cisco XR 12000 Series Router publication, and the
Configuring AAA Services on the Cisco IOS XR Software module in the Cisco IOS XR System
Security Configuration Guide for the Cisco XR 12000 Series Router publication.