designetwork(EN)

IT technical memo of networking

Cisco ASA SSH login with Public Key Authentication


Set up SSH public key authentication on the Cisco ASA, as is common in server operation. This makes it possible to operate the device more securely and more efficiently.

Official information

The SSH-related configuration guide for the Cisco ASA is here:

www.cisco.com

This article describes the configuration steps specific to SSH public key authentication.

Environment information

Because this unit is for home use, its OS is not upgraded regularly and is somewhat old. Before applying SSH public key authentication, verify the behavior on the version you are deploying, since there are differences between versions (described below).

ASA5505# sh ver

Cisco Adaptive Security Appliance Software Version 9.2(3)
Device Manager Version 7.2(1)

Compiled on Mon 15-Dec-14 04:10 by builders
System image file is "disk0:/asa923-k8.bin"
...

Authentication is performed only against the ASA's local user database. In a more secure environment, consider authenticating via a RADIUS server. ( ASA5500 SSH using AAA RADIUS - Cisco Community )

ASA5505# sh run | i aaa
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL

Start from a state where you can log in with normal password authentication.

ASA5505# sh run | i password
enable password PASSWORD encrypted
username dev password PASSWORD encrypted privilege 15
---

[dev@h-cent-mng01 ~]$ ssh dev@asa5505
dev@asa5505's password: PASSWORD
Type help or '?' for a list of available commands.
ASA5505>

Setting up SSH public key authentication

The configuration commands are as follows (set by referring to the document above).

ASA5505# conf t
ASA5505(config)# username dev password PASSWORD privilege 15
ASA5505(config)# username dev attributes
ASA5505(config-username)# ssh authentication publickey <PUBLIC_KEY>

The PUBLIC_KEY to enter is taken from an SSH public key like the following:

[dev@h-cent-mng01 ~]$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAAD... dev@d-cent-mng01.designet.local

Enter only the base64 body shown below, without the leading key type, the trailing comment, or any spaces:

AAAAB3NzaC1yc2EAAAAD...
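As an added example (not from the original post), this Python script automates the extraction above: it takes the line that `cat ~/.ssh/id_rsa.pub` prints, keeps only the base64 body, checks that the body decodes to a complete OpenSSH key whose embedded type matches the declared `ssh-rsa`, reports the SHA256 fingerprint (the same value `ssh-keygen -lf` prints, so it can be compared after pasting), and emits the ASA lines. The sample key, the `dev` user and the function names are constructed for this example.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    """One OpenSSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b

# Constructed sample: a syntactically valid ssh-rsa blob built from dummy e and n
# values (not a real key pair), in the form "cat ~/.ssh/id_rsa.pub" prints it.
SAMPLE_BLOB = base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(bytes(range(33)))
).decode()
SAMPLE_LINE = f"ssh-rsa {SAMPLE_BLOB} dev@d-cent-mng01.designet.local"

def parse_openssh_pubkey(line: str) -> tuple:
    """Split one OpenSSH public key line into (type, base64 body, comment).
    Only the body goes into the ASA; type and comment are dropped."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    return parts[0], parts[1], parts[2] if len(parts) == 3 else ""

def validate_blob(key_type: str, body: str) -> str:
    """Reject truncated or space-damaged bodies and type mismatches; return the
    SHA256 fingerprint in the form ssh-keygen -lf prints (base64, no padding)."""
    raw = base64.b64decode(body, validate=True)  # raises ValueError on stray chars
    fields, off = [], 0
    while off < len(raw):
        if off + 4 > len(raw):
            raise ValueError("truncated key: length prefix cut off")
        (n,) = struct.unpack(">I", raw[off:off + 4])
        off += 4
        if off + n > len(raw):
            raise ValueError("truncated key: field shorter than its length prefix")
        fields.append(raw[off:off + n])
        off += n
    if not fields or fields[0] != key_type.encode():
        raise ValueError("embedded key type does not match the declared type")
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def asa_config(username: str, pubkey_line: str) -> list:
    """Emit the ASA CLI lines from the post for this user, with the validated body."""
    key_type, body, _ = parse_openssh_pubkey(pubkey_line)
    validate_blob(key_type, body)
    return [f"username {username} attributes", f"ssh authentication publickey {body}"]

if __name__ == "__main__":
    print(validate_blob(*parse_openssh_pubkey(SAMPLE_LINE)[:2]))
    print("\n".join(asa_config("dev", SAMPLE_LINE)))
```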

Log in with the SSH private key

Configure the client (for example in .ssh/config) to connect with the matching private key. In Tera Term and similar clients, select the private key file in the connection dialog.

If the key pair was generated without a passphrase, you are logged in without any prompt, as follows.

[dev@h-cent-mng01 ~]$ ssh dev@asa5505
Type help or '?' for a list of available commands.
ASA5505>

(Warning) Creating a user with no password

Note that in the version verified here, creating the user with nopassword as below sets an empty password, so the login prompt accepts an empty password instead of requiring the key.

ASA5505(config)# username dev nopassword privilege 15
[dev@h-cent-doc01 ~]$ ssh asa5505
dev@asa5505's password: [press Enter without typing anything]
Type help or '?' for a list of available commands.
ASA5505>

The verified version cannot create a user with no password defined at all; `username` requires either `password` or `nopassword`:

ASA5505(config)# username hatena ?

configure mode commands/options:
  attributes  Enter the attributes sub-command mode for the specified user
  nopassword  Indicates that this user has no password
  password    The password for this user

ASA5505(config)# username hatena attributes
ERROR: Invalid username

It appears that from the following version onward you can create a user with no password defined. (Unverified)

SSH public key authentication improvements

9.6(2)

In earlier releases, you could enable SSH public key authentication (ssh authentication) without also enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL). The configuration is now fixed so that you must explicitly enable AAA SSH authentication. To disallow users from using a password instead of the private key, you can now create a username without any password defined.

We modified the following commands: ssh authentication, username

(Appendix) Behavior of Privilege

Regarding how privilege levels behave, this exchange was helpful.

serverfault.com

It seems that instead of being placed in enable mode (privilege 15) at login time, the user can move to enable mode as that same user (rather than as the enable_15 user) with the login command. It is something like sudo on Linux.

ASA5505> show curpriv
Username : dev
Current privilege level : 1
Current Mode/s : P_UNPR
ASA5505> en
Password: ENABLE_PASSWORD

ASA5505# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV

ASA5505# exit
ASA5505> login
Username: dev
Password: PASSWORD
ASA5505# sh curpriv
Username : dev
Current privilege level : 15
Current Mode/s : P_PRIV

Conclusion - Cisco ASA SSH login with Public Key Authentication

I configured SSH public key authentication on the Cisco ASA and logged in with the private key. For verification purposes, using a key pair without a passphrase improves efficiency. With a newer OS version, password login can be prohibited so that key authentication is mandatory.


This blog is the English version of my Japanese one.

Sorry if my English sentences are incorrect.
