Implement SSH public key authentication, which is standard practice in server operation, on the Cisco ASA. This makes operation both more secure and more efficient.
- Official information
- Environment information
- Setting up SSH public key authentication
- (Warning) Creating a user with no password
- (Appendix) Behavior of Privilege
- Conclusion - Cisco ASA SSH login with Public Key Authentication
Official information
The official Cisco ASA configuration guide covers the SSH-related settings.
In this article, we describe the setting method specialized for SSH public key authentication.
Environment information
Since this device is for home use, the OS is not upgraded regularly and the version is somewhat old. Before applying SSH public key authentication, verify the behaviour on the version you are actually deploying, since it differs between versions as described below.
ASA5505# sh ver
Cisco Adaptive Security Appliance Software Version 9.2(3)
Device Manager Version 7.2(1)
Compiled on Mon 15-Dec-14 04:10 by builders
System image file is "disk0:/asa923-k8.bin"
...
Authentication is performed only against the ASA's local user database. For a more secure environment, consider authentication via a RADIUS server (see "ASA5500 SSH using AAA RADIUS" on the Cisco Community).
ASA5505# sh run | i aaa
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
Start from a state where you can log in with normal password authentication.
ASA5505# sh run | i password
enable password PASSWORD encrypted
username dev password PASSWORD encrypted privilege 15
---
[dev@h-cent-mng01 ~]$ ssh dev@asa5505
dev@asa5505's password: PASSWORD
Type help or '?' for a list of available commands.
ASA5505>
Setting up SSH public key authentication
The configuration commands are as follows (set by referring to the document above).
ASA5505# conf t
ASA5505(config)# username dev password PASSWORD privilege 15
ASA5505(config)# username dev attributes
ASA5505(config-username)# ssh authentication publickey <PUBLIC_KEY>
The <PUBLIC_KEY> to enter is taken from an SSH public key like the following:
[dev@h-cent-mng01 ~]$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAAD... dev@d-cent-mng01.designet.local
Enter only the base64 body (the part between the key type and the comment), without any spaces:
AAAAB3NzaC1yc2EAAAAD...
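Extracting that body by hand is where copy-and-paste mistakes happen, so here is an added helper (not from the original post) that reads an OpenSSH public key line, checks that it really is an ssh-rsa key body with no spaces, and prints the two ASA commands shown above. The sample key line is constructed and is not a real key; the function name asa_pubkey_cmds is my own.

```shell
#!/bin/sh
# Added example: turn an OpenSSH public key line into the ASA commands used
# in this article, keeping only the base64 body (no "ssh-rsa", no comment).

# asa_pubkey_cmds USER  <  key-line-on-stdin
# Prints the two config lines; returns 1 if the line is not a usable ssh-rsa key.
asa_pubkey_cmds() {
    user="$1"
    # OpenSSH public key line: "<type> <base64-body> [comment]"
    read -r ktype body _comment
    # The article configures an ssh-rsa key; refuse other types rather than guess.
    if [ "$ktype" != "ssh-rsa" ]; then
        echo "expected an ssh-rsa key, got: ${ktype:-<empty>}" >&2
        return 1
    fi
    # The body must be plain base64: the ASA takes it as one token, so any
    # embedded space or stray character means the key was pasted incorrectly.
    if ! printf '%s' "$body" | grep -Eq '^[A-Za-z0-9+/]+=*$'; then
        echo "key body is missing or not base64" >&2
        return 1
    fi
    # Every ssh-rsa blob starts with the length-prefixed string "ssh-rsa",
    # which base64-encodes to "AAAAB3NzaC1yc2" (compare the article's sample).
    # A body without that prefix is a truncated copy or the wrong file.
    case "$body" in
        AAAAB3NzaC1yc2*) ;;
        *) echo "body does not start like an ssh-rsa key blob" >&2; return 1 ;;
    esac
    printf 'username %s attributes\n' "$user"
    printf ' ssh authentication publickey %s\n' "$body"
}

# Constructed sample key line (not a real key); in practice feed ~/.ssh/id_rsa.pub
SAMPLE_BODY='AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSampleBodyNotARealKey'
SAMPLE_KEY="ssh-rsa $SAMPLE_BODY dev@h-cent-mng01"

# Stand-alone run: print the commands for user dev
printf '%s\n' "$SAMPLE_KEY" | asa_pubkey_cmds dev
```

On a real client, replace the sample with `asa_pubkey_cmds dev < ~/.ssh/id_rsa.pub` and paste the printed lines into configure mode.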
Log in with the SSH private key
On the client, .ssh/config or similar is set up so that the connection uses the matching private key. With Tera Term and similar clients, the SSH private key file is selected in the client.
If the SSH key pair was created without a passphrase, you can log in without entering anything, as follows.
[dev@h-cent-mng01 ~]$ ssh dev@asa5505
Type help or '?' for a list of available commands.
ASA5505>
(Warning) Creating a user with no password
Note that in the verified version, if you create a user with nopassword as below, an empty password is set, and login with an empty password succeeds.
ASA5505(config)# username dev nopassword privilege 15
[dev@h-cent-doc01 ~]$ ssh asa5505
dev@asa5505's password: [press Enter without typing anything]
Type help or '?' for a list of available commands.
ASA5505>
In the verified version, a user with no password at all cannot be created...
ASA5505(config)# username hatena ?

configure mode commands/options:
  attributes  Enter the attributes sub-command mode for the specified user
  nopassword  Indicates that this user has no password
  password    The password for this user
ASA5505(config)# username hatena attributes
ERROR: Invalid username
It appears that a user with no password defined can be created from the following version onward (unverified):
SSH public key authentication improvements
9.6(2)
In earlier releases, you could enable SSH public key authentication (ssh authentication) without also enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL). The configuration is now fixed so that you must explicitly enable AAA SSH authentication. To disallow users from using a password instead of the private key, you can now create a username without any password defined.
We modified the following commands: ssh authentication, username
(Appendix) Behavior of Privilege
Regarding the behaviour of privilege levels, this exchange was helpful.
It seems that rather than entering Enable mode (privilege 15) as the generic enable_15 user, you can switch to Enable mode as the user itself by logging in again with the login command. It works something like sudo on Linux.
ASA5505> show curpriv
Username : dev
Current privilege level : 1
Current Mode/s : P_UNPR
ASA5505> en
Password: ENABLE_PASSWORD
ASA5505# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
ASA5505# exit
ASA5505> login
Username: dev
Password: PASSWORD
ASA5505# sh curpriv
Username : dev
Current privilege level : 15
Current Mode/s : P_PRIV
Conclusion - Cisco ASA SSH login with Public Key Authentication
I configured SSH public key authentication on the Cisco ASA and logged in with the private key. For verification purposes a key pair without a passphrase was used, which makes the process more efficient. With a newer OS version, password login can be prohibited so that key authentication becomes mandatory.