Cisco Router, SSH, PubKey, ...
I stumbled across an old Cisco box in the basement. I thought I might have some fun (or frustration?) with the aging device. The hardware still works fine, right? And what about the software? Let's give it a try!
Cisco 1841 (revision 7.0) with 352256K/40960K bytes of memory.
Processor board ID FCZ1234757Y
6 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
125184K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102

System image file is "flash:c1841-adventerprisek9-mz.151-4.M10.bin"
System image file is "flash:c1841-advipservicesk9-mz.124-25g.bin"

r112#wr erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
r112#reload
Jan 2 12:10:07.427: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]
Jan 2 12:10:17.603: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
PLD version 0x10
GIO ASIC version 0x127
c1841 platform with 393216 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled
do some basic settings
conf t
no ip domain lookup
hostname router-template
line con 0
logging synchronous
line vty 0 15
logging synchronous
end

conf t
ip name-server 18.104.22.168
ip domain lookup
end
ping 22.214.171.124
ping www.google.com
add two nameservers
conf t
ntp server time.metas.ch prefer
ntp server 0.ch.pool.ntp.org
end
set the right timezone …
conf t
clock timezone CET +1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
end
configure logging correctly
conf t
service timestamps log datetime localtime show-timezone
logging console errors
logging buffered 64000
end
encrypt password / set enable password
conf t
service password-encryption
enable secret XxXxXxXxXxXxX
end
remove old key
conf t
crypto key zeroize rsa
end

conf t
crypto key generate rsa modulus 2048
end
… or go with 4k …
4k key length -> this is gonna take a while (5 min) depending on your hardware!

conf t
crypto key generate rsa modulus 4096
end

conf t
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
username cisco privilege 15 password xXxXxXxXxXxXx
line vty 0 15
transport input ssh
login local
end
ssh -l cisco 192.168.5.209
[email protected]$ ssh -l cisco 192.168.5.209
(cisco@192.168.5.209) Password:
router-template#

-> success!

SSH keygen on *nix machine

I mostly use ed25519 keys on my boxes, so there is no RSA key at the moment.
RSA Key, 2048 Bit
ssh-keygen -t rsa -b 2048
[email protected]$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa
Your public key has been saved in /home/user/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:cfLCL3kZCJaodgAA9TTpnN/O2BkYjw6exvXU7px96eg [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|*.. o. |
| . o.o . |
| .oo.+ o . |
| o+..o * |
| o .. *S.o |
| . .. = =+.o |
| o = Bo++ . |
| = o *+.o .o |
| . .+.Eo. |
+----[SHA256]-----+

The Cisco box needs the key split into lines of a special length. There is no chance to copy/paste the public key in just one line (thanks for that, Cisco).
cat ~/.ssh/id_rsa.pub |cut -d" " -f 2 |fold -b -w 64
[email protected]$ cat ~/.ssh/id_rsa.pub |cut -d" " -f 2 |fold -b -w 64
AAAAB3NzaC1yc2EAAAADAQABAAABAQC8UxE839WIIXVlwqn/X6NrRMoesuQMYozS
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Add Pubkey to Router
Create a user called “user” and add the public key like this:

conf t
ip ssh pubkey-chain
username user
key-string
AAAAB3NzaC1yc2EAAAADAQABAAABAQC8UxE839WIIXVlwqn/X6NrRMoesuQMYozS
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
exit
exit
exit
exit
confirm that your key got installed correctly …
show running-config | section pubkey
router-template#show running-config | section pubkey
ip ssh pubkey-chain
  username user
   key-hash ssh-rsa 80ADCCB62636783A0A6B5E1E28F23CE0
quit
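The fold-by-hand step above and the key-hash check are easy to get wrong when you do them for more than one key. The following script is an added example and not part of the original post: it builds the complete `ip ssh pubkey-chain` stanza from an OpenSSH public key file with the same 64-column fold used above, and prints the value that should afterwards appear as `key-hash` in `show running-config`. The assumption behind `ios_key_hash` is that IOS stores the MD5 of the base64-decoded key blob (the same digest `ssh-keygen -E md5 -lf id_rsa.pub` prints); verify it against your own router output. The demo key is constructed and meaningless.

```shell
#!/bin/sh
# Added example, not from the original post: build the IOS
# "ip ssh pubkey-chain" stanza from an OpenSSH public key file and
# print the hash IOS should later show as "key-hash".

# Print the IOS stanza for user $1 from public key file $2.
# The key blob (second field of id_rsa.pub) is folded to 64 columns,
# exactly as done by hand in the post.
ios_pubkey_stanza() {
    user="$1"
    pubfile="$2"
    blob=$(cut -d' ' -f2 "$pubfile")
    printf 'conf t\nip ssh pubkey-chain\nusername %s\nkey-string\n' "$user"
    printf '%s\n' "$blob" | fold -b -w 64
    printf 'exit\nexit\nexit\nexit\n'
}

# Expected "key-hash ssh-rsa ..." value for public key file $1:
# MD5 of the base64-decoded blob, upper-case hex without colons.
# Assumption: IOS stores the MD5 of the raw key blob, i.e. the same
# digest that "ssh-keygen -E md5 -lf id_rsa.pub" prints.
ios_key_hash() {
    cut -d' ' -f2 "$1" | base64 -d | md5sum | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# Demo with a constructed (meaningless) key so the script runs offline.
# With a real key:  ios_pubkey_stanza user ~/.ssh/id_rsa.pub
tmpkey=$(mktemp)
printf 'ssh-rsa %s constructed@example\n' "$(printf '%0152d' 0 | tr 0 A)" > "$tmpkey"
ios_pubkey_stanza user "$tmpkey"
if command -v md5sum >/dev/null 2>&1; then
    echo "expected key-hash: $(ios_key_hash "$tmpkey")"
fi
rm -f "$tmpkey"
```

Paste the printed stanza into the router session, then compare the `key-hash` line of `show running-config | section pubkey` with the printed digest; a mismatch means a line of the key was lost or mangled on paste.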
Login with Key Only
And try to log in with key only. Unfortunately that does not work as expected …
ssh -o PreferredAuthentications=pubkey -o KexAlgorithms=+diffie-hellman-group-exchange-sha1 -o HostKeyAlgorithms=+ssh-rsa -c aes128-cbc -l user 192.168.5.209
-> the router only supports really old crypto ciphers, so we have to downgrade and update our ssh config file :(

cat << 'EOF' >> ~/.ssh/config
Host 192.168.5.209
    KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa
    Ciphers +aes128-cbc
EOF

[email protected]$ ssh -l user 192.168.5.209
user@192.168.5.209: Permission denied (publickey,keyboard-interactive,password).
I enabled “debug ip ssh” and got some weird debug messages on the Cisco box. Couldn’t find a solution on Google & friends :(

Weird debug messages
SSH0: Session disconnected - error 0x00
Upgrade/Downgrade IOS Image
Let’s switch to another IOS Image …
First approach is to copy the image from the Unix box to the router. I’d prefer SSH/SCP and not the legacy TFTP/FTP stuff.

Enable the SCP server on the router

conf t
ip scp server enable
end
push the Image to the Router
scp ~/c181x-adventerprisek9-mz.151-4.M12a.bin [email protected]:c181x-adventerprisek9-mz.151-4.M12a.bin
-> not successful. Couldn’t copy the “old” image from my Unix box to the router via scp :(

2nd try: pull the image from the router, also with scp!

Update /etc/ssh/sshd_config on the Unix box

Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes128-cbc,3des-cbc
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKeyAlgorithms ssh-ed25519,[email protected],[email protected],sk-ss[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-rsa
and restart the ssh daemon
rcctl restart sshd
ssh from router to server
router-template#ssh -l user 192.168.5.1
Password:
Last login: Tue Jul 26 20:41:16 2022 from 192.168.5.209
OpenBSD 7.1 (GENERIC.MP) #3: Sun May 15 10:27:01 MDT 2022
-> ssh login works from the router
try to copy from the server to router
[email protected]$ ll /home/user/c181x-adventerprisek9-mz.151-4.M12a.bin
-rw-r--r--  1 user  user  30583572 Jul 26 20:32 /home/user/c181x-adventerprisek9-mz.151-4.M12a.bin

router-template#copy scp://user@192.168.5.1:/c181x-adventerprisek9-mz.151-4.M12a.bin flash:/c181x-adventerprisek9-mz.151-4.M12a.bin
Destination filename [c181x-adventerprisek9-mz.151-4.M12a.bin]?
Password:
scp: debug1: fd 3 clearing O_NONBLOCK
Sending file modes: C0644 30583572 c181x-adventerprisek9-mz.151-4.M12a.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

-> this seems to be working and needs a few minutes …
set Boot Variable
conf t
boot system flash:c181x-adventerprisek9-mz.151-4.M12a.bin
end
wr

… and the router stops in rommon :(

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
PLD version 0x10
GIO ASIC version 0x127
c1841 platform with 393216 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled
Readonly ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80
loadprog: error - Invalid image for platform
e_machine = 147, cpu_type = 134
boot: cannot load "flash:"
-> Invalid image for platform
Let’s boot the previous image (always keep more than one image on the flash if possible!)
Try again with 12.4
Another try with an image for the 1841, v12.4-25G

copy scp://user@192.168.5.1:/c1841-advipservicesk9-mz.124-25g.bin flash:/c1841-advipservicesk9-mz.124-25g.bin
conf t
no boot system
boot system flash c1841-advipservicesk9-mz.124-25g.bin
end
wr
show flash content
router-template#dir flash:
Directory of flash:/

    2  -rw-    47454756   Jun 7 2015 14:07:44 +02:00  c1841-adventerprisek9-mz.151-4.M10.bin
    3  -rw-     2732032  Jul 26 2022 21:16:26 +02:00  c1841-advipservicesk9-mz.124-25g.bin

Downgrade of software aborted … Version 12.4 handles SSH & cryptography kind of differently. Not interested in going another step back in history …

So, it was quite interesting to see how many “botches, workarounds and downgrades” need to be implemented, and I still was not able to log in with SSH & pubkey to my old router box. I think I should give it away to someone who wants to learn and get his hands dirty.

Follow Up with AAA

Got some support from a nice Cisco guy and tried a few things …

conf t
crypto key generate rsa usage-keys label router-key
aaa new-model
aaa authentication login default local
aaa authorization exec default local if-authenticated
end
Error Messages on the Router …
router-template#
Jul 29 08:47:30.671: SSH0: starting SSH control process
Jul 29 08:47:30.671: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
Jul 29 08:47:30.675: SSH0: protocol version id is - SSH-2.0-OpenSSH_9.0
Jul 29 08:47:30.679: SSH2 0: SSH2_MSG_KEXINIT sent
Jul 29 08:47:30.683: SSH2 0: SSH2_MSG_KEXINIT received
Jul 29 08:47:30.683: SSH2:kex: client->server enc:aes128-cbc mac:hmac-sha1
Jul 29 08:47:30.683: SSH2:kex: server->client enc:aes128-cbc mac:hmac-sha1
Jul 29 08:47:30.879: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
Jul 29 08:47:30.879: SSH2 0: Range sent by client is - 2048 < 4096 < 8192
Jul 29 08:47:30.879: SSH2 0: Modulus size established : 4096 bits
Jul 29 08:47:31.499: SSH2 0: expecting SSH2_MSG_KEX_DH_GEX_INIT
Jul 29 08:47:31.503: SSH2 0: SSH2_MSG_KEXDH_INIT received
Jul 29 08:47:33.050: SSH2: kex_derive_keys complete
Jul 29 08:47:33.050: SSH2 0: SSH2_MSG_NEWKEYS sent
Jul 29 08:47:33.050: SSH2 0: waiting for SSH2_MSG_NEWKEYS
Jul 29 08:47:33.082: SSH2 0: SSH2_MSG_NEWKEYS received
Jul 29 08:47:33.286: SSH2 0: Using method = none
Jul 29 08:47:33.290: SSH2 0: SSH ERROR closing the connection
Jul 29 08:47:33.390: SSH0: Session disconnected - error 0x00
stupid double fault :(
Oh man … what a stupid error. User “user” must also exist on the router. And OpenBSD is still not able to log in. A standard Debian box is doing fine …

Add user ‘user’

conf t
username user privilege 15 password xXxXxXxXxXxXx
end
OpenBSD SSH Debug
OpenBSD still refuses to work, so it needs some more investigation.

debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: .ssh/id_rsa RSA SHA256:wbJ/kzgZ5jpAGo56/f4MMsqUO3IgBc1o8l1X7UwEx90 explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Offering public key: .ssh/id_rsa RSA SHA256:wbJ/kzgZ5jpAGo56/f4MMsqUO3IgBc1o8l1X7UwEx90 explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: keyboard-interactive
(user@192.168.5.209) Password:
send_pubkey_test: no mutual signature algorithm
SSH FIXED !
Finally did it …

cat << 'EOF' >> .ssh/config
Host 192.168.5.209
    KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa
    Ciphers +aes128-cbc
    MACs +hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
    PubkeyAcceptedKeyTypes +ssh-rsa
EOF

-> PubkeyAcceptedKeyTypes +ssh-rsa was the missing line …

Best to add this part to /etc/ssh_config, so it will be valid for all upcoming SSH sessions.

OK, at least fixed and documented. For me or for someone else ;)

Any comments?
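The lesson of the whole post is that `HostKeyAlgorithms` (which host keys the client accepts) and `PubkeyAcceptedKeyTypes` / `PubkeyAcceptedAlgorithms` (which signature algorithms the client will use for its own key) are separate knobs, and `debug1: send_pubkey_test: no mutual signature algorithm` is the symptom of the second one being too strict. The script below is an added example, not from the original post: it reads the output of `ssh -G <host>`, which prints the effective client configuration for that host, and reports whether each legacy algorithm this router needs is actually offered. `legacy_check` is my own helper name; the list of required algorithms is taken from the Host block above. Both spellings of the pubkey option are accepted because older clients print `pubkeyacceptedkeytypes`. The sample input at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check what the local OpenSSH
# client will actually offer a host before trying to log in. Input is the
# output of "ssh -G <host>" (lower-case keyword, then a comma-separated list).

# legacy_check FILE: FILE holds "ssh -G host" output. Prints one line per
# required algorithm and returns the number that are missing.
legacy_check() {
    cfg="$1"
    missing=0
    # keyword(s):algorithm pairs. PubkeyAcceptedKeyTypes is the old name of
    # PubkeyAcceptedAlgorithms, so both keywords are matched.
    for pair in \
        "kexalgorithms:diffie-hellman-group-exchange-sha1" \
        "hostkeyalgorithms:ssh-rsa" \
        "ciphers:aes128-cbc" \
        "macs:hmac-sha1" \
        "pubkeyacceptedalgorithms|pubkeyacceptedkeytypes:ssh-rsa"; do
        kw=${pair%%:*}
        alg=${pair#*:}
        if awk -v kw="$kw" -v alg="$alg" '
              $1 ~ ("^(" kw ")$") {
                  n = split($2, a, ",")
                  for (i = 1; i <= n; i++) if (a[i] == alg) found = 1
              }
              END { exit (found ? 0 : 1) }' "$cfg"; then
            echo "ok       $kw offers $alg"
        else
            echo "MISSING  $kw does not offer $alg"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample of what "ssh -G 192.168.5.209" prints once the Host
# block from the post is in place (only the relevant lines).
sample=$(mktemp)
cat > "$sample" <<'EOF'
kexalgorithms curve25519-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc
macs umac-64-etm@openssh.com,hmac-sha1,hmac-sha1-96
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
EOF
legacy_check "$sample" || echo "$? algorithm(s) missing"
rm -f "$sample"
```

Against a real client run `ssh -G 192.168.5.209 > /tmp/eff && legacy_check /tmp/eff`; a `MISSING` line on the pubkey row is exactly the case the debug output above showed. Because `ssh -G` resolves the configuration per host, it also confirms that the weakened algorithms apply only inside the `Host 192.168.5.209` stanza and not to every other connection, which is worth keeping that way even when the stanza moves into the system-wide ssh_config.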