[c-nsp] SSH Authorized Keys?

Kevin Graham kgraham at industrial-marshmallow.com
Sat May 10 05:03:12 EDT 2008


> The answer I have heard from Cisco is that doing so would place a
> runtime dependency on the storage. 
[...]
> You could put the keys into the config but the config could get messy. 

RSA crypto keyrings are a little noisy, but well organized, hardly anything
new, nor any different failure mode than IPSec PSK or local AAA auth. For
huge chains, obviously there's more appropriate solutions (k5, x509 ssh when
it becomes more prevalent, etc), but one size need not fit all.

This seems perfectly reasonable:

username autotool access-class 50 keyring TOOLS priv 15
access-list 50 permit host 192.0.2.5
crypto keyring TOOLS
 ssh-dsa-pubkey name rancid
   key-string
    30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
    00CBEE5F F1A0C22C 4676CB80 A544722D 8819D3CC 5B3CC25C 27729F36 E2F98831
    9CDD59DD BDE67C87 8913C9B0 C67B8612 94EABF60 E0527290 0AB6DDD5 EECF94D0
    16137838 49CA5FA9 8D62A8FC 61CBE600 7714F617 ADCEDCFF D6C62E07 8222D75D
    6910F3A2 27C5405A ED97EC81 9873FF3B CDC92B13 5D118E0E 08D2D78F 53F78901
    167CCB1B C7FED675 B54CA739 AC79EB6F 45C77406 13503DB7 B468BBFF 4E4FD339
    792D645F A545521F 730AE2AC D34BA82A 9986722A 42EA5CF7 00403909 4E906932
    7FFC93DF 972F3A34 CA972B47 7C59EB48 E58E81BE E5365D70 669653A4 031CB8C3
    31288E26 47AC7190 FE8FAE7B 160DF077 13050132 F25D5A35 E4C2F976 6F9FDD2A
    75020301 0001
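A keyring entry like the one above is only as trustworthy as the blob inside it, so an operator wants a way to check what a key-string actually contains before trusting it for priv 15 logins. The following is an added example, not code from the post or from Cisco: a small Python decoder for the hex key-string above (which is a DER SubjectPublicKeyInfo; the post's blob decodes as a 2048-bit rsaEncryption key with public exponent 65537). It extracts the modulus and exponent, renders the key in OpenSSH authorized_keys form and prints its SHA256 fingerprint, so it can be compared against `ssh-keygen -lf` on the host that owns the key. The `_tlv` helper is a deliberately minimal DER reader (definite lengths only, well-formed input assumed); all function names are my own.

```python
"""Decode an RSA public key embedded as a hex key-string in a router config.

Added example, not part of the original mailing-list post. Input is the
key-string shown in the post; the DER parsing, OpenSSH rendering and
fingerprinting are illustrative code, not a Cisco or OpenSSH API.
"""
import base64
import hashlib

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded contents.
RSA_OID = bytes.fromhex("2A864886F70D010101")

# The key-string from the post (hex octets, whitespace-separated).
KEY_STRING = """
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00CBEE5F F1A0C22C 4676CB80 A544722D 8819D3CC 5B3CC25C 27729F36 E2F98831
9CDD59DD BDE67C87 8913C9B0 C67B8612 94EABF60 E0527290 0AB6DDD5 EECF94D0
16137838 49CA5FA9 8D62A8FC 61CBE600 7714F617 ADCEDCFF D6C62E07 8222D75D
6910F3A2 27C5405A ED97EC81 9873FF3B CDC92B13 5D118E0E 08D2D78F 53F78901
167CCB1B C7FED675 B54CA739 AC79EB6F 45C77406 13503DB7 B468BBFF 4E4FD339
792D645F A545521F 730AE2AC D34BA82A 9986722A 42EA5CF7 00403909 4E906932
7FFC93DF 972F3A34 CA972B47 7C59EB48 E58E81BE E5365D70 669653A4 031CB8C3
31288E26 47AC7190 FE8FAE7B 160DF077 13050132 F25D5A35 E4C2F976 6F9FDD2A
75020301 0001
"""


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).

    Minimal reader: definite-length encodings only (assumption for this example).
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der):
    """Return (modulus, exponent) from a DER SubjectPublicKeyInfo, or raise ValueError."""
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, algid, pos = _tlv(spki, 0)        # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier missing")
    oid_tag, oid, _ = _tlv(algid, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)         # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    tag, rsakey, _ = _tlv(bits, 1)         # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    n_tag, n_bytes, pos = _tlv(rsakey, 0)
    e_tag, e_bytes, _ = _tlv(rsakey, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("modulus/exponent are not INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_mpint(x):
    """RFC 4251 mpint: big-endian, leading 0x00 if the top bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return len(b).to_bytes(4, "big") + b


def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b


def to_openssh(n, e, comment="rancid"):
    """Render (n, e) as an authorized_keys line plus its SHA256 fingerprint."""
    wire = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    fp = base64.b64encode(hashlib.sha256(wire).digest()).rstrip(b"=").decode()
    return "ssh-rsa " + base64.b64encode(wire).decode() + " " + comment, "SHA256:" + fp


def inspect_key_string(text):
    """Decode a hex key-string and summarise what it actually contains."""
    der = bytes.fromhex("".join(text.split()))
    n, e = parse_rsa_spki(der)
    line, fp = to_openssh(n, e)
    return {"bits": n.bit_length(), "exponent": e,
            "authorized_keys": line, "fingerprint": fp}


if __name__ == "__main__":
    info = inspect_key_string(KEY_STRING)
    print(f"RSA-{info['bits']} e={info['exponent']} {info['fingerprint']}")
    print(info["authorized_keys"])
```

Run it against the key-string and compare the printed fingerprint with `ssh-keygen -lf` on the tooling host's public key; a mismatch means the blob in the config is not the key you think it is, and a decode error means it is not an RSA SubjectPublicKeyInfo at all.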

Per-user administration of keys for local authentication is ugly, but that's
the case today with password auth as well (i.e. no way to allow a user to
change their password and only their password).

Presently, my gripe with SSH on IOS is the lack of being able to determine
whether it's enabled from inspecting the config. Without this or a means
to nondestructively 'crypto key generate rsa general modulus 1024', enabling
ssh is entirely manual.

I can accept that RANCID-style log-in-and-screenscrape approaches already
require enough expect (or similar) interaction that there's little need, but
with NETCONFoSSH, it's becoming less acceptable.

[...obcomplaint that with the increasing fragmentation of operating systems
any requests like this become a shot in the dark with regards to
consistent implementation or timing, as compared to the very nice and very much
appreciated job keeping 12.2SE and 12.2SG frequently resyncing to 12.2S to
bring over non-core CLI and management functionality...]