Automating username/password when using ssh to a Cisco router

If not in a file then where? RFC4252 states that public key authentication is *required* in any SSH implementation and that key must be kept someplace.

I suppose that Cisco could, at least theoretically, keep the public key stored in a condom attached to an RJ45 port : >

Reply to
Dave Uhring

The last time I looked, routers did not come equipped with disk drives! No file system! Or, at least, none in the usual sense of the expression. It does have flash PROM, NVRAM, or some reasonable facsimile where it can store things like passwords and public or private keys, configuration info, etc. I think floppy disks have more storage!!

Reply to
Richard B. Gilbert

My routers have considerably more storage space than a floppy.

PCMCIA Filesystem Compatibility Matrix and Filesystem Information

formatting link

Reply to
Ivan Marsh

In a database, for example. As long as the ssh server code can retrieve the key when needed, I don't see where the protocol cares what form the key storage takes.

I'm not saying that would be a *good* place to store a private key, just that one could be stored there, and it wouldn't be updatable by merely uploading a file.

-Greg

Reply to
Greg Andrews

Greg Andrews wrote:

Sorry to disappoint you but no. Cisco does not support public key authentication for ssh, period.

Yes, indeed I have.

Reply to
Tilman Schmidt

LOL! The authors of RFC4252, The Secure Shell (SSH) Authentication Protocol, which *mandates* public key authentication are T. Ylonen of SSH Communications Security Corp and C. Lonvick, Ed. of Cisco Systems, Inc.

Reply to
Dave Uhring

Even back in the 10baseT days Cisco routers had nvram to which configs could be saved, plenty of room for keys if they couldn't be stored in the running-config for some reason.

Gregm

Reply to
Greg Menke

Yes. Sad, isn't it? One of my most longstanding gripes with Cisco. But technically they do not claim conformance with that RFC, so you can't sue them for it.

OTOH, RFC4252 is only a bit over two years old, so perhaps there's still hope.

Reply to
Tilman Schmidt

Curiously neither Theo de Raadt's name nor any other name from the OpenBSD project appears in those documents. Is this another OOXML-like attempt at establishing a single-provider standard?

Reply to
Dave Uhring

formatting link

Checking the link shows that Cisco uses the expression "file systems" in discussing their routers. Prices being what they are, the ONLY Cisco router that I have any experience with is a CMP2A. It appears to have been designed for broadband cable on the WAN side and Ethernet on the LAN side. I salvaged it from a trash can. I have been unable to find ANY documentation for this beast.

I found some general instructions for "password recovery" that allowed me to break into it. I haven't seen anything resembling a "file system" on this one but perhaps I just don't know what to look for!

Reply to
Richard B. Gilbert

Not sure why the OpenBSD team should be particularly predestined to participate in the standardisation of ssh?

The hallmark of a good conspiracy theory is that it can be neither proved nor disproved.

HTH T.

Reply to
Tilman Schmidt

Arguably, their version of ssh is the one most widely adopted, particularly in the Linux and BSD distributions. Solaris itself uses a slightly modified version of OpenBSD's ssh.

[duhring@einstein ~]$ what /usr/lib/ssh/sshd | grep OpenBSD | wc -l
61

Reply to
Dave Uhring

Yes, my point exactly. The Cisco box does not have a file system to SCP a file to anyway. It's not UNIX or anything similar - it's Cisco IOS....

Reply to
BertieBigBollox

OK. That's that then....

Reply to
BertieBigBollox
[...]

Actually, this is not true. The Cisco box does have a file system, and it is accessible via scp. Quote from the Fine Manual ("Cisco IOS Security Configuration Guide, Release 12.4", chapter "Secure Copy",

formatting link
"Relying on SSH for security, SCP support allows the secure and authenticated copying of anything that exists in the Cisco IOS File Systems."

The reason the scp command above didn't work is simply that ".ssh/authorized_keys" is not a valid file name in IOS. The IOS file system contains the software images in flash, pseudo files like "startup-config" and "running-config", and more. For an introduction, see the document "Using the Cisco IOS Integrated File System", to be found at

formatting link
These can be transferred from and to the box via tftp, ftp, rcp, or scp, should you feel the need.

But again, all this is beside the point. Even if you somehow stored your SSH public key in the Cisco IOS file system (no matter whether in flash, NVRAM, RAM, or somewhere in the config), that wouldn't achieve anything, because the SSH implementation in IOS just won't use it. This too can be found in the Fine Manual, chapter "Configuring Secure Shell" this time

formatting link
has the following to say, under the aptly named heading "Restrictions":

"RSA authentication available in SSH clients is not supported in the SSH server for Cisco IOS software."

Sad, but true. And no change in sight.

HTH T.

Reply to
Tilman Schmidt
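Added example, not part of the thread and not Cisco's or any poster's code: given the restriction quoted above (the IOS SSH server only takes password authentication), the practical way to automate the login in the original question is to script the password prompt rather than fight for key-based auth. The expect script below assumes the router name is passed as the first argument, that the credentials are supplied in the environment variables ROUTER_USER, ROUTER_PASS and ROUTER_ENABLE (all assumed names), and that the router's host key is already in known_hosts so a changed or unknown key aborts the run instead of being silently accepted.

```expect
#!/usr/bin/expect -f
# Added example (not from the thread): password-driven SSH login to a Cisco IOS
# router, since the IOS SSH server does not accept public-key authentication.
# Assumptions: host given as argv[0]; credentials come from the environment so
# they are neither hard-coded here nor visible in `ps` output.
set timeout 20
set host [lindex $argv 0]
if {$host eq ""} { puts stderr "usage: $argv0 <router>"; exit 2 }
set user   $env(ROUTER_USER)
set pass   $env(ROUTER_PASS)
set enpass $env(ROUTER_ENABLE)
log_user 0   ;# do not echo the session (including passwords) to stdout

# StrictHostKeyChecking=yes: refuse unknown or changed host keys instead of
# accepting a possible man-in-the-middle; the router's key must be in known_hosts.
spawn ssh -o StrictHostKeyChecking=yes -l $user $host
expect {
    -re "(P|p)assword:"          { send -- "$pass\r" }
    "Host key verification failed" { puts stderr "unknown/changed host key for $host"; exit 1 }
    timeout                      { puts stderr "no password prompt from $host"; exit 1 }
    eof                          { puts stderr "connection closed by $host"; exit 1 }
}

# IOS user-exec prompt ends in ">", privileged-exec prompt ends in "#".
# A second "Password:" here means the login password was rejected.
expect {
    -re {[\r\n][^\r\n]*>$} {
        send -- "enable\r"
        expect -re "(P|p)assword:" { send -- "$enpass\r" }
        expect {
            -re {[\r\n][^\r\n]*#$} {}
            -re "(P|p)assword:"    { puts stderr "enable password rejected on $host"; exit 1 }
            timeout                { puts stderr "no enable prompt on $host"; exit 1 }
        }
    }
    -re {[\r\n][^\r\n]*#$} {}
    -re "(P|p)assword:"    { puts stderr "login rejected for $user@$host"; exit 1 }
    timeout                { puts stderr "no prompt after login on $host"; exit 1 }
}

# Disable paging so the whole output arrives before the prompt returns.
send -- "terminal length 0\r"
expect -re {[\r\n][^\r\n]*#$}

send -- "show version\r"
expect -re {[\r\n][^\r\n]*#$}
puts $expect_out(buffer)

send -- "exit\r"
expect eof
```

Run it as `ROUTER_USER=admin ROUTER_PASS=... ROUTER_ENABLE=... ./cisco-login.exp router1`. The same skeleton drives `copy running-config tftp:` or any other command; for just pulling the configuration, the scp route described in the post above (`scp admin@router1:running-config ./router1.cfg`) is simpler once `ip scp server enable` is configured on the router, which in my experience also needs AAA login/exec authorization for a privilege-15 user. Either way the password still has to live somewhere on the automation host, so keep it in a file readable only by the account that runs the script, and prefer a dedicated low-privilege router account where the job does not need enable.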


Trash Cisco... good deal.

If it has NVRAM it has a filesystem... that doesn't necessarily mean you have access to that filesystem.

Reply to
Ivan Marsh

Um, because they wrote the ssh implementation that's used on the vast majority of non-Windows boxes?

Reply to
Chris Mattern
