If not in a file then where? RFC4252 states that public key authentication is *required* in any SSH implementation and that key must be kept someplace.
I suppose that Cisco could, at least theoretically, keep the public key stored in a condom attached to an RJ45 port : >
The last time I looked, routers did not come equipped with disk drives! No file system! Or, at least, none in the usual sense of the expression. It does have flash PROM, NVRAM, or some reasonable facsimile where it can store things like passwords and public or private keys, configuration info, etc. I think floppy disks have more storage!!
In a database, for example. As long as the ssh server code can retrieve the key when needed, I don't see where the protocol cares what form the key storage takes.
I'm not saying that would be a *good* place to store a private key, just that one could be stored there, and it wouldn't be updatable by merely uploading a file.
LOL! The authors of RFC4252, The Secure Shell (SSH) Authentication Protocol, which *mandates* public key authentication, are T. Ylonen of SSH Communications Security Corp and C. Lonvick, Ed. of Cisco Systems, Inc.
Even back in the 10baseT days Cisco routers had nvram to which configs could be saved, plenty of room for keys if they couldn't be stored in the running-config for some reason.
Yes. Sad, isn't it? One of my most longstanding gripes with Cisco. But technically they do not claim conformance with that RFC, so you can't sue them for it.
OTOH, RFC4252 is only a bit over two years old, so perhaps there's still hope.
Curiously, neither Theo de Raadt's name nor any other name from the OpenBSD project appears in those documents. Is this another OOXML-like attempt at establishing a single-provider standard?
Checking the link shows that Cisco uses the expression "file systems" in discussing their routers. Prices being what they are, the ONLY Cisco router that I have any experience with is a CMP2A. It appears to have been designed for broadband cable on the WAN side and Ethernet on the LAN side. I salvaged it from a trash can. I have been unable to find ANY documentation for this beast.
I found some general instructions for "password recovery" that allowed me to break into it. I haven't seen anything resembling a "file system" on this one but perhaps I just don't know what to look for!
Arguably, their version of ssh is the one most widely adopted, particularly in the Linux and BSD distributions. Solaris itself uses a slightly modified version of OpenBSD's ssh.
Actually, this is not true. The Cisco box does have a file system, and it is accessible via scp. Quote from the Fine Manual ("Cisco IOS Security Configuration Guide, Release 12.4", chapter "Secure Copy"):
"Relying on SSH for security, SCP support allows the secure and authenticated copying of anything that exists in the Cisco IOS File Systems."
The reason the scp command above didn't work is simply that ".ssh/authorized_keys" is not a valid file name in IOS. The IOS file system contains the software images in flash, pseudo files like "startup-config" and "running-config", and more. For an introduction, see the document "Using the Cisco IOS Integrated File System". These can be transferred from and to the box via tftp, ftp, rcp, or scp, should you feel the need.
But again, all this is beside the point. Even if you would somehow store your SSH public key in the Cisco IOS file system (no matter if flash, NVRAM, RAM, or somewhere in the config), that wouldn't achieve anything, because the SSH implementation in IOS just won't use it. This too can be found in the Fine Manual; the chapter "Configuring Secure Shell" has the following to say, under the aptly named heading "Restrictions":
"RSA authentication available in SSH clients is not supported in the SSH server for Cisco IOS software."
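An added example, not from this thread or from Cisco, of how a client learns which methods a server will actually accept: RFC 4252 section 5.1 has the server answer a failed attempt with SSH_MSG_USERAUTH_FAILURE carrying a name-list of "authentications that can continue". The payloads below are constructed, not captured from an IOS device; the first assumes a server offering only password and keyboard-interactive, as the quoted restriction implies.

```python
import struct

SSH_MSG_USERAUTH_FAILURE = 51  # message number, RFC 4252 section 5.1


def encode_name_list(names):
    """Encode an SSH name-list (RFC 4251 section 5): uint32 length, then comma-separated US-ASCII names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


def build_userauth_failure(methods, partial_success=False):
    """Build an SSH_MSG_USERAUTH_FAILURE payload: byte 51, name-list of methods, boolean partial success."""
    return (bytes([SSH_MSG_USERAUTH_FAILURE])
            + encode_name_list(methods)
            + bytes([1 if partial_success else 0]))


def parse_userauth_failure(payload):
    """Decode SSH_MSG_USERAUTH_FAILURE into (methods_that_can_continue, partial_success)."""
    if len(payload) < 6 or payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not an SSH_MSG_USERAUTH_FAILURE payload")
    (length,) = struct.unpack(">I", payload[1:5])
    if len(payload) != 1 + 4 + length + 1:
        raise ValueError("name-list length does not match payload size")
    names = payload[5:5 + length].decode("ascii")
    # An empty name-list is legal and means no method can continue.
    methods = names.split(",") if names else []
    partial = payload[5 + length] != 0  # RFC 4251 boolean: any nonzero value is TRUE
    return methods, partial


def server_offers_publickey(payload):
    """True if 'publickey' is among the methods the server says can continue."""
    methods, _ = parse_userauth_failure(payload)
    return "publickey" in methods


# Constructed samples (hypothetical, not real device captures).
PASSWORD_ONLY_FAILURE = build_userauth_failure(["password", "keyboard-interactive"])
PUBKEY_CAPABLE_FAILURE = build_userauth_failure(["publickey", "password"])

if __name__ == "__main__":
    for label, msg in (("password-only server", PASSWORD_ONLY_FAILURE),
                       ("publickey-capable server", PUBKEY_CAPABLE_FAILURE)):
        methods, partial = parse_userauth_failure(msg)
        print(label, "->", methods, "partial:", partial,
              "publickey offered:", server_offers_publickey(msg))
```

An OpenSSH client shows the same list as the parenthesised methods in its "Permission denied (...)" message, which is the quickest way to see whether a given server will ever consult a stored public key.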