Cisco Router, SSH, PubKey, ...
Intro
I stumbled across an old Cisco box in the basement. I thought I might have some fun (or frustration?) with the aging device. The hardware still works fine, right? And what about the software? Let's give it a try!
Hardware
show version
Cisco 1841 (revision 7.0) with 352256K/40960K bytes of memory.
Processor board ID FCZ1234757Y
6 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
125184K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
Software
dir flash
System image file is "flash:c1841-adventerprisek9-mz.151-4.M10.bin"
System image file is "flash:c1841-advipservicesk9-mz.124-25g.bin"
Factory Reset
r112#wr erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
r112#reload
Jan 2 12:10:07.427: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]
Jan 2 12:10:17.603: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
PLD version 0x10
GIO ASIC version 0x127
c1841 platform with 393216 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled
Settings
do some basic settings
conf t
no ip domain lookup
hostname router-template
line con 0
logging synchronous
line vty 0 15
logging synchronous
end
DNS
configure dns
conf t
ip name-server 9.9.9.9
ip domain lookup
end
ping 9.9.9.9
ping www.google.com
NTP
add two NTP servers
conf t
ntp server time.metas.ch prefer
ntp server 0.ch.pool.ntp.org
end
Time Zone
set the right timezone …
conf t
clock timezone CET +1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
end
Logging
configure logging correctly
conf t
service timestamps log datetime localtime show-timezone
logging console errors
logging buffered 64000
end
Security
encrypt password / set enable password
conf t
service password-encryption
enable secret XxXxXxXxXxXxX
end
Enable SSH
remove old key
conf t
crypto key zeroize rsa
end
2k Keylength
conf t
crypto key generate rsa modulus 2048
end
… or go with 4k …
4k Keylength -> this is gonna take a while (5 min) depending on your hardware!
conf t
crypto key generate rsa modulus 4096
end
configure SSH
conf t
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
username cisco privilege 15 password xXxXxXxXxXxXx
line vty 0 15
transport input ssh
login local
end
Test ssh
ssh -l cisco 192.168.5.209
user@nixbox$ ssh -l cisco 192.168.5.209
(cisco@192.168.5.209) Password:
router-template#
-> success!
SSH Keygen on *nix Machine
I mostly use ed25519 keys on my boxes, so there is no RSA key at the moment.
RSA Key, 2048 Bit
ssh-keygen -t rsa -b 2048
user@nixhost$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa
Your public key has been saved in /home/user/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:cfLCL3kZCJaodgAA9TTpnN/O2BkYjw6exvXU7px96eg user@nixhost
The key's randomart image is:
+---[RSA 2048]----+
|*.. o. |
| . o.o . |
| .oo.+ o . |
| o+..o * |
| o .. *S.o |
| . .. = =+.o |
| o = Bo++ . |
| = o *+.o .o |
| . .+.Eo. |
+----[SHA256]-----+
Format KeyString
The Cisco box needs the key with a special line length. There is no chance to copy/paste the public key in just one line (thanks for that, Cisco).
cat ~/.ssh/id_rsa.pub |cut -d" " -f 2 |fold -b -w 64
user@nixbox$ cat ~/.ssh/id_rsa.pub |cut -d" " -f 2 |fold -b -w 64
AAAAB3NzaC1yc2EAAAADAQABAAABAQC8UxE839WIIXVlwqn/X6NrRMoesuQMYozS
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Add Pubkey to Router
create a user called “user” and add the public key like this
conf t
ip ssh pubkey-chain
username user
key-string
AAAAB3NzaC1yc2EAAAADAQABAAABAQC8UxE839WIIXVlwqn/X6NrRMoesuQMYozS
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
exit
exit
exit
exit
Confirm Pubkey
confirm that your key got installed correctly …
show running-config | section pubkey
router-template#show running-config | section pubkey
ip ssh pubkey-chain
username user
key-hash ssh-rsa 80ADCCB62636783A0A6B5E1E28F23CE0
quit
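As an added example (not code from the post, from Cisco or from OpenSSH), the script below does in one place what the `cut | fold` pipeline and the `show running-config | section pubkey` check do together: it folds the base64 blob to 64 columns, emits the pubkey-chain block, rejects anything that is not an ssh-rsa key (the type the key-hash line shows), and computes the MD5 of the decoded blob, which is the value IOS displays as `key-hash ssh-rsa <hex>` (and what `ssh-keygen -E md5 -lf` prints, minus the colons). The key it is fed is constructed for the demo, not a real key; the `user` username is taken from the post.

```python
import base64
import hashlib
import struct

COLS = 64  # line length used for the router's key-string, like `fold -w 64`

def ssh_wire_fields(blob: bytes) -> list:
    """Split an SSH public key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated key blob")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off:off + length])
        off += length
    return fields

def cisco_pubkey_chain(pubkey_line: str, username: str):
    """Return (ios_config, key_hash, modulus_bits) for one 'ssh-rsa AAAA... comment' line.
    key_hash is the MD5 of the decoded blob: what IOS shows as 'key-hash ssh-rsa <hex>'
    and what `ssh-keygen -E md5 -lf` prints, without the colons."""
    ktype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64, validate=True)
    fields = ssh_wire_fields(blob)
    # pubkey-chain expects an RSA key: type string, mpint e, mpint n
    if ktype != "ssh-rsa" or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {ktype}")
    modulus_bits = int.from_bytes(fields[2], "big").bit_length()
    key_hash = hashlib.md5(blob).hexdigest().upper()
    folded = [b64[i:i + COLS] for i in range(0, len(b64), COLS)]
    config = "\n".join(["ip ssh pubkey-chain", f" username {username}", "  key-string",
                        *("   " + chunk for chunk in folded), "  exit", " exit", "exit"])
    return config, key_hash, modulus_bits

def constructed_test_key() -> str:
    """A synthetic 2048-bit ssh-rsa line, constructed here (not the post's key)."""
    e = (65537).to_bytes(3, "big")
    n = (1 << 2047 | 0x1234).to_bytes(256, "big")
    n = b"\x00" + n  # mpint: top bit set, so a leading zero byte is required
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (b"ssh-rsa", e, n))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " user@nixbox"

if __name__ == "__main__":
    cfg, kh, bits = cisco_pubkey_chain(constructed_test_key(), "user")
    print(cfg)
    print(f"! expect on the router: key-hash ssh-rsa {kh}  ({bits}-bit modulus)")
```

Feed it the real `~/.ssh/id_rsa.pub` line instead of the constructed key and compare the printed hash with the `key-hash` line the router shows.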
Login with Key Only
And try to log in with the key only. Unfortunately that does not work as expected …
ssh -o PreferredAuthentications=pubkey -o KexAlgorithms=+diffie-hellman-group-exchange-sha1 -o HostKeyAlgorithms=+ssh-rsa -c aes128-cbc -l user 192.168.5.209
-> the router only supports really old crypto ciphers, so we have to downgrade and update our ssh config file :(
update .ssh/config
cat << 'EOF' >> ~/.ssh/config
Host 192.168.5.209
KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-rsa
Ciphers +aes128-cbc
EOF
user@nixbox$ ssh -l user 192.168.5.209
user@192.168.5.209: Permission denied (publickey,keyboard-interactive,password).
I enabled “debug ip ssh” and got some weird debug messages on the Cisco box. Couldn't find a solution on Google & friends :(
weird debug message
SSH0: Session disconnected - error 0x00
Upgrade/Downgrade IOS Image
Let’s switch to another IOS Image …
The first approach is to copy the image from the Unix box to the router. I'd prefer SSH/SCP over the legacy TFTP/FTP stuff.
enable scp server on the router
conf t
ip scp server enable
end
push the Image to the Router
scp ~/c181x-adventerprisek9-mz.151-4.M12a.bin [email protected]:c181x-adventerprisek9-mz.151-4.M12a.bin
-> not successful. Couldn't copy the “old” image from my Unix box to the router via scp :(
Second try: pull the image from the router, also with scp!
update /etc/ssh/sshd_config on the Unix box
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes128-cbc,3des-cbc
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKeyAlgorithms ssh-ed25519,[email protected],[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-rsa
and restart the ssh daemon
rcctl restart sshd
ssh from router to server
router-template#ssh -l user 192.168.5.1
Password:
Last login: Tue Jul 26 20:41:16 2022 from 192.168.5.209
OpenBSD 7.1 (GENERIC.MP) #3: Sun May 15 10:27:01 MDT 2022
-> ssh login works from the router
try to copy from the server to router
user@nixbox$ ll /home/user/c181x-adventerprisek9-mz.151-4.M12a.bin
-rw-r--r-- 1 user user 30583572 Jul 26 20:32 /home/user/c181x-adventerprisek9-mz.151-4.M12a.bin
router-template#copy scp://user@192.168.5.1:/c181x-adventerprisek9-mz.151-4.M12a.bin flash:/c181x-adventerprisek9-mz.151-4.M12a.bin
Destination filename [c181x-adventerprisek9-mz.151-4.M12a.bin]?
Password:
scp: debug1: fd 3 clearing O_NONBLOCK
Sending file modes: C0644 30583572 c181x-adventerprisek9-mz.151-4.M12a.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-> this seems to work and needs a few minutes …
set Boot Variable
conf t
boot system flash:c181x-adventerprisek9-mz.151-4.M12a.bin
end
wr
reload
… and the router stops in rommon :(
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
PLD version 0x10
GIO ASIC version 0x127
c1841 platform with 393216 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled
Readonly ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80
loadprog: error - Invalid image for platform
e_machine = 147, cpu_type = 134
boot: cannot load "flash:"
-> Invalid image for platform
let's boot the previous image (always keep more than one image on the flash if possible!)
boot flash:c1841-adventerprisek9-mz.151-4.M10.bin
Try again with 12.4
another try with an Image for the 1841, v12.4-25G
copy scp://user@192.168.5.1:/c1841-advipservicesk9-mz.124-25g.bin flash:/c1841-advipservicesk9-mz.124-25g.bin
conf t
no boot system
boot system flash c1841-advipservicesk9-mz.124-25g.bin
end
wr
show flash content
router-template#dir flash:
Directory of flash:/
2 -rw- 47454756 Jun 7 2015 14:07:44 +02:00 c1841-adventerprisek9-mz.151-4.M10.bin
3 -rw- 2732032 Jul 26 2022 21:16:26 +02:00 c1841-advipservicesk9-mz.124-25g.bin
Downgrade of the software aborted … Version 12.4 handles SSH & cryptography kind of differently. Not interested in going another step back in history …
Summary
So, it was quite interesting to see how many “botches, workarounds and downgrades” need to be implemented, and I still was not able to log in with SSH & pubkey to my old router box. I think I should give it away to someone who wants to learn and get his hands dirty.
Follow-Up with AAA
Got some support from a nice Cisco guy and tried a few things …
conf t
crypto key generate rsa usage-keys label router-key
aaa new-model
aaa authentication login default local
aaa authorization exec default local if-authenticated
end
Error Messages on the Router …
router-template#
Jul 29 08:47:30.671: SSH0: starting SSH control process
Jul 29 08:47:30.671: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
Jul 29 08:47:30.675: SSH0: protocol version id is - SSH-2.0-OpenSSH_9.0
Jul 29 08:47:30.679: SSH2 0: SSH2_MSG_KEXINIT sent
Jul 29 08:47:30.683: SSH2 0: SSH2_MSG_KEXINIT received
Jul 29 08:47:30.683: SSH2:kex: client->server enc:aes128-cbc mac:hmac-sha1
Jul 29 08:47:30.683: SSH2:kex: server->client enc:aes128-cbc mac:hmac-sha1
Jul 29 08:47:30.879: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
Jul 29 08:47:30.879: SSH2 0: Range sent by client is - 2048 < 4096 < 8192
Jul 29 08:47:30.879: SSH2 0: Modulus size established : 4096 bits
Jul 29 08:47:31.499: SSH2 0: expecting SSH2_MSG_KEX_DH_GEX_INIT
Jul 29 08:47:31.503: SSH2 0: SSH2_MSG_KEXDH_INIT received
Jul 29 08:47:33.050: SSH2: kex_derive_keys complete
Jul 29 08:47:33.050: SSH2 0: SSH2_MSG_NEWKEYS sent
Jul 29 08:47:33.050: SSH2 0: waiting for SSH2_MSG_NEWKEYS
Jul 29 08:47:33.082: SSH2 0: SSH2_MSG_NEWKEYS received
Jul 29 08:47:33.286: SSH2 0: Using method = none
Jul 29 08:47:33.290: SSH2 0: SSH ERROR closing the connection
Jul 29 08:47:33.390: SSH0: Session disconnected - error 0x00
stupid double fault :(
Oh man … what a stupid error. User “user” must also exist on the router. And OpenBSD is still not able to log in. A standard Debian box is doing fine …
add user ‘user’
conf t
username user privilege 15 password xXxXxXxXxXxXx
end
OpenBSD SSH Debug
OpenBSD still refuses to work, so some more investigation is needed.
ssh -vvv
debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: .ssh/id_rsa RSA SHA256:wbJ/kzgZ5jpAGo56/f4MMsqUO3IgBc1o8l1X7UwEx90 explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Offering public key: .ssh/id_rsa RSA SHA256:wbJ/kzgZ5jpAGo56/f4MMsqUO3IgBc1o8l1X7UwEx90 explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: keyboard-interactive
(user@192.168.5.209) Password:
send_pubkey_test: no mutual signature algorithm
SSH FIXED !
finally did it …
cat << 'EOF' >> .ssh/config
Host 192.168.5.209
KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-rsa
Ciphers +aes128-cbc
MACs +hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
PubkeyAcceptedKeyTypes +ssh-rsa
EOF
-> PubkeyAcceptedKeyTypes +ssh-rsa was the missing line …
Best to add this part to the /etc/ssh_config, so it will be valid for all upcoming SSH sessions.
OK, at least it's fixed and documented. For me or for someone else ;)
Any comments?