5 Replies Latest reply: Feb 15, 2018 7:40 AM by Eduard Gheorghiu

    Cannot import public key into IOS-XRv 9k 6.0.1

    jean-christophe manciot - CCDP

      RP/0/RP0/CPU0:IOS_XRv_9k_1#sh ver
      Mon Jul 24 16:41:56.923 UTC

      Cisco IOS XR Software, Version 6.0.1
      Copyright (c) 2013-2016 by Cisco Systems, Inc.

      Build Information:
      Built By     : ahoang
      Built On     : Mon May  9 04:50:51 PDT 2016
      Build Host   : iox-ucs-021
      Workspace    : /auto/srcarchive16/production/6.0.1/xrv9k/workspace
      Version      : 6.0.1
      Location     : /opt/cisco/XR/packages/

      cisco IOS-XRv 9000 () processor 
      System uptime is 1 hour, 49 minutes

      RP/0/RP0/CPU0:IOS_XRv_9k_1#crypto key import authentication rsa ?
        WORD  Path to RSA pubkey file

      RP/0/RP0/CPU0:IOS_XRv_9k_1#crypto key import authentication rsa admin_rsakey.pub
      Mon Jul 24 16:39:14.269 UTC
      Cannot execute the command : Invalid argument

      RP/0/RP0/CPU0:IOS_XRv_9k_1#more admin_rsakey.pub                               
      Mon Jul 24 16:40:08.757 UTC
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuOOmfdA2B/U6fBVHnHy5aF0pXiGvnais1q2z6woPB8xKgK/hlSlZeI7Axm/Tg1iuIPi69oSoxdYSijp5RRyjtp3YwXDC2+G7n90MEn7fqxB5eihfX+Y7UF/ifJFQGWdD22JKMJxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx root@SAMSUNG-Ubuntu


      Same issue with 2048 and 4096 RSA public keys.

        • 1. Re: Cannot import public key into IOS-XRv 9k 6.0.1
          Mark Holm - 3xCCIE #34763/CCDE #20160020

          Hi Jean-Christophe,

          There are two reasons for this.

          First of all, IOS XR doesn't support standard formatted OpenSSH keys, so you need to convert them with a one liner. You can do this on the box itself by starting a bash shell - the default working directory (disk0:) is in /misc/scratch:

          RP/0/RP0/CPU0:XRv1#bash
          Tue Jul 25 12:08:01.129 UTC
          
          [xr-vm_node0_RP0_CPU0:~]$cd /misc/scratch
          [xr-vm_node0_RP0_CPU0:/misc/scratch]$ls -l
          total 92
          drwx------ 2 root root  4096 Jul 25 11:10 clihistory
          lrwxrwxrwx 1 root root    12 Jul 25 11:09 config -> /misc/config
          drwxr-xr-x 2 root root  4096 Jul 25 11:09 core
          drwxr-xr-x 2 root root  4096 Jul 25 11:10 crypto
          -rw-r--r-- 1 root root   730 Jul 25 11:48 id.rsa
          drwx------ 2 root root 16384 Jul 25 11:09 lost+found
          drwxr-xr-x 2 root root  4096 Jul 25 12:05 nvgen_traces
          -rw-r--r-- 1 root root  1599 Jul 25 11:11 status_file
          -rw-r--r-- 1 root root 34829 Jul 25 11:15 tpa.log
          drwxr-xr-x 7 root root  4096 Jul 25 11:11 ztp
          [xr-vm_node0_RP0_CPU0:/misc/scratch]$cut -d" " -f2 id.rsa | base64 -d > id.rsa.b64
          [xr-vm_node0_RP0_CPU0:/misc/scratch]$ls -l
          total 88
          drwx------ 2 root root  4096 Jul 25 11:10 clihistory
          lrwxrwxrwx 1 root root    12 Jul 25 11:09 config -> /misc/config
          drwxr-xr-x 2 root root  4096 Jul 25 11:09 core
          drwxr-xr-x 2 root root  4096 Jul 25 11:10 crypto
          -rw-r--r-- 1 root root   730 Jul 25 11:48 id.rsa
          -rw-r--r-- 1 root root   535 Jul 25 12:08 id.rsa.b64
          drwx------ 2 root root 16384 Jul 25 11:09 lost+found
          drwxr-xr-x 2 root root  4096 Jul 25 12:05 nvgen_traces
          -rw-r--r-- 1 root root  1599 Jul 25 11:11 status_file
          -rw-r--r-- 1 root root 34829 Jul 25 11:15 tpa.log
          drwxr-xr-x 7 root root  4096 Jul 25 11:11 ztp
          [xr-vm_node0_RP0_CPU0:/misc/scratch]$logout
          
          RP/0/RP0/CPU0:XRv1#dir
          Tue Jul 25 12:09:09.492 UTC
          
          Directory of /misc/scratch
          8179 drwxr-xr-x 7  4096 Jul 25 11:11 ztp
             12 drwxr-xr-x 2  4096 Jul 25 11:09 core
          8177 drwx------ 2  4096 Jul 25 11:10 clihistory
          16353 drwxr-xr-x 2  4096 Jul 25 12:05 nvgen_traces
             26 -rw-r--r-- 1   775 Jul 25 11:55 id_fixed.pub
             11 drwx------ 2 16384 Jul 25 11:09 lost+found
             13 lrwxrwxrwx 1    12 Jul 25 11:09 config -> /misc/config
             14 -rw-r--r-- 1  1599 Jul 25 11:11 status_file
             17 -rw-r--r-- 1 34829 Jul 25 11:15 tpa.log
          8178 drwxr-xr-x 2  4096 Jul 25 11:10 crypto
             33 -rw-r--r-- 1   535 Jul 25 12:08 id.rsa.b64
             32 -rw-r--r-- 1   523 Jul 25 11:48 .id.rsa.un~
             31 -rw-r--r-- 1   730 Jul 25 11:48 id.rsa
          
          1012660 kbytes total (942432 kbytes free)
          RP/0/RP0/CPU0:XRv1#

          Next, you need to import the base64 decoded version. However, there's a quirk here too:

          RP/0/RP0/CPU0:XRv1#crypto key import authentication rsa id.rsa.b64
          Tue Jul 25 12:11:19.960 UTC
          Cannot execute the command : Invalid argument
          RP/0/RP0/CPU0:XRv1#crypto key import authentication rsa disk0:/id.rsa.b64
          Tue Jul 25 12:11:29.304 UTC
          RP/0/RP0/CPU0:XRv1#
          RP/0/RP0/CPU0:XRv1#show crypto key authentication rsa
          Tue Jul 25 12:11:40.950 UTC
          Key label: admin
          Type     : RSA public key authentication
          Size     : 4096
          Imported : 12:11:29 UTC Tue Jul 25 2017
          Data     :
          <key data omitted>
                   
          RP/0/RP0/CPU0:XRv1#

          If you don't specify the location of the file (disk0:/), the command fails (likely because the parser in the background can't figure out what to do).

          Note, I did this with 6.1.2, but I assume the process is the same on 6.0.1.
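As an added example (not code from the thread, from Cisco, or from either poster), the Python below does what the `cut -d" " -f2 id.rsa | base64 -d` one-liner above does, but validates the RFC 4253 ssh-rsa wire format first and reports the modulus size before anything is copied to disk0:/. The key-builder exists only to construct test keys, and the `max_bits` default is an assumption taken from the 6.0.1 report in this thread, not a documented platform limit; a 2048-bit key with e=65537 decodes to a 279-byte blob, which is the `blen 279` the ssh -v output later in the thread shows.

```python
import base64
import struct

def _string(data: bytes) -> bytes:
    # RFC 4251 'string': uint32 big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

def _mpint(value: int) -> bytes:
    # RFC 4251 'mpint' (positive): add a 0x00 lead byte if the top bit is set
    return _string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, offset: int) -> tuple:
    # Read one 'string' at offset; return (bytes, next offset) or fail loudly
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    end = offset + 4 + struct.unpack(">I", blob[offset:offset + 4])[0]
    if end > len(blob):
        raise ValueError("string runs past end of key blob")
    return blob[offset + 4:end], end

def build_openssh_rsa_line(e: int, n: int, comment: str = "") -> str:
    # Assemble 'ssh-rsa <base64> [comment]' (used here for constructed test keys)
    b64 = base64.b64encode(_string(b"ssh-rsa") + _mpint(e) + _mpint(n)).decode()
    return f"ssh-rsa {b64} {comment}".rstrip()

def parse_openssh_rsa_line(line: str) -> dict:
    # Decode field 2 (exactly what 'base64 -d' writes) and validate the wire
    # format: string 'ssh-rsa', mpint e, mpint n, nothing trailing
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("wire-format key type does not match text key type")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    n = int.from_bytes(n_bytes, "big")
    return {"blob": blob, "e": int.from_bytes(e_bytes, "big"), "n": n,
            "bits": n.bit_length(), "comment": " ".join(fields[2:])}

def xr_import_blob(line: str, max_bits: int = 2048) -> bytes:
    # Bytes to place on disk0:/ for 'crypto key import'; the default limit is
    # an assumption from the 6.0.1 report in the thread, not a documented rule
    key = parse_openssh_rsa_line(line)
    if key["bits"] > max_bits:
        raise ValueError(f"{key['bits']}-bit modulus exceeds {max_bits}")
    return key["blob"]
```

The comment field (for example `root@SAMSUNG-Ubuntu`) is not part of the blob, so nothing in it reaches the router; only the key type, exponent and modulus are imported.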

          • 2. Re: Cannot import public key into IOS-XRv 9k 6.0.1
            jean-christophe manciot - CCDP

            Thanks.

            I have a few comments:

            • using the name id_rsa.pub would closely match the common practice: id_rsa is the usual default name of the private key on Linux
            • as you said, "the default working directory (disk0:) is in /misc/scratch", so it shouldn't be necessary to mention it again during the import, although it does not work if it's not specified.
            • IOS-XR 9k 6.0.1 does not support public RSA keys of 4096 bits.
            • on IOS-XR (non 9k), the public key import is linked to a username, which seems a better practice and matches the usual & safer Linux practice.
            • both OS are based on Linux, for which importing a .pub SSH key is as simple as adding it to the user's ~/.ssh/authorized_keys file. Both OS should thus accept the common .pub format and do their own internal conversion. Same remark regarding the device output key which appears as a base16 format with "show crypto key mypubkey rsa".
            • Same remarks regarding IOS, IOS-XE OS & ASA which need another conversion type (from binary DER format --> SSH2 format).
            • in 2015, the new CEO of Cisco Chuck Robbins said that one of its goals was to simplify everything: here's one of many opportunities to deliver ;-)
            • It shouldn't be too difficult to implement: NX-OS & NX-OS 9k already accept .pub key import and also export the device key in .pub format.
            • If only there was some synergy between the different Cisco BUs...
            • 3. Re: Cannot import public key into IOS-XRv 9k 6.0.1
              Mark Holm - 3xCCIE #34763/CCDE #20160020

              I absolutely do agree with you. It's really a lot of work to get something as simple as SSH pubkey authentication to work - especially when the XRv runs OpenSSH, which is almost the de facto standard.

              • on IOS-XR (non 9k), the public key import is linked to a username, which seems a better practice and matches the usual & safer Linux practice.

              It seems the key is imported and associated to the user who performed the command, unlike the standard IOS-XR, which as you said requires the keys to be imported globally and then manually associated to a specific user.

              • 4. Re: Cannot import public key into IOS-XRv 9k 6.0.1
                jean-christophe manciot - CCDP

                Unfortunately, for some undisclosed reason, I am unable to ssh into the VIRL IOS-XRv 9k 6.0.1 device whereas the user's key is accepted by the server:

                RP/0/RP0/CPU0:IOS_XRv_9k_1#show crypto key authentication rsa
                Wed Jul 26 10:53:36.915 UTC
                Key label: admin
                Type     : RSA public key authentication
                Size     : 2048
                Imported : 10:30:28 UTC Wed Jul 26 2017
                Data     : 
                30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
                ..


                # ssh -v -o IdentitiesOnly=yes -o KexAlgorithms=diffie-hellman-group1-sha1 -F /dev/null -i ~/.ssh/id_rsa admin@172.21.101.229
                OpenSSH_7.4p1 Ubuntu-10, OpenSSL 1.0.2k  26 Jan 2017
                debug1: Reading configuration data /dev/null
                debug1: Connecting to 172.21.101.229 [172.21.101.229] port 22.
                debug1: Connection established.
                debug1: permanently_set_uid: 0/0
                debug1: identity file /root/.ssh/id_rsa type 1
                debug1: key_load_public: No such file or directory
                debug1: identity file /root/.ssh/id_rsa-cert type -1
                debug1: Enabling compatibility mode for protocol 2.0
                debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Ubuntu-10
                debug1: Remote protocol version 2.0, remote software version Cisco-2.0
                debug1: no match: Cisco-2.0
                debug1: Authenticating to 172.21.101.229:22 as 'admin'
                debug1: SSH2_MSG_KEXINIT sent
                debug1: SSH2_MSG_KEXINIT received
                debug1: kex: algorithm: diffie-hellman-group1-sha1
                debug1: kex: host key algorithm: ssh-rsa
                debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
                debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
                debug1: sending SSH2_MSG_KEXDH_INIT
                debug1: expecting SSH2_MSG_KEXDH_REPLY
                debug1: Server host key: ssh-rsa SHA256:UGFLzJT5hmypUeH2JNKF0f04iki/1kFVVSXY7/TBtqI
                debug1: Host '172.21.101.229' is known and matches the RSA host key.
                debug1: Found key in /root/.ssh/known_hosts:38
                debug1: rekey after 4294967296 blocks
                debug1: SSH2_MSG_NEWKEYS sent
                debug1: expecting SSH2_MSG_NEWKEYS
                debug1: SSH2_MSG_NEWKEYS received
                debug1: rekey after 4294967296 blocks
                debug1: SSH2_MSG_SERVICE_ACCEPT received
                debug1: Authentications that can continue: password,publickey
                debug1: Next authentication method: publickey
                debug1: Offering RSA public key: /root/.ssh/id_rsa
                debug1: Server accepts key: pkalg ssh-rsa blen 279
                Authentication failed.

                On the target side, the "debug ssh server" has no effect.

                • 5. Re: Cannot import public key into IOS-XRv 9k 6.0.1
                  Eduard Gheorghiu

                  Hello Jean-Christophe,

                  I had the same issue as you do and I discovered that I was trying to ssh from a Linux host being authenticated as a user and trying to access the XR using a different user.

                  As it seems also in your case, you are authenticated as root and try to access the XR with user admin.

                  Hope this helps,

                  Eduard