From: Richard B. Gilbert on 19 Apr 2008 17:51

Ivan Marsh wrote:
> On Fri, 18 Apr 2008 18:04:29 -0400, Richard B. Gilbert wrote:
>
>> Dave Uhring wrote:
>>> On Fri, 18 Apr 2008 18:58:31 +0000, Greg Andrews wrote:
>>>> Dave Uhring <daveuhring(a)yahoo.com> writes:
>>>>> You are quite right. Cisco is certainly entitled to break generally
>>>>> accepted protocols.
>>>>>
>>>> Perhaps you and I are talking about different things. I would agree
>>>> that a previous poster's description of scp failure is a bad thing.
>>>> However, I've been talking about the storage of a public key. Which
>>>> part of the SSH protocol says that public key storage must be in a
>>>> file in a filesystem?
>>> If not in a file then where? RFC4252 states that public key
>>> authentication is *required* in any SSH implementation and that key
>>> must be kept someplace.
>>>
>>> I suppose that Cisco could, at least theoretically, keep the public key
>>> stored in a condom attached to an RJ45 port :
>
>> The last time I looked, routers did not come equipped with disk drives!
>> No file system! Or, at least, none in the usual sense of the
>> expression. It does have flash PROM, NVRAM, or some reasonable
>> facsimile where it can store things like passwords and public or private
>> keys, configuration info, etc. I think floppy disks have more storage!!
>
> My routers have considerably more storage space than a floppy.
>
> PCMCIA Filesystem Compatibility Matrix and Filesystem Information
> http://www.cisco.com/en/US/products/hw/routers/ps341/products_tech_note09186a00800a7515.shtml
>

Checking the link shows that Cisco uses the expression "file systems" in discussing their routers.

Prices being what they are, the ONLY Cisco router that I have any experience with is a CMP2A. It appears to have been designed for broadband cable on the WAN side and Ethernet on the LAN side. I salvaged it from a trash can. I have been unable to find ANY documentation for this beast.

I found some general instructions for "password recovery" that allowed me to break into it. I haven't seen anything resembling a "file system" on this one but perhaps I just don't know what to look for!
From: Tilman Schmidt on 20 Apr 2008 13:26

Dave Uhring wrote:
> On Sat, 19 Apr 2008 19:16:07 +0200, Tilman Schmidt wrote:
>> Dave Uhring wrote:
>
>>> LOL! The authors of RFC4252, The Secure Shell (SSH) Authentication
>>> Protocol, which *mandates* public key authentication are T. Ylonen of SSH
>>> Communications Security Corp and C. Lonvick, Ed. of Cisco Systems, Inc.
>
>> OTOH, RFC4252 is only a bit over two years old, so perhaps there's still
>> hope.
>
> Curiously neither Theo deRaadt's name nor any other name from the OpenBSD
> project appears in those documents.

Not sure why the OpenBSD team should be particularly predestined to participate in the standardisation of ssh?

> Is this another OOXML-like attempt at
> establishing a single provider standard?

The hallmark of a good conspiracy theory is that it can be neither proved nor disproved.

HTH
T.
From: Dave Uhring on 20 Apr 2008 13:54

On Sun, 20 Apr 2008 19:26:50 +0200, Tilman Schmidt wrote:
> Dave Uhring wrote:
>> Curiously neither Theo deRaadt's name nor any other name from the OpenBSD
>> project appears in those documents.
>
> Not sure why the OpenBSD team should be particularly predestined to
> participate in the standardisation of ssh?

Arguably, their version of ssh is the one most widely adopted, particularly in the Linux and BSD distributions. Solaris itself uses a slightly modified version of OpenBSD's ssh.

[duhring(a)einstein ~]$ what /usr/lib/ssh/sshd | grep OpenBSD | wc -l
61
From: BertieBigBollox on 21 Apr 2008 04:10

On Apr 18, 4:38 pm, Tilman Schmidt <ts-usenet0...(a)pxnet.com> wrote:
> Dave Uhring wrote:
>
>> On Fri, 18 Apr 2008 02:16:35 -0700, BertieBigBol...(a)gmail.com wrote:
>
>>> Just noticed - this isn't going to work, is it? You need to send the
>>> authorised key to the router in question.
>
>>> The router in question is a cisco device, so I don't know how to do
>>> this...
>
>> If you can ssh into the router you can use scp to send the key.
>
> Heh, no. Not if the router runs something non-unixoid like, say ... Cisco IOS.
> See:
>
> ts(a)r2d2:~> ssh gw1 show session
> ts(a)gw1's password:
> % No connections opents(a)r2d2:~>
> ts(a)r2d2:~> scp ~/.ssh/id_dsa.pub gw1:.ssh/authorized_keys
> ts(a)gw1's password:
>
> ts(a)r2d2:~> ssh gw1 show session
> ts(a)gw1's password:
> % No connections opents(a)r2d2:~>
>
> The scp command does nothing, it just terminates immediately (as can be seen
> from the lack of the progress line), and the router still asks for my
> password afterwards.

Yes, my point exactly. The Cisco box does not have a file system to SCP a file to anyway? It's not UNIX or anything similar - it's Cisco IOS....
From: BertieBigBollox on 21 Apr 2008 05:06

On Apr 19, 3:04 am, Tilman Schmidt <ts-usenet0...(a)pxnet.com> wrote:
> Greg Andrews wrote:
>
>> Cisco very likely has a method to store the public key for an account
>> to allow non-password logins. It's probably not adding the key text
>> to a file in a subdirectory, but something else.
>
> Sorry to disappoint you but no. Cisco does not support public key
> authentication for ssh, period.
>
>> Has anyone consulted the Cisco documentation yet? (I don't have them
>> in front of me at the moment)
>
> Yes, indeed I have.

OK. That's that then....
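The thread ends on the question of whether a given SSH server (here a Cisco IOS router) accepts public-key authentication at all. There is a client-side way to settle that for any server without guessing: when an OpenSSH client offers no usable authentication method, the server rejects it and the client prints the server's accepted methods in its "Permission denied (method1,method2,...)." message. The script below is an added example, not code from any poster in this thread; it assumes an OpenSSH client, and the host name `gw1` and the sample output lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: find out which SSH authentication methods a server offers,
# without authenticating. Assumes an OpenSSH client ("Permission denied (...)"
# is its message format). Host name gw1 is a constructed placeholder.

# parse_auth_methods: read OpenSSH client output on stdin and print the
# server-offered methods one per line. Prints nothing if no denial line was
# seen (connection refused, host key problem, timeout), so an empty result
# means "unknown", not "no methods".
parse_auth_methods() {
  sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | tr ',' '\n'
}

# offers_publickey: exit 0 if the client output on stdin shows that the
# server accepts the "publickey" method, non-zero otherwise.
offers_publickey() {
  parse_auth_methods | grep -qx 'publickey'
}

# probe_auth_methods HOST: connect offering no method and print what the
# server accepts. BatchMode=yes stops ssh from prompting for a password;
# PreferredAuthentications=none makes the server reject us straight away,
# which is exactly the message we want to parse.
probe_auth_methods() {
  ssh -o BatchMode=yes -o PreferredAuthentications=none \
      -o PubkeyAuthentication=no -o ConnectTimeout=5 "$1" 2>&1 \
    | parse_auth_methods
}

# Usage, against a real host (gw1 is a constructed name):
#   if probe_auth_methods gw1 | grep -qx publickey; then
#     echo "gw1 offers publickey authentication"
#   else
#     echo "gw1 offers only: $(probe_auth_methods gw1 | tr '\n' ' ')"
#   fi
```

The method list comes from the server's own SSH_MSG_USERAUTH_FAILURE reply, so a router that only lists `password` or `keyboard-interactive` will not accept a key no matter where the client tries to copy it; a server that lists `publickey` may still need the key installed by whatever mechanism its documentation describes.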