From: Tilman Schmidt on
BertieBigBollox(a)gmail.com schrieb:
> On Apr 18, 4:38 pm, Tilman Schmidt <ts-usenet0...(a)pxnet.com> wrote:
[...]
>> ts(a)r2d2:~> scp ~/.ssh/id_dsa.pub gw1:.ssh/authorized_keys
>> ts(a)gw1's password:
>>
>> ts(a)r2d2:~> ssh gw1 show session
>> ts(a)gw1's password:
>> % No connections open
>> ts(a)r2d2:~>
>>
>> The scp command does nothing, it just terminates immediately (as can be seen
>> from the lack of the progress line), and the router still asks for my
>> password afterwards.
>
> Yes, my point exactly. The Cisco box does not have a file system to
> SCP a file to anyway? It's not UNIX or anything similar - it's Cisco
> IOS....

Actually, this is not true. The Cisco box does have a file system, and it is
accessible via scp. Quote from the Fine Manual ("Cisco IOS Security
Configuration Guide, Release 12.4", chapter "Secure Copy",
http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hscp.html):

"Relying on SSH for security, SCP support allows the secure and authenticated
copying of anything that exists in the Cisco IOS File Systems."

The reason the scp command above didn't work is simply that
".ssh/authorized_keys" is not a valid file name in IOS. The IOS file system
contains the software images in flash, pseudo files like "startup-config" and
"running-config", and more. For an introduction, see the document "Using the
Cisco IOS Integrated File System", to be found at
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_filesystem.html
All these can be transferred from and to the box via tftp, ftp, rcp, or scp,
should you feel the need.

But again, all this is beside the point. Even if you somehow stored your
SSH public key in the Cisco IOS file system (no matter if flash, NVRAM, RAM,
or somewhere in the config), that wouldn't achieve anything, because the SSH
implementation in IOS just won't use it. This too can be found in the Fine
Manual, chapter "Configuring Secure Shell" this time
(http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schssh.html)
which has the following to say, under the aptly named heading "Restrictions":

"RSA authentication available in SSH clients is not supported in the SSH
server for Cisco IOS software."

Sad, but true. And no change in sight.

HTH
T.

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
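An added check, not code from this thread or from Cisco: rather than deducing from the manual whether a server will honour a public key at all, ask the server. The OpenSSH client, run with -v, logs the list of authentication methods the server is willing to continue with ("debug1: Authentications that can continue: ..."). The functions below parse that list, first from constructed sample debug lines embedded in the script, and, with a live host, from a real probe that never waits at a password prompt. The host name gw1 follows the thread; the sample debug lines are constructed and not captured from an IOS device, and the script makes no claim about what any particular IOS release advertises.

```shell
#!/bin/sh
# Added example (not code from the thread): before pushing a public key
# to an SSH server, ask the server which authentication methods it is
# willing to continue with. The OpenSSH client logs the server's list as
# "debug1: Authentications that can continue: ..." when run with -v.
# The host name gw1 is taken from the thread; having an account there is
# an assumption.

# Print the last advertised method list from `ssh -v` output on stdin,
# one method per line. The last occurrence is used because the server
# repeats the list after each failed method.
ssh_auth_methods_from_debug() {
    sed -n 's/^debug1: Authentications that can continue: //p' \
        | tail -n 1 | tr ',' '\n'
}

# Exit 0 if "publickey" is among the methods on stdin, 1 otherwise.
offers_publickey() {
    ssh_auth_methods_from_debug | grep -qx 'publickey'
}

# Live probe against a host. BatchMode and NumberOfPasswordPrompts=0 stop
# ssh from blocking at a password prompt; "exit" is the remote command, so
# nothing is run even if the login happens to succeed. Prints the list.
probe_ssh_auth_methods() {
    ssh -v -o BatchMode=yes -o NumberOfPasswordPrompts=0 \
        -o PreferredAuthentications=publickey "$1" exit 2>&1 \
        | ssh_auth_methods_from_debug
}

# Constructed sample debug output (not captured from a real IOS device):
# a server that only allows password and keyboard-interactive logins.
SAMPLE_PASSWORD_ONLY='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,keyboard-interactive
debug1: Next authentication method: password'

# Constructed sample for a server that does accept public keys.
SAMPLE_WITH_PUBKEY='debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey'

# Decide whether installing a key on the host can achieve anything.
# Usage: check_before_installing_key gw1
check_before_installing_key() {
    if probe_ssh_auth_methods "$1" | grep -qx 'publickey'; then
        echo "$1 offers publickey authentication; installing a key can work"
    else
        echo "$1 does not offer publickey authentication; a key would be ignored"
        return 1
    fi
}
```

Run `check_before_installing_key gw1` against a real host; the offline parsing can be exercised with `printf '%s\n' "$SAMPLE_PASSWORD_ONLY" | offers_publickey`, which fails for that sample. A server that does not list publickey will ignore any key you manage to store on it, which is exactly the situation the post describes.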
From: Ivan Marsh on
On Sat, 19 Apr 2008 17:51:47 -0400, Richard B. Gilbert wrote:

> Ivan Marsh wrote:
>> On Fri, 18 Apr 2008 18:04:29 -0400, Richard B. Gilbert wrote:
>>
>>> Dave Uhring wrote:
>>>> On Fri, 18 Apr 2008 18:58:31 +0000, Greg Andrews wrote:
>>>>> Dave Uhring <daveuhring(a)yahoo.com> writes:
>>>>>> You are quite right. Cisco is certainly entitled to break
>>>>>> generally accepted protocols.
>>>>>>
>>>>>>
>>>>> Perhaps you and I are talking about different things. I would agree
>>>>> that a previous poster's description of scp failure is a bad thing.
>>>>> However, I've been talking about the storage of a public key. Which
>>>>> part of the SSH protocol says that public key storage must be in a
>>>>> file in a filesystem?
>>>> If not in a file then where? RFC4252 states that public key
>>>> authentication is *required* in any SSH implementation and that key
>>>> must be kept someplace.
>>>>
>>>> I suppose that Cisco could, at least theoretically, keep the public
>>>> key stored in a condom attached to an RJ45 port : >
>>> The last time I looked, routers did not come equipped with disk
>>> drives!
>>> No file system! Or, at least, none in the usual sense of the
>>> expression. It does have flash PROM, NVRAM, or some reasonable
>>> facsimile where it can store things like passwords and public or
>>> private keys, configuration info, etc. I think floppy disks have more
>>> storage!!
>>
>> My routers have considerably more storage space than a floppy.
>>
>> PCMCIA Filesystem Compatibility Matrix and Filesystem Information
>> http://www.cisco.com/en/US/products/hw/routers/ps341/products_tech_note09186a00800a7515.shtml
>>
> Checking the link shows that Cisco uses the expression "file systems" in
> discussing their routers. Prices being what they are, the ONLY Cisco
> router that I have any experience with is a CMP2A. It appears to have
> been designed for broadband cable on the WAN side and Ethernet on the
> LAN side. I salvaged it from a trash can. I have been unable to find
> ANY documentation for this beast.

Trash Cisco... good deal.

> I found some general instructions for "password recovery" that allowed
> me to break into it. I haven't seen anything resembling a "file system"
> on this one but perhaps I just don't know what to look for!

If it has NVRAM it has a filesystem... that doesn't necessarily mean you
have access to that filesystem.

--
"Remain calm, we're here to protect you!"

From: Chris Mattern on
On 2008-04-20, Tilman Schmidt <ts-usenet0804(a)pxnet.com> wrote:
> Dave Uhring schrieb:
>> On Sat, 19 Apr 2008 19:16:07 +0200, Tilman Schmidt wrote:
>>> Dave Uhring schrieb:
>>
>>>> LOL! The authors of RFC4252, The Secure Shell (SSH) Authentication
>>>> Protocol, which *mandates* public key authentication are T. Ylonen of SSH
>>>> Communications Security Corp and C. Lonvick, Ed. of Cisco Systems, Inc.
>>
>>> OTOH, RFC4252 is only a bit over two years old, so perhaps there's still
>>> hope.
>>
>> Curiously neither Theo deRaadt's name nor any other name from the OpenBSD
>> project appears in those documents.
>
> Not sure why the OpenBSD team should be particularly predestined to
> participate in the standardisation of ssh?

Um, because they wrote the ssh implementation that's used on the vast majority of
non-Windows boxes?

--
Christopher Mattern

NOTICE
Thank you for noticing this new notice
Your noticing it has been noted
And will be reported to the authorities