Cisco交换机SSH使用RSA公钥免密登录(IOS与Nexus,服务器以RHEL8为例)

于 2024-08-14 10:31:52 发布
阅读量803 收藏 6
点赞数 7
分类专栏: # 系统服务 网络 Cisco 文章标签: ssh 服务器 Cisco 交换机 RSA 经验分享 linux
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Tassel_YUE/article/details/141181575
版权
系统服务 同时被 3 个专栏收录
15 篇文章 1 订阅
订阅专栏
网络
15 篇文章 0 订阅
订阅专栏
Cisco
1 篇文章 0 订阅
订阅专栏

目录

需求

在实际工作中,常会遇到自动化的需求,那么在自动采集、配置等对网络设备的自动化需求中,不可避免的会遇到需要登录->采集->录入的流程。
而第一步登录,一般采用ssh进行安全的远程连接。不过每次需要输入密码的远程登陆不便于自动化的应用,因此需要采用免密登录

一般针对服务器如Linux的ssh免密登录,仅需要将需要免密登录进来的其他服务器的rsa公钥放入自己的authorized_keys文件中即可。
详细可以见我之前的笔记:linux下的openssh简介(centos 8)

那么,针对网络设备没有这个文件,应该如何进行rsa公钥的存放和ssh免密登录?
网络上对于华为设备如何配置ssh免密登录的文章很多(同时现网中很多华为真实设备有自动保存登录设备的RSA公钥的功能),但对于Cisco尤其存在IOS和Nexus两种软件版本的交换机反而没有直接可以使用的文章,因此本文将对此进行分享。

Cisco官网上有RSA和X.509两种配置方式,分别是公钥和CA两种方式,这里介绍的是RSA公钥免密登陆方式。
可以参考的官方文档:Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 10.5(x)

实验步骤

  1. 服务器创建rsa密钥对
  2. Cisco交换机保存服务器创建的rsa公钥
  3. 服务器ssh登录Cisco设备进行测试

0. 实验环境

在这里插入图片描述

设备型号IP
LinuxRHEL8192.168.100.141
SwitchCisco IOS192.168.100.100
NXOSCisco Nexus192.168.100.101
NetCLoud0(桥接VMnet8)N/A

1. Linux

Linux上仅需要能ping通两台交换机,申请rsa密钥对并将公钥记录下来即可

# 查看ip
[root@linux ~]# ip a s ens33 | awk 'NR==4 {print $2}'
192.168.100.141/24

# 生成一个2048长度的密钥
# 交换机可能因为版本限制rsa的长度,2048是一个非常稳妥的长度
[root@linux ~]# ssh-keygen -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:WwIJVzyTw89Rsp2JVfUbUwjRr0g+LCUqXoXPT4NMC14 root@docker01
The key's randomart image is:
+---[RSA 2048]----+
|    . .+....==.oo|
|     o .B .* oo o|
|      o  Bo.+  +.|
|       .o E o   =|
|       .SX.O . o |
|      . ++B B .  |
|     . o.  + o   |
|      .     .    |
|                 |
+----[SHA256]-----+

# 查看公钥,记录下来,可以用
# 以64字符为一行,因为Cisco IOS的公钥录入有行长度限制,需要多行录入,提前设置好方便录入
# 仅需要记录从ssh-rsa开始到主机名空格前结束
[root@linux ~]# fold -w 64 ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoVHfQEHOq50u7kl5ukfPwwoYn
RHGCaYEHht4Fy8O3pGM3hk9GyT/IsBBquiBR1cxPjvZFlIGUd9gc2v4Xk8JHPIsH
f3IaS/5lhL257N4CZcL+aZh/PWCaY3DSmZqJ3ywFlX1YLUDlUvelcG2fmc/p0brM
LCxawgePkzl/MQq++aiEW/cqfXHR134InlV9nhBYyADGQff7Mmg6ysq+EK+KBMqG
h6dSquXo3i8PnQSI0RwIf8W9oUOWFIFJAzaaauqmMQhwxFbsc6vL+OdctHc9Ndgy
z04O5bmoI7qT0Tgh1yuynHWmkfuUnC+Ci/S83BaFOyOKxn4ymEVA3mJCcA1t roo
t@linux

2. CiscoIOS

基础设置

# 查看版本
Switch#show version
Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Experimental Version 15.2(20200924:215240) [sweickge-sep24-2020-l2iol-release 135]

# 修改主机名
test>en
test#configure terminal
test(config)#hostname Switch

# 设置svi1 ip
Switch(config-if)#int vlan 1
Switch(config-if)#ip add 192.168.100.100 255.255.255.0

# ping测试
Switch#ping 192.168.100.141
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.141, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/4/5 ms

保存密钥

# 均在配置模式下配置

# 设置域名,不设置不能启用ssh和rsa
Switch(config)#ip domain-name test

# 创建rsa密钥,用于开始ssh
Switch(config)#crypto key generate rsa
% You already have RSA keys defined named Switch.test.
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)

# 启用sshv2
Switch(config)#ip ssh version 2

# 启用ssh登录
Switch(config)#line vty 0 4
Switch(config-line)#transport input ssh
Switch(config-line)#login local
Switch(config-line)#exit

# 设置无密码账号linux
Switch(config)#username linux privilege 15

# 导入linux的公钥
Switch(config)#ip ssh pubkey-chain
Switch(conf-ssh-pubkey)#username linux
Switch(conf-ssh-pubkey-user)#key-string
# 以下是录入密钥,将前面录入的复制下来
Switch(conf-ssh-pubkey-data)#$2EAAAADAQABAAABAQCoVHfQEHOq50u7kl5ukfPwwoYn
Switch(conf-ssh-pubkey-data)#$k9GyT/IsBBquiBR1cxPjvZFlIGUd9gc2v4Xk8JHPIsH
Switch(conf-ssh-pubkey-data)#$Zh/PWCaY3DSmZqJ3ywFlX1YLUDlUvelcG2fmc/p0brM
Switch(conf-ssh-pubkey-data)#$/cqfXHR134InlV9nhBYyADGQff7Mmg6ysq+EK+KBMqG
Switch(conf-ssh-pubkey-data)#$8W9oUOWFIFJAzaaauqmMQhwxFbsc6vL+OdctHc9Ndgy
Switch(conf-ssh-pubkey-data)#$HWmkfuUnC+Ci/S83BaFOyOKxn4ymEVA3mJCcA1t
#录入完后退出,即完成录入
Switch(conf-ssh-pubkey-data)#exit
Switch(conf-ssh-pubkey-user)#exit
Switch(conf-ssh-pubkey)#exit

登陆测试

在linux上ssh Cisco交换机

# 登录后,可以看到回显有“永久将主机(RSA)添加入已知列表“
[root@docker01 ~]# ssh linux@192.168.100.100
The authenticity of host '192.168.100.100 (192.168.100.100)' can't be established.
RSA key fingerprint is SHA256:1DfhYAi7UO9ZocSjUhqnF6zCSYrAhXKrSI21J9+b+HE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.100.100' (RSA) to the list of known hosts.

IOSv - Cisco Systems Confidential -

Supplemental End User License Restrictions

This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.

By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.

IOSv - Cisco Systems Confidential -

Supplemental End User License Restrictions

This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.

By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.

Switch#en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#
# 作为权限15的账号,可以进入配置模式进行配置

3. CiscoNexus

基础配置

# 查看版本,是9.3.8的Nexus OS
switch# show version
Cisco Nexus Operating System (NX-OS) Software
Software
  BIOS: version
 NXOS: version 9.3(8)
  BIOS compile time:
  NXOS image file is: bootflash:///nxos.9.3.8.bin
  NXOS compile time:  8/4/2021 13:00:00 [08/04/2021 22:25:26]

# 配置设备名
switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# hostn NXOS
NXOS(config)#

# 设置svi1 ip
NXOS(config-if)# ip add 192.168.100.101/24
NXOS(config-if)# do show ip int bri

IP Interface Status for VRF "default"(1)
Interface            IP Address      Interface Status
Vlan1                192.168.100.101 protocol-up/link-up/admin-up


# ping测试
NXOS# ping 192.168.100.141
PING 192.168.100.141 (192.168.100.141): 56 data bytes
64 bytes from 192.168.100.141: icmp_seq=0 ttl=63 time=9.11 ms
64 bytes from 192.168.100.141: icmp_seq=1 ttl=63 time=8.318 ms
64 bytes from 192.168.100.141: icmp_seq=2 ttl=63 time=19.181 ms
64 bytes from 192.168.100.141: icmp_seq=3 ttl=63 time=7.7 ms
64 bytes from 192.168.100.141: icmp_seq=4 ttl=63 time=5.08 ms

--- 192.168.100.141 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 5.08/9.877/19.181 ms

保存密钥

# 生成密钥,启用ssh
NXOS(config)# ssh key rsa
NXOS(config)# feature ssh

# 查看ssh server key
NXOS(config)# show ssh key
**************************************
rsa Keys generated:Wed Aug 14 02:22:31 2024

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC2ag54FDSbAT3Z3uVxHJ5LVEIedz6ximnx1lJr2gC6
r96XcUw2l+3vx704V6nMiFrdjsuMuP+k9cVmuHvdUy09/Q6pPiUD8I0/t+SdMz+PANoAsURLa06J/Gqo
v6RJVPtqKum1DsMR91d8UYXrNFKq62SvCDaNa486bAd8+/qMRw==

bitcount:1024
fingerprint:
SHA256:RGZdz0/waQniT3HN+S+5haHBVst0N7DPHTc1WLadUyc
**************************************
could not retrieve dsa key information
**************************************
could not retrieve ecdsa key information
**************************************

# 创建登陆方式为公钥登录的用户,输入linux的公钥
# 因为为一行输入,所以cat linux的公钥直接复制即可,不要切断换行
NXOS(config)# username linux sshkey ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoVHfQEHOq50u7kl5ukfPwwoYnRHGCaYEHht4Fy8O3pGM3hk9GyT/IsBBquiBR1cxPjvZFlIGUd9gc2v4Xk8JHPIsHf3IaS/5lhL257N4CZcL+aZh/PWCaY3DSmZqJ3ywFlX1YLUDlUvelcG2fmc/p0brMLCxawgePkzl/MQq++aiEW/cqfXHR134InlV9nhBYyADGQff7Mmg6ysq+EK+KBMqGh6dSquXo3i8PnQSI0RwIf8W9oUOWFIFJAzaaauqmMQhwxFbsc6vL+OdctHc9Ndgyz04O5bmoI7qT0Tgh1yuynHWmkfuUnC+Ci/S83BaFOyOKxn4ymEVA3mJCcA1t

登陆测试

在linux上ssh Cisco交换机

# 使用创建的用户在linux上ssh登录Cisco交换机
# 登录后,可以看到回显有“永久将主机(RSA)添加入已知列表“
[root@docker01 ~]# ssh linux@192.168.100.101
The authenticity of host '192.168.100.101 (192.168.100.101)' can't be established.
RSA key fingerprint is SHA256:RGZdz0/waQniT3HN+S+5haHBVst0N7DPHTc1WLadUyc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.100.101' (RSA) to the list of known hosts.
User Access Verification

Cisco NX-OS Software
Copyright (c) 2002-2021, Cisco Systems, Inc. All rights reserved.
Nexus 9000v software ("Nexus 9000v Software") and related documentation,
files or other reference materials ("Documentation") are
the proprietary property and confidential information of Cisco
Systems, Inc. ("Cisco") and are protected, without limitation,
pursuant to United States and International copyright and trademark
laws in the applicable jurisdiction which provide civil and criminal
penalties for copying or distribution without Cisco's authorization.

Any use or disclosure, in whole or in part, of the Nexus 9000v Software
or Documentation to any third party for any purposes is expressly
prohibited except as otherwise authorized by Cisco in writing.
The copyrights to certain works contained herein are owned by other
third parties and are used and distributed under license. Some parts
of this software may be covered under the GNU Public License or the
GNU Lesser General Public License. A copy of each such license is
available at
http://www.gnu.org/licenses/gpl.html and
http://www.gnu.org/licenses/lgpl.html
***************************************************************************
*  Nexus 9000v is strictly limited to use for evaluation, demonstration   *
*  and NX-OS education. Any use or disclosure, in whole or in part of     *
*  the Nexus 9000v Software or Documentation to any third party for any   *
*  purposes is expressly prohibited except as otherwise authorized by     *
*  Cisco in writing.                                                      *
***************************************************************************
NXOS# conf t
Enter configuration commands, one per line. End with CNTL/Z.
# 该用户在创建时没有设置权限,因此没有权限进入接口视图,可以后续根据需求自行设置
NXOS(config)# int mgmt0
% Permission denied for the role
NXOS(config)# vlan 2
% Permission denied for the role

实验完毕。

Tassel_YUE
关注
专栏目录
cisco配置ssh登陆
weixin_34007906的博客
08-29 323
cisco SSH配置 1. 配置hostname和ip domain-name Router#configure terminal Router(config)#hostname R2 //配置ssh的时候路由器的名字不能为router R2(config)#ip domain-name puzzled.com //配置SSH必需 R2(con...
cisco交换机配置ssh远程登陆
热门推荐
chouzhi7161的博客
07-23 3万+
前言: 最近整理一些以前的学习笔记(有部分缺失,会有些乱,日后再补)。 过去都是存储在本地,此次传到网络留待备用。 cisco SSH远程登陆配置 0.配置ip,启动端口 Switch>enable //进入特权模式 Switch#config...
cisco设备配置SSH
iamxzz的专栏
01-14 6706
cisco设备配置SSH
Cisco--telnet、ssh远程登录
网络工程技术小白
01-28 1万+
Cisco -- telnet、ssh远程登录
华为交换机SSH使用RSA公钥免密登录配置
06-06
要华为交换机使用RSA公钥进行SSH免密登录,需要进行以下配置: 1. 生成RSA密钥对 ``` <HUAWEI> system-view [HUAWEI] sysname Switch ...这些步骤将配置华为交换机使用RSA公钥进行SSH免密登录
批量配置服务器ssh免密rsa登录
05-25
综上所述,批量配置服务器SSH免密RSA登录是运维工作中常见的任务,它涉及到了非对称加密、公钥认证、脚本编程以及服务器安全管理等多个方面的知识。正确实现和使用这些技术可以显著提升工作效率,同时保证系统安全。
Cisco MDS交换机配置ssh 免密登录
白衬衫的博客
08-15 2118
前两天领导突然说交换机要做ssh免密,找了好多文档都不适用,然后去官网看了下官方手册。 其实主要就两步: (1)在服务器端生成一个公钥/秘钥对; (2)复制拷贝秘钥添加到switch中,最后验证登录。 以下是Linux ssh-keygen 生成示例: 1、[root@ecs ~]# ssh-keygen -b 2048 -t rsaEnter file in which to sav...
Linux使用ssh公钥实现免密码登录实例
01-11
linux下可以用用ssh-keygen生成公钥/私钥对,下面我以CentOS为例。 有机器A(192.168.1.155),B(192.168.1.181)。现想A通过ssh免密码登录到B。 首先以root账户登陆为例。 1.在A机下生成公钥/私钥对。 [root@A ~]# ...
linux ssh连接交换机_使用SSH登录交换机RSA方式)
weixin_39535287的博客
12-20 3069
由于原来使用rsa key convert下载不到了,不能将公钥转换成DER格式,而老式的VRP只支持DER格式,不支持OPENSSL以及PEM编码格式的公钥。本文介绍了在Linux及puttygen上生成密钥对,并上传公钥交换机,实现私钥登录的过程。这种方式的话,用于验证的私钥存放在用户端,并且可以使用密码保护公钥,比使用用户密码认证方式更安全。一、密钥对的生成,两种方法任选其一。(一)、在...
Cisco 交换机 路由器 ssh 配置_packet tracer - 为系统日志、ntp 和 ssh 操作配置思科路由器
2401_84240554的博客
04-12 1228
PS:在Cisoc中rsa支持360-2048位密钥,该算法的原理是:主机将自己的公用密钥分发给相关的客户机,客户机在访问主机时则使用该主机的公开密钥来加密数据,主机则使用自己的私有的密钥来解密数据,从而实现主机密钥认证,确定客户机的可靠身份。How many bits in the modulus [512]: 1024 ----------设置密钥为1024位。为交换机/路由器配置一个域名,也可以认为该交换机/路由器属于这个域。7.可查看以上配置(可跳过,需要时查看)3.进入全局配置模式。
在思科设备中配置SSH服务
最新发布
2301_76462724的博客
04-23 2263
思科设备基础配置----ssh加密服务(适合初学网络的朋友)
secure CRT SSH登录交换机提示没有兼容的主机密钥
fei231的博客
08-21 1万+
主题:Key exchange failed.Key exchange failed. No compatible hostkey. The server supports these methods: rsa-sha2-512,rsa-sha2-256,#SecureCRT SSH 登录交换机报错Key exchange failed. No compatible hostkey. The server supports these methods: rsa-sha2-512,rsa-sha2-256,
【交换篇】05. 远程 SSH 访问 ❀ C3750-E ❀ CISCO 交换机
防火墙技术专栏
09-29 5262
要想远程管理访问交换机,就必须为交换机配置IP地址和子网掩码,还要配置默认网关。这与主机设备上配置IP地址信息非常相似。
思科设备SSH登录配置
weixin_40802763的博客
08-17 1万+
某公司有一台核心设备R1,为了方便进行管理,配置SSH远程登录,使用路由器R2模拟客户端,配置SSH协议登录R1。 实验拓扑如下: ![在这里插入图片描述](https://img-blog.csdnimg.cn/ff96c30153b14190a297aa778f8ff11c.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MD
思科(Cisco交换机ssh远程登陆配置(计算机网络实验)
m0_54028344的博客
04-26 3339
画拓扑图: 配置ssh:
CiSCO 交换机配置 SSH 登陆
weixin_34072637的博客
03-10 1万+
CiSCO 交换机配置 SSH 登陆 题目:在三层交换机上仅运行 SSH 服务,且用户名和密码的方式登录交换机。 (一)了解主机名与域名 ​ 1、"主机名" 为该设备的名称 ​ 2、"域名" 为该设备所属的所属者 (二)配置主机名与域名 ​ 1、进入特权模式 ESW1#configure terminal Enter configuration commands, one per line. ...
cisco ssh 配置 也解释
大任的网络专栏
05-30 1万+
cisco SSH配置 1. 配置hostname和ip domain-name SW#configure terminal SW(config)#hostname R2      //配置ssh的时候路由器的名字不能为router SW(config)#ip domain-name cisco.com    //配置SSH必需 SW(config)aaa new-model
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值