Cisco Router, SSH, PubKey, ...

Page content

Intro

I stumbled across an old Cisco box in the basement. I thought i might have some fun (or frust?) with the aging Device. The Hardware still works fine, right ? And what about the Software ? Let’s give a try !

Hardware

show version

Cisco 1841 (revision 7.0) with 352256K/40960K bytes of memory.
Processor board ID FCZ1234757Y
6 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
125184K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Software

dir flash

System image file is "flash:c1841-adventerprisek9-mz.151-4.M10.bin"
System image file is "flash:c1841-advipservicesk9-mz.124-25g.bin"

Factory Reset

r112#wr erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
r112#reload
Jan  2 12:10:07.427: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram

System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]

Jan  2 12:10:17.603: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
PLD version 0x10
GIO ASIC version 0x127
c1841 platform with 393216 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled

Settings

do some basic settings

conf t
no ip domain lookup
hostname router-template
line con 0
logging synchronous
line vty 0 15
logging synchronous
end

DNS

configure dns

conf t
ip name-server 9.9.9.9
ip domain lookup
end
ping 9.9.9.9
ping www.google.com

NTP

add two nameservers

conf t
ntp server time.metas.ch prefer
ntp server 0.ch.pool.ntp.org
end

Time Zone

set the right timezone …

conf t
clock timezone CET +1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
end

Logging

configure logging correctly

conf t
service timestamps log datetime localtime show-timezone
logging console errors
logging buffered 64000
end

Security

encrypt password / set enable password

conf t
service password-encryption
enable secret XxXxXxXxXxXxX
end

Enable SSH

remove old key

conf t
crypto key zeroize rsa
end

2k Keylength

conf t
crypto key generate rsa modulus 2048
end

… or go with 4k …

4k Keylength -> this is gonna take while (5 min) depending on your hardware !

conf t
crypto key generate rsa modulus 4096
end

configure SSH

conf t
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
username cisco privilege 15 password xXxXxXxXxXxXx
line vty 0 15
transport input ssh
login local
end

Test ssh

ssh -l cisco 192.168.5.209
user@nixbox$ ssh -l cisco 192.168.5.209
(cisco@192.168.5.209) Password:
router-template#

-> sucess !

SSH Keygen on *nix Maschine

i mostly use ed25519 Keys on my Boxes, so, there is no RSA Key at the Moment.

RSA Key, 2048 Bit

ssh-keygen -t rsa -b 2048
user@nixhost$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa
Your public key has been saved in /home/user/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:cfLCL3kZCJaodgAA9TTpnN/O2BkYjw6exvXU7px96eg user@nixhost
The key's randomart image is:
+---[RSA 2048]----+
|*.. o.           |
| . o.o .         |
|  .oo.+ o .      |
|   o+..o *       |
|  o .. *S.o      |
| . .. = =+.o     |
|   o = Bo++    . |
|    = o *+.o .o  |
|   .     .+.Eo.  |
+----[SHA256]-----+

Format KeyString

the Cisco Box needs the Key with special line length. There is no Chance to copy/paste the public key in just one line (thanks for that, cisco)

cat ~/.ssh/id_rsa.pub |cut -d" " -f 2 |fold -b -w 64
user@nixbox$ cat ~/.ssh/id_rsa.pub |cut -d" " -f 2 |fold -b -w 64
AAAAB3NzaC1yc2EAAAADAQABAAABAQC8UxE839WIIXVlwqn/X6NrRMoesuQMYozS
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Add Pubkey to Router

create a user called “user” and add the public key like this

conf t
ip ssh pubkey-chain
username user
key-string
AAAAB3NzaC1yc2EAAAADAQABAAABAQC8UxE839WIIXVlwqn/X6NrRMoesuQMYozS
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
exit
exit
exit
exit

Confirm Pubkey

confirm that your key got installed correctly …

show running-config | section pubkey
router-template#show running-config | section pubkey
ip ssh pubkey-chain
  username user
   key-hash ssh-rsa 80ADCCB62636783A0A6B5E1E28F23CE0
  quit

Login with Key Only

and try to login with Key only. unfortunately that does not work as expected …

ssh -o PreferredAuthentications=pubkey -o KexAlgorithms=+diffie-hellman-group-exchange-sha1 -o HostKeyAlgorithms=+ssh-rsa -c aes128-cbc -l user 192.168.5.209

-> the router just supports really old crypto ciphers so we have to downgrade and update our ssh config file :(

update .ssh/config

cat << 'EOF' >> ~/.ssh/config
Host 192.168.5.209
  KexAlgorithms     +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  
  HostKeyAlgorithms +ssh-rsa
  Ciphers           +aes128-cbc
EOF
user@nixbox$ ssh -l user 192.168.5.209
user@192.168.5.209: Permission denied (publickey,keyboard-interactive,password).

i enabled “debug ip ssh” and got some wired Debug Message on the Cisco Box. Couldn’t find a Solution on Google & Friends :(

wired debug messages

SSH0: Session disconnected - error 0x00

Upgrade/Downgrade IOS Image

Let’s switch to another IOS Image …

First approach is to copy the Image from the UnixBox to the Router. I’d preferre SSH/SCP and not the legacy TFTP/FTP Stuff.

enable scp server on the router

conf t
ip scp server enable
end

push the Image to the Router

scp ~/c181x-adventerprisek9-mz.151-4.M12a.bin cisco@192.168.5.209:c181x-adventerprisek9-mz.151-4.M12a.bin

-> not sucessfull. couldn’t copy the “old” Image from my UnixBox to the Router via scp :(

2nd try: pull the image from the Router. also with scp !

update /etc/ssh/sshd_config on the Unix ox

Ciphers                           aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes128-cbc,3des-cbc
HostKey                           /etc/ssh/ssh_host_ed25519_key
HostKey                           /etc/ssh/ssh_host_rsa_key
HostKeyAlgorithms                 ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-rsa

and restart the ssh daemon

rcctl restart sshd

ssh from router to server

router-template#ssh -l user 192.168.5.1
Password:
Last login: Tue Jul 26 20:41:16 2022 from 192.168.5.209
OpenBSD 7.1 (GENERIC.MP) #3: Sun May 15 10:27:01 MDT 2022

-> ssh login works from the router

try to copy from the server to router

user@nixbox$ ll /home/user/c181x-adventerprisek9-mz.151-4.M12a.bin
-rw-r--r--  1 user  user  30583572 Jul 26 20:32 /home/user/c181x-adventerprisek9-mz.151-4.M12a.bin
router-template#copy scp://user@192.168.5.1:/c181x-adventerprisek9-mz.151-4.M12a.bin flash:/c181x-adventerprisek9-mz.151-4.M12a.bin
Destination filename [c181x-adventerprisek9-mz.151-4.M12a.bin]?
Password:
 scp: debug1: fd 3 clearing O_NONBLOCK
 Sending file modes: C0644 30583572 c181x-adventerprisek9-mz.151-4.M12a.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

-> this seems working and needs a few minutes …

set Boot Variable

conf t
boot system flash:c181x-adventerprisek9-mz.151-4.M12a.bin
end
wr

reboot

… and the router stop in rommon :(

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
PLD version 0x10
GIO ASIC version 0x127
c1841 platform with 393216 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled


Readonly ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80
loadprog: error - Invalid image for platform
e_machine = 147, cpu_type = 134
boot: cannot load "flash:"

-> Invalid image for platform

let’s boot the previous image (always keep more then one image on the flash if possible !)

boot flash:c1841-adventerprisek9-mz.151-4.M10.bin

Try again with 12.4

another try with an Image for the 1841, v12.4-25G

copy scp://user@192.168.5.1:/c1841-advipservicesk9-mz.124-25g.bin flash:/c1841-advipservicesk9-mz.124-25g.bin
conf t
no boot system
boot system flash c1841-advipservicesk9-mz.124-25g.bin
end
wr

show flash content

router-template#dir flash:
Directory of flash:/

    2  -rw-    47454756   Jun 7 2015 14:07:44 +02:00  c1841-adventerprisek9-mz.151-4.M10.bin
    3  -rw-     2732032  Jul 26 2022 21:16:26 +02:00  c1841-advipservicesk9-mz.124-25g.bin

downgrade of Software aborted … Version 12.4 handle SSH & Cryptographie kind of different. Not interested to go another step back in history …

Summary

so, it was quite interesting to see how many “botches, work arounds and Downgrades” needs to implemented and i still was note able to Login with SSH & Pubkey to my old Router Box. I think i should give them away to someone who want’s to learn and make his hands dirty.

Follup Up with AAA

got some support from a nice Cisco Guy and tried a few things …

conf t
crypto key generate rsa usage-keys label router-key
aaa new-model
aaa authentication login default local
aaa authorization exec default local if-authenticated
end

Error Messages on the Router …

router-template#
Jul 29 08:47:30.671: SSH0: starting SSH control process
Jul 29 08:47:30.671: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
Jul 29 08:47:30.675: SSH0: protocol version id is - SSH-2.0-OpenSSH_9.0
Jul 29 08:47:30.679: SSH2 0: SSH2_MSG_KEXINIT sent
Jul 29 08:47:30.683: SSH2 0: SSH2_MSG_KEXINIT received
Jul 29 08:47:30.683: SSH2:kex: client->server enc:aes128-cbc mac:hmac-sha1 
Jul 29 08:47:30.683: SSH2:kex: server->client enc:aes128-cbc mac:hmac-sha1 
Jul 29 08:47:30.879: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
Jul 29 08:47:30.879: SSH2 0: Range sent by client is - 2048 < 4096 < 8192 
Jul 29 08:47:30.879: SSH2 0:  Modulus size established : 4096 bits
Jul 29 08:47:31.499: SSH2 0: expecting SSH2_MSG_KEX_DH_GEX_INIT
Jul 29 08:47:31.503: SSH2 0: SSH2_MSG_KEXDH_INIT received
Jul 29 08:47:33.050: SSH2: kex_derive_keys complete
Jul 29 08:47:33.050: SSH2 0: SSH2_MSG_NEWKEYS sent
Jul 29 08:47:33.050: SSH2 0: waiting for SSH2_MSG_NEWKEYS
Jul 29 08:47:33.082: SSH2 0: SSH2_MSG_NEWKEYS received
Jul 29 08:47:33.286: SSH2 0: Using method = none
Jul 29 08:47:33.290: SSH2 0: SSH ERROR closing the connection
Jul 29 08:47:33.390: SSH0: Session disconnected - error 0x00

stupid double fault :(

oh man … what a stupid error. User “user” must also exists on the router. And OpenBSD is still not able to login. A Standrd Debian Box is doing fine …

add user ‘user’

conf t
username user privilege 15 password xXxXxXxXxXxXx
end

OpenBSD SSH Debug

OpenBSD still refuses to work, so, need some more investigation.

ssh -vvv

debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: .ssh/id_rsa RSA SHA256:wbJ/kzgZ5jpAGo56/f4MMsqUO3IgBc1o8l1X7UwEx90 explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Offering public key: .ssh/id_rsa RSA SHA256:wbJ/kzgZ5jpAGo56/f4MMsqUO3IgBc1o8l1X7UwEx90 explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: keyboard-interactive
(user@192.168.5.209) Password: 

send_pubkey_test: no mutual signature algorithm

SSH FIXED !

finally did it …

cat << 'EOF' >> .ssh/config
Host 192.168.5.209
  KexAlgorithms           +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  
  HostKeyAlgorithms       +ssh-rsa
  Ciphers                 +aes128-cbc
  MACs                    +hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
  PubkeyAcceptedKeyTypes  +ssh-rsa
EOF

-> PubkeyAcceptedKeyTypes +ssh-rsa this was the missing Line …

Best do add this Part the the /etc/ssh_config, so, it will be valid for all upcomming SSH Sessions.

ok, at least fixed and documented. for me or for someone else ;)

sha256: 29d09153c4851f1e64a1291762cf2a80ae79053cf421ac60fb443fd49c21cdbb