
Passwordless SSH login to Cisco switches with an RSA public key (IOS and Nexus; the server side uses RHEL 8 as the example)

Contents

  • Requirement
  • Procedure
    • 0. Lab environment
    • 1. Linux
    • 2. Cisco IOS
      • Basic setup
      • Storing the key
      • Login test
    • 3. Cisco Nexus
      • Basic configuration
      • Storing the key
      • Login test

Requirement

In day-to-day work, automation requirements come up all the time. When collecting data from or configuring network devices automatically, the flow is unavoidably login -> collect -> record.
The first step, login, is normally done over SSH for a secure remote connection. A remote login that asks for a password every time is awkward to automate, so passwordless login is needed.

For servers such as Linux hosts, passwordless SSH login only requires putting the RSA public key of every host that should be allowed in into the local authorized_keys file.
See my earlier notes for details: An introduction to OpenSSH on Linux (CentOS 8).

Network devices have no such file, so how should the RSA public key be stored and passwordless SSH login set up there?
There are many articles online on configuring passwordless SSH login on Huawei devices (and many real Huawei devices in production can automatically save the RSA public key of the host that logs in), but for Cisco, whose switches run two different software families, IOS and Nexus, there is no article that can be used directly, so this post shares how it is done.

Cisco's website documents two configuration methods, RSA and X.509, that is, a public-key method and a CA method. This post covers the RSA public-key passwordless login method.
Official documentation for reference: Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 10.5(x)

Procedure

  1. Create an RSA key pair on the server
  2. Store the server's RSA public key on the Cisco switch
  3. SSH from the server to the Cisco device to test

0. Lab environment


Device   Model                        IP
Linux    RHEL8                        192.168.100.141
Switch   Cisco IOS                    192.168.100.100
NXOS     Cisco Nexus                  192.168.100.101
Net      CLoud0 (bridged to VMnet8)   N/A

1. Linux

On the Linux host it is enough to be able to ping both switches, generate an RSA key pair, and record the public key.

# Check the IP address
[root@linux ~]# ip a s ens33 | awk 'NR==4 {print $2}'
192.168.100.141/24
# Generate a 2048-bit key
# Switches may limit the RSA key length depending on the software version; 2048 is a very safe length
[root@linux ~]# ssh-keygen -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:WwIJVzyTw89Rsp2JVfUbUwjRr0g+LCUqXoXPT4NMC14 root@docker01
The key's randomart image is:
+---[RSA 2048]----+
|    . .+....==.oo|
|     o .B .* oo o|
|      o  Bo.+  +.|
|       .o E o   =|
|       .SX.O . o |
|      . ++B B .  |
|     . o.  + o   |
|      .     .    |
|                 |
+----[SHA256]-----+
# Display the public key and record it. It can be
# folded to 64 characters per line, because Cisco IOS limits the line length when the public key is entered, so it must be entered as several lines; preparing it this way makes entry easier
# Only the part from ssh-rsa up to the space before the hostname needs to be recorded
[root@linux ~]# fold -w 64 ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoVHfQEHOq50u7kl5ukfPwwoYn
RHGCaYEHht4Fy8O3pGM3hk9GyT/IsBBquiBR1cxPjvZFlIGUd9gc2v4Xk8JHPIsH
f3IaS/5lhL257N4CZcL+aZh/PWCaY3DSmZqJ3ywFlX1YLUDlUvelcG2fmc/p0brM
LCxawgePkzl/MQq++aiEW/cqfXHR134InlV9nhBYyADGQff7Mmg6ysq+EK+KBMqG
h6dSquXo3i8PnQSI0RwIf8W9oUOWFIFJAzaaauqmMQhwxFbsc6vL+OdctHc9Ndgy
z04O5bmoI7qT0Tgh1yuynHWmkfuUnC+Ci/S83BaFOyOKxn4ymEVA3mJCcA1t roo
t@linux
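As an added example that is not part of the original post, the POSIX shell script below does the preparation step described above in one go: it strips the hostname comment, folds the key into 64-character lines for the Cisco IOS key-string entry in section 2, emits the single-line form for the NX-OS username ... sshkey command in section 3, and decodes the modulus size from the ssh-rsa blob so the 2048-bit length recommended above can be confirmed before pasting (it also reproduces the bitcount:1024 that show ssh key reports for the Nexus host key in section 3). SAMPLE_PUBKEY and NXOS_HOST_KEY_BLOB are the keys printed in this post; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: prepare the OpenSSH public key
# generated above for the two Cisco entry formats used later (IOS `key-string`
# in 64-character lines, NX-OS `username ... sshkey` on one line) and decode the
# modulus size so the key length can be confirmed before pasting.
# Needs only POSIX sh and coreutils (awk, fold, base64, od, tr).

# Sample input: the 2048-bit key from the post's ~/.ssh/id_rsa.pub, as one line.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoVHfQEHOq50u7kl5ukfPwwoYnRHGCaYEHht4Fy8O3pGM3hk9GyT/IsBBquiBR1cxPjvZFlIGUd9gc2v4Xk8JHPIsHf3IaS/5lhL257N4CZcL+aZh/PWCaY3DSmZqJ3ywFlX1YLUDlUvelcG2fmc/p0brMLCxawgePkzl/MQq++aiEW/cqfXHR134InlV9nhBYyADGQff7Mmg6ysq+EK+KBMqGh6dSquXo3i8PnQSI0RwIf8W9oUOWFIFJAzaaauqmMQhwxFbsc6vL+OdctHc9Ndgyz04O5bmoI7qT0Tgh1yuynHWmkfuUnC+Ci/S83BaFOyOKxn4ymEVA3mJCcA1t root@linux'

# Sample input: the switch's own host key from `show ssh key` in section 3 (base64 part only).
NXOS_HOST_KEY_BLOB='AAAAB3NzaC1yc2EAAAADAQABAAAAgQC2ag54FDSbAT3Z3uVxHJ5LVEIedz6ximnx1lJr2gC6r96XcUw2l+3vx704V6nMiFrdjsuMuP+k9cVmuHvdUy09/Q6pPiUD8I0/t+SdMz+PANoAsURLa06J/Gqov6RJVPtqKum1DsMR91d8UYXrNFKq62SvCDaNa486bAd8+/qMRw=='

# Keep "<type> <base64>" only: the switch needs the key material, not the hostname comment.
strip_comment() {
    printf '%s\n' "$1" | awk '{print $1 " " $2}'
}

# Cisco IOS key-string form: 64-character lines, exactly what the post does with fold -w 64.
ios_key_lines() {
    strip_comment "$1" | fold -w 64
}

# Cisco NX-OS `username <user> sshkey` form: one unbroken line.
nxos_key_line() {
    strip_comment "$1"
}

# Modulus size in bits of an ssh-rsa blob. The blob is the SSH wire encoding:
# string "ssh-rsa", mpint e, mpint n, each prefixed by a big-endian uint32 length.
rsa_bits() {
    set -- $(printf '%s' "$1" | base64 -d | od -An -v -tu1 | tr -s ' \n' ' ')
    len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); shift 4; shift "$len"   # skip "ssh-rsa"
    len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); shift 4; shift "$len"   # skip e
    len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); shift 4                  # byte length of n
    # An mpint whose top bit is set carries a leading 0x00 byte that is not part of the modulus.
    if [ "$1" -eq 0 ]; then len=$((len - 1)); shift; fi
    bits=$(( (len - 1) * 8 )); top=$1
    while [ "$top" -gt 0 ]; do bits=$((bits + 1)); top=$((top >> 1)); done
    echo "$bits"
}

# Checks worth running before pasting: RSA type, decodable base64, modulus of at least $2 bits (default 2048).
check_key() {
    min=${2:-2048}
    type=$(strip_comment "$1" | awk '{print $1}')
    blob=$(strip_comment "$1" | awk '{print $2}')
    [ "$type" = "ssh-rsa" ] || { echo "not an ssh-rsa key: $type" >&2; return 1; }
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || { echo "key is not valid base64" >&2; return 1; }
    bits=$(rsa_bits "$blob")
    [ "$bits" -ge "$min" ] || { echo "modulus is only $bits bits, want at least $min" >&2; return 1; }
    echo "ok: ssh-rsa $bits bits"
}

# Stand-alone run.
check_key "$SAMPLE_PUBKEY"
echo "--- lines for IOS key-string ---"
ios_key_lines "$SAMPLE_PUBKEY"
echo "--- line for NX-OS username sshkey ---"
nxos_key_line "$SAMPLE_PUBKEY"
echo "--- switch host key from show ssh key: $(rsa_bits "$NXOS_HOST_KEY_BLOB") bits ---"
```

The ios_key_lines output is what gets pasted line by line at the key-string prompt in section 2, and nxos_key_line is the argument to username linux sshkey in section 3. rsa_bits decodes the wire format rather than trusting the RSA 2048 label of the randomart box, which is useful when the key file came from somewhere else.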

2. Cisco IOS

Basic setup

# Check the version
Switch#show version
Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Experimental Version 15.2(20200924:215240) [sweickge-sep24-2020-l2iol-release 135]
# Change the hostname
test>en
test#configure terminal
test(config)#hostname Switch
# Set the IP address of SVI 1
Switch(config-if)#int vlan 1
Switch(config-if)#ip add 192.168.100.100 255.255.255.0
# Ping test
Switch#ping 192.168.100.141
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.141, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/4/5 ms

Storing the key

# Everything below is done in configuration mode
# Set a domain name; without one, SSH and RSA cannot be enabled
Switch(config)#ip domain-name test
# Create the RSA key pair that SSH needs to start
Switch(config)#crypto key generate rsa
% You already have RSA keys defined named Switch.test.
Choose the size of the key modulus in the range of 360 to 4096 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)
# Enable SSH version 2
Switch(config)#ip ssh version 2
# Enable SSH login on the VTY lines
Switch(config)#line vty 0 4
Switch(config-line)#transport input ssh
Switch(config-line)#login local
Switch(config-line)#exit
# Create the account linux, without a password
Switch(config)#username linux privilege 15
# Import the public key of the linux host
Switch(config)#ip ssh pubkey-chain
Switch(conf-ssh-pubkey)#username linux
Switch(conf-ssh-pubkey-user)#key-string
# The key is entered below; paste the lines recorded earlier
Switch(conf-ssh-pubkey-data)#$2EAAAADAQABAAABAQCoVHfQEHOq50u7kl5ukfPwwoYn
Switch(conf-ssh-pubkey-data)#$k9GyT/IsBBquiBR1cxPjvZFlIGUd9gc2v4Xk8JHPIsH
Switch(conf-ssh-pubkey-data)#$Zh/PWCaY3DSmZqJ3ywFlX1YLUDlUvelcG2fmc/p0brM
Switch(conf-ssh-pubkey-data)#$/cqfXHR134InlV9nhBYyADGQff7Mmg6ysq+EK+KBMqG
Switch(conf-ssh-pubkey-data)#$8W9oUOWFIFJAzaaauqmMQhwxFbsc6vL+OdctHc9Ndgy
Switch(conf-ssh-pubkey-data)#$HWmkfuUnC+Ci/S83BaFOyOKxn4ymEVA3mJCcA1t
# After entering the key, exit; that completes the entry
Switch(conf-ssh-pubkey-data)#exit
Switch(conf-ssh-pubkey-user)#exit
Switch(conf-ssh-pubkey)#exit

Login test

SSH from the linux host to the Cisco switch

# After login, the output shows "Permanently added '<host>' (RSA) to the list of known hosts"
[root@docker01 ~]# ssh linux@192.168.100.100
The authenticity of host '192.168.100.100 (192.168.100.100)' can't be established.
RSA key fingerprint is SHA256:1DfhYAi7UO9ZocSjUhqnF6zCSYrAhXKrSI21J9+b+HE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.100.100' (RSA) to the list of known hosts.
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
Switch#en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#
# As a privilege-15 account, it can enter configuration mode and make changes

3. Cisco Nexus

Basic configuration

# Check the version: this is Nexus OS 9.3(8)
switch# show version
Cisco Nexus Operating System (NX-OS) Software
Software
  BIOS: version
  NXOS: version 9.3(8)
  BIOS compile time:
  NXOS image file is: bootflash:///nxos.9.3.8.bin
  NXOS compile time:  8/4/2021 13:00:00 [08/04/2021 22:25:26]
# Configure the device name
switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# hostn NXOS
NXOS(config)#
# Set the IP address of SVI 1
NXOS(config-if)# ip add 192.168.100.101/24
NXOS(config-if)# do show ip int bri
IP Interface Status for VRF "default"(1)
Interface            IP Address      Interface Status
Vlan1                192.168.100.101 protocol-up/link-up/admin-up
# Ping test
NXOS# ping 192.168.100.141
PING 192.168.100.141 (192.168.100.141): 56 data bytes
64 bytes from 192.168.100.141: icmp_seq=0 ttl=63 time=9.11 ms
64 bytes from 192.168.100.141: icmp_seq=1 ttl=63 time=8.318 ms
64 bytes from 192.168.100.141: icmp_seq=2 ttl=63 time=19.181 ms
64 bytes from 192.168.100.141: icmp_seq=3 ttl=63 time=7.7 ms
64 bytes from 192.168.100.141: icmp_seq=4 ttl=63 time=5.08 ms
--- 192.168.100.141 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 5.08/9.877/19.181 ms

Storing the key

# Generate the key pair and enable SSH
NXOS(config)# ssh key rsa
NXOS(config)# feature ssh
# Show the SSH server key
NXOS(config)# show ssh key
**************************************
rsa Keys generated:Wed Aug 14 02:22:31 2024
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC2ag54FDSbAT3Z3uVxHJ5LVEIedz6ximnx1lJr2gC6
r96XcUw2l+3vx704V6nMiFrdjsuMuP+k9cVmuHvdUy09/Q6pPiUD8I0/t+SdMz+PANoAsURLa06J/Gqo
v6RJVPtqKum1DsMR91d8UYXrNFKq62SvCDaNa486bAd8+/qMRw==
bitcount:1024
fingerprint:
SHA256:RGZdz0/waQniT3HN+S+5haHBVst0N7DPHTc1WLadUyc
**************************************
could not retrieve dsa key information
**************************************
could not retrieve ecdsa key information
**************************************
# Create a user whose login method is public key, supplying the linux host's public key
# It is entered as a single line, so just cat the linux public key and copy it directly; do not split it into lines
NXOS(config)# username linux sshkey ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoVHfQEHOq50u7kl5ukfPwwoYnRHGCaYEHht4Fy8O3pGM3hk9GyT/IsBBquiBR1cxPjvZFlIGUd9gc2v4Xk8JHPIsHf3IaS/5lhL257N4CZcL+aZh/PWCaY3DSmZqJ3ywFlX1YLUDlUvelcG2fmc/p0brMLCxawgePkzl/MQq++aiEW/cqfXHR134InlV9nhBYyADGQff7Mmg6ysq+EK+KBMqGh6dSquXo3i8PnQSI0RwIf8W9oUOWFIFJAzaaauqmMQhwxFbsc6vL+OdctHc9Ndgyz04O5bmoI7qT0Tgh1yuynHWmkfuUnC+Ci/S83BaFOyOKxn4ymEVA3mJCcA1t

Login test

SSH from the linux host to the Cisco switch

# Use the user just created to ssh from linux into the Cisco switch
# After login, the output shows "Permanently added '<host>' (RSA) to the list of known hosts"
[root@docker01 ~]# ssh linux@192.168.100.101
The authenticity of host '192.168.100.101 (192.168.100.101)' can't be established.
RSA key fingerprint is SHA256:RGZdz0/waQniT3HN+S+5haHBVst0N7DPHTc1WLadUyc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.100.101' (RSA) to the list of known hosts.
User Access Verification
Cisco NX-OS Software
Copyright (c) 2002-2021, Cisco Systems, Inc. All rights reserved.
Nexus 9000v software ("Nexus 9000v Software") and related documentation,
files or other reference materials ("Documentation") are
the proprietary property and confidential information of Cisco
Systems, Inc. ("Cisco") and are protected, without limitation,
pursuant to United States and International copyright and trademark
laws in the applicable jurisdiction which provide civil and criminal
penalties for copying or distribution without Cisco's authorization.
Any use or disclosure, in whole or in part, of the Nexus 9000v Software
or Documentation to any third party for any purposes is expressly
prohibited except as otherwise authorized by Cisco in writing.
The copyrights to certain works contained herein are owned by other
third parties and are used and distributed under license. Some parts
of this software may be covered under the GNU Public License or the
GNU Lesser General Public License. A copy of each such license is
available at
http://www.gnu.org/licenses/gpl.html and
http://www.gnu.org/licenses/lgpl.html
***************************************************************************
*  Nexus 9000v is strictly limited to use for evaluation, demonstration   *
*  and NX-OS education. Any use or disclosure, in whole or in part of     *
*  the Nexus 9000v Software or Documentation to any third party for any   *
*  purposes is expressly prohibited except as otherwise authorized by     *
*  Cisco in writing.                                                      *
***************************************************************************
NXOS# conf t
Enter configuration commands, one per line. End with CNTL/Z.
# No role was assigned when this user was created, so it has no permission to enter interface configuration; set one later as needed
NXOS(config)# int mgmt0
% Permission denied for the role
NXOS(config)# vlan 2
% Permission denied for the role
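The show ssh key output in the previous step already prints the Nexus host key and its SHA256 fingerprint, and that fingerprint is the one ssh displayed on first connection (SHA256:RGZdz0/waQniT3HN+S+5haHBVst0N7DPHTc1WLadUyc). An automation job cannot answer the yes/no prompt, and answering yes blindly also leaves the first connection unverified. As an added example that is not part of the original post, the POSIX shell script below parses the show ssh key output captured over the console, reassembles the key from its wrapped lines, computes the OpenSSH fingerprint locally so it can be compared with the console value, and prints the known_hosts entry plus the non-interactive ssh invocation. The sample output is copied from this post; the function names and the known_hosts path are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: pin the switch's SSH host key
# from `show ssh key` instead of answering "yes" at the unknown-host prompt.
# Needs only POSIX sh and coreutils (awk, base64, sha256sum, cut, tr).

# Sample input copied from the post's `show ssh key` output, with the line
# wrapping the terminal produced (the base64 is wrapped and "bitcount:" follows it directly).
SHOW_SSH_KEY_OUTPUT='**************************************
rsa Keys generated:Wed Aug 14 02:22:31 2024ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC2ag54FDSbAT3Z3uVxHJ5LVEIedz6ximnx1lJr2gC6
r96XcUw2l+3vx704V6nMiFrdjsuMuP+k9cVmuHvdUy09/Q6pPiUD8I0/t+SdMz+PANoAsURLa06J/Gqo
v6RJVPtqKum1DsMR91d8UYXrNFKq62SvCDaNa486bAd8+/qMRw==bitcount:1024
fingerprint:
SHA256:RGZdz0/waQniT3HN+S+5haHBVst0N7DPHTc1WLadUyc
**************************************'

# Pull the host key out of `show ssh key`: everything between "ssh-rsa " and
# "bitcount:", after removing the terminal's line breaks.
extract_host_key() {
    printf '%s\n' "$1" | tr -d '\n' | awk '{
        s = index($0, "ssh-rsa "); e = index($0, "bitcount:")
        if (s && e > s) print "ssh-rsa " substr($0, s + 8, e - s - 8)
    }'
}

# OpenSSH SHA256 fingerprint of a base64 key blob: base64 (no padding) of SHA-256
# over the raw blob bytes. The hex digest from sha256sum is turned into octal
# escapes so POSIX printf can emit the raw bytes again.
blob_fingerprint() {
    hex=$(printf '%s' "$1" | base64 -d | sha256sum | cut -c1-64)
    esc=$(printf '%s' "$hex" | awk '{
        h = "0123456789abcdef"
        for (i = 1; i <= length($0); i += 2)
            printf "\\%03o", (index(h, substr($0, i, 1)) - 1) * 16 + index(h, substr($0, i + 1, 1)) - 1
    }')
    printf 'SHA256:%s\n' "$(printf "$esc" | base64 | tr -d '=\n')"
}

# Fingerprint of a "<type> <base64>" line such as the one extract_host_key returns.
fingerprint() {
    blob_fingerprint "$(printf '%s\n' "$1" | awk '{print $2}')"
}

# known_hosts line for the switch: "<host> <type> <base64>".
known_hosts_entry() {
    printf '%s %s\n' "$1" "$2"
}

# The ssh command for automation: never prompt (BatchMode), refuse hosts that
# are not in the pinned file (StrictHostKeyChecking=yes), use only that file.
ssh_command() {
    printf 'ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s linux@%s\n' "$1" "$2"
}

# Stand-alone run. KNOWN_HOSTS is an assumed path; write the entry there before the first job runs.
KNOWN_HOSTS="$HOME/.ssh/known_hosts_nxos"
HOST_KEY=$(extract_host_key "$SHOW_SSH_KEY_OUTPUT")
echo "fingerprint computed from the console output: $(fingerprint "$HOST_KEY")"
echo "known_hosts entry: $(known_hosts_entry 192.168.100.101 "$HOST_KEY")"
echo "command: $(ssh_command "$KNOWN_HOSTS" 192.168.100.101)"
```

If the fingerprint this prints differs from the fingerprint line in the console output, the captured text was altered in transit and must not be pinned. Once the entry is in the pinned file, the ssh command fails instead of prompting when the switch's host key changes, which is exactly the behaviour an unattended collection job should have.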

Experiment complete.
