以前,我写过如何通过启用(how you can enable SSH access to your Cisco switch)GUI界面中的设置来启用对Cisco 交换机的 SSH 访问。如果您想通过加密连接访问您的交换机CLI ,这非常好,但它仍然只依赖于用户名和密码。(CLI)
如果您在需要非常安全的高度敏感的网络中使用此交换机,那么您可能需要考虑为您的SSH连接启用公钥身份验证。实际上,为了获得最大的安全性,您可以启用用户名/密码和公钥身份验证来访问您的交换机。
在本文中,我将向您展示如何在SG300 Cisco(SG300 Cisco)交换机上启用公钥身份验证,以及如何使用 puTTYGen 生成公钥和私钥对。然后,我将向您展示如何使用新密钥登录。此外,我将向您展示如何配置它,以便您可以仅使用密钥登录或强制用户输入用户名/密码以及使用私钥。
注意:在开始学习本教程之前,请确保您已经在交换机上启用了 SSH 服务,我在上面链接的上一篇文章中提到了这一点。 (Note: Before you get started on this tutorial, make sure you have already enabled the SSH service on the switch, which I mentioned in my previous article linked above. )
通过公钥(Public Key)启用SSH 用户身份验证(SSH User Authentication)
总体而言,使公钥身份验证适用于SSH的过程很简单。在我的示例中,我将向您展示如何使用基于 Web 的GUI启用这些功能。我尝试使用CLI界面启用公钥身份验证,但它不接受我的私有RSA密钥的格式。
一旦我开始工作,我将使用CLI命令更新这篇文章,这些命令将完成我们现在通过GUI执行的操作。首先(First),单击安全性(Security),然后单击SSH 服务器( SSH Server),最后单击SSH 用户身份验证( SSH User Authentication)。
在右侧窗格中,继续并选中SSH User Authentication by Public Key 旁边的 Enable 框( Enable box next to SSH User Authentication by Public Key)。单击应用(Apply)按钮以保存更改。不要(Don)检查自动登录(Automatic login)旁边的启用(Enable)按钮,因为我将在下面进一步解释。
现在我们必须添加一个SSH用户名。在我们开始添加用户之前,我们首先必须生成一个公钥和私钥。在此示例中,我们将使用 puTTYGen,它是 puTTY 附带的一个程序。
生成私钥和公钥
要生成密钥,请先打开 puTTYGen。您将看到一个空白屏幕,并且您真的不必更改下面显示的默认设置中的任何设置。
单击“生成(Generate)”按钮,然后在空白区域周围移动鼠标,直到进度条一直穿过。
生成密钥后,您需要输入密码,这基本上就像解锁密钥的密码。
使用长密码来保护密钥免受暴力攻击是个好主意。一旦您输入了两次密码,您应该单击保存公钥(Save public key)和保存私钥(Save private key)按钮。确保这些文件保存在安全的位置,最好是在某种需要密码才能打开的加密容器中。查看我关于使用VeraCrypt 创建加密卷的(VeraCrypt to create an encrypted volume)帖子。
添加用户和密钥
现在回到我们之前的 SSH 用户身份验证( SSH User Authentication)屏幕。在这里,您可以从两个不同的选项中进行选择。首先,转到管理(Administration)-用户帐户( User Accounts)以查看您当前拥有哪些帐户用于登录。
如您所见,我有一个名为 akishore 的帐户用于访问我的交换机。目前(Currently),我可以使用此帐户访问基于 Web 的GUI和CLI。返回(Back)SSH 用户身份验证(SSH User Authentication)页面,您需要添加到SSH 用户身份验证表(通过公钥)(SSH User Authentication Table (by Public Key))的 用户可以与您在管理 - 用户帐户(Administration – User Accounts)下的用户相同,也可以不同。
如果您选择相同的用户名,则可以选中自动登录下的(Automatic Login)启用(Enable)按钮,当您登录交换机时,您只需输入私钥的用户名和密码即可登录.
如果您决定在这里选择不同的用户名,那么您将收到一个提示,您必须在其中输入SSH私钥用户名和密码,然后您必须输入您的正常用户名和密码(在Admin – User Accounts下列出) . 如果您想要额外的安全性,请使用不同的用户名,否则只需将其命名为与当前用户名相同。
单击(Click)添加(Add)按钮,您将弹出添加SSH 用户窗口。(Add SSH User)
确保将密钥类型(Key Type)设置为RSA,然后继续打开您之前使用记事本(Notepad)之类的程序保存的公共SSH密钥文件。复制全部内容并将其粘贴到公钥(Public Key)窗口中。如果您在顶部收到成功(Success)消息,请单击应用(Apply),然后单击关闭。(Close)
使用私钥登录
现在我们要做的就是使用我们的私钥和密码登录。此时,当您尝试登录时,您需要输入两次登录凭据:一次用于私钥,一次用于普通用户帐户。一旦我们启用自动登录,您只需输入私钥的用户名和密码即可进入。
打开 puTTY 并像往常一样在主机名框中输入交换机的 IP 地址。( Host Name)但是,这一次,我们还需要将私钥加载到 puTTY 中。为此,请展开Connection,然后展开SSH,然后单击Auth。
单击“用于身份验证的私钥文件”下的“(Private key file for authentication)浏览(Browse)”按钮,然后选择您之前从 puTTY 中保存的私钥文件。现在单击“打开(Open)”按钮进行连接。
第一个提示将是login as,这应该是您在SSH用户下添加的用户名。如果您使用与主用户帐户相同的用户名,则没关系。
就我而言,我对两个用户帐户都使用了 akishore,但我为私钥和我的主用户帐户使用了不同的密码。如果您愿意,您也可以使密码相同,但实际上这样做没有任何意义,尤其是在您启用自动登录的情况下。
现在,如果您不想双重登录才能进入交换机,请选中SSH 用户身份验证(SSH User Authentication)页面上自动登录( Automatic login)旁边的启用框。(Enable)
启用此功能后,您现在只需输入SSH用户的凭据即可登录。
这有点复杂,但一旦你玩弄它就有意义了。就像我之前提到的,一旦我能够以正确的格式获取私钥,我也会写出CLI命令。(CLI)按照此处的说明,通过SSH(SSH)访问您的交换机现在应该更加安全。如果您遇到问题或有疑问,请在评论中发表。享受!
Enable Public Key Authentication for SSH on Cisco SG300 Switches
Preνiously, I wrote аboυt how you can enable SSH access to your Cisco switch by enabling the setting in the GUI interface. This is great if you want to access your switch CLI over an encrypted connection, but it still relies on just a username and password.
If you are using this switch in a highly sensitive network that needs to be very secure, then you might want to consider enabling public key authentication for your SSH connection. Actually, for maximum security, you can enable a username/password and public key authentication for access to your switch.
In this article, I’ll show you how to enable public key authentication on an SG300 Cisco switch and how to generate the public and private key pairs using puTTYGen. I’ll then show you how to login using the new keys. In addition, I’ll show you how to configure it so that you can either use just the key to login or force the user to type in a username/password along with using the private key.
Note: Before you get started on this tutorial, make sure you have already enabled the SSH service on the switch, which I mentioned in my previous article linked above.
Enable SSH User Authentication by Public Key
Overall, the process for getting public key authentication to work for SSH is straightforward. In my example, I’ll show you how to enable the features using the web-based GUI. I tried to use the CLI interface to enable public key authentication, but it would not accept the format for my private RSA key.
Once I get that working, I’ll update this post with the CLI commands that will accomplish what we will do through the GUI for now. First, click on Security, then SSH Server and finally SSH User Authentication.
In the right-hand pane, go ahead and check the Enable box next to SSH User Authentication by Public Key. Click the Apply button to save the changes. Don’t check the Enable button next to Automatic login just yet as I’ll explain that further down.
Now we have to add a SSH user name. Before we get into adding the user, we first have to generate a public and private key. In this example, we’ll be using puTTYGen, which is a program that comes with puTTY.
Generate Private and Public Keys
To generate the keys, go ahead and open puTTYGen first. You’ll see a blank screen and you really shouldn’t have to change any of the settings from the defaults shown below.
Click on the Generate button and then move your mouse around the blank area until the progress bar go all the way across.
Once the keys have been generated, you need to type in a passphrase, which is basically like a password to unlock the key.
It’s a good idea to use a long passphrase to protect the key from brute-force attacks. Once you have typed in the passphrase twice, you should click the Save public key and Save private key buttons. Make sure these files are saved in a secure location, preferably in an encrypted container of some sort that requires a password to open. Check out my post on using VeraCrypt to create an encrypted volume.
Add User & Key
Now back to the SSH User Authentication screen we were on earlier. Here’s where you can choose from two different options. Firstly, go to Administration – User Accounts to see what accounts you currently have for login.
As you can see, I have one account called akishore for accessing my switch. Currently, I can use this account to access the web-based GUI and the CLI. Back on the SSH User Authentication page, the user you need to add to the SSH User Authentication Table (by Public Key) can either be the same as what you have under Administration – User Accounts or different.
If you choose the same user name, then you can check the Enable button under Automatic Login and when you go to log into the switch, you’ll simply have to type the username and password for the private key and you’ll be logged in.
If you decide to choose a different username here, then you will get a prompt where you have to enter the SSH private key user name and password and then you’ll have to enter your normal username and password (listed under Admin – User Accounts). If you want the extra security, use a different username, otherwise just name it the same as your current one.
Click the Add button and you’ll get the Add SSH User window pop up.
Make sure the Key Type is set to RSA and then go ahead and open your public SSH key file that you saved earlier using a program like Notepad. Copy the entire contents and paste it into the Public Key window. Click Apply and then click Close if you get a Success message at the top.
Login Using Private Key
Now all we have to do is login using our private key and password. At this point, when you try to login, you’ll need to enter login credentials twice: once for the private key and once for the normal user account. Once we enable automatic login, you’ll just have to enter the username and password for the private key and you’ll be in.
Open puTTY and enter in the IP address of your switch in the Host Name box as usual. However, this time, we’ll need to load up the private key into puTTY also. To do this, expand Connection, then expand SSH and then click on Auth.
Click on the Browse button under Private key file for authentication and select the private key file you saved out of puTTY earlier. Now click the Open button to connect.
The first prompt will be login as and that should be the username you added under SSH users. If you used the same username as your main user account, then it won’t matter.
In my case, I used akishore for both user accounts, but I used different passwords for the private key and for my main user account. If you like, you can make the passwords the same too, but there’s no point in really doing that, especially if you enable automatic login.
Now if you don’t want to have to double login to get into the switch, check the Enable box next to Automatic login on the SSH User Authentication page.
When this is enabled, you’ll now just have to type in the credentials for the SSH user and you’ll be logged in.
It’s a bit complicated, but makes sense once you play around with it. Like I mentioned earlier, I’ll also write out the CLI commands once I can get the private key in the proper format. Following the instructions here, accessing your switch via SSH should be a lot more secure now. If you run into problems or have questions, post in the comments. Enjoy!