How to set up public key authentication and SSH into a Cisco ASA

Public key authentication adds an extra layer of security when connecting to your ASA over SSH with PuTTY.

The first thing we need to do is create a public/private key pair. There are many ways to do this; using puttygen.exe, which is included in the PuTTY download, is one of the simplest.

Generating a public/private key pair

After downloading and installing PuTTY, start puttygen.exe from the Start menu (in Windows 10 you can simply search for puttygen.exe). In the PuTTYgen window, select RSA and enter 2048 as the number of bits; this is the default value. Click the ‘Generate’ button and move your mouse around the blank area until the progress bar fills up. Once it does, PuTTYgen generates the public/private key pair. It is best to protect the private key with a key passphrase (password). Then click ‘Save private key’ to save the private key and ‘Save public key’ to save the public key.

Setting up ASA user to use public key authentication

For starters, it’s best to set up a new user dedicated to public key authentication. SSH into the ASA and run the following command:
username <user> [nopassword] [privilege <priv-lvl>]
Then run the following commands to assign the public key to the user:
username <user> attributes
ssh authentication publickey <key> [hashed]

So setting up a new user named FOO looks like this:
conf t
username FOO nopassword privilege 15
username FOO attributes
ssh authentication publickey ………
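As an added example (not part of the original post, which pastes the key from PuTTYgen by hand), the following Python script takes an OpenSSH-format public key line, such as the one PuTTYgen shows in its ‘Public key for pasting into OpenSSH authorized_keys file’ box, decodes the SSH wire format to confirm it really is an RSA key of at least 2048 bits, and prints the three ASA commands from above. It assumes the ‘publickey’ form of the command accepts the Base64 part of the key (the text between ‘ssh-rsa’ and the comment); the sample key is constructed inside the script and is not a real key.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # the post recommends 2048-bit RSA keys


def _read_ssh_string(blob, offset):
    """Read one length-prefixed SSH wire-format string starting at offset."""
    if offset + 4 > len(blob):
        raise ValueError("truncated SSH wire string length")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH wire string body")
    return blob[start:end], end


def parse_openssh_rsa_public_key(line):
    """Parse an 'ssh-rsa <base64> [comment]' line; return (base64, modulus bits)."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64> [comment]' line")
    b64 = parts[1]
    blob = base64.b64decode(b64, validate=True)
    key_type, off = _read_ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob is not ssh-rsa")
    _exponent, off = _read_ssh_string(blob, off)   # mpint e
    modulus, off = _read_ssh_string(blob, off)     # mpint n
    if off != len(blob):
        raise ValueError("trailing data after the RSA public key")
    return b64, int.from_bytes(modulus, "big").bit_length()


def asa_publickey_commands(username, pubkey_line, privilege=15):
    """Return the ASA configuration lines from the post for this user and key."""
    b64, bits = parse_openssh_rsa_public_key(pubkey_line)
    if bits < MIN_RSA_BITS:
        raise ValueError(f"RSA key is only {bits} bits; {MIN_RSA_BITS} or more required")
    return [
        f"username {username} nopassword privilege {privilege}",
        f"username {username} attributes",
        f"ssh authentication publickey {b64}",
    ]


# --- constructed sample input (not a real key) so the script runs offline ---
def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:            # leading zero keeps the mpint positive
        raw = b"\x00" + raw
    return raw


def build_sample_rsa_line(bits, comment="constructed-sample"):
    """Build a syntactically valid ssh-rsa line around a fake modulus of the given size."""
    fake_modulus = (1 << (bits - 1)) | 1   # NOT a real RSA modulus, parser exercise only
    blob = (_ssh_string(b"ssh-rsa")
            + _ssh_string(_ssh_mpint(65537))
            + _ssh_string(_ssh_mpint(fake_modulus)))
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


if __name__ == "__main__":
    for cmd in asa_publickey_commands("FOO", build_sample_rsa_line(2048)):
        print(cmd)
    try:
        asa_publickey_commands("FOO", build_sample_rsa_line(1024))
    except ValueError as err:
        print("rejected:", err)
```

Run it with a real id_rsa.pub line in place of the constructed sample and paste the printed commands into configuration mode; the size check stops an old 1024-bit key from being enrolled by accident.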

How to connect to the ASA using public key and Putty

Once this is done, you can connect to the ASA using the new account and the private key.
Open PuTTY and enter the hostname and port number.
Under Connection > SSH > Auth, load the private key.
Then click ‘Open’ to connect.
You will be prompted for the passphrase if you protected the key with one earlier.

It is important that you run the following command once you have confirmed that key authentication works:
no aaa authentication ssh console LOCAL
If you already had SSH set up, you most likely have the command “aaa authentication ssh console LOCAL” in your configuration. Combined with “username FOO nopassword privilege 15”, this means that a client that does not present the SSH private key is still logged in without any password: the “nopassword” keyword does not mean “SSH keys only”, it literally means a blank password. This is why you should remove that command.
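To make the risk described above checkable before it bites, here is an added Python audit script (not from the original post) that parses a constructed ASA running-config excerpt, records which users carry ‘nopassword’ and which have an SSH public key under their attributes, and reports every ‘nopassword’ user while ‘aaa authentication ssh console LOCAL’ is present. Running the same audit after the post’s fix (the aaa line removed) shows the findings disappear. The config text, user names and placeholder values are constructed for the example.

```python
import re

# Constructed sample running-config excerpt (not from a real device).
# FOO follows the post's recipe; BAR has 'nopassword' but no key at all.
SAMPLE_CONFIG = """\
!
aaa authentication ssh console LOCAL
username ADMIN password <hash-placeholder> encrypted privilege 15
username FOO nopassword privilege 15
username FOO attributes
 ssh authentication publickey <base64-placeholder> hashed
username BAR nopassword privilege 15
!
"""

AAA_SSH_LOCAL = "aaa authentication ssh console LOCAL"
USERNAME_RE = re.compile(r"username (\S+) (.*)")


def parse_asa_config(config_text):
    """Return (aaa_ssh_local_enabled, {user: {'nopassword': bool, 'publickey': bool}})."""
    aaa_ssh_local = False
    users = {}
    current = None   # user whose 'attributes' block we are inside, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line == AAA_SSH_LOCAL:
            aaa_ssh_local = True
            current = None
            continue
        m = USERNAME_RE.match(line)
        if m:
            name, rest = m.group(1), m.group(2)
            user = users.setdefault(name, {"nopassword": False, "publickey": False})
            if rest == "attributes":
                current = name
            else:
                current = None
                if rest.startswith("nopassword"):
                    user["nopassword"] = True
            continue
        # Accept the key line indented (show run) or flush-left (typed commands).
        if current is not None and line.startswith("ssh authentication publickey"):
            users[current]["publickey"] = True
            continue
        if not raw.startswith(" "):   # any other top-level command ends the block
            current = None
    return aaa_ssh_local, users


def audit_ssh_auth(config_text):
    """Flag users who, as the post explains, could log in over SSH with a blank password."""
    aaa_ssh_local, users = parse_asa_config(config_text)
    findings = []
    if aaa_ssh_local:
        for name, attrs in sorted(users.items()):
            if attrs["nopassword"]:
                how = "key-only user" if attrs["publickey"] else "user without any SSH key"
                findings.append(
                    f"{name}: 'nopassword' ({how}) together with '{AAA_SSH_LOCAL}' "
                    "allows SSH login with a blank password and no private key"
                )
    return findings


def apply_post_fix(config_text):
    """Simulate 'no aaa authentication ssh console LOCAL' by dropping that line."""
    kept = [l for l in config_text.splitlines() if l.strip() != AAA_SSH_LOCAL]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in audit_ssh_auth(SAMPLE_CONFIG):
        print("BEFORE:", finding)
    print("AFTER fix, findings:", audit_ssh_auth(apply_post_fix(SAMPLE_CONFIG)))
```

Feed it the output of ‘show running-config’ to check a real device; a finding for a user with no key at all (BAR in the sample) is worth a second look even after the aaa line is gone, since that account has neither a password nor a key to authenticate with.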
