Cisco Email Security Appliance X1070 Technical Manual

Introduction
This document describes how to generate a private secure shell (SSH) key and use it for username
authentication when logging into the command line interface (CLI) on the Cisco Email Security Appliance
(ESA).
How to configure SSH Public Key Authentication for login to the ESA without a password
Public-key authentication (PKI) is an authentication method that relies on a generated public/private keypair.
With PKI, a special "key" is generated which has a very useful property: anyone who can read the public half
of the key is able to encrypt data which can then only be read by a person who has access to the private half of
the key. In this way, having access to the public half of a key allows you to send secret information to anyone
with the private half, and also to verify that a person does in fact have access to the private half. It is easy to
see how this technique can be used to authenticate.
As a user, you can generate a keypair and then place the public half of the key on a remote system, such as
your ESA. That remote system is then able to authenticate your user ID and allow you to log in simply by
having you demonstrate that you have access to the private half of the keypair. This is done at the protocol
level inside SSH and happens automatically.
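The proof-of-possession step described above, as an added illustration (this is not Cisco's code and not what the ESA runs internally): the appliance holds only the public half, issues a fresh random challenge for each login attempt, and accepts the login only if the answer was signed with the matching private half. Real SSH user authentication (RFC 4252) signs session-bound data rather than a bare nonce and uses a signature rather than encryption, so this is a simplified model of the exchange using only the Go standard library; key size matches the ssh-keygen step that follows.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeypair makes the user's keypair (2048-bit RSA, as in the
// ssh-keygen step of this document).
func GenerateKeypair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewChallenge is the appliance's part: a fresh random value for this login
// attempt, so that a signature captured from an earlier session is useless.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// SignChallenge is the client's part: sign the challenge with the private
// half. The ssh client does this on your behalf; the private key never
// leaves the workstation.
func SignChallenge(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyChallenge is the appliance's part: check the signature using only the
// public half stored for the user. No secret needs to be held on the server.
func VerifyChallenge(pub *rsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	priv, err := GenerateKeypair()
	if err != nil {
		panic(err)
	}
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	sig, err := SignChallenge(priv, challenge)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine private key accepted:", VerifyChallenge(&priv.PublicKey, challenge, sig))

	// A different keypair cannot answer for this user's public key.
	other, _ := GenerateKeypair()
	fmt.Println("different private key accepted:", VerifyChallenge(&other.PublicKey, challenge, sig))

	// A recorded answer does not work against the next login's challenge.
	next, _ := NewChallenge()
	fmt.Println("replayed answer accepted:", VerifyChallenge(&priv.PublicKey, next, sig))
}
```

The two negative cases at the end are the properties that matter for the ESA: a public key pasted onto the appliance cannot be used to impersonate its owner, and observing one successful login does not let anyone repeat it.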
It does, however, mean that you need to protect the privacy of the private key. On a shared system where you
do not have root, this can be accomplished by encrypting the private key with a passphrase, which functions
similarly to a password. Before SSH can read your private key in order to perform the public key
authentication, you will be asked to supply the passphrase so that the private key can be decrypted. On more
secure systems (such as a machine where you are the only user, or a machine at your home where no strangers
will have physical access) you can simplify this process either by creating an unencrypted private key (with
no passphrase) or by entering your passphrase once and then caching the key in memory for the duration of
your time at the computer. OpenSSH contains a tool called ssh-agent which simplifies this process.
ssh-keygen example for Linux/Unix
Complete the following steps to set up your Linux/Unix workstation (or server) to connect to the
ESA without a password. In this example, we will not specify a passphrase.
1) On your workstation (or server), generate a private key using the Unix command ssh-keygen:
ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/[USERID]/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/[USERID]/.ssh/id_rsa.
Your public key has been saved in /home/[USERID]/.ssh/id_rsa.pub.
The key fingerprint is:
00:11:22:77:f6:a9:1e:19:f0:ca:28:9c:ff:00:11:22 [USERID]@hostname.com
The key's randomart image is:
+--[ RSA 2048]----+
|           +... +|
|            o= o+|
|           o o ..|
|       . ..o . + |
|       . ES. o + |
|         o + . . |
|           o . . |
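What step 1 actually produces, as an added example (not Cisco's code and not part of this document): the same 2048-bit RSA keypair, the one-line id_rsa.pub form that is later pasted onto the ESA, the colon-separated MD5 fingerprint in the format the output above shows, and a bounds-checked parser for the receiving side that rejects anything other than a well-formed ssh-rsa line. The wire encoding follows RFC 4251 (string, mpint) and RFC 4253 section 6.6; only the Go standard library is used, and the comment "[USERID]@hostname.com" is the placeholder from the document.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
	"strings"
)

// GenerateKeypair matches "ssh-keygen -b 2048 -t rsa".
func GenerateKeypair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// sshString encodes a length-prefixed byte string (RFC 4251 "string").
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// sshMpint encodes a positive integer as an RFC 4251 "mpint": big-endian
// magnitude with a leading zero byte when the top bit would read as a sign.
func sshMpint(n *big.Int) []byte {
	b := n.Bytes()
	if len(b) > 0 && b[0]&0x80 != 0 {
		b = append([]byte{0}, b...)
	}
	return sshString(b)
}

// MarshalSSHRSA builds the blob that is base64-encoded in id_rsa.pub:
// string "ssh-rsa", mpint e, mpint n (RFC 4253 section 6.6).
func MarshalSSHRSA(pub *rsa.PublicKey) []byte {
	blob := sshString([]byte("ssh-rsa"))
	blob = append(blob, sshMpint(big.NewInt(int64(pub.E)))...)
	return append(blob, sshMpint(pub.N)...)
}

// PublicKeyLine renders the single line that is placed on the remote system.
func PublicKeyLine(pub *rsa.PublicKey, comment string) string {
	return "ssh-rsa " + base64.StdEncoding.EncodeToString(MarshalSSHRSA(pub)) + " " + comment
}

// MD5Fingerprint returns the colon-separated hex fingerprint of the blob, the
// format ssh-keygen printed at the time of this document. Comparing it on both
// ends confirms the key installed on the appliance is the one you generated.
func MD5Fingerprint(pub *rsa.PublicKey) string {
	sum := md5.Sum(MarshalSSHRSA(pub))
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02x", b)
	}
	return strings.Join(parts, ":")
}

// ParseSSHRSALine is the receiving side: decode a pasted key line back into an
// RSA public key, rejecting malformed or non-RSA input instead of trusting it.
func ParseSSHRSALine(line string) (*rsa.PublicKey, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 || fields[0] != "ssh-rsa" {
		return nil, fmt.Errorf("not an ssh-rsa key line")
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return nil, fmt.Errorf("bad base64: %v", err)
	}
	// next pops one length-prefixed field, bounds-checked against the blob.
	next := func() ([]byte, error) {
		if len(blob) < 4 {
			return nil, fmt.Errorf("truncated key blob")
		}
		n := binary.BigEndian.Uint32(blob)
		if uint64(n) > uint64(len(blob)-4) {
			return nil, fmt.Errorf("truncated key blob")
		}
		field := blob[4 : 4+n]
		blob = blob[4+n:]
		return field, nil
	}
	typ, err := next()
	if err != nil || string(typ) != "ssh-rsa" {
		return nil, fmt.Errorf("blob does not carry an ssh-rsa key")
	}
	eBytes, errE := next()
	nBytes, errN := next()
	if errE != nil || errN != nil {
		return nil, fmt.Errorf("truncated key blob")
	}
	e := new(big.Int).SetBytes(eBytes)
	if e.Sign() <= 0 || e.BitLen() > 31 {
		return nil, fmt.Errorf("unsupported public exponent")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nBytes), E: int(e.Int64())}, nil
}

func main() {
	priv, err := GenerateKeypair()
	if err != nil {
		panic(err)
	}
	fmt.Println(PublicKeyLine(&priv.PublicKey, "[USERID]@hostname.com"))
	fmt.Println("The key fingerprint is:", MD5Fingerprint(&priv.PublicKey))
}
```

Newer OpenSSH releases print SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub` shows the MD5 colon form used in the output above, which is the value to compare against what the appliance reports after the key is installed.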