Cisco ASR-9K – Configuring SSH V2

cisco-asr

Trying to enable ssh on ASR-9K via vrf management interface.
Doesn't seem as straight forward as regular IOS or NX-OS.
Help appreciated.

RP/0/RSP0/CPU0:asr#show run
Tue Apr  4 21:54:55.407 UTC
Building configuration...
!! IOS XR Configuration 5.3.3
!! Last configuration change at Tue Apr  4 17:55:46 2017 by admin
!
hostname asr
domain name cislab.com
username su
 password 7 32221112255
!
vrf mgmt
!
line default
 transport input ssh
!
ipv4 access-list 10
 10 permit ipv4 any any
!
interface MgmtEth0/RSP0/CPU0/0
 vrf mgmt
 ipv4 address 10.7.0.38 255.255.255.0
!
interface MgmtEth0/RSP0/CPU0/1
 shutdown
!
interface GigabitEthernet0/0/0/0
 shutdown
!
interface GigabitEthernet0/0/0/1
 shutdown
!
interface TenGigE0/0/2/2
 shutdown
!
interface TenGigE0/0/2/3
 shutdown
!
router static
 vrf mgmt
  address-family ipv4 unicast
   0.0.0.0/0 10.7.0.1
  !
 !
!
ssh server vrf default
end
RP/0/RSP0/CPU0:asr#

RP/0/RSP0/CPU0:asr#show ssh sess de
Tue Apr  4 22:16:49.281 UTC
SSH version : Cisco-2.0 

id  key-exchange  pubkey  incipher  outcipher  inmac   outmac 
-------------------------------------------------------------------
Incoming Session 

Outgoing connection 
RP/0/RSP0/CPU0:asr#show log

RP/0/RSP0/CPU0:asr#show tcp br
Tue Apr  4 22:18:30.424 UTC
   PCB     VRF-ID     Recv-Q Send-Q Local Address          Foreign Address        State
0x50255d30 0x60000002      0      0  :::22                  :::0                   LISTEN
0x502554ac 0x00000000      0      0  :::22                  :::0                   LISTEN
0x50255b60 0x60000002      0      0  0.0.0.0:22             0.0.0.0:0              LISTEN
0x50195484 0x00000000      0      0  0.0.0.0:22             0.0.0.0:0              LISTEN
RP/0/RSP0/CPU0:asr#


RP/0/RSP0/CPU0:asr#show log | incl ssh
Tue Apr  4 22:18:53.668 UTC
RP/0/RSP0/CPU0:Apr  4 17:45:08.766 : SSHD_[65766]: %SECURITY-SSHD-6-INFO_GENERAL : no matching kex found: client ssh-rsa server ssh-dss 
RP/0/RSP0/CPU0:Apr  4 17:46:41.377 : SSHD_[65857]: %SECURITY-SSHD-6-INFO_GENERAL : no matching kex found: client ssh-rsa server ssh-dss 
RP/0/RSP0/CPU0:Apr  4 17:47:26.352 : SSHD_[65766]: %SECURITY-SSHD-6-INFO_GENERAL : no matching kex found: client ssh-rsa server ssh-dss 
RP/0/RSP0/CPU0:asr#

Best Answer

You configured the SSH server to be active in the default vrf:

ssh server vrf default

So changing the vrf should help:

ssh server vrf mgmt

If that doesn't help, please consider adding more information to your question like debugging results and log messages. "Doesn't seem as straight forward" doesn't explain the exact problem you're running into very well.

SSH Key Generation

ssh-keygen -b 1024 -t rsa -f myrouter_sshkey

This will generate myrouter_sshkey and myrouter_sshkey.pub. When you look into the public key file, it looks like followings:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDR/ggtknqBZ50pIAyzw0E93wfu2EsGLnft/uF6N4ov6Dsp1H7yoC5ssE+yOcrWHeDEQnD0BsNCLZPW+ye7jjYeE+CUrOINpi04PtD+zx95knpAFnREMV7w8fJ9c7/SMb2L4Jk6KlmTcqtM+lUgrxEnCD7Z1kpCUzkP+0D0N/RG2Q== foo@bar.com

We only need the second part of the public key file separated by space for base64 decoding.

'de'code SSH public key with base64.

cut -d" " -f2 myrouter_sshkey.pub | base64 -d > myrouter_sshkey.pub.b64

This generated file is binary format and can be imported to ASR router.
Note that if you're using MAC, use -D option instead.

Upload 'de'coded public key to the router.

RP/0/RSP0/CPU0:ASR9K#copy ftp:myrouter_sshkey.pub.b64 harddisk:/

I used ftp but you can use tftp or else.

import public key to a router user.

RP/0/RSP0/CPU0:ASR9K#admin
RP/0/RSP0/CPU0:ASR9K(admin)#crypto key import authentication rsa username admin

Verify key import

RP/0/RSP0/CPU0:ASR9K(admin)#sh crypto key authentication rsa all    
Key label: admin
Type     : RSA public key authentication
Size     : 1024
Imported : 18:39:54 UTC Thu Jul 03 2014
Data     :
 {{intentionally removed}}

Login test

ssh -oIdentitiesOnly=yes -i myrouter_sshkey ${myrouter}

Note that if you have more than one ssh keys, -oIdentitiesOnly=yes must be given or your connection will fail. SSH tries every keys sequentially until one of the keys is accepted or finally falls back to password authentication if applicable. SSH server may allow this multiple key trials even if the first key trial fails. Unfortunately ASR router seems not to allow this. If the first tried key fails, it disconnect the session. To explicitly specify the key you use, give -oIdentitiesOnly=yes option to ssh.

Setting up Cisco TenGig ethernet SFP on ASR 1001-x

Problem solved: Somewhere along the troubleshooting path the SFP was removed and reinserted without rebooting the router. We tried a reboot today and the interface came up successfully. I don't know if this is a documented behavior or not, but it makes sense - try a reboot if all else fails.