




For details, see my earlier note: an introduction to OpenSSH on Linux (CentOS 8)


Official documentation for reference: Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 10.5(x)


  1. Generate an RSA key pair on the server
  2. Store the server's RSA public key on the Cisco switch
  3. SSH from the server into the Cisco device to test the login

0. Lab environment


| Hostname | Platform | IP address |
|---|---|---|
| Switch | Cisco IOS | 192.168.100.100 |
| NXOS | Cisco Nexus | 192.168.100.101 |

1. Linux


```
# Check the IP address
[root@linux ~]# ip a s ens33 | awk 'NR==4 {print $2}'

# Generate a 2048-bit key
# Switch software may cap the RSA key length depending on the version; 2048 is a very safe length
[root@linux ~]# ssh-keygen -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
SHA256:WwIJVzyTw89Rsp2JVfUbUwjRr0g+LCUqXoXPT4NMC14 root@docker01
The key's randomart image is:
+---[RSA 2048]----+
|    . .+....==.oo|
|     o .B .* oo o|
|      o  Bo.+  +.|
|       .o E o   =|
|       .SX.O . o |
|      . ++B B .  |
|     . o.  + o   |
|      .     .    |
|                 |
+----[SHA256]-----+

# Print the public key and save it for later
# Wrap it at 64 characters per line: Cisco IOS limits the line length when a public key is entered,
# so it has to be typed in over several lines, and wrapping it in advance makes that easier
# Only the part from "ssh-rsa" up to the space before the hostname needs to be kept
[root@linux ~]# fold -w 64 ~/.ssh/
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoVHfQEHOq50u7kl5ukfPwwoYn
RHGCaYEHht4Fy8O3pGM3hk9GyT/IsBBquiBR1cxPjvZFlIGUd9gc2v4Xk8JHPIsH
f3IaS/5lhL257N4CZcL+aZh/PWCaY3DSmZqJ3ywFlX1YLUDlUvelcG2fmc/p0brM
LCxawgePkzl/MQq++aiEW/cqfXHR134InlV9nhBYyADGQff7Mmg6ysq+EK+KBMqG
h6dSquXo3i8PnQSI0RwIf8W9oUOWFIFJAzaaauqmMQhwxFbsc6vL+OdctHc9Ndgy
z04O5bmoI7qT0Tgh1yuynHWmkfuUnC+Ci/S83BaFOyOKxn4ymEVA3mJCcA1t roo
t@linux
```
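The preparation steps above (drop the comment, wrap at 64 columns for IOS, keep a single line for NX-OS) are easy to script, and it is worth confirming the key type and modulus size before pasting a key into a switch. The script below is an added example and not part of the original post: it takes the public key printed above as its sample input, plus the 1024-bit RSA host key that the NX-OS `show ssh key` output later on this page prints, reused here as a constructed example of a key that fails the check, and reads the modulus size from the SSH wire format inside the base64 blob with standard POSIX tools, so it runs without ssh-keygen.

```shell
#!/bin/sh
# Added example (not from the original post): prepare an OpenSSH RSA public
# key for entry into Cisco IOS and NX-OS and check its modulus size first.
# Needs only sh, awk, fold, base64 and od; ssh-keygen is not required.

# Sample input: the public key printed by `fold -w 64` above, joined back into
# the single line that the .pub file holds (type, base64 blob, comment).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoVHfQEHOq50u7kl5ukfPwwoYnRHGCaYEHht4Fy8O3pGM3hk9GyT/IsBBquiBR1cxPjvZFlIGUd9gc2v4Xk8JHPIsHf3IaS/5lhL257N4CZcL+aZh/PWCaY3DSmZqJ3ywFlX1YLUDlUvelcG2fmc/p0brMLCxawgePkzl/MQq++aiEW/cqfXHR134InlV9nhBYyADGQff7Mmg6ysq+EK+KBMqGh6dSquXo3i8PnQSI0RwIf8W9oUOWFIFJAzaaauqmMQhwxFbsc6vL+OdctHc9Ndgyz04O5bmoI7qT0Tgh1yuynHWmkfuUnC+Ci/S83BaFOyOKxn4ymEVA3mJCcA1t root@linux'

# Constructed counter-example: the 1024-bit host key from the NX-OS
# `show ssh key` output on this page, given a made-up comment.
WEAK_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC2ag54FDSbAT3Z3uVxHJ5LVEIedz6ximnx1lJr2gC6r96XcUw2l+3vx704V6nMiFrdjsuMuP+k9cVmuHvdUy09/Q6pPiUD8I0/t+SdMz+PANoAsURLa06J/Gqov6RJVPtqKum1DsMR91d8UYXrNFKq62SvCDaNa486bAd8+/qMRw== nxos-host-key'

# Keep only "<type> <base64>": the comment is never sent to the switch.
strip_comment() {
    printf '%s\n' "$1" | awk '{ print $1 " " $2 }'
}

# Cisco IOS key-string mode limits the line length, so wrap at 64 columns,
# one line per entry under ip ssh pubkey-chain.
ios_key_lines() {
    strip_comment "$1" | fold -w 64
}

# NX-OS "username <name> sshkey ..." takes the whole key on a single line.
nxos_key_line() {
    strip_comment "$1"
}

# Key type is the first field of the .pub line.
key_type() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# Modulus size in bits, read from the SSH wire format inside the base64 blob:
#   uint32 len + "ssh-rsa" | uint32 len + e | uint32 len + n
# The mpint n carries a leading 0x00 when its top bit is set; it does not count.
key_bits() {
    printf '%s\n' "$1" | awk '{ print $2 }' | base64 -d | od -An -v -tu1 | awk '
        { for (i = 1; i <= NF; i++) b[n++] = $i }
        END {
            p = 0
            for (f = 0; f < 3; f++) {
                len = b[p] * 16777216 + b[p+1] * 65536 + b[p+2] * 256 + b[p+3]
                p += 4
                if (f < 2) { p += len; continue }   # skip the type string and e
                if (b[p] == 0) { p++; len-- }       # drop the sign byte of n
                top = b[p]; bits = 0
                while (top > 0) { bits++; top = int(top / 2) }
                print (len - 1) * 8 + bits
            }
        }'
}

# Accept only RSA keys of at least 2048 bits, the size the post recommends.
key_is_acceptable() {
    [ "$(key_type "$1")" = "ssh-rsa" ] && [ "$(key_bits "$1")" -ge 2048 ]
}

# Run directly: show the check on both samples and the lines to paste.
for key in "$SAMPLE_PUBKEY" "$WEAK_PUBKEY"; do
    if key_is_acceptable "$key"; then
        echo "ok: $(key_type "$key") $(key_bits "$key") bits"
    else
        echo "rejected: $(key_type "$key") $(key_bits "$key") bits"
    fi
done
echo "--- Cisco IOS (ip ssh pubkey-chain, one key-string line each) ---"
ios_key_lines "$SAMPLE_PUBKEY"
echo "--- NX-OS (username linux sshkey ...) ---"
nxos_key_line "$SAMPLE_PUBKEY"
```

The IOS lines are what gets pasted one at a time at the `key-string` prompt, and the single NX-OS line follows `username linux sshkey`. The same type and size check is worth applying to any key another administrator hands you before it goes into the pubkey-chain, since the switch CLI will accept a short key as readily as a long one.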

2. Cisco IOS


```
# Check the version
Switch#show version
Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Experimental Version 15.2(20200924:215240) [sweickge-sep24-2020-l2iol-release 135]

# Change the hostname
test>en
test#configure terminal
test(config)#hostname Switch

# Set the IP address of SVI 1
Switch(config-if)#int vlan 1
Switch(config-if)#ip add

# Ping test
Switch#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/4/5 ms
```


```
# All of the following is entered in configuration mode

# Set a domain name; SSH and RSA cannot be enabled without one
Switch(config)#ip domain-name test

# Generate the RSA key pair used to bring up SSH
Switch(config)#crypto key generate rsa
% You already have RSA keys defined named Switch.test.
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)

# Enable SSH version 2
Switch(config)#ip ssh version 2

# Allow SSH login on the VTY lines
Switch(config)#line vty 0 4
Switch(config-line)#transport input ssh
Switch(config-line)#login local
Switch(config-line)#exit

# Create the account linux with no password
Switch(config)#username linux privilege 15

# Import the Linux host's public key
Switch(config)#ip ssh pubkey-chain
Switch(conf-ssh-pubkey)#username linux
Switch(conf-ssh-pubkey-user)#key-string
# Enter the key below by pasting the lines recorded earlier
# (the leading $ is the CLI showing a line that has scrolled; the full 64-character lines were entered)
Switch(conf-ssh-pubkey-data)#$2EAAAADAQABAAABAQCoVHfQEHOq50u7kl5ukfPwwoYn
Switch(conf-ssh-pubkey-data)#$k9GyT/IsBBquiBR1cxPjvZFlIGUd9gc2v4Xk8JHPIsH
Switch(conf-ssh-pubkey-data)#$Zh/PWCaY3DSmZqJ3ywFlX1YLUDlUvelcG2fmc/p0brM
Switch(conf-ssh-pubkey-data)#$/cqfXHR134InlV9nhBYyADGQff7Mmg6ysq+EK+KBMqG
Switch(conf-ssh-pubkey-data)#$8W9oUOWFIFJAzaaauqmMQhwxFbsc6vL+OdctHc9Ndgy
Switch(conf-ssh-pubkey-data)#$HWmkfuUnC+Ci/S83BaFOyOKxn4ymEVA3mJCcA1t
# Exit once the last line is in; that completes the entry
Switch(conf-ssh-pubkey-data)#exit
Switch(conf-ssh-pubkey-user)#exit
Switch(conf-ssh-pubkey)#exit
```


SSH from Linux into the Cisco switch

```
# After logging in, the output shows the host (RSA) being permanently added to the list of known hosts
[root@docker01 ~]# ssh linux@
The authenticity of host ' (' can't be established.
RSA key fingerprint is SHA256:1DfhYAi7UO9ZocSjUhqnF6zCSYrAhXKrSI21J9+b+HE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (RSA) to the list of known hosts.

IOSv - Cisco Systems Confidential -

Supplemental End User License Restrictions

This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.

By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at Unauthorized use or distribution of this software is expressly prohibited.

IOSv - Cisco Systems Confidential -

Supplemental End User License Restrictions

This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.

By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at Unauthorized use or distribution of this software is expressly prohibited.

Switch#en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#
# As a privilege-15 account it can enter configuration mode and make changes
```

3. Cisco Nexus


```
# Check the version: NX-OS 9.3(8)
switch# show version
Cisco Nexus Operating System (NX-OS) Software
Software
  BIOS: version
  NXOS: version 9.3(8)
  BIOS compile time:
  NXOS image file is: bootflash:///nxos.9.3.8.bin
  NXOS compile time:  8/4/2021 13:00:00 [08/04/2021 22:25:26]

# Set the hostname
switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# hostn NXOS
NXOS(config)#

# Set the IP address of SVI 1
NXOS(config-if)# ip add
NXOS(config-if)# do show ip int bri

IP Interface Status for VRF "default"(1)
Interface            IP Address      Interface Status
Vlan1       protocol-up/link-up/admin-up

# Ping test
NXOS# ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=63 time=9.11 ms
64 bytes from icmp_seq=1 ttl=63 time=8.318 ms
64 bytes from icmp_seq=2 ttl=63 time=19.181 ms
64 bytes from icmp_seq=3 ttl=63 time=7.7 ms
64 bytes from icmp_seq=4 ttl=63 time=5.08 ms

--- ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 5.08/9.877/19.181 ms
```


```
# Generate the key and enable SSH
NXOS(config)# ssh key rsa
NXOS(config)# feature ssh

# Show the SSH server key
NXOS(config)# show ssh key
**************************************
rsa Keys generated:Wed Aug 14 02:22:31 2024

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC2ag54FDSbAT3Z3uVxHJ5LVEIedz6ximnx1lJr2gC6
r96XcUw2l+3vx704V6nMiFrdjsuMuP+k9cVmuHvdUy09/Q6pPiUD8I0/t+SdMz+PANoAsURLa06J/Gqo
v6RJVPtqKum1DsMR91d8UYXrNFKq62SvCDaNa486bAd8+/qMRw==

bitcount:1024
fingerprint:
SHA256:RGZdz0/waQniT3HN+S+5haHBVst0N7DPHTc1WLadUyc
**************************************
could not retrieve dsa key information
**************************************
could not retrieve ecdsa key information
**************************************

# Create a user that logs in with a public key, and enter the Linux host's public key
# It is entered as a single line, so just cat the Linux public key and paste it; do not break the line
NXOS(config)# username linux sshkey ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoVHfQEHOq50u7kl5ukfPwwoYnRHGCaYEHht4Fy8O3pGM3hk9GyT/IsBBquiBR1cxPjvZFlIGUd9gc2v4Xk8JHPIsHf3IaS/5lhL257N4CZcL+aZh/PWCaY3DSmZqJ3ywFlX1YLUDlUvelcG2fmc/p0brMLCxawgePkzl/MQq++aiEW/cqfXHR134InlV9nhBYyADGQff7Mmg6ysq+EK+KBMqGh6dSquXo3i8PnQSI0RwIf8W9oUOWFIFJAzaaauqmMQhwxFbsc6vL+OdctHc9Ndgyz04O5bmoI7qT0Tgh1yuynHWmkfuUnC+Ci/S83BaFOyOKxn4ymEVA3mJCcA1t
```


SSH from Linux into the Cisco switch

```
# SSH from Linux into the Cisco switch as the user created above
# After logging in, the output shows the host (RSA) being permanently added to the list of known hosts
[root@docker01 ~]# ssh linux@
The authenticity of host ' (' can't be established.
RSA key fingerprint is SHA256:RGZdz0/waQniT3HN+S+5haHBVst0N7DPHTc1WLadUyc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
User Access Verification

Cisco NX-OS Software
Copyright (c) 2002-2021, Cisco Systems, Inc. All rights reserved.
Nexus 9000v software ("Nexus 9000v Software") and related documentation, files or other reference materials ("Documentation") are the proprietary property and confidential information of Cisco Systems, Inc. ("Cisco") and are protected, without limitation, pursuant to United States and International copyright and trademark laws in the applicable jurisdiction which provide civil and criminal penalties for copying or distribution without Cisco's authorization.

Any use or disclosure, in whole or in part, of the Nexus 9000v Software or Documentation to any third party for any purposes is expressly prohibited except as otherwise authorized by Cisco in writing. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software may be covered under the GNU Public License or the GNU Lesser General Public License. A copy of each such license is available at and
***************************************************************************
*  Nexus 9000v is strictly limited to use for evaluation, demonstration   *
*  and NX-OS education. Any use or disclosure, in whole or in part of     *
*  the Nexus 9000v Software or Documentation to any third party for any   *
*  purposes is expressly prohibited except as otherwise authorized by     *
*  Cisco in writing.                                                      *
***************************************************************************
NXOS# conf t
Enter configuration commands, one per line. End with CNTL/Z.
# No role was assigned when the user was created, so it has no permission to enter interface configuration; assign one later as needed
NXOS(config)# int mgmt0
% Permission denied for the role
NXOS(config)# vlan 2
% Permission denied for the role
```
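The first-connection prompt above shows `SHA256:RGZdz0/waQniT3HN+S+5haHBVst0N7DPHTc1WLadUyc`, which is the fingerprint that `show ssh key` printed on the Nexus console in the previous step. Checking that the two agree before answering `yes` is what rules out a host impersonating the switch on the first connection, and pinning the key in `known_hosts` beforehand removes the prompt altogether. The script below is an added example and not part of the original post: it takes the `show ssh key` output from this page as constructed input, recomputes the fingerprint from the key blob, compares it with the value the switch reported and the value the client showed, flags the short modulus (the Nexus generated a 1024-bit key because `ssh key rsa` was given no length argument; NX-OS accepts a bit length on that command), and emits a `known_hosts` line for the Nexus lab address 192.168.100.101 from the environment table.

```shell
#!/bin/sh
# Added example (not from the original post): verify an NX-OS host key out of
# band. Recomputes the SHA256 fingerprint from the key printed by `show ssh key`,
# compares it with the fingerprint the SSH client displayed on first connection,
# flags a short modulus, and emits a known_hosts line for the lab address.
# Needs only sh, awk, base64 and sha256sum.

# Constructed sample: the rsa section of the `show ssh key` output on this page.
SHOW_SSH_KEY='**************************************
rsa Keys generated:Wed Aug 14 02:22:31 2024

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC2ag54FDSbAT3Z3uVxHJ5LVEIedz6ximnx1lJr2gC6
r96XcUw2l+3vx704V6nMiFrdjsuMuP+k9cVmuHvdUy09/Q6pPiUD8I0/t+SdMz+PANoAsURLa06J/Gqo
v6RJVPtqKum1DsMR91d8UYXrNFKq62SvCDaNa486bAd8+/qMRw==

bitcount:1024
fingerprint:
SHA256:RGZdz0/waQniT3HN+S+5haHBVst0N7DPHTc1WLadUyc
**************************************'

# Fingerprint the ssh client printed at "The authenticity of host ... can't be established".
CLIENT_SHOWN_FP='SHA256:RGZdz0/waQniT3HN+S+5haHBVst0N7DPHTc1WLadUyc'

# Lab address of the Nexus, taken from the environment table on this page.
NXOS_HOST='192.168.100.101'

# Join the wrapped key lines that follow "ssh-rsa" into one base64 blob.
host_key_blob() {
    printf '%s\n' "$1" | awk '
        /^ssh-rsa / { blob = $2; collecting = 1; next }
        collecting && NF == 0 { collecting = 0 }
        collecting { blob = blob $1 }
        END { print blob }'
}

# The bitcount: and SHA256: values as the switch reports them.
reported_bitcount() { printf '%s\n' "$1" | awk -F: '/^bitcount:/ { print $2 }'; }
reported_fingerprint() { printf '%s\n' "$1" | awk '/^SHA256:/ { print $1 }'; }

# Turn a hex digest into raw bytes with printf octal escapes (portable, no xxd).
hex_to_bin() {
    printf "$(printf '%s' "$1" | awk '{
        h = "0123456789abcdef"
        for (i = 1; i < length($0); i += 2)
            printf "\\%03o", (index(h, substr($0, i, 1)) - 1) * 16 + index(h, substr($0, i + 1, 1)) - 1
    }')"
}

# OpenSSH-style fingerprint: "SHA256:" + unpadded base64 of sha256(decoded blob).
computed_fingerprint() {
    hex=$(printf '%s' "$1" | base64 -d | sha256sum | awk '{ print $1 }')
    printf 'SHA256:%s\n' "$(hex_to_bin "$hex" | base64 | tr -d '=\n')"
}

# Line that pins the key in ~/.ssh/known_hosts before the first connection.
known_hosts_line() {
    printf '%s ssh-rsa %s\n' "$1" "$2"
}

# Verdict: MATCH only if the recomputed, the reported and the client-shown
# fingerprints all agree; WEAK is appended when the modulus is below 2048 bits.
host_key_verdict() {
    blob=$(host_key_blob "$1")
    fp=$(computed_fingerprint "$blob")
    verdict=MISMATCH
    if [ "$fp" = "$(reported_fingerprint "$1")" ] && [ "$fp" = "$2" ]; then
        verdict=MATCH
    fi
    if [ "$(reported_bitcount "$1")" -lt 2048 ]; then
        verdict="$verdict WEAK"
    fi
    printf '%s\n' "$verdict"
}

# Run directly: print the verdict and the known_hosts line to append.
echo "verdict: $(host_key_verdict "$SHOW_SSH_KEY" "$CLIENT_SHOWN_FP")"
known_hosts_line "$NXOS_HOST" "$(host_key_blob "$SHOW_SSH_KEY")"
```

Appending the printed line to `~/.ssh/known_hosts` on the Linux host makes the `Are you sure you want to continue connecting` prompt disappear for that address, and a later `REMOTE HOST IDENTIFICATION HAS CHANGED` warning then means the switch key was regenerated or the connection is reaching a different host. A MISMATCH verdict means the key the client saw is not the one the switch console reported, and the login should not be continued; the WEAK flag on this lab key is the cue to regenerate the host key with a 2048-bit modulus and re-pin it.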


