My Journey with Ansible, Cisco IOS, and SSH Public Keys

Introduction

Ansible is a great automation and configuration tool that can be used for almost anything connected to a network. I recently started using it to manage some of my systems and I'm trying to broaden its scope of management. Something that has interested me is SDN, or Software Defined Networking. I like the concept that you can quickly expand or change the network on demand instead of manually configuring each device.

I was recently thinking about adding a couple new VLANs to the network and I figured this was the best time to start managing my switch with Ansible! What a journey this has been… Most of my Cisco experience has come from my 3750 switch I use in my server rack and therefore I don’t spend much time messing with it since it needs to work. I hit a couple hurdles on this one, some my fault, and some caused by the old hardware and OS.

Let me walk you through the setup process to create the ansibleadmin account and add the public key from my Ansible server's key pair to the switch (the private key never leaves the server). There are also some interesting configs to be made on the server to allow the SSH connection to happen (old OS issues).

Cisco Configs

On the switch we're going to make sure we have a couple of things set in place first. We're going for as secure as possible, the outdated algorithms on this old platform notwithstanding. This is probably best set up with a local console connection to the switch, but I managed to set this all up over SSH without anything breaking.
All the commands below are entered in global configuration mode: enable, then configure terminal.

  1. I set the default authentication to be local with this command, but there are other ways. With aaa new-model enabled and no login method list defined, logins on the vty lines are checked against the local user database:
    aaa new-model
  2. Set a hostname for your device:
    hostname coreswitch
  3. Set the domain name:
    ip domain-name home.domain
  4. Create the user account if you haven't already. Use secret instead of password when setting the user's password: secret stores a salted hash, while password stores it in a form that can be recovered from the config. Replace password below with a strong password of your own:
    username ansibleadmin secret password
  5. Generate an RSA key pair for the switch. IOS needs at least a 768-bit modulus before SSH version 2 can be enabled, but there is no reason to go below 2048 today. The key is named after the hostname and domain name, which is why those were set first:
    crypto key generate rsa modulus 2048
  6. Enable SSH version 2:
    ip ssh version 2
  7. Set some limits on SSH logins: the time-out (in seconds) bounds how long the negotiation phase may take, and authentication-retries caps failed attempts per connection:
    ip ssh time-out 60
    ip ssh authentication-retries 2
  8. Configure the vty lines to accept SSH only, so telnet is refused. Check show line for the full vty range on your platform (the 3750 has vty 0 through 15) and apply this to all of them, or the remaining lines may still accept telnet:
    line vty 0 4
    transport input ssh
  9. If you haven't already, generate an RSA key pair on the host you will be connecting from. It's the same command on Linux and in PowerShell (Windows OpenSSH). The switch's pubkey-chain only understands RSA keys, and newer OpenSSH releases default to ed25519 when no type is given, so add -t rsa if your ssh-keygen is recent:
    ssh-keygen -b 2048
  10. There's a limit to the number of characters per line you can paste into the console when adding public keys on a Cisco device, so here's a tip for Linux or Mac users that splits the key into lines of 100 characters:
    fold -b -w100 ~/.ssh/id_rsa.pub
  11. Enter the public key chain configuration mode on the switch:
    ip ssh pubkey-chain
  12. Set the username and enter key-string mode:
    username ansibleadmin
    key-string
    Paste the lines of the key's base64 body, pressing Enter after each one. Cisco's own examples paste only the base64 portion, not the leading ssh-rsa type and not the trailing comment. Type exit once to leave key-string mode and then exit until you're out of configuration mode. IOS stores the key as a hash: show running-config shows a key-hash ssh-rsa line under the pubkey-chain whose value is the MD5 fingerprint of the key (ssh-keygen -E md5 -lf ~/.ssh/id_rsa.pub, without the colons), so compare the two before you rely on the login, and save the config with write memory.
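Putting the switch-side steps together, here is an added example of mine, not code from the original post or from Cisco. It turns one line of id_rsa.pub into the pubkey-chain configuration, refuses anything but an RSA key of at least 2048 bits, folds the base64 body to the 100-column width used above, and computes the MD5 key hash that IOS stores as key-hash ssh-rsa so the paste can be checked against show running-config. The username, the fold width and the sample key built by make_sample_pubkey() (a fabricated key of the right shape, not a usable key pair) are assumptions for illustration.

```python
"""Added example (not from the original post or from Cisco): build the
'ip ssh pubkey-chain' configuration for one user from an OpenSSH public key
line, folding the base64 body to fit the IOS CLI, and compute the MD5 key hash
that IOS stores as 'key-hash ssh-rsa <hex>' so the paste can be verified.
The username, the 100-column fold width and the sample key built by
make_sample_pubkey() (a fabricated key of the right shape, NOT a usable key
pair) are assumptions for illustration."""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """SSH mpint (RFC 4251 section 5): two's-complement big-endian, as a string."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # leading zero keeps a positive number positive
    return ssh_string(raw)


def rsa_modulus_bits(blob: bytes) -> int:
    """Modulus size of a decoded ssh-rsa blob (string 'ssh-rsa', mpint e, mpint n)."""
    pos, fields = 0, []
    for _ in range(3):
        (length,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    if fields[0] != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {fields[0]!r}")
    return int.from_bytes(fields[2], "big").bit_length()


def ios_pubkey_chain(pubkey_line: str, username: str,
                     width: int = 100, min_bits: int = 2048) -> str:
    """IOS configuration that installs pubkey_line for username.

    pubkey_line is one line of id_rsa.pub ('ssh-rsa <base64> [comment]').
    Only the base64 body goes into key-string mode, split into lines of at
    most `width` characters, as the CLI will not take the whole key on one line.
    """
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("IOS pubkey-chain takes RSA keys only; expected 'ssh-rsa <base64>'")
    body = parts[1]
    bits = rsa_modulus_bits(base64.b64decode(body, validate=True))
    if bits < min_bits:
        raise ValueError(f"RSA modulus is {bits} bits; want at least {min_bits}")
    chunks = [body[i:i + width] for i in range(0, len(body), width)]
    lines = ["ip ssh pubkey-chain", f" username {username}", "  key-string"]
    lines += ["   " + chunk for chunk in chunks]
    lines += ["  exit", " exit", "exit"]  # leave key-string, user and pubkey-chain modes
    return "\n".join(lines)


def ios_key_hash(pubkey_line: str) -> str:
    """MD5 of the decoded key blob, the value IOS shows as 'key-hash ssh-rsa <hex>'.

    It equals 'ssh-keygen -E md5 -lf id_rsa.pub' with the colons removed, so
    the pubkey-chain section of 'show running-config' can be checked against it.
    """
    blob = base64.b64decode(pubkey_line.split()[1], validate=True)
    return hashlib.md5(blob).hexdigest()


def make_sample_pubkey(bits: int = 2048) -> str:
    """Constructed ssh-rsa public key line with a `bits`-bit modulus.

    The modulus is a fabricated odd number with the top bit set, enough to
    exercise the parsing and folding; it is not a real RSA key.
    """
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " ansibleadmin@sample"


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # path to a real id_rsa.pub
        with open(sys.argv[1]) as fh:
            line = fh.read().strip()
    else:
        line = make_sample_pubkey()
    print(ios_pubkey_chain(line, "ansibleadmin"))
    print(f"! after pasting, expect: key-hash ssh-rsa {ios_key_hash(line)}")
```

Run it with the path to your id_rsa.pub, paste the printed block into configuration mode, and compare the key-hash line the switch now shows in its running config with the hash printed at the end; a mismatch means a line was truncated or wrapped during the paste.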

Ubuntu Configs

The issues with Cisco's OS being older and not updated as often for new cryptographic standards really show when you try to SSH into it from Linux. Here are the steps I had to take to configure the SSH client to allow me to connect.

  1. Create a file called config under your .ssh folder (ssh refuses to use it if it is writable by other users, so keep the permissions tight):
    nano ~/.ssh/config
  2. Inside that file we have to create a host-specific block that re-enables the cipher, host key algorithm and key exchange algorithm the switch needs. The plus sign appends to the client's default list instead of replacing it, and putting the lines under a Host entry keeps the weak algorithms from being offered to any other server. I tested this by adding them one by one as the errors came back from the connection. I would advise doing the same so you don't open anything unnecessarily.
Host 192.168.0.10
    Ciphers +aes256-cbc
    HostKeyAlgorithms +ssh-rsa
    KexAlgorithms +diffie-hellman-group1-sha1
  3. I kept running into issues with Ansible not actually being able to SSH into the server when I could manually. I ended up having to install ansible-pylibssh to correct this issue. Make sure to run this as the ansible user and not root:
    pip install --user ansible-pylibssh
  4. And last but not least, you will need the cisco.ios collection for IOS automation. Its documentation is very thorough, so please go check it out if you have any questions. Again, run this as the ansible user and not root:
    ansible-galaxy collection install cisco.ios
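Rather than adding algorithms to ~/.ssh/config one by one from error messages, you can ask the switch what it offers: the server's first message after its version string is KEXINIT, which lists every key exchange, host key, cipher and MAC algorithm it supports, in the clear, before any key exchange happens. The following is an added example of mine, not code from the original post or from the Ansible or OpenSSH projects. It reads that message from a live server, or from a packet constructed with build_kexinit() for offline testing, and flags the names that a current OpenSSH client disables by default. The switch address 192.168.0.10 is taken from the post; everything else is an assumption.

```python
"""Added example (not from the original post): read the algorithm lists an SSH
server advertises in its KEXINIT message so the ssh_config overrides for the
switch can be scoped to exactly what it offers, instead of discovered one
error at a time. Only the version exchange and the first unencrypted packet
are consumed; no key exchange or authentication takes place. The host address
and the constructed packet built with build_kexinit() are assumptions."""
import socket
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253 section 7.1

# Order of the ten name-lists in a KEXINIT payload (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Names from the post's ssh_config (plus the 128-bit CBC variant) that a
# current OpenSSH client no longer offers unless re-enabled with "+name".
LEGACY = {"diffie-hellman-group1-sha1", "ssh-rsa", "aes256-cbc", "aes128-cbc"}


def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into {field_name: [algorithm, ...]}.

    Layout: byte 20, 16-byte random cookie, ten name-lists (uint32 length
    plus a comma-separated ASCII list), boolean first_kex_packet_follows,
    uint32 reserved (0).
    """
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    pos = 1 + 16  # skip the message type and the cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        names = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[field] = [n for n in names.split(",") if n]
    return lists


def build_kexinit(lists: dict, cookie: bytes = bytes(16)) -> bytes:
    """Inverse of parse_kexinit; used here to construct test input offline."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        payload += struct.pack(">I", len(names)) + names
    return payload + b"\x00" + struct.pack(">I", 0)


def legacy_offered(lists: dict) -> list:
    """Offered names the client would have to re-enable, in the server's order."""
    seen = []
    for field in ("kex_algorithms", "server_host_key_algorithms",
                  "encryption_algorithms_server_to_client",
                  "encryption_algorithms_client_to_server"):
        for name in lists[field]:
            if name in LEGACY and name not in seen:
                seen.append(name)
    return seen


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Connect, exchange version strings, and return the server's KEXINIT lists."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexinit_probe\r\n")
        fh = sock.makefile("rb")
        while True:  # a server may send banner lines before its version string
            line = fh.readline()
            if not line:
                raise ConnectionError("no SSH version string received")
            if line.startswith(b"SSH-"):
                break
        # Binary packet before key exchange: uint32 packet_length, byte
        # padding_length, payload, padding; no MAC yet (RFC 4253 section 6).
        (packet_length,) = struct.unpack(">I", fh.read(4))
        padding_length = fh.read(1)[0]
        payload = fh.read(packet_length - padding_length - 1)
        return parse_kexinit(payload)


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.10"  # the post's switch
    offered = fetch_server_kexinit(host)
    for field in ("kex_algorithms", "server_host_key_algorithms",
                  "encryption_algorithms_server_to_client",
                  "mac_algorithms_server_to_client"):
        print(f"{field}: {', '.join(offered[field])}")
    print("needs re-enabling on a current OpenSSH client:",
          ", ".join(legacy_offered(offered)))
```

Scope whatever you re-enable to the switch's Host block only: diffie-hellman-group1-sha1 is a 1024-bit group and the CBC ciphers are exactly what OpenSSH dropped from its defaults. If the output shows diffie-hellman-group14-sha1, prefer it over group1. On OpenSSH 8.8 or newer the ssh-rsa signature scheme is disabled for user keys as well as host keys, so a PubkeyAcceptedAlgorithms +ssh-rsa line alongside HostKeyAlgorithms +ssh-rsa is needed before the key you installed on the switch will be offered at all.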

Windows Configuration

Last but not least, you set up public key authentication on your switch, so why not use that to remote in with PuTTY? There are two options: you can use ssh-keygen to create your keys, or PuTTYgen can create them for you. I prefer using ssh-keygen so that the keys are in a standard format that can be used outside PuTTY.

PuTTYgen Only

Open PuTTYgen and click Generate. You can adjust the comment or add a passphrase if you wish. You also have access to the public key straight from this GUI, in OpenSSH one-line format, to paste into the authorized_keys file on a Linux destination or into key-string mode on the switch as described above. To use this key with PuTTY, click Save private key and pick somewhere to put it. I always use C:\Users\Michael\.ssh for my keys.

Open PuTTY and browse to Connection -> SSH -> Auth and select the .ppk private key file you just saved. Now you can connect to the system with the private key file. You can also add the username under Connection -> Data so you are not prompted for it.

Convert standard keys to PuTTY format with PuTTYgen

This is the method that I used since I already authenticate to my systems with public keys. Open PuTTYgen and use the Conversions menu to select Import. Find your private key and select Open. Click Save private key and save the file in the .ppk format. You can now use that file in PuTTY with your standard public key on destination servers.