Configuring an Ed25519 key on Cisco IOL
Ed25519 key pairs (Ed25519: high-speed high-security signatures) have short keys yet strong security, and they perform well. I tried importing an Ed25519 public key into IOL-XE on Cisco CML, and it worked without any particular problem. The procedure for Ed25519 is exactly the same as for the long-used RSA format, but I am writing it down here as a note.
Test environment
| Component | Version |
|---|---|
| IOL-XE | 17.16.1a |
Generating an Ed25519 key pair on Linux
To prepare the public key to configure on IOL, generate an Ed25519 key pair on an Ubuntu 24.04 LTS VM created in CML.
```
$ ssh-keygen
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/cisco/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cisco/.ssh/id_ed25519
Your public key has been saved in /home/cisco/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:1mngXgf2G9dhobtZZ2J1IiQhFnrCWDair95pKnCbXvg cisco@localhost
The key's randomart image is:
+--[ED25519 256]--+
| . + +.o.. . |
| . * + . o . .|
| . . + o o ...oo|
| . + + + .o+o|
| . S = +.+.+|
|. .o o o . =+o.|
|..oo. . .o |
|..o+.. |
| o+oE |
+----[SHA256]-----+
```
The public key generated this time was the following.
```
$ cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhtFgrHN2hpnnbVi1s9iDt0UT3csIMRn+PSCU98YSMP cisco@localhost
```
In Ed25519 the public key length is fixed at 256 bits. The "Performance" section of the Wikipedia EdDSA page states:
Public keys are 256 bits long and signatures are 512 bits long
Checking the generated key confirms that its length is indeed 256 bits.
```
$ ssh-keygen -l -f ~/.ssh/id_ed25519.pub
256 SHA256:1mngXgf2G9dhobtZZ2J1IiQhFnrCWDair95pKnCbXvg cisco@localhost (ED25519)
```
Cryptographic algorithms supported by IOL-XE
IOL-XE version 17.16.1a was used this time.
```
IOL# show version
Cisco IOS Software [IOSXE], Linux Software (X86_64BI_LINUX-ADVENTERPRISEK9-M), Version 17.16.1a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2024 by Cisco Systems, Inc.
Compiled Thu 19-Dec-24 17:54 by mcpre
ROM: Bootstrap program is Linux
IOL uptime is 4 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x9, BOOT_COUNT 0, BOOTDATA 19
System image file is "unix:/x86_64_crb_linux-adventerprisek9-ms.iol"
Last reload reason: Unknown reason
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Linux Unix (i686) processor with 799831K bytes of memory.
Processor board ID 131184788
4 Ethernet interfaces
256K bytes of NVRAM.
Configuration register is 0x0
```
Check the SSH-related settings with show ip ssh.
```
IOL# show ip ssh
SSH Disabled - version 2.0
%Please create EC or RSA keys to enable SSH (and of atleast 2048 bits for SSH v2 in case of RSA).
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,x509v3-rsa2048-sha256
Hostkey Algorithms:ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
Encryption Algorithms:chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KEX Algorithms:curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): NONE
IOS Keys in SECSH format(ssh-ec, base64 encoded): NONE
```
Written out item by item, the values are as follows. Note that ssh-ed25519 appears among the Authentication Publickey Algorithms (the algorithms accepted for user public keys) but not among the Hostkey Algorithms: the device's own host key must still be EC or RSA, which is what the "Please create EC or RSA keys" message is asking for.
- Authentication Publickey Algorithms:
  - ecdsa-sha2-nistp256
  - ecdsa-sha2-nistp384
  - ecdsa-sha2-nistp521
  - ssh-ed25519
  - x509v3-ecdsa-sha2-nistp256
  - x509v3-ecdsa-sha2-nistp384
  - x509v3-ecdsa-sha2-nistp521
  - rsa-sha2-256
  - rsa-sha2-512
  - x509v3-rsa2048-sha256
- Hostkey Algorithms:
  - ecdsa-sha2-nistp256
  - ecdsa-sha2-nistp384
  - ecdsa-sha2-nistp521
  - rsa-sha2-512
  - rsa-sha2-256
- Encryption Algorithms:
  - chacha20-poly1305@openssh.com
  - aes128-gcm@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm
  - aes256-gcm
  - aes128-ctr
  - aes192-ctr
  - aes256-ctr
- MAC Algorithms:
  - hmac-sha2-256-etm@openssh.com
  - hmac-sha2-512-etm@openssh.com
- KEX Algorithms:
  - curve25519-sha256
  - curve25519-sha256@libssh.org
  - ecdh-sha2-nistp256
  - ecdh-sha2-nistp384
  - ecdh-sha2-nistp521
  - diffie-hellman-group14-sha256
  - diffie-hellman-group16-sha512
Importing the Ed25519 public key into IOL-XE
Now import the Ed25519 public key generated earlier on Ubuntu into IOL-XE.
```
IOL# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
IOL(config)# ip ssh pubkey-chain
Please create EC or RSA keys to enable SSH (and of atleast 2048 bits for SSH v2 in case of RSA).
IOL(conf-ssh-pubkey)# user
IOL(conf-ssh-pubkey)# username USER1
IOL(conf-ssh-pubkey-user)# key-string
IOL(conf-ssh-pubkey-data)# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhtFgrHN2hpnnbVi1s9iDt0UT3csIMRn+PSCU98YSMP cisco@localhost
IOL(conf-ssh-pubkey-data)# end
IOL#
```
Checking the configuration shows that the Ed25519 public key was indeed imported for the specified user. Note that the running configuration stores only a hash of the key (key-hash), not the key string itself. I also tested whether I could log in over SSH with public-key authentication, and it worked without problems.
```
IOL# show running-config | section ip ssh pubkey-chain
ip ssh pubkey-chain
username USER1
key-hash ssh-ed25519 3455042DCCD2FDB7E77DA3EBCA1499D9 cisco@localhost
```
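As an added example (not from the original post), the following Python script parses the OpenSSH public key line shown above, validates the SSH wire-format blob and the fixed 256-bit key length that `ssh-keygen -l` reports, and computes the SHA256 and MD5 fingerprints of the decoded blob. That the key-hash value IOS stores equals the MD5 of that blob is an assumption of this example, not something the post states.

```python
import base64
import hashlib
import struct

# Public key line exactly as shown on the page (`cat ~/.ssh/id_ed25519.pub`).
PAGE_PUBKEY_LINE = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhtFgrHN2hpnnbVi1s9iDt0UT3csIMRn+PSCU98YSMP"
    " cisco@localhost"
)


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string field")
    return blob[start:end], end


def parse_ed25519_pubkey(line):
    """Parse an OpenSSH ssh-ed25519 public key line and validate its structure."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 public key line")
    blob = base64.b64decode(parts[1], validate=True)
    algo, offset = _read_string(blob, 0)      # b"ssh-ed25519"
    key, offset = _read_string(blob, offset)  # the raw 32-byte public key
    if algo != b"ssh-ed25519":
        raise ValueError("key type inside the blob does not match the prefix")
    if offset != len(blob):
        raise ValueError("unexpected trailing bytes after the key")
    if len(key) != 32:
        raise ValueError("Ed25519 public key must be exactly 32 bytes (256 bits)")
    # `ssh-keygen -l` prints SHA256 over the decoded blob, base64 without padding.
    sha256_fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    # MD5 of the decoded blob (`ssh-keygen -l -E md5`), upper-case hex with no
    # colons; assumed here to be what IOS stores as the key-hash value.
    md5_hex = hashlib.md5(blob).hexdigest().upper()
    return {
        "algorithm": algo.decode(),
        "bits": len(key) * 8,
        "blob_len": len(blob),
        "comment": " ".join(parts[2:]),
        "sha256_fingerprint": "SHA256:" + sha256_fp,
        "md5_hex": md5_hex,
    }
```

Run `parse_ed25519_pubkey(PAGE_PUBKEY_LINE)` to get the parsed fields; a line whose blob is truncated or carries a different key type is rejected with ValueError rather than silently accepted.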