Dan, good point about Cisco IOS's implementation of ssh pubkey storage. One typo in your Medium article: You typed 'You’ve “uploaded” your private key', you meant 'You’ve “uploaded” your public key'.
Indeed, Cisco's implementation is not great. A quick fix for them (while still conserving storage) would be to store a salted hash instead, and while they're at it, make it SHA instead of MD5.

On Sun, Aug 31, 2025 at 5:40 AM Dan Mahoney via NANOG <[email protected]> wrote:

> Randy,
>
> Something else I recently discovered that relates to this issue:
>
> I think there’s a serious flaw in the way ssh key hashes are done on IOS.
> I’ve been in touch with Cisco CSIRT about it, and they’ve approved
> publication, but in short, if you’re using pubkey auth to a cisco device,
> you might want to rethink it.
>
> Short version: Unlike normal pubkeys, IOS only stores an md5 hash of your
> key to auth against, and you can thus use any key that matches that hash.
> Which an attacker now has.
>
> https://gushi.medium.com/what-i-learned-from-configuring-ssh-pubkey-auth-on-cisco-ios-cbeb1e5b3b77
>
> (should not be paywalled, email me privately if it is)
>
> > On Aug 30, 2025, at 11:30, Randy Bush via NANOG <[email protected]> wrote:
> >
> > a fellow nanogger wrote:
> >
> >> I've only *just* gotten to the note from a week or more ago.
> >>
> >>> + tftp-server nvram:startup-config <<<<<<======
> >>> snmp-server community foo 98
> >>> snmp-server trap-source Vlan1
> >>> snmp-server location Ashburn VA US
> >>
> >> I, too, got this from a RANCID setup I built a long time ago.
> >>
> >>> and here is the talos report, thanks joe
> >>>
> >>> https://blog.talosintelligence.com/static-tundra/
> >>>
> >>> set `no vstack` in config. no, that is not the default.
> >>
> >> I'd told the owner that I didn't think he had control of his gear
> >> anymore, but this helped me to convince him to put a new switch in.
> >
> > moving this to nanog because i did not elaborate on a critical point.
> >
> > when you get this, presume the config of this trivial ancient device has
> > been snatched. did the device have any burned in users, a la
> >
> > username foo privilege 15 password 7 bar
> >
> > and that uid/pass is used on other, presumably more modern, devices,
> > you need to change the passwords everywhere.
> >
> > same for other credentials, snmp, bgpmd5, ...
> >
> > randy
> > _______________________________________________
> > NANOG mailing list
> > https://lists.nanog.org/archives/list/[email protected]/message/HJ64BOPTJ75K3EX5AEHR4E4LW5OZEEQG/
>
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/[email protected]/message/FKCDTX5WO74LJBAE5DDNDBW3V7J76AB7/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/OQDHFFJ4UUTAWJ7LWOBBUDNCFPQN62CW/
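Pulling the thread's advice together as an added example (not from the list, Cisco, or the Talos report): a small audit that flags, in an IOS config dump, the indicators discussed above (the tftp-server line, type 7 users, SNMP communities, a missing `no vstack`, and the MD5 `key-hash` pubkey entries Dan describes). The sample config and the hash value are constructed placeholders; the `ip ssh pubkey-chain` / `key-hash ssh-rsa <md5>` syntax is IOS's stored-hash form of a pubkey entry.

```python
import re

# Constructed sample built from the lines quoted in the thread; the hostname
# and the key-hash value are placeholders, not a real device.
SAMPLE_CONFIG = """\
hostname ashburn-sw1
username foo privilege 15 password 7 bar
ip ssh pubkey-chain
 username ops
  key-hash ssh-rsa 0123456789ABCDEF0123456789ABCDEF
tftp-server nvram:startup-config
snmp-server community foo 98
snmp-server trap-source Vlan1
snmp-server location Ashburn VA US
"""

# (name, per-line pattern, finding text; {0} is the first capture group)
LINE_CHECKS = [
    ("tftp-server", re.compile(r"^tftp-server\s+nvram:startup-config"),
     "startup-config is served over TFTP; treat the whole config as leaked"),
    ("type7", re.compile(r"^username\s+(\S+)\s+.*password\s+7\s+\S+"),
     "type 7 password for '{0}' is reversibly obfuscated; rotate it wherever reused"),
    ("snmp", re.compile(r"^snmp-server\s+community\s+(\S+)"),
     "SNMP community '{0}' is in the config; rotate it"),
    ("key-hash", re.compile(r"^\s*key-hash\s+ssh-rsa\s+([0-9A-Fa-f]{32})"),
     "only an MD5 hash of the SSH pubkey is stored; any key hashing to {0} is accepted"),
]


def audit_config(text):
    """Return (line_no, check_name, message) for each indicator found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern, msg in LINE_CHECKS:
            m = pattern.match(line)
            if m:
                findings.append((lineno, name, msg.format(*m.groups())))
    # Smart Install (vstack) is on unless explicitly disabled, so the
    # absence of 'no vstack' is itself a finding (line 0 = whole file).
    if not re.search(r"^no vstack\s*$", text, re.M):
        findings.append((0, "vstack", "'no vstack' is absent; Smart Install is enabled by default"))
    return findings


if __name__ == "__main__":
    for lineno, name, msg in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno:>2} [{name}] {msg}")
```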
