Re: beware: being old sucks

[Liudvikas Bukys via NANOG <nanog () lists nanog org>]

Dan, good point about Cisco IOS's implementation of ssh pubkey storage.
One typo in your Medium article: You typed 'You’ve “uploaded” your private
key', you meant 'You’ve “uploaded” your public key'.

Indeed, Cisco's implementation is not great.  A quick fix for them (while
still conserving storage) would be to store a salted hash instead, and
while they're at it, make it SHA instead of MD5.

On Sun, Aug 31, 2025 at 5:40 AM Dan Mahoney via NANOG <nanog () lists nanog org>
wrote:

> Randy,
>
> Something else I recently discovered that relates to this issue:
>
> I think there’s a serious flaw in the way ssh key hashes are done on IOS.
> I’ve been in touch with Cisco CSIRT about it, and they’ve approved
> publication, but in short, if you’re using pubkey auth to a cisco device,
> you might want to rethink it.
>
> Short version: Unlike normal pubkeys, IOS only stores an md5 hash of your
> key to auth against, and you can thus use any key that matches that hash.
> Which an attacker now has.
>
>
> https://gushi.medium.com/what-i-learned-from-configuring-ssh-pubkey-auth-on-cisco-ios-cbeb1e5b3b77
>
> (should not be paywalled, email me privately if it is)
>
> > On Aug 30, 2025, at 11:30, Randy Bush via NANOG <nanog () lists nanog org>
> wrote:
> > a fellow nanogger wrote:
> >
> > > I've only *just* gotten to the note from a week or more ago.
> > >
> > > >    + tftp-server nvram:startup-config          <<<<<<======
> > > >      snmp-server community foo 98
> > > >      snmp-server trap-source Vlan1
> > > >      snmp-server location Ashburn VA US
> > >
> > > I, too, got this from a RANCID setup I built a long time ago.
> > >
> > > > and here is the talos report, thanks joe
> > > >
> > > >   https://blog.talosintelligence.com/static-tundra/
> > > >
> > > > set `no vstack` in config.  no, that is not the default.
> > >
> > > I'd told the owner that I didn't think he had control of his gear
> > > anymore, but this helped me to convince him to put a new switch in.
> >
> > moving this to nanog because i did not elaborate on a critical point.
> >
> > when you get this, presume the config of this trivial ancient devic has
> > been snatched.  did the device have any burned in users, a la
> >
> >     username foo privilege 15 password 7 bar
> >
> > and that uid/pass is used on other, presumably more modern, devices,
> > you need to change the passwords everywhere.
> >
> > same for other credentials, snmp, bgpmd5, ...
> >
> > randy
> > _______________________________________________
> > NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HJ64BOPTJ75K3EX5AEHR4E4LW5OZEEQG/
>
> _______________________________________________
> NANOG mailing list
>
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/FKCDTX5WO74LJBAE5DDNDBW3V7J76AB7/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/OQDHFFJ4UUTAWJ7LWOBBUDNCFPQN62CW/