Setup SSH key on a Cisco ASA using a long SSH key

Summary

You may have run into this problem: you paste your SSH public key into the ASA and get the reply that the key is too long. The whole point of a long key is to increase security. As it turns out, you can still enter such a key using the pkf format. This post explains how.

Converting your existing key to the pkf format

The first step is to convert the public key to the pkf format (the RFC 4716 public key file format, which ssh-keygen exports with -e):

$ ssh-keygen -e -f id_rsa.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "4096-bit RSA, converted by fred@nowhere.com from OpenSSH"
[base64 key body omitted]
---- END SSH2 PUBLIC KEY ----

Uploading it to your Cisco ASA

Log in to your Cisco ASA and create the user. In this example the user bob is added:

ciscoasa# conf t
ciscoasa(config)#username bob nopassword privilege 15
Next, set the user's SSH authentication to the pkf format and, when the ASA prompts for it, paste the converted key from the previous step (the ASA ends the paste with the word quit on a line by itself):

ciscoasa(config)# username bob attributes
ciscoasa(config-username)#ssh authentication pkf
Now that the key has been imported, you will not see it again when you
look at your configuration. Instead, the ASA stores a hash of the key in the config:

sh run username bob
username bob nopassword privilege 15
username bob attributes
service-type admin
ssh authentication publickey 92:c0:37:91:56:ab:53:00:3b:04:7d:c0:\
68:41:99:a8:af:99:d7:94:ec:03:1d:d0:cb:32:ee:4e:83:db:fe:64 hashed
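To see what the pkf conversion above actually produces, and to get a value to compare against the hashed line the ASA shows, here is an added example (not code from the original post) that parses an RFC 4716 file, checks that it carries an ssh-rsa key, reports the modulus size, and prints the SHA-256 of the decoded key blob in the ASA's colon-separated style. The sample key is constructed inline and is not a real key; that the ASA's stored "hashed" value is exactly the SHA-256 of the raw key blob is an assumption, so confirm it against your own `show run` output.

```python
import base64
import hashlib
import struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def _string(s: bytes) -> bytes:          # SSH wire string: uint32 length + bytes
    return struct.pack(">I", len(s)) + s
def _mpint(x: int) -> bytes:             # SSH mpint: leading 0x00 when the high bit is set
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
def build_rsa_blob(e: int, n: int) -> bytes:   # the bytes a pkf file's base64 body carries
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)

def to_pkf(blob: bytes, comment: str) -> str:
    """Wrap a key blob as an RFC 4716 file, the 'pkf' format that ssh-keygen -e emits."""
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]   # RFC 4716 caps lines at 72 chars
    return "\n".join([BEGIN, f'Comment: "{comment}"', *body, END]) + "\n"

def _read_string(buf: bytes, off: int):        # decode one SSH wire string at offset
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_pkf(text: str) -> dict:
    """Parse an RFC 4716 file: comment, RSA modulus size, SHA-256 of the decoded blob."""
    lines = [l.rstrip("\r") for l in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key file")
    headers, b64, i = {}, [], 1
    while i < len(lines) - 1:
        if ":" in lines[i]:                              # header line; base64 never has ':'
            tag, val = (p.strip() for p in lines[i].split(":", 1))
            while val.endswith("\\"):                    # RFC 4716 header continuation line
                i += 1
                val = val[:-1] + lines[i].strip()
            headers[tag] = val
        else:
            b64.append(lines[i])
        i += 1
    blob = base64.b64decode("".join(b64), validate=True)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError(f"unsupported key type {ktype!r}")
    _e, off = _read_string(blob, off)                    # public exponent, not needed here
    bits = int.from_bytes(_read_string(blob, off)[0], "big").bit_length()   # modulus size
    return {"comment": headers.get("Comment", "").strip('"'), "bits": bits,
            "sha256": ":".join(hashlib.sha256(blob).hexdigest()[j:j + 2] for j in range(0, 64, 2))}

# Constructed sample: a 4096-bit ssh-rsa blob with a throwaway modulus, NOT a real key.
SAMPLE_PKF = to_pkf(build_rsa_blob(65537, (1 << 4095) | 1), "4096-bit RSA, constructed sample")
```

Run `parse_pkf(open("id_rsa.pkf").read())` on the file from the ssh-keygen step to see the bit size and the digest for your own key.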
Test your configuration

If it all worked, you should be able to log in to your ASA with the key using:

ssh bob@myasa.somwhere.com