Don R. Crawley, Linux+ and CCNA-certified, is president and chief technologist at soundtraining.net, the Seattle training firm specializing in accelerated, task-oriented training for IT professionals. He works with IT pros to enhance their work, lives, and careers. For more information about learning opportunities with soundtraining.net, visit here.
Copyright (c) 2008 Don R. Crawley
Prior to the introduction of SSH in the Cisco IOS, the only remote login protocol was Telnet. Although quite functional, Telnet is a non-secure protocol in which the entire session, including authentication, is in clear text and thus subject to snooping.
SSH is both a protocol and an application that replaces Telnet and provides an encrypted connection for remote administration of a Cisco network device such as a router, switch, or security appliance.
The Cisco IOS includes both an SSH server and an SSH client. This document is concerned only with the configuration of the SSH server component.
Prerequisites
Software
The SSH server component requires that you have an IPSec (DES or 3DES) encryption software image from Cisco IOS Release 12.1(1)T or later installed on your router. Advanced IP services images include the IPSec component. This document was written using c2800nm-advipservicesk9-mz.123-14.T5.bin.
Pre-configuration
You must configure a hostname and a domain name on your router. For example:
router#
router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#hostname router01
router01(config)#ip domain-name soundtraining.net
You must also generate an RSA keypair for your router, which automatically enables SSH. In the following example, note that the keypair is named after the hostname and domain name configured in the previous step. The modulus is the key length. Cisco recommends a minimum key length of 1024 bits (even though the default key length is 512 bits):
router01(config)#
router01(config)#crypto key generate rsa
The name for the keys will be: router01.soundtraining.net
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
Finally, you must either use an AAA server such as a RADIUS or TACACS+ server or create a local user database to authenticate remote users, and then enable authentication on the terminal lines. For the purpose of this document, we'll create a local user database on the router. In the following example, the user "donc" is created with a privilege level of 15 (the maximum allowed) and given an encrypted password of "p@ss5678". (The keyword "secret" followed by "0" tells the router that the password which follows is plaintext and should be encrypted before it is stored; in the router's running configuration, the password is not human readable.) We also use line configuration mode to tell the router to use its local user database for authentication (login local) on terminal lines 0-4.
router01(config)#username donc privilege 15 secret 0 p@ss5678
router01(config)#line vty 0 4
router01(config-line)#login local
Enabling SSH
To enable SSH, you must tell the router which keypair to use. Optionally, you can configure the SSH version (by default the router accepts both SSH version 1 and version 2, reported as version 1.99), authentication timeout values, and several other parameters. In the following example, we tell the router to use the previously created keypair and to accept SSH version 2 only:
router01(config)#
router01(config)#ip ssh version 2
router01(config)#ip ssh rsa keypair-name router01.soundtraining.net
You can now log on to your router securely using an SSH client such as TeraTerm.
Viewing SSH Configurations and Connections
You can use the privileged mode commands "show ssh" and "show ip ssh" to view SSH configurations and connections (if any). In the following example, the SSHv1 configuration of a Cisco 871 router is verified using "show ip ssh" and a single SSHv1 connection is displayed using "show ssh". Notice that we did not enable SSHv2 on this router, so it defaulted to SSH version 1.99 (both versions accepted). Also note in the output of "show ssh" that the SSH version 1 session uses 3DES. SSHv2 supports AES, a more robust and efficient encryption algorithm, and SSHv2 is not subject to the same security exploits as SSHv1. soundtraining.net recommends using SSHv2 and disabling any fallback to SSHv1; configuring "ip ssh version 2" disables SSHv1. This example is included only to demonstrate backwards compatibility:
router04#
router04#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
router04#
router04#show ssh
Connection Version Encryption State           Username
2          1.5     3DES       Session started donc
%No SSHv2 server connections running.
router04#
You can also use the command "debug ip ssh" to troubleshoot SSH configurations.
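The following Python script is an added example, not part of the original article or soundtraining.net's material: it parses "show ip ssh" and "show ssh" output of the form shown above and flags anything that still permits SSHv1 (version 1.99 fallback, or an SSHv1 session in progress). The sample output is constructed from the transcript above rather than captured from a device.

```python
import re
# Constructed sample output, modelled on the "show ip ssh" / "show ssh"
# transcript in this article; not captured from a real device.
SHOW_IP_SSH = (
    "SSH Enabled - version 1.99\n"
    "Authentication timeout: 120 secs; Authentication retries: 3\n"
)
SHOW_SSH = (
    "Connection Version Encryption State           Username\n"
    "2          1.5     3DES       Session started donc\n"
    "%No SSHv2 server connections running.\n"
)

def parse_show_ip_ssh(text):
    """Extract state, version, timeout and retries from 'show ip ssh'."""
    info = {"enabled": "SSH Enabled" in text, "version": None,
            "timeout": None, "retries": None}
    m = re.search(r"version (\d+(?:\.\d+)?)", text)
    if m:
        info["version"] = m.group(1)
    m = re.search(r"timeout: (\d+) secs; Authentication retries: (\d+)", text)
    if m:
        info["timeout"], info["retries"] = int(m.group(1)), int(m.group(2))
    return info

def parse_show_ssh(text):
    """Return one dict per connection row in 'show ssh' output."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(.+?)\s+(\S+)\s*$", line)
        if m:
            rows.append({"id": int(m.group(1)), "version": m.group(2),
                         "cipher": m.group(3), "state": m.group(4),
                         "user": m.group(5)})
    return rows

def audit_ssh(show_ip_ssh, show_ssh):
    """List settings and sessions that contradict the SSHv2-only advice."""
    findings = []
    info = parse_show_ip_ssh(show_ip_ssh)
    if not info["enabled"]:
        return ["SSH disabled: no RSA keypair (run 'crypto key generate rsa')"]
    if info["version"] == "1.99":
        findings.append("version 1.99: SSHv1 fallback allowed; set 'ip ssh version 2'")
    elif info["version"] and info["version"].startswith("1"):
        findings.append(f"version {info['version']}: SSHv1 only; set 'ip ssh version 2'")
    for c in parse_show_ssh(show_ssh):  # any SSHv1 session still in progress?
        if c["version"].startswith("1."):
            findings.append(f"connection {c['id']}: user {c['user']} on SSHv{c['version']} using {c['cipher']}")
    return findings
```

Run it against output pasted from your own router; an empty list from audit_ssh means the device reports version 2.0 and no SSHv1 sessions.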