Configuring SSH (Secure Shell) on a Cisco device
Secure Shell (SSH) is a protocol that allows us to connect to devices securely by using encryption. Gone are the days when most networking engineers were happy using plain Telnet, with its clear-text transmission of data that could let an attacker sniff the line for usernames and passwords.
Configuring SSH on a Cisco device is straightforward and requires very few settings; it does, however, require that the IOS loaded on the device supports encryption technologies. Cisco IOS 12.1(3)T was the first IOS from Cisco that supported SSH configuration, and IOS has since added support for version 2 of SSH (SSH2).
SSH1 and SSH2, although both provide encrypted transmission, are very different in their design. SSH1 had a few known vulnerabilities, which resulted in the protocol being rewritten from scratch to form SSH2, which supports more advanced encryption technologies and no longer has the vulnerabilities found in SSH1.
In order to configure SSH on a Cisco device, three things need to be in place:
1/ An IOS that supports SSH – most IOS images that support encryption will support SSH, and any IOS image with ‘k9’ in the file name will.
2/ A host name must be defined on the device
3/ A domain-name must be configured on the device
Once the above is in place, you will need to create the keys that will be used for encryption; this is done with the ‘crypto key generate rsa’ command. You will then be prompted for the modulus size (key size). I tend to use 768 and 1024 for most configurations, as they add extra security compared to the default of 512 (the valid range is 360 – 2048).
Below are the commands to enable SSH on a Cisco router (most other Cisco devices use the same configuration as the below):
AOIP.ORG(config)# ip domain-name AOIP.ORG
AOIP.ORG(config)# crypto key generate rsa
The name for the keys will be: AOIP.ORG.AOIP.ORG
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 768
% Generating 768 bit RSA keys ...[OK]
AOIP.ORG(config)#
00:05:26: %SSH-5-ENABLED: SSH 1.5 has been enabled
After the device has generated the key, I received a message that it had automatically enabled SSH 1.5 on the router (SSH1).
Other possible messages could have been:
SSH 1.99 (the router supports both SSH1 and SSH2)
SSH 2.0 (only SSH2 has been enabled)
The above configuration enables SSH on my Cisco router; however, it does not prevent someone from connecting to my router using Telnet. In order to force SSH as the only available connection protocol, I need to reconfigure the vty lines using the configuration below.
AOIP.ORG(config)#line vty 0 4
AOIP.ORG(config-line)#transport input ssh
Below is a live demonstration of the full configuration.
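As an added example (not part of the original post), the following script audits a saved running-config for the prerequisites above (hostname and domain name), for SSH2, and for vty lines that are restricted to SSH only, so that a Telnet path left open by a missing ‘transport input ssh’ is reported. The running-config text is constructed for illustration and the check names are my own.

```python
import re

# Constructed sample running-config (not from the original post): hostname,
# domain name and SSH2 are set, but vty 0 4 still accepts Telnet.
SAMPLE_CONFIG = """\
hostname AOIP.ORG
ip domain-name AOIP.ORG
ip ssh version 2
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

def vty_transport(config):
    """Map each 'line vty A B' block to its 'transport input' protocol list;
    a block with no transport line maps to None (platform default applies)."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+) (\d+)$", raw)
        if m:
            current = f"vty {m.group(1)}-{m.group(2)}"
            blocks[current] = None
        elif current and raw.startswith(" "):
            parts = raw.split()
            if parts[:2] == ["transport", "input"]:
                blocks[current] = parts[2:]
        else:
            current = None  # any unindented line ends the vty block
    return blocks

def audit_ssh_config(config):
    """Check hostname, domain name, SSH2 and SSH-only vty lines; returns
    (checks dict, list of vty blocks that are not restricted to SSH)."""
    lines = config.splitlines()
    checks = {
        "hostname_set": any(re.match(r"hostname \S+$", l) for l in lines),
        "domain_name_set": any(re.match(r"ip domain[- ]name \S+$", l) for l in lines),
        "ssh_version_2": "ip ssh version 2" in lines,
    }
    transports = vty_transport(config)
    # Only 'transport input ssh' shuts Telnet; an unset transport keeps the
    # platform default, so it is flagged as well.
    not_ssh_only = sorted(k for k, v in transports.items() if v != ["ssh"])
    checks["vty_ssh_only"] = bool(transports) and not not_ssh_only
    return checks, not_ssh_only

if __name__ == "__main__":
    print(audit_ssh_config(SAMPLE_CONFIG))
```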