ill communications » SSH http://illcommunications.com Wed, 08 Sep 2010 04:12:12 +0000 http://wordpress.org/?v=abc en hourly 1 How to enable SSH on a Cisco Router or Switch http://illcommunications.com/how-to-enable-ssh-on-a-cisco-router-or-switch/ http://illcommunications.com/how-to-enable-ssh-on-a-cisco-router-or-switch/#comments Sat, 25 Apr 2009 01:20:34 +0000 Jeff Dimond http://illcommunications.com/?p=118 I know a lot of network administrators have long used telnet to remotely manage Cisco routers. My preferred method of accessing these routers remotely is SSH. It is secure and encrypted verses telnet, where all data will be transferred in clear text making it easy for ’sniffers’ to reveal important information that can be used in an attack.

Any how let’s get started.

This assumes you have already logged in to your Cisco router and are in enable mode.

First, you want to check whether SSH has already been enabled.

Router# show ip ssh
%SSH has not been enabled

If you see the result above it obviously means that SSH has not already been enabled on this device.

On with the configuration:

You will want to configure a hostname on your router. This will be performed in configuration mode. (note the prompt)

Router(config)# hostname Router1

The hostname has been set. Now we will configure a domain name for the device.

Router1(config)# ip domain-name Domain1

The domain name has been set. Now we want to generate a RSA key pair.

Router1(config)# crypto key generate rsa modulus 1024

Next we will set a timeout interval.

Router1(config)# ip ssh time-out 120

This will set a time limit of 120 seconds for the SSH session to negotiate.
You can also set a maximum number of retry attempts incase of a failed negotiation.

Router1(config)# ip ssh authentication-retries 3

This will set the maximum amount of retries to 3.
The next thing we will do is change the default port for SSH from 22 to 8855. This is not necessary, however I do recommend it for an added level of security.

Router1(config)# ip ssh port 8855

At this time you can log off of the Cisco device and test the connection with a terminal client. In Windows I like to use PuTTY and in Linux or OSX I use the ssh command in the terminal.

Once you’ve logged in and verified the connection is good you can disable telnet access.

Router1(config)# line vty 0 4
Router1(config)# transport input ssh

Now the only way you will be able to remotely access your Cisco device is via SSH on the port you specified earlier, if you opted to change the default port.

Now to save your configuration changes to the Cisco device, you want to save the running-config to the startup config. There are 2 ways of performing this. I will show you both ways, but you should already know this by now.

Option 1

Router1# wr mem

Option 2

Router1# copy running-config startup-config

Now your new configuration should be saved. One last thing we can do to verify SSH configuration is repeat the first command in this tutorial.

Router1# show ip ssh
SSH Enabled - version x.x
Authentication timeout: 120 secs; Authentication retries; 3

We should see the above result with the configuration that we performed.

That concludes setting up SSH access on your Cisco router or switch. I highly recommend using SSH over telnet especially if you will be managing your device remotely. Telnet will give you absolutely no protection from sniffing.

]]> http://illcommunications.com/how-to-enable-ssh-on-a-cisco-router-or-switch/feed/ 2