This is a tutorial on Setting up Secure Shell on Cisco routers and switches. Previously we talked about how to set Telnet access to Cisco Routers and Switches.SSH is an OpenSSH SSH client used as a remote login program. It is a program for logging into a remote machine and for executing a variety of commands on a remote device. It’s a successor to Telnet and was developed with security of user data in mind.
SSH uses TCP port 22 by default to connect to a remote device.It’s intended to replace rlogin, rsh and to provide secure encrypted communications between two untrusted hosts over an insecure network. The user must prove his identity to a remote machine before he can be allowed to connect.
Secure shell uses encrypted keys to send data hence sensitive information like username and password are protected from an eavesdropper.
List of commands used for ssh on Cisco Routers and Switches
ip domain-name: Used to set domain namecrypto key generate rsa general-keys modulus: Used to generate encryption keys to be used for establishing a secure session between devices.ip ssh time-out: Used to set maximum idler time for SSH session.ip ssh authentication-retries: Used to set maximum number of failed login attempts for a SSH connection.line vty: Used to choose VTY lines to configuretransport input ssh telnet: Tells the router to use ssh and then Telnet if ssh is not configured. SSH is given top priority.
We’ll use the same topology shown below that we used for Telnet Lab.
SSH Access Configuration on GNS3 and Packet Tracer
We’ll setup R1 as ssh client and R2 as our ssh server.
R1 configurations
Login local means any inbound connection trying to come in on the VTY lines, the router prompt for username and the password to validate users. We then added a user “admin” and gave him a password “password!123“. Using secret keyword encrypts the password in the configuration. transport input ssh command is used to restrict access to VTY lines to ssh. By default, both telnet and ssh are allowed on VTY lines.
Generating RSA Keys
Note: To generate public key pair, domain name must be specified. For RSA keys, we’ll specify modulus of 1024 bits. Remember, the bigger the bit size, the tighter the security.
# config terminal
# crypto key generate rsa modulus 1024Now it’s time to connect to R2 using R1 as ssh client. The command to do this is ssh -l username ip-address. In our topology we’ll enter the following command on privileged mode on R1 terminal.
R1# ssh -l admin 192.168.100.2Enter the password and you’re good to go, then confirm that you are connected by using:
R2# show tcp briefTo close ssh session, just type exit.
