In a previous lesson, I explained how you can use telnet for remote access to your Cisco IOS devices. The problem with telnet is that everything is sent in plaintext, for that reason you shouldn’t use it.
SSH (Secure Shell) is a secure method for remote access as is includes authentication and encryption. To do this, it uses a RSA public/private keypair.
There are two versions: version 1 and 2. Version 2 is more secure and commonly used.
Last but not least, to configure SSH you require an IOS image that supports crypto features. Otherwise you won’t be able to configure SSH.
To demonstrate SSH, I will use the following topology:
We will configure SSH on R1 so that we can access it from any other device. R2 will be used as a SSH client.
the name of the RSA keypair will be the hostname and domain name of the router. Let’s configure a hostname:
And a domain name:
R1(config)#ip domain-name NETWORKLESSONS.LOCAL
Now we can generate the RSA keypair:
R1(config)#crypto key generate rsa
The name for the keys will be: R1.NETWORKLESSONS.LOCAL
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus : 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)
When you use the crypto key generate rsa command, it will ask you how many bits you want to use for the key size. How much should you pick?
It’s best to check the next generation encryption article from Cisco for this. At this moment, a key size of 2048 bits is acceptable. Key sizes of 1024 or smaller should be avoided. Larger key sizes also take longer to calculate.
Once the keypair has been generated, the following message will appear:
%SSH-5-ENABLED: SSH 1.99 has been enabled
As you can see above, SSH version 1 is the default version. Let’s switch to version 2:
R1(config)#ip ssh version 2
SSH is enabled but we also have to configure the VTY lines:
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
This ensures that we only want to use SSH (not telnet or anything else) and that we want to check the local database for usernames. Let’s create a user:
R1(config)#username admin password my_password
Everything is now in place. We should be able to connect to R1 through SSH now.
The most common SSH client is probably putty. The only thing you have to do is to select the SSH protocol, enter the IP address and leave the default port at 22:
You will see this on the putty console:
login as: admin
Using keyboard-interactive authentication.
You can also use another Cisco IOS device as a SSH client. Here’s how:
-c Select encryption algorithm
-l Log in using this user name
-m Select HMAC algorithm
-o Specify options
-p Connect to this port
-v Specify SSH Protocol Version
-vrf Specify vrf name
WORD IP address or hostname of a remote system
There are quite some options but as a minimum, we should specify a username and IP address:
R2#ssh -l admin 192.168.12.1
We are now connected to R1 through SSH.
Want to take a look for yourself? Here you will find the final configuration of each device.
ip domain name NETWORKLESSONS.LOCAL
username admin password 0 my_password
ip address 192.168.12.1 255.255.255.0
ip ssh version 2
line vty 0 4
transport input ssh
ip address 192.168.12.2 255.255.255.0
You have now learned how to configure the SSH server on your Cisco IOS router or switch and how to use the SSH client.
- SSH is a secure method for remote access to your router or switch, unlike telnet.
- SSH requires a RSA public/private key pair.
- SSH version 2 is more secure than version 1.
- Make sure you have an IOS image that supports crypto features, otherwise you can’t use SSH.