In this post, I’ll talk about configuring SSH on a Cisco router in 5 easy steps.
Why SSH and not Telnet?
SSH uses encryption keys to secure the data being sent over the channel. Telnet, in comparison to SSH, sends data (including usernames and passwords) in clear text over the network. This can be verified using packet-capturing software like Wireshark.
Hence SSH should always be the preferred method for remote access on a Cisco router.
1. Configure a hostname
2. Configure a domain name
3. Configure a username and password
4. Generate keys for SSH
5. Enable SSH and configure authentication on VTY lines
To enable both Telnet and SSH on the VTY lines, use the command transport input telnet ssh. Note that doing so keeps clear-text Telnet access open; transport input ssh limits the lines to SSH only.
At this point SSH is configured and enabled, and we’re good to test our configuration:
Restricting to SSH Version 2
By default, both SSH versions 1 and 2 are supported. However, all connections can be restricted to SSH version 2 using the following command.
Use ip ssh time-out to set the timeout in seconds, and specify the number of allowed authentication attempts using the ip ssh authentication-retries command.
Originally SSH always used the first RSA key pair generated on the router. However, starting with IOS Release 12.3(4)T, SSH can be configured to use a different RSA key pair using the ip ssh rsa keypair-name command.
Use ip ssh logging events to configure logging of SSH events. When a new connection attempt is made, the following messages should appear in the log:
Mar 24 18:12:21.123: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.137.1 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
Mar 24 18:12:33.247: %SSH-5-SSH2_USERAUTH: User 'shyam' authentication for SSH2 Session from 192.168.137.1 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
Mar 24 18:12:37.875: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.137.1 (tty = 0) for user 'shyam' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
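Pulling the five steps and the hardening commands above together, here is an added example configuration written for this post (not the author's own config). The hostname, domain name, username, password, key label and 2048-bit modulus are placeholder values chosen for the example.

```cisco
! Step 1: hostname (required before RSA keys can be generated)
hostname R1
!
! Step 2: domain name (the key pair is named <hostname>.<domain> unless a label is given)
ip domain-name example.com
!
! Step 3: local user; "secret" stores a hashed password rather than a reversible one
username admin secret Str0ngP@ssw0rd-PLACEHOLDER
!
! Step 4: generate a dedicated RSA key pair for SSH (label and modulus are example values)
crypto key generate rsa general-keys label SSH-KEY modulus 2048
!
! Step 5: enable SSH and use only the key pair generated above
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh logging events
!
! VTY lines: authenticate against the local user database and accept SSH only
line vty 0 4
 login local
 transport input ssh
```

After applying this, show ip ssh should report version 2.0 with the configured time-out and retry values, and the %SSH-5-SSH2_* log lines shown above appear as clients connect.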