Configuring SSH on Cisco routers and switches
Older IOS images on Cisco devices used telnet as default login method for the vty lines. Nowadays using telnet is not safe because all traffic including usernames and passwords is transmitted in clear text. This way anybody using a protocol analyzer can gain access to the data. Lately telnet access method has been replaced by SSH which offers increased security by encrypting all traffic between source and destination. SSH protocol comes in two versions SSH1 and SSH2. Communication between the client and server is encrypted in both versions. You should implement SSH version 2 when possible because it uses a more enhanced security encryption algorithm. SSH1 became available in Cisco’s IOS, starting with release 12.1(1)T. In order to use SSH2 you need a IOS version 12.3(4)T or newer.
Prerequisites for configuring SSH
In order to enable SSH on a Cisco router or switch you must verify first if the IOS image on the device supports it. The easiest way to find out if your IOS images supports SSH is to run the show version command in user exec mode and look at the image name. Find the line that starts with System image file is:. If the image contains k9 in its name then you can use cryptographic features, otherwise you need to upgrade the IOS version.
After you have confirmed your IOS image supports SSH, verify if it’s not already enabled. From user or privileged exec mode run the following command:
Router#show ip ssh
SSH Disabled – version 1.99
%Please create RSA keys (of at least 768 bits size) to enable SSH v2.
The output of this command shows that SSH is supported but it’s disabled. The next step is to configure the hostname and the domain name. Enter global configuration mode and run the following sequence of commands, replacing the hostname (R1) and the domain name (cioby.ro) with your own names:
Router(config)# hostname R1
R1(config)# ip domain-name cioby.ro
After the hostname and domain name have been configured you must generate an RSA key pair for your device. Type the following command in global configuration mode:
R1(config)# crypto key generate rsa
After typing this command you will be asked the length of the key. The key length accepted by the router or switch is between 360 and 2048 bits. Larger keys provide greater security, but affect performance. Using keys shorter than 1024 bits is not recommended. Once the keys are created, they are stored in NVRAM and are inaccessible. The output of this command looks similar to the below:
The name for the keys will be: R1.cioby.ro
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus : 2048
% Generating 2048 bit RSA keys, keys will be non-exportable…[OK]
*Sep 7 11:22:03.131: %SSH-5-ENABLED: SSH 1.99 has been enabled
The above command enables the SSH server for local and remote authentication on the router. The last line shows us that SSH version 2 was enabled. To delete the RSA key-pair, use the following global configuration command:
R1(config)# crypto key zeroize rsa
After the RSA key-pair, is deleted the SSH server is automatically disabled.
In order to access a router or switch by SSH you need to configure authentication for local or remote access. This implies either using a local user database to authenticate remote users or an AAA server such as a RADIUS or TACACS+ server. To enable authentication using a local user database we must type the following sequence of commands:
R1(config)# username cisco privilege 15 secret 0 C!sc0P@ss
R1(config)# line vty 0 4
R1(config-line)# login local
Here we added a username named cisco with full privileges. The secret keyword followed by 0 tells us that the following textplain password will be encrypted in the running configuration. Here access is allowed only to the first 5 virtual terminals.
Configuring SSH parameters
After the key-pair was generated SSH can be used with the default settings. There are some configuration parameters which can be adjusted to our needs. By default, the router will run in compatibility mode, meaning it will enable both versions of SSH. Since SSH Version 2 has significant security advantages over SSH Version 1 it’s highly suggested that you disable SSH Version 1 whenever possible. To enable only SSH Version 2, use the following command:
R1(config)# ip ssh version 2
The ip ssh global configuration command is used to configure Secure Shell (SSH) control parameters on your router. For example to specify the time interval that the router waits for the SSH client to respond we can use the timeout option like below.
R1(config)# ip ssh timeout 60
The timeout is specified in seconds and its default value is 120.
By default SSH allows us 3 attempts to enter a valid username and password. If that number is reached the vty interface is reset. To modify this value change the authentication-retries option like below:
R1(config)# ip ssh authentication-retries 5
Some newer IOS versions allows us to change the default listening port for SSH (port 22). This can be done by using the port option of the ip ssh global configuration command:
R1(config)# ip ssh port 2022
To view the default SSH options or the SSH state we can use the ip show ssh command:
R1# show ip ssh
SSH Enabled – version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
From the previous output we can see that SSH is enabled with the default options. This command must be ran from privileged EXEC mode.
In order to display the status of Secure Shell (SSH) server connections, we can use the show ssh privileged EXEC command.
R1# show ssh
Connection Version Encryption State Username
0 1.99 3DES Session started cisco
From the output of this command we can see that there is one active SSH session on line vty 0, using SSH version 2 and the logged on user is named cisco.
Using the builtin SSH client
Cisco IOS version 12.1(3)T and above began to support SSH client functionality. This feature is available only when the SSH server is enabled. The SSH client allows us to establish a secure, encrypted connection to another Cisco router or to any other device running the SSH server. For example if we want to connect to our router from a Linux server we would run a command similar to the below:
Server# ssh -l cisco R1.cioby.ro
When starting a new SSH session the client allows us to specify several options:
- -l – specifies the username used to log onto the SSH server. If no user is specified the current user is assumed.
- -p – specifies the desired port number for the remote host. The default port number is 22.
- -c – specifies the used algorithm, (DES or 3DES), for encrypting data.
Optionally after the remote IP or domain name we can specify a command to be ran after loggging on.
ssh -l cisco R1 “show ip route”
Some error messages might appear when configuring the RSA key pair:
- No hostname specified – you must configure a host name for the router using the hostname global configuration command.
- No domain specified – you must configure a host domain for the router using the ip domain-name global configuration command.
To perform advanced troubleshooting on SSH you can use the debug ip ssh command.
Disabling telnet access
For security it’s recommended to disable telnet access on the vty lines and allow only SSH. This can be done by running the following sequence of commands:
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
After all these changes have been applied you must save them in the startup configuration by running one of the following two commands:
R1# copy running-config startup-config
R1# write memory
The startup config file is stored on NVRAM so these settings will be available even if the device is rebooted.