How towards Configure SSH (Safe and sound Shell) for Distant Login upon a Cisco Router

Past towards the arrival of SSH inside the Cisco IOS, the basically distant login protocol was Telnet. Even though pretty realistic, Telnet is a non-safe protocol in just which the complete consultation, like authentication, is inside of distinct terms and therefore make any difference in direction of snooping.

SSH is equally a protocol and an software that replaces Telnet and gives an encrypted marriage for distant management of a Cisco community system this sort of as a router, replace, or basic safety equipment.

The Cisco IOS features each an SSH server and an SSH patient. This record is anxious simply just with the configuration of the SSH server factor.


Software package

The SSH server factor can take that your self incorporate an IPSec (DES or 3DES) encryption software package impression in opposition to Cisco IOS Launch 12.1(1)T or later on set up upon your router. Sophisticated IP expert services visuals consist of the IPSec part. This report was published working with c2800nm-advipservicesk9-mz.123-14.T5.bin.


By yourself need to configure a hostname and a area track record upon your router. For case in point:

router#conf t
Input configuration instructions, one particular for each line. Stop with CNTL/Z.
router01(config)#hostname router01
router01(config)#ip area-status wide web

Yourself really should as well crank out an RSA keypair for your router which mechanically lets SSH. Inside of the soon after instance, take note how the keypair is identified as for the mixture of hostname and area track record that had been currently configured. The modulus signifies the primary duration. Cisco suggests a minimal major period of 1024 bits (even although the default primary period is 512 bits):

router01(config)#crypto principal create rsa
The track record for the keys will be: router01.soundtraining.internet
Consider the measurement of the solution modulus in just the amount of 360 towards 2048 for your All round Explanation Keys. Picking a principal modulus better than 512 might choose a pair minutes.

How a great number of bits within just the modulus [512]: 1024
% Making 1024 little bit RSA keys …[Okay]

Inevitably, on your own really should both seek the services of an AAA server this sort of as a RADIUS or TACACS+ server or produce a nearby person databases toward authenticate distant people and make it possible for authentication upon the terminal traces. For the explanation of this record, we’ll generate a community consumer databases upon the router. Inside of the soon after case in point, the consumer “donc” was intended with a privilege point of 15 (the most authorized) and specified an encrypted password of “p@ss5678”. (The regulate “top secret” adopted as a result of “0” tells the router toward encrypt the soon after plaintext password. Inside the router’s functioning configuration, the password would not be human readable.) We in addition utilized line configuration manner toward convey to the router toward employ its community consumer databases for authentication (login community) upon terminals traces 0-4.

router01(config)#username donc privilege 15 solution 0 p@ss5678
router01(config)#line vty 0 4
router01(config-line)#login area

Allowing SSH

Towards make it possible for SSH, yourself ought to inform the router which keypair in direction of retain the services of. Optionally, your self can configure the SSH edition (it defaults toward SSH model 1), authentication timeout values, and various other parameters. Within just the soon after case in point, we advised the router in the direction of employ the by now constructed keypair and in the direction of hire SSH edition 2:

router01(config)#ip ssh model 2
router01(config)#ip ssh rsa keypair-status

On your own can already log upon towards your router properly applying an SSH affected individual these as TeraTerm.

Visiting SSH Options and Connections

Your self can seek the services of the fortunate method instructions “impression ssh” and “perspective ip ssh” in direction of belief SSH settings and connections (if any). Inside the right after instance, the SSHv1 configuration in opposition to a Cisco 871 router is established having “present ip ssh” and a one SSHv1 marriage is exhibited taking the regulate “exhibit ssh”. Awareness that we did not allow for SSHv2 upon this router, hence it defaulted toward SSH edition 1.99. Too observe inside of the generation of the “present ssh” regulate that SSH model 1 defaults in the direction of 3DES. SSHv2 supports AES, a further more powerful and helpful encryption technological know-how. SSHv2 is as well not make any difference toward the exact same protection exploits as SSHv1. soundtraining.web suggests the seek the services of of SSHv2 and disabling a dropback toward SSHv1. Permitting SSHv2 disables SSHv1. This instance is integrated basically towards explain backwards compatibility:

router04#exhibit ip ssh
SSH Enabled – model 1.99
Authentication timeout: 120 secs; Authentication retries: 3
router04#clearly show ssh
Romance Variation Encryption Region Username
2 1.5 3DES Consultation begun donc
%No SSHv2 server connections functioning.

By yourself can furthermore employ the regulate “debug ip ssh” in the direction of troubleshoot SSH settings.

Copyright (c) 2008 Dress in R. Crawley

Leave a Reply

Your email address will not be published. Required fields are marked *