SSH ( Secure Shell ) is a procure method acting for distant access as is includes authentication and encoding. To do this, it uses a RSA public/private keypair .
There are two versions : interpretation 1 and 2. translation 2 is more secure and normally used .
death but not least, to configure SSH you require an IOS prototype that supports crypto features. otherwise you won ’ triiodothyronine be able to configure SSH.
Reading: How to configure SSH on Cisco IOS
To demonstrate SSH, I will use the stick to topology :
We will configure SSH on R1 so that we can entree it from any other device. R2 will be used as a SSH customer .
the name of the RSA keypair will be the hostname and world appoint of the router. Let ’ s configure a hostname :
And a sphere diagnose :
R1(config)#ip domain-name NETWORKLESSONS.LOCAL
now we can generate the RSA keypair :
R1(config)#crypto key generate rsa The name for the keys will be: R1.NETWORKLESSONS.LOCAL Choose the size of the key modulus in the range of 360 to 4096 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus : 2048 % Generating 2048 bit RSA keys, keys will be non-exportable... [OK] (elapsed time was 3 seconds)
When you use the crypto key generate rsa command, it will ask you how many bits you want to use for the key size. How much should you pick ?
It ’ south best to check the next generation encoding article from Cisco for this. At this moment, a key size of 2048 bits is acceptable. Key sizes of 1024 or smaller should be avoided. Larger key sizes besides take longer to calculate .
once the keypair has been generated, the following message will appear :
R1# %SSH-5-ENABLED: SSH 1.99 has been enabled
As you can see above, SSH interpretation 1 is the nonpayment version. Let ’ s switch to version 2 :
R1(config)#ip ssh version 2
SSH is enabled but we besides have to configure the VTY lines :
R1(config)#line vty 0 4 R1(config-line)#transport input ssh R1(config-line)#login local
This ensures that we only want to use SSH ( not telnet or anything else ) and that we want to check the local database for usernames. Let ’ s create a user :
R1(config)#username admin password my_password
Everything is immediately in place. We should be able to connect to R1 through SSH now .
The most common SSH client is credibly putty. The only thing you have to do is to select the SSH protocol, enter the IP cover and leave the default port at 22 :
You will see this on the putty console :
login as: admin Using keyboard-interactive authentication. Password: R1>
You can besides use another Cisco IOS device as a SSH customer. here ’ s how :
R2#ssh ? -c Select encryption algorithm -l Log in using this user name -m Select HMAC algorithm -o Specify options -p Connect to this port -v Specify SSH Protocol Version -vrf Specify vrf name WORD IP address or hostname of a remote system
There are quite some options but as a minimum, we should specify a username and IP address :
R2#ssh -l admin 192.168.12.1 Password: R1>
We are now connected to R1 through SSH .
desire to take a search for yourself ? here you will find the final configuration of each device .
hostname R1 ! ip domain name NETWORKLESSONS.LOCAL ip cef ! username admin password 0 my_password ! interface GigabitEthernet0/1 ip address 192.168.12.1 255.255.255.0 ! ip ssh version 2 ! line vty 0 4 login local transport input ssh ! end
hostname R2 ! ip cef ! interface GigabitEthernet0/1 ip address 192.168.12.2 255.255.255.0 ! end
SSH Server and Client
You have now learned how to configure the SSH server on your Cisco IOS router or switch and how to use the SSH client .
- SSH is a secure method for remote access to your router or switch, unlike telnet.
- SSH requires a RSA public/private key pair.
- SSH version 2 is more secure than version 1.
- Make sure you have an IOS image that supports crypto features, otherwise you can’t use SSH.