02 December 2008

Configuring SSH for Cisco

At the CCNA level, we only learn how to connect to Cisco devices using a console connection and a telnet connection.

We know that no one can tap the console connection, since it's directly connected to the Cisco device, but the telnet connection is a different story.
Anyone on the path can capture the messages of a telnet session.

All messages are sent in clear text, so it's dangerous to leave the default communication with Cisco devices as plain telnet.

We can use SSH for a secure connection to Cisco devices. SSH will encrypt all messages going between your computer and the Cisco device.

First you're going to need a Cisco IOS image that supports SSH (an image with IPSec, DES, or 3DES). How would you know that? You can just issue the following command:

router> ena
router# show ip ssh
% Invalid input detected at '^' marker.

If it shows % Invalid input detected at '^' marker., then the IOS does not support SSH.

Now start the configuration: you have to define a hostname for the Cisco device, and also a domain name for it.
In this example I use the hostname "netrouter" and the domain name "ciscolab.home".

router (config)# hostname netrouter
netrouter (config)# ip domain-name ciscolab.home

Next, generate the RSA key pair used for the encryption; the device name plus the domain name will be the name of the key.
The modulus is the length of the key; the default value is 512 bits, and Cisco recommends a length of 1024 bits.

netrouter (config)# crypto key generate rsa

The name for the keys will be: netrouter.ciscolab.home
Choose the size of the key modulus in the range of 360 to 2048
for your General Purpose Keys. Choosing a key modulus greater than
512 may take a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]

You can also configure some additional parameters for the SSH connection:

netrouter (config)# ip ssh authentication-retries 5
netrouter (config)# ip ssh time-out 120
netrouter (config)# ip ssh version 2

The first command sets the number of retries allowed if you fail or mistype the username and password.
The second command sets the time-out, the time allowed to enter the username and password, in seconds.
The last command sets the SSH version you want to use.

Now that we have generated the key pair for the encryption, how will the Cisco device authenticate the users coming in over SSH?
You can either use an AAA server like RADIUS or TACACS+, or you can just use the Cisco device's local username and password. For now I'll just use local authentication: first set the username and password, then configure the device to accept local authentication for the line vty connections.

netrouter (config)# username Cisco password homelab
netrouter (config)# line vty 0 4
netrouter (config-line)# login local

By now you have successfully configured SSH on the Cisco device, so let's try it. You can use PuTTY for the SSH connection; the default port for SSH is 22, but you can use another port if you want by issuing ip ssh port 2000 from global configuration mode.
Change 2000 to any other port in the range 2000 to 10,000.

Here I'm using the default terminal on a Macintosh:

Macintosh:~ krishananda$ ssh Cisco@
Cisco@'s password:


There, SSH is working. But the telnet session is also still working; now I want to restrict the Cisco device to accept only SSH connections and deny telnet connections.


Do not disconnect from your current connection, especially if it's a telnet session; in case you mess up the configuration, you can still undo the changes.

netrouter (config)# line vty 0 4
netrouter (config-line)# transport input ssh

Now if I try to connect using telnet, the router will deny it:

Macintosh:~ krishananda$ telnet
telnet: connect to address Connection refused
telnet: Unable to connect to remote host
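To check that a device really ends up in the state described above, here is an added example (not part of the original post) that audits the SSH-related lines of a saved running-config. The two configs are constructed samples, and the RSA modulus is passed in separately because the running-config does not show it (it comes from show crypto key mypubkey rsa).

```python
import re

# Constructed sample configs (not taken from the post): the hardened one
# reflects the commands the post walks through, the weak one is the state
# before 'ip ssh version 2' and 'transport input ssh' were applied.
HARDENED_CONFIG = """\
hostname netrouter
ip domain-name ciscolab.home
ip ssh authentication-retries 5
ip ssh time-out 120
ip ssh version 2
username Cisco password homelab
line vty 0 4
 login local
 transport input ssh
"""

WEAK_CONFIG = """\
hostname netrouter
ip domain-name ciscolab.home
username Cisco password homelab
line vty 0 4
 login local
"""

def audit_ssh_config(config, rsa_bits=1024):
    """Return a list of findings for the SSH-related settings in an IOS config.

    config is the text of 'show running-config'; rsa_bits is the modulus size
    reported by 'show crypto key mypubkey rsa' (the running-config omits it).
    """
    findings = []
    if not re.search(r"^hostname \S+$", config, re.M):
        findings.append("no hostname set (needed to name the RSA key)")
    if not re.search(r"^ip domain-name \S+$", config, re.M):
        findings.append("no ip domain-name set (needed to name the RSA key)")
    if rsa_bits < 1024:
        findings.append(f"RSA modulus is {rsa_bits} bits; regenerate with 1024 or more")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set; SSHv1 is still accepted")
    # Walk each 'line vty' block; its sub-commands are the indented lines after it.
    for m in re.finditer(r"^(line vty \d+ \d+)\n((?: .*\n)*)", config, re.M):
        name, block = m.group(1), m.group(2)
        if not re.search(r"^ login (local|authentication \S+)$", block, re.M):
            findings.append(f"{name}: no 'login local' or AAA login, SSH users cannot authenticate")
        transport = re.search(r"^ transport input (.+)$", block, re.M)
        if transport is None or transport.group(1).strip() != "ssh":
            findings.append(f"{name}: transport input is not 'ssh', telnet is still accepted")
    return findings
```

Run it against the hardened config and it returns an empty list; the weak config with a 512-bit key reports the small modulus, the missing version 2 setting, and the vty line that still accepts telnet.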

Hope this is useful for you.


If you're using a Macintosh and you change the RSA key by issuing crypto key generate rsa again on the same device,
your Mac will refuse the SSH connection, showing a warning about a possible man-in-the-middle attack or a changed RSA key.
All you need to do is open your text editor, open the file /users/yourname/.ssh/known_hosts,
wipe out the content of the known_hosts file and save.
That should do the trick. Do this only when you know the key changed because you regenerated it; the same warning is what you would see during a real man-in-the-middle attack.