Dec 3, 2008

Cisco router how to configure SSH (secure shell) to Telnet

Cisco router how to configure SSH (secure shell) to Telnet
Learn how to configure SSH for defended limited login on a Cisco router in this "how-to" guide. SSH replaces the awfully non-secure Telnet agreement for limited login.

Copyright (c) 2008 Don R. Crawley

Prior to the addition of SSH in the Cisco IOS, the alone limited login agreement was Telnet. Although absolutely functional, Telnet is a non-secure agreement in which the absolute session, including authentication, is in bright argument and appropriately accountable to snooping.

SSH is both a agreement and an apparatus that replaces Telnet and provides an encrypted affiliation for limited administering of a Cisco arrangement accessory such as a router, switch, or aegis appliance.

The Cisco IOS includes both an SSH server and an SSH client. This certificate is anxious alone with the agreement of the SSH server component.



The SSH server basic requires that you accept an IPSec (DES or 3DES) encryption software angel from Cisco IOS Release 12.1(1)T or after installed on your router. Advanced IP casework images cover the IPSec component. This certificate was accounting application c2800nm-advipservicesk9-mz.123-14.T5.bin.


You have to configure a hostname and a area name on your router. For example:


router#conf t

Enter agreement commands, one per line. End with CNTL/Z.

router01(config)#hostname router01

router01(config)#ip domain-name

You have to aswell accomplish an RSA keypair for your router which automatically enables SSH. In the afterward example, agenda how the keypair is called for the aggregate of hostname and area name that were ahead configured. The modulus represents the key length. Cisco recommends a minimum key breadth of 1024 $.25 (even admitting the absence key breadth is 512 bits):


router01(config)#crypto key accomplish rsa

The name for the keys will be:

Choose the admeasurement of the key modulus in the ambit of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may yield a few minutes.

How abounding $.25 in the modulus [512]: 1024

% Generating 1024 bit RSA keys ...[OK]

Finally, you have to either use an AAA server such as a RADIUS or TACACS+ server or actualize a bounded user database to accredit limited users and accredit affidavit on the terminal lines. For the purpose of this document, we'll actualize a bounded user database on the router. In the afterward example, the user "donc" was created with a advantage akin of 15 (the best allowed) and accustomed an encrypted countersign of "p@ss5678". (The command "secret" followed by "0" tells the router to encrypt the afterward plaintext password. In the router's active configuration, the countersign would not be animal readable.) We aswell acclimated band agreement approach to acquaint the router to use its bounded user database for affidavit (login local) on terminals curve 0-4.

router01(config)#username donc advantage 15 abstruse 0 p@ss5678

router01(config)#line vty 0 4

router01(config-line)#login local

Enabling SSH

To accredit SSH, you have to acquaint the router which keypair to use. Optionally, you can configure the SSH adaptation (it defaults to SSH adaptation 1), affidavit abeyance values, and several added parameters. In the afterward example, we told the router to use the ahead created keypair and to use SSH adaptation 2:


router01(config)#ip ssh adaptation 2

router01(config)#ip ssh rsa keypair-name

You can now log on to your router deeply application an SSH applicant such as TeraTerm.

Viewing SSH Configurations and Connections

You can use the advantaged approach commands "view ssh" and "view ip ssh" to appearance SSH configurations and access (if any). In the afterward example, the SSHv1 agreement from a Cisco 871 router is absolute application "show ip ssh" and a individual SSHv1 affiliation is displayed application the command "show ssh". Notice that we did not accredit SSHv2 on this router, so it defaulted to SSH adaptation 1.99. Aswell agenda in the achievement of the "show ssh" command that SSH adaptation 1 defaults to 3DES. SSHv2 supports AES, a added able-bodied and able encryption technology. SSHv2 is aswell not accountable to the aforementioned aegis exploits as SSHv1. recommends the use of SSHv2 and disabling a dropback to SSHv1. Enabling SSHv2 disables SSHv1. This archetype is included alone to authenticate backwards compatibility:


router04#show ip ssh

SSH Enabled - adaptation 1.99

Authentication timeout: 120 secs; Affidavit retries: 3


router04#show ssh

Connection Adaptation Encryption State Username

2 1.5 3DES Affair started donc

%No SSHv2 server access running.


You can aswell use the command "debug ip ssh" to troubleshoot SSH configurations.