How to configure Cisco Router/Switch to enable SSH (Secure Shell) and How to connect Cisco Router/Switch using SSH (Secure Shell)

Telnet was the protocol which Network Administrators were using for accessing the CLI console of a server or a network device remotely. Telnet is an insecure protocol for remote server configuration. SSH replaced telnet and SSH is much more secure than telnet. SSH supports authentication, confidentiality and integrity for remote administration. Telnet is used only as network testing tool like ping or netstat these days. Network administrators must disable telnet and use only SSH wherever possible.

SSH (Secure Shell) is a protocol which define how to connect securely over a network. SSH (Secure Shell) protocol provides the three main ideas of security authentication, confidentiality (via encryption) and integrity of data transfer over a network.

SSH supports Authentication to reliably determine the identity of the connecting computer, encryption to scramble data so that only the intended recipient only can read it and Integrity to guarantees the data sent over the network is not changed by a third party.

SSH has two main versions, SSH1 and SSH2. Both SSH1 and SSH2 supports secure connection over network, but SSH2 supports for public key certificates and Diffie-Hellman key exchange.

SSH uses TCP as its transport layer protocol and uses well-kown port number 22.

How to configure SSH (Secure Shell) in Cisco Router or Switch for secure remote access

SSH lab topology

Step 1: First step in configuring SSH to securely access the CLI interface of a Cisco Router or Switch remotely is to create a local user database for user authentication. Follow these steps to create a local user with username "jajish" and password as "OmniSecuPass" and with a privilege level 15.

OmniSecuR1#configure terminal
OmniSecuR1(config)#username jajish privilege 15 secret OmniSecuPass

Step 2: Cisco devices use RSA public key encryption algorithm for SSH connectivity. Before generating RSA encryption keys, you must change the default hostname of a Cisco Router or Switch. The default device name of a Cisco Router is "Router" and default device name of a Cisco Switch is "Switch". You must configure a domain name also before generating RSA keys.

Follow these Cisco IOS CLI commands to configure a hostname, a domain name and to generate RSA keys of 1024 bit length. After generating the RSA keys, Cisco Router/Switch will automatically enable SSH 1.99. SSH 1.99 shows that Cisco device supports both SSH 2 and SSH 1. SSH 1.99 is not a version, but an indication of backward compatibility.

Router#configure terminal
Router(config)#hostname OmniSecuR1
OmniSecuR1(config)#ip domain-name
OmniSecuR1(config)#crypto key generate rsa general-keys
The name for the keys will be:
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
*Nov 15 16:54:20.595: %SSH-5-ENABLED: SSH 1.99 has been enabled

Step 3: Next important step you have to do is to configure router/switch to use local user database for authentication and to disable telnet. Disabling telnet will prevent someone to connect to a Cisco Router or Switch accidentally using telnet and cause a security issue.

Follow these steps to instruct the Cisco Router or Switch to use local user database for SSH authentication and to disable telnet access to Cisco Router or Switch.

OmniSecuR1#configure terminal
OmniSecuR1(config)#line vty 0 1869
OmniSecuR1(config-line)#login local
OmniSecuR1(config-line)#transport input ssh

Step 4: To connect to Cisco Router or Cisco Switch using SSH from a Windows workstation, you must use a SSH client tool (SSH client utility is not packed with Windows Operating Systems up to Windows 7). Follow the link to download PuTTY, one of the best terminal emulator software availabe for free.

Open PuTTY and enter the IP address of the Cisco Router or Cisco Switch which you want to connect to. Select SSH as the desired protocol as shown below.

SSH Connection putty

Step 5: If this is the first time you are connecting to the Cisco Router or Cisco Switch, you will get a warning message as shown below stating that the Router's/Switch's host key is not cached locally. Accept the warning message and click "Yes" to connect to Cisco Router or Switch.

SSH warning server host key not found

Step 6: Enter the userid (jajish) and corresponding password which we have configured in Cisco Router/Switch before and hit "Enter".

SSH userid and password

Step 7: Now you are connected to Cisco Router or Switch using SSH protocol. You can now start configuring the Cisco Router/Switch securely from a remote location. Thanks to SSH and Tatu Ylonen (the genius who developed SSH).

SSH Connected



Related Tutorials