Configuring SSH (Secure Shell) on a Cisco device

Secure Shell (SSH) is a protocol that allows us to connect to devices securely by using encryption. Gone are the days when most network engineers were happy to use plain telnet, with its clear-text transmission of data that lets an attacker sniffing the line capture usernames and passwords.

Configuring SSH on a Cisco device is straightforward and requires very few settings; it does, however, require that the IOS image loaded on the device supports encryption. Cisco IOS 12.1(3)T was the first Cisco IOS to support SSH configuration, and IOS now also supports version 2 of the protocol (SSH2).

SSH1 and SSH2, although both provide encrypted transmission, are very different in design. SSH1 had a number of known vulnerabilities, which resulted in the protocol being rewritten from scratch as SSH2, which supports more advanced encryption algorithms and no longer has the vulnerabilities found in SSH1.

In order to configure SSH on a Cisco device, three things need to be in place:

1/ An IOS that supports SSH: most IOS images that support encryption will support SSH, and any IOS image with ‘k9’ in the file name will.

2/ A host name must be defined on the device

3/ A domain-name must be configured on the device

Once the above is in place, you will need to create the keys that will be used for encryption; this is done with the ‘crypto key generate rsa’ command. You will then be prompted for the modulus size (key size). I tend to use 768 and 1024 for most configurations, as they add extra security compared to the default of 512 (the valid range is 360 to 2048).

Below are the commands to enable SSH on a Cisco router (most other Cisco devices use the same configuration):


AOIP.ORG(config)# ip domain-name AOIP.ORG
AOIP.ORG(config)# crypto key generate rsa
The name for the keys will be: AOIP.ORG.AOIP.ORG
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 768
% Generating 768 bit RSA keys ...[OK]

AOIP.ORG(config)#
00:05:26: %SSH-5-ENABLED: SSH 1.5 has been enabled

After the device generated the key, I received a message that SSH 1.5 (SSH1) had been enabled automatically on the router.

Other possible messages are:

SSH 1.99 (the router supports both SSH1 and SSH2)

SSH 2.0 (only SSH2 has been enabled)

The above configuration enables SSH on my Cisco router; however, it does not prevent someone from connecting to the router using telnet. In order to force SSH as the only available connection protocol, I need to reconfigure the vty lines using the configuration below.

AOIP.ORG(config)# line vty 0 4
AOIP.ORG(config-line)# transport input ssh
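As an added example that is not part of the original post, the Python below audits a saved running-config against the three prerequisites listed above and the vty change: a hostname, an ip domain-name, and transport input ssh on every vty line. It also checks for ip ssh version 2, a real IOS command the post does not show, which pins the router to SSH2 instead of the SSH 1.5 or 1.99 modes described earlier. The two config fragments are constructed samples; the first still accepts telnet, the second is the hardened end state.

```python
import re

# Constructed sample running-config fragments (not from the original post).
# WEAK_CONFIG still accepts telnet on one vty range and leaves the other at
# the platform default; HARDENED_CONFIG is the SSH-only end state.
WEAK_CONFIG = """\
hostname AOIP.ORG
ip domain-name AOIP.ORG
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 login
"""

HARDENED_CONFIG = """\
hostname AOIP.ORG
ip domain-name AOIP.ORG
ip ssh version 2
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""


def vty_transports(config):
    """Map each 'line vty ...' block to the list of transports it accepts.

    A block with no explicit 'transport input' maps to None, because the
    platform default then applies, and that default often still allows telnet.
    """
    blocks = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = None
        elif raw.startswith(" ") and current is not None:
            words = raw.split()
            if words[:2] == ["transport", "input"]:
                blocks[current] = words[2:]
        else:
            current = None  # any other top-level line ends the vty block
    return blocks


def audit_ssh(config):
    """Return a list of findings; an empty list means management is SSH-only."""
    findings = []
    if not re.search(r"^hostname\s+\S+", config, re.M):
        findings.append("no hostname: RSA key generation will fail")
    if not re.search(r"^ip domain-name\s+\S+", config, re.M):
        findings.append("no ip domain-name: RSA key generation will fail")
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("ip ssh version 2 not set: SSH1 may still be negotiated")
    for block, transports in vty_transports(config).items():
        if transports is None:
            findings.append(f"{block}: no explicit transport input (platform default applies)")
        elif transports != ["ssh"]:
            findings.append(f"{block}: accepts {' '.join(transports)}, not ssh only")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ssh(cfg) or "OK")
```

Feed it the output of show running-config from a real device; every vty range must carry transport input ssh explicitly, since a range without it (vty 5 15 in the weak sample) silently keeps whatever the platform default allows.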

Below is a live demonstration of the full configuration.


3 thoughts on “Configuring SSH (Secure Shell) on a Cisco device”

  1. Hi,
    Nice explanation! But I just want to know how that encryption takes place, as routers generate RSA keys, so what does the client (e.g. PuTTY) use, and henceforth how is data encrypted, using symmetric keys or RSA? It would be great if you can guide me….

    1. Hi Mitesh,

      The encryption algorithm used for SSH depends on the version of SSH that is being used.

      Version 1 supports: DES and 3DES (for example, there are others)
      Version 2 supports 3DES but does not support DES as it’s no longer considered secure enough for management sessions. (There are other algorithms supported as well).

      As for the keys, when you generate the keys using the crypto key generate command on a Cisco device, you are creating the key that will be used to secure the communication. When you open PuTTY and connect to the device for the first time, you should see a message telling you that the key is not currently in your registry and asking whether you would like to accept and save the key. This key will be used for the encryption of your session.

      I hope this helps answer your question.

  2. Hi Jay,

    Thanks for your reply.
    PuTTY saves the router’s public key, but what about the client’s public key (PuTTY’s public key) which needs to be sent to the router? That isn’t configured anywhere, or do both of them use the same public key? I am thinking of the IPsec VPN method of communication. Is it the same way communication happens with SSH, or do they use some sort of digital certificates? Kindly help….
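The thread above asks what the client actually stores when it accepts the router's key. As an added example that is not part of the original post or its comments, the Python below builds the router's RSA public key in the ssh-rsa wire format (RFC 4251 string and mpint encoding), computes the SHA256 fingerprint a client displays on first connection, and checks a known-hosts style record the way a client does on later connections. In SSH the host key identifies the server during key exchange; the session itself is encrypted with a symmetric key derived from that exchange, and the client needs no key pair of its own for password login. The exponent and modulus are constructed toy values, far smaller than a real 768 to 2048-bit key.

```python
import base64
import hashlib
import struct


def _string(b):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    """RFC 4251 'mpint': big-endian two's complement, leading 0x00 if the high bit is set."""
    if n == 0:
        return _string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)


def ssh_rsa_blob(e, n):
    """Public host key as sent on the wire: string "ssh-rsa", mpint e, mpint n."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def parse_ssh_rsa_blob(blob):
    """Decode a blob back into (e, n), as a client does with a stored host key."""
    fields = []
    pos = 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def fingerprint_sha256(blob):
    """The SHA256:... fingerprint a client shows when asking you to accept a new host key."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(host, blob):
    """OpenSSH known_hosts style record: host, key type, base64 key blob."""
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


def is_known_host(host, blob, known_hosts):
    """True only if known_hosts already holds this exact key for this host."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == host and parts[1] == "ssh-rsa":
            if base64.b64decode(parts[2]) == blob:
                return True
    return False


# Constructed toy values (hypothetical, not a real key pair).
TOY_E = 65537
TOY_N = 0xC0FFEE1234567890ABCDEF0123456789  # high bit set, so the mpint gets a leading 0x00

if __name__ == "__main__":
    blob = ssh_rsa_blob(TOY_E, TOY_N)
    print("first connection, fingerprint to verify out of band:", fingerprint_sha256(blob))
    store = known_hosts_line("aoip.org", blob)
    print("known on next connection:", is_known_host("aoip.org", blob, store))
```

The practical point for the first-connection prompt is that the fingerprint should be compared against the one shown by show crypto key mypubkey rsa on the router before accepting it; once saved, a changed key on a later connection is a warning worth investigating rather than dismissing.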
