Secure Shell (SSH) is a protocol that allows us to connect to devices securely by using encryption. Gone are the days were most networking engineers are happy with using plain telnet with it’s clear text transmission of data which could result in an attacker sniffing the line for usernames and passwords.
Configuring SSH on a Cisco device is straight forward and requires very little settings and configuration, it does however require that the IOS that is loaded on the device supports the use of encryption technologies. Cisco IOS 12.1(3)T was the first IOS from Cisco that supported SSH configuration, and since then IOS now supports version 2 of SSH (SSH2).
SSH1 and SSH2, although both are responsible for encrypted transmission, are very different in their design. SSH1 had a few known vulnerabilities and resulted in the protocol been re-written from scratch to form SSH2 which supports more advanced encryption technologies and no longer has the same vulnerabilities found in SSH1
In order to configure SSH on a Cisco device 3 things need to be in place
1/ An IOS that supports SSH – Most IOS that support encryption will support SSH, and any IOS with a ‘k9’ in the file name will.
2/ A host name must be defined on the device
3/ A domain-name must be configured on the device
Once the above is in place, you will need to create the keys that will be used for encryption, this can be achieved using the ‘crypto key generate rsa’ command. You will then be prompted for the modulus size (key size), I tend to use 768 and 1024 for most configurations as they add extra security compared to the default 512 (valid ranges are between 360 – 2048).
Below are the commands to enable SSH on a Cisco Router (most other Cisco devices use the same configuration as the below)
AOIP.ORG(config)# ip domain-name AOIP.ORG
AOIP.ORG(config)# crypto key generate rsa
The name for the keys will be: AOIP.ORG.AOIP.ORG
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus : 768
% Generating 768 bit RSA keys …[OK]
00:05:26: %SSH-5-ENABLED: SSH 1.5 has been enabled
After the device has generated the key, I received a message that it has automatically enabled SSH 1.5 on the router (SSH1).
Other possible options could have been;
SSH1.99 (The router has support for both SSH1 and SSH2)
SSH2.0 (Only SSH2 has been enabled)
The above configuration would have enabled SSH on my Cisco router, however it does not prevent someone from connecting to my router using telnet. In order to force SSH as the only available connection protocol, I need to reconfigure the vty lines using the below configuration.
AOIP.ORG(config)#line vty 0 4
AOIP.ORG(config-line)#transport input ssh
Below is a live demonstration of the full configuration.