Secure Shell (SSH)

SSH is a protocol used to remotely access the CLI (the shell) of a remote system. It was developed in 1995 to replace less secure protocols like Telnet.

SSHv2, released in 2006, was a major revision of SSHv1, bringing significant security improvements.

• Devices that support both versions 1 & 2 are said to run ‘version 1.99’

SSH provides security features such as encryption and authentication.

SSH listens for traffic over TCP port 22.

SSH in Cisco IOS

Not all versions of IOS support SSH. To check if a device is running a version that supports SSH, check it’s version (show version) — IOS images that support SSH will have ‘K9’ in their name.

Some nations have legal restrictions on encryption technologies. To these markets, Cisco ships NPE (No Payload Encryption) IOS images. As these images do not support encryption, they cannot support SSH (or any other cryptographic features).

You can also use the show ip ssh command to see if SSH is supported by your device.

RSA Keys

To use SSH you must generate an RSA public and private key pair. These keys are used for data encryption and decryption, authentication, etc.

To generate these keys, a device needs a Fully Qualified Domain Name (FQDN) (host name + domain name) to name the RSA keys. Therefore, a domain name will need to be configured on the router. You’ll also need to change the hostname from its default (usually something like “Router”) to any other hostname.

Connecting Via SSH

On another machine (likely a PC) in a command line use either of the following commands:

• ssh -l username ip-address
• ssh username@ip-address

You’ll be prompted for the user’s password, then you’re in!

Configuration

Cisco IOS

Configuration Steps

1. Configure a host name
2. Configure a DNS domain name
3. Generate RSA Key pair
4. Configure a user and password, and enable password/secret
5. Enable SSH (version 2 only, preferred)
6. Configure VTY Lines

Generating RSA Keys

• (config)#ip domain name domain-name
  • You need a domain name for the FQDN
• (config)#crypto key generate rsa {modulus length}
  • Generate RSA Keys.
  • You will need to choose the size of the key modulus (360 - 4096 bits (768 or greater for SSHv2))
  • You can either specify the modulus length in the command directly, or the console will prompt you for one if you omit the options.
  • Generating keys will also enable SSH automatically.

Configuring SSH

The process here is similar to that of Configuration

• (config)#enable secret password
  • If enable password/secret isn’t configured, you won’t be able to access privileged exec mode when connecting via SSH
• (config)#username name secret password
  • Not strictly necessary, but useful. You can configure SSH to accept logins based on configured users.
• (config)#access-list acl permit host ip-address
  • Again, not necessary, but it’s not a bad idea to limit which devices are allowed to connect to the VTY Lines
• (config)#ip ssh version 2
  • Restrict SSH to version 2
  • Optional but highly recommended
• (config)#line vty low-number high-number
  • Enter line configuration for the selected range of VTY lines. There are 16 lines (0-15) available, i.e. up to 16 people can connect to the same device with Telnet/SSH at once.
  • It is recommended that all VTY Lines have the same configuration (e.g. (config)#line vty 0 15)
• (config-line)#login {local}
  • Enables password verified login. local option will set the device to use configured usernames for login, instead of a global password.
• (config-line)#exec-timeout minutes seconds
  • Set an auto-logout timer. You should do this.
• transport input [telnet | ssh | telnet ssh | all | none]
  • Configure what protocols are allowed to connect to the VTY Lines. Options select the particular protocols.
• (config-line)#access-class acl in
  • Applies an ACL to the VTY Lines
  • Obnoxiously different from ip access-group (applying an ACL to an interface) and access-list (configuring an ACL)