Saturday, September 24, 2016

Configuring SSH on IOS Devices

 on  with No comments 
In , ,  
According to Wikipedia, "Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.  The best known example is application is for remote login to computer systems by users."  SSH was designed to be a secure replacement for protocols such as telnet, rlogin, and rsh, which transmits data in clear text across the wire.  SSH support a number of additional use cases such as file transfer and forwarding the X protocol, but we'll focus on remote logins as used on Cisco IOS devices here.

SSH comes in two versions, 1 and 2.  Version 1 was found to be susceptible to a remote integer overflow vulnerability, so the newer but incompatible Version 2 was developed.   You'll sometimes see "Version 1.99" used, however this isn't another version but instead it indicates that the SSH server supports both versions 1 and 2.

Moving along to the SSH specific configuration, you want to begin by configuring a hostname for the device.  This is accomplished with the hostname command.  Give this some thought now, because you can't change it once your keys are generated.

Router# configure terminal
Router (config)# hostname R1
R1 (config)#

Next, you need to configure a domain name for the device.  Ideally, you would want to be a valid DNS domain, however, not everyone owns one.  Microsoft has the domain name that it uses for documentation and help files, I'm not sure if Cisco has a similar domain.  Use your own domain, use contoso, or just make one up here.

R1 (config)# ip domain-name

Next, generate or import a certificate for your device.  This certificate will be used to encrypt the SSH packets that your device will send out on the wire.

R1 (config)# crypto key generate rsa
The name for the keys will be:
Choose the size of the key modulus in the range of 36o to 2048 for your
   General Purpose keys. Choosing a key modulus greater than 512 may take
    a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Note the name of the keys, which corresponds to the FQDN of this device.  Also note the default key length is 512 bits. 

Now that we've generated the key, we'll move on to configuring the VTY lines for SSH access.

R1 (config)# line vty 0 4
R1 (config-line)# login local
R1 (config-line)# transport input ssh

You can configure the VTY lines to accept telent as well as SSH if you have devices that will be accessing this device via the VTY lines that does not support SSH. 

Now we'll need a user.  In this example, we'll keep it simple and use a local user contained within the local device's database.  In addition to the local user database, we can use either RADIUS or TACACS+ as well.

R1 (config)# username alan privilege 15 secret **********

And then finally, let's look at some advanced parameters for SSH.

Configure the switch to run SSH version 1 or 2.  By default IOS devices are set for SSH Version 1.99.

ip ssh version [1 | 2]

Configure the SSH control parameters.  The SSH timeout is for the negation phase. It has a range of 0 to 120 seconds, with a default of 120.  The number of authentication-retries is the number of times a client can re-authenticate to the server.  The range is 0 to 5, with a default of 3.

ip ssh timeout seconds authentication retries number 

After authenticating via SSH, the device will use the default time-out value for CLI sessions.  This is set on the VTY lines with the exec-timeout command.

R1 (config-line)# exec-timeout 15 0

And finally, you have two show commands to monitor SSH.

show ip ssh - shows the version and configuration of the SSH server
show ssh - shows the status of the SSH server



Post a Comment

Discuss this post!