Enable SSH on Cisco IOS Devices (Router, Switch, AP, etc)
SSH – Secure Shell is a protocol working with TCP Protocol to provide secured connectivity between two end device. In network we use SSH for secure remote connectivity to CLI of devices (Router, Switches, Firewall, AP, etc).
We have another protocol which provide remote device CLI access – TELNET. Benefit of SSH over Telnet is, SSH is secure communication whereas Telnet is clear-text communication. That means SSH packets are encrypted and only two end devices can understand, any one in-between (man-in-middle) cannot understand what is inside that packet.
We use SSH for various other purposes like File Transfer (SFTP) etc.
SSH is an application layer protocol which use TCP services on port 22.
Prerequisites to enable SSH
- Configure device Hostname other than Router or Switch
- Configure domain name on device
- Create crypto key (for encyption)
- For SSH version 2 or higher, crypto key size should be greater than 768 bits.
Configure device Hostname other than Router or Switch
We need to change device hostname from default hostname (Router / Switch) to any other non-default hostname.
Router(config)# hostname MEL-Core1
Configure Domain Name
To generate an encryption certificate (crypto key) we need to configure a domain-name for this device. Crypto key generates a certificate for you device with name as –
For example – Hostname – MEL-Core1 and Domain Name is – sakunsharma.in – Crypto key will generate an key with device name as – MEL-Core1.sakunsharma.in
MEL-Core1(config)#ip domain-name sakunsharma.in
Create crypto key (for encyption)
In this part we will create an key with RSA algorithm to encrypt the SSH packets. Remember if you want to use SSH ver 2, the key size should be minimum of 768 bits, if you key length is smaller than 768bits you cannot use SSH ver 2.
MEL-Core1(config)#crypto key generate rsa
Key size – 1024
Enable SSH Ver 2
We need to enable SSH on IOS and set which version of SSH you want to use.
MEL-Core1(config)#ip ssh ver 2
Enable IOS to Support SSH Connection
We have fulfilled SSH prerequisites for IOS which enable us to SSH into your device. Now in order to allow login via SSH into CLI of IOS we need to configure few more things.
- Create username and password
- Configure Virtual Terminal Line to allow SSH (vty)
Create username and password
When we use SSH, IOS device authenticate the user before allowing access to CLI of IOS. It uses user based authentication (username and password). By default there is no username and passwords on many IOS devices, so next step is to create a user account in your IOS. We can authenticate using AAA (Authentication, Authorization, Accounting) server (Cisco ACS, Cisco ISE, etc) users as well directly without creating any local user, but best practice is to create a local admin user too.
When we create any user account in IOS using command line, IOS stores that user information in running-configuration file (local database).
When we create a user account in IOS, there are two ways to specify the password – using normal passwords, using secret passwords (MD5 hash), best practice use secret instead of normal passwords.
MEL-Core1(config)# username sakun priv 15 secret sharma1
Note: priv 15 – means create this as an Admin user – maximum rights.
Configure Virtual Terminal Line to allow SSH (vty)
Next step is to configure the terminal lines to allow SSH connections and configure authentication method. Terminal lines (vty) are logical ports or interface via which a user connects to the device. The physical terminal line is your console port, so remote connects are logical connections.
MEL-Core1(config)#line vty 0 4
MEL-Core1(config-line)# login local
login local
– This command instruct IOS that whenever someone connects via VTY lines, authenticate the user using local database (running-config).
Another things you might want to do is, just enable connections via SSH, disable TELNET and other connection.
MEL-Core1(config-line)#transport input ssh
This command allows only SSH connections to your IOS device and will refuse TELNET and other connects on VTY lines.
To see how to enable Telnet and configure password on IOS device you can see my other post or video.
Thank You.