Monday, July 1, 2013

Enabling SSH "Secure Shell" Access on Cisco IOS

SSH ( Secure Shell ) is a secure protocol used in accessing remote servers. In order to make this tutorial simple, I'll just make it plain and simple without many details.

Let's Begin by configuring R1 to accept only SSH for it's access. By default there are several obligatory components for SSH to configured 
  1. Hostname
  2. Domain
  3. Crypto Key
  4. Allow SSH for input tranport under VTY lines
R1(config)#hostname R1R1(config)#ip domain-name Cisco.com 

Now, let's generate a crypto key

R1(config)#crypto key generate rsa modulus ?  <360-2048>  size of the key modulus [360-2048]
R1(config)#crypto key generate rsa modulus 1024The name for the keys will be: R1.Cisco.com
% The key modulus size is 1024 bits% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#*Mar  1 00:27:48.567: %SSH-5-ENABLED: SSH 1.99 has been enabled
Configuring logging for SSH events will be useful for tracing too

 R1(config)#ip ssh logging events
Of course 2048 would be the the most secure key and it's recommended to use 2048, also i ran into some issues in real life with PAC Manager which is a SSH/Telnet Client with keys smaller than 512.

Now Let's configure a username and a password on R1 and make it accept SSH access only.

R1(config)#username ADMIN privilege 15 password CISCO

R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login local

From R2, Let's try to SSH R1

R2#ssh -l ADMIN 10.1.2.1Password:R1#

From R1, let's see how the log looks like

*Mar  1 01:14:40.815: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.1.2.2 (tty = 0) for user 'ADMIN' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' closedR1(config)#*Mar  1 01:14:43.679: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.1.2.2 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' SucceededR1(config)#*Mar  1 01:14:46.051: %SSH-5-SSH2_USERAUTH: User 'ADMIN' authentication for SSH2 Session from 10.1.2.2 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded
Here's the show command for the logged users on R1

R1#show users    Line       User       Host(s)              Idle       Location*  0 con 0                idle                 00:00:00  98 vty 0     ADMIN      idle                 00:03:09 10.1.2.2
 

No comments:

Post a Comment