Enabeling SSH on CISCO IOS (Quick and Easy)

Aaron StreetTechnical Infrastructure Architecture and Global Network Manager
Published:
Setting up SSH Cisco

We are all told that you should not use Telent for connecting to devices because it is unsecure and all clear text. Much better is to use SSH, but it can seem a bit of a challenge setting it all up and especially in a small network you might not think it's worth the effort.

Below are the instructions to enable SSH on Cisco switches and routers, apply this to the VTY lines and use a client software to connect up.

You will need:

1)      A Cisco device running a IOS that supports SSH, this means any IOS with Crypto features. (if you have an IOS that is not crypto you can upgrade for free as long as you keep the same feature set, ask a Cisco reseller more about this if you need to get hold of one)

2)      A client that can support SSH such as Tera term or Putty.

First Step.  We need to generate some RSA Keys. These are used by the SSH session to encrypt the data. This requires first setting a hostname and a domain for the Device.

Any thing in bold is commands that need to be entered.

Router(config)#hostname test   (set a host name)
test(config)#ip domain-name test.com  (sets the domain the keys will be used for, this does not have to be the same as your windows AD domain, although often it will be)

test(config)#crypto key generate rsa
The name for the keys will be: test.test.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.


How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

test(config)#

this generates keys that are 1024 bits, this is plenty of security, any more and the performance of the device will start to suffer.

Next we need to set up a data base of local user names and and passwords.

test(config)#username Aaron privilege 15 secret Passw0rd

Setting a privilege level of 15 means you will log straight in to enable/privilege mode, and using secret is like the enable secret password and stored more securely.

Lastly we need to apply it to the VTY lines.

test(config)#line vty 0 15
test(config-line)#login local
test(config-line)#transport input ssh

So you are setting all VTY lines to use the local data base of usernames and passwords we have set up above, and forcing any incoming connections to require the SSH protocol.

test(config-line)#transport input ssh telnet (would allow both SSH and Telenet)

Don't forget to save your work
test(config-line)#end
test#copy run start
[OK]
test#

And that's it!! Now simply get one of the SSH clients mentioned above. Enter the IP address of the device and make sure SSH is ticked. The first time you will be asked to confirm you wish to connect to the device.

And there you have secure Shell set up and running.

There are many features to be found within SSH and further security mesurses to consider, but at least you now have a secure connection to the device over the network.

For some more info visit the sites below (thank you LRmoore)

For reference, this TechRepublic article goes into a little more detail about the SSH versions, but fails to add the little detail about adding ssh to the vty line.
http://articles.techrepublic.com.com/5100-10878_11-5875046.html

This Cisco Article goes into much more detail
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
2
7,400 Views
Aaron StreetTechnical Infrastructure Architecture and Global Network Manager

Comments (2)

Thanks, I'm wondering if there is a way to push out updates/ changing config on multiple Cisco devices at once. Not sure if cisco prime is able to handle this.
Really nice Thanks for sharing....
<a href="http://canli.in/">OTDR</a>
<a href="http://canli.in/">Splicing machine</a>

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.