Configuring SSH (Secure Shell) on a Cisco device
SSH (Secure Shell) provides a secure way to connect to and manage network devices remotely. Unlike Telnet, which sends data in plain text, SSH encrypts all communication between the client and server, making it the preferred method for remote administration. This guide will show you how to configure SSH on Cisco devices.
Prerequisites
Before configuring SSH, ensure your Cisco device meets these requirements:
- IOS version that supports SSH (typically 12.1(1)T or later)
- Device has a hostname configured
- Domain name is configured
- RSA keys are generated
Basic SSH Configuration Steps
Step 1: Configure Hostname and Domain Name
SSH requires both a hostname and domain name to generate RSA keys:
Router(config)# hostname R1
R1(config)# ip domain-name anythingoverip.com
Step 2: Generate RSA Key Pair
Generate the RSA keys that SSH will use for encryption. The key size should be at least 1024 bits:
R1(config)# crypto key generate rsa
The name for the keys will be: R1.anythingoverip.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Step 3: Configure User Authentication
Create local user accounts for SSH access:
R1(config)# username admin privilege 15 secret cisco123
R1(config)# username operator privilege 1 secret operator123
Step 4: Configure VTY Lines for SSH
Configure the virtual terminal (VTY) lines to accept SSH connections:
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# exec-timeout 5 0
Step 5: Enable SSH Version 2
For better security, enable SSH version 2:
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 3
Verification Commands
Use these commands to verify your SSH configuration:
R1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3
R1# show ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes128-cbc hmac-sha1 Session started admin
%No SSHv1 server connections running.
R1# show crypto key mypubkey rsa
% Key pair was generated at: 15:30:45 UTC Mar 15 2024
Key name: R1.anythingoverip.com
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D06092A864886F70D0101010500034B0030480241...
Testing SSH Connection
Test the SSH connection from a client device or another router:
PC> ssh -l admin 192.168.1.1
Password:
R1>
Advanced SSH Configuration
Configuring SSH Access Lists
Restrict SSH access to specific IP addresses:
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255
R1(config)# line vty 0 4
R1(config-line)# access-class 10 in
SSH Key Management
To remove existing RSA keys and generate new ones:
R1(config)# crypto key zeroize rsa
R1(config)# crypto key generate rsa modulus 2048
Common SSH Issues and Troubleshooting
- SSH not working: Verify hostname, domain name, and RSA keys are configured
- Authentication failures: Check username/password configuration and SSH version compatibility
- Connection timeouts: Verify network connectivity and firewall rules
- Key generation fails: Ensure sufficient entropy is available on the device
Use debug ip ssh to troubleshoot SSH connection issues, but remember to disable debugging when finished:
R1# debug ip ssh
R1# undebug all
Security Best Practices
- Always use SSH version 2
- Use strong passwords for user accounts
- Implement access control lists to restrict SSH access
- Set appropriate timeout values
- Regularly update RSA keys
- Monitor SSH connection logs
- Disable unused services and protocols
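As an added example (not part of the original guide), the following Python script audits a saved running-config against the settings from Steps 1, 4 and 5 and the access-list section above; the sample config embedded in it is constructed for the example, not captured from a real device.

```python
import re

# Constructed sample running-config (not from a real device): vty 0 4 follows the guide, vty 5 15 is left weak.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name anythingoverip.com
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
 exec-timeout 5 0
 access-class 10 in
line vty 5 15
 transport input telnet ssh
"""

def parse_vty_blocks(config):
    """Map each 'line vty ...' header to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit_ssh(config):
    """Return findings; an empty list means the config matches the guide's settings."""
    findings = []
    for pattern, msg in [  # global settings from Steps 1 and 5
        (r"^hostname \S+", "hostname not set (needed for RSA key generation)"),
        (r"^ip domain-name \S+", "ip domain-name not set (needed for RSA key generation)"),
        (r"^ip ssh version 2$", "SSH version 2 not enforced"),
    ]:
        if not re.search(pattern, config, re.M):
            findings.append(msg)
    for name, cmds in parse_vty_blocks(config).items():  # Step 4 and the access-list section
        for required in ("transport input ssh", "login local"):
            if required not in cmds:
                findings.append(f"{name}: '{required}' missing")
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None or timeout == "exec-timeout 0 0":  # 0 0 disables the idle timeout
            findings.append(f"{name}: exec-timeout missing or disabled")
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound access-class restricting SSH sources")
    return findings
```

RSA keys are not part of the running-config, so the script cannot check them; confirm those with show crypto key mypubkey rsa as in the verification section.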
SSH configuration is essential for secure network device management. By following these steps and best practices, you can ensure secure remote access to your Cisco devices while maintaining proper security controls.