Cisco recommends SSH (Secure Shell) for managing switches and routers remotely. Telnet sends everything in clear text, so anyone who can intercept the traffic in transit sees the whole session, including the enable and line passwords we configured earlier. Understanding and configuring SSH on our switches and routers is therefore essential. I have divided the topic into two parts.
Part I: How does SSH work?
SSH is built on public-key cryptography (PKC), as are HTTPS and VPNs, so understanding PKC goes a long way toward understanding all three. PKC is also called asymmetric cryptography because a pair of mathematically related keys is used: what one key encrypts, only the other key can decrypt.
The idea was introduced by the Stanford University researchers Whitfield Diffie and Martin Hellman in their 1976 paper "New Directions in Cryptography"; the RSA algorithm that Cisco devices use for their SSH host keys followed a year later (Rivest, Shamir and Adleman, 1977). The strength lies in the "impossibility" (computational impracticality) of deriving a properly generated private key from its corresponding public key. The public key can therefore be published without compromising security; security depends only on keeping the private key private.
Following are the typical steps in asymmetric encryption.
Step 1 : The recipient generates a key pair and publishes the public key; the private key never leaves the recipient's device.
Step 2 : The sender encrypts the message with the recipient's public key.
Step 3 : The recipient decrypts the message using his private key. The private key is never sent across the network, yet only the intended recipient can decrypt the message.
Note that SSH does not encrypt the whole session this way. The host key pair we generate in Part II is used to prove the device's identity to the client (the device signs the key exchange, and the client checks the signature against the host key it has recorded). The session data itself is encrypted with a symmetric key that both sides derive during that exchange, which is far cheaper than public-key operations on every packet.
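The three steps above, worked through in code. This is an added example, not part of the original post: textbook RSA with deliberately tiny, constructed primes so it runs instantly, plus an attacker's routine that recovers the private key by factoring the public modulus. The function names (generate_keypair, encrypt, decrypt, recover_private_key) and the toy primes are my own. With the small modulus used here factoring takes a fraction of a second, which is exactly why the modulus size chosen in Part II, step 3 matters; real deployments also use padding (OAEP) that textbook RSA omits, and SSH uses the key pair for signatures rather than for encrypting the session.

```python
"""Textbook RSA walk-through: recipient key pair, sender encrypts with the
public key, recipient decrypts with the private key.  Added example with
constructed toy primes; not a real key and not the SSH wire protocol."""
from math import gcd, isqrt

# Constructed toy primes (about a 40-bit modulus). Real keys use n >= 2048 bits.
TOY_P = 1000003
TOY_Q = 1000033


def generate_keypair(p: int, q: int, e: int = 65537):
    """Step 1 (recipient): build (n, e) to publish and (n, d) to keep private."""
    n = p * q
    phi = (p - 1) * (q - 1)              # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Step 2 (sender): c = m^e mod n, using only the recipient's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Step 3 (recipient): m = c^d mod n, with the private key that never left."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def recover_private_key(public_key):
    """Attacker: factor n by trial division, then recompute d from the factors.
    Feasible only because n is tiny; with a 2048-bit n this loop never ends."""
    n, e = public_key
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    return None


if __name__ == "__main__":
    public, private = generate_keypair(TOY_P, TOY_Q)
    c = encrypt(public, b"cisco")                       # sender side
    print("ciphertext:", c)
    print("decrypted :", decrypt(private, c))           # recipient side
    print("attacker recovered the private key:", recover_private_key(public) == private)
```

Run it as is and the last line prints True: trial division up to the square root of a 40-bit modulus is roughly half a million iterations. Raising the modulus to 2048 bits does not change the algorithm, only the cost of that loop, which is the whole point of step 3 in Part II.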
Part II: How to configure SSH?
Following are the steps for configuring SSH on a Cisco switch or router.
Step 1 : Configure the hostname
Step 2 : Choose a domain name
Router(config)#ip domain-name wordpress.com
With the hostname deepakd, the fully qualified domain name (FQDN) deepakd.wordpress.com is used as the name of the RSA key pair. The domain name must be set before generating keys; otherwise IOS refuses with "% Please define a domain-name first".
Step 3 : Generate encryption keys
The strength of the keys increases with the modulus size. Depending on the IOS release the modulus can be anywhere from 360 to 4096 bits; SSH version 2 requires at least 768 bits, and 2048 is the sensible minimum today. Note that as the bits increase so do the computational complexity and the processing time, both for generating the keys and for every key exchange. What is generated is a self-generated key pair, not a certificate issued by a CA. That is fine for SSH, where we know the devices involved: the client records the device's host key on first connection and warns if it ever changes, so verify the fingerprint out of band the first time you connect.
Router(config)#crypto key generate rsa
How many bits in the modulus [512]: 2048
The same can be done non-interactively with crypto key generate rsa modulus 2048.
Step 4 : Enable SSH version 2
Router(config)#ip ssh version 2
Step 5 : Create local user account(s)
Unlike Telnet, which can be protected by the line password alone, SSH on IOS requires username-based authentication, so you need a local user account (or AAA). The secret keyword stores a salted hash of the password; avoid username ... password, which stores it in clear text or in the reversible type 7 form.
Router(config)#username deepak secret cisco
Step 6 : Choose to allow SSH and enable login using local user accounts
Router(config)#line vty 0 4
Router(config-line)#transport input ssh
Router(config-line)#login local
Note that you can allow both telnet and ssh on the vty lines (transport input ssh telnet) for hosts that have no SSH client, but doing so leaves the clear-text path open and defeats the purpose of this exercise, so prefer ssh only. The usual reason given is that older Windows versions, unlike Linux, ship without an SSH client, so you need a client such as PuTTY or SecureCRT to initiate the SSH session; current Windows 10 and 11 builds include an OpenSSH client.
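Putting steps 1 to 6 together, here is an added example (not part of the original post, and not a Cisco tool) that checks a saved running-config for the settings those steps produce: a domain name, ip ssh version 2, username lines that use secret rather than password, and vty lines with transport input ssh and login local. The two configs are constructed samples with a placeholder hash, and the function and finding names are my own. The RSA modulus size is not checked because it does not appear in the running-config; use show ip ssh or show crypto key mypubkey rsa on the device for that. The checker assumes local user authentication as in step 6; a device using AAA would need an extra rule.

```python
"""Audit an IOS running-config excerpt for the SSH hardening steps above.
Added example with constructed sample configs; assumes local user
authentication (login local), not AAA."""
from typing import List, Tuple

Finding = Tuple[str, str]   # (code, explanation)

# Constructed "before" config: telnet still allowed, SSHv1, type-7 password.
WEAK_CONFIG = """\
hostname Router
!
username deepak password 7 0822455D0A16
!
ip ssh version 1
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed "after" config matching steps 1-6 (the hash is a placeholder).
HARDENED_CONFIG = """\
hostname deepakd
ip domain-name wordpress.com
!
username deepak secret 5 $1$placeholder$hash
!
ip ssh version 2
!
line vty 0 4
 login local
 transport input ssh
"""


def split_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group an IOS config into (top-level line, indented sub-lines) pairs;
    blank lines and '!' separators are dropped."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_ssh_config(config: str) -> List[Finding]:
    """Return one finding per hardening step the config fails."""
    findings: List[Finding] = []
    blocks = split_blocks(config)
    top = [line for line, _ in blocks]

    # Step 2: the FQDN names the RSA key; IOS refuses to generate keys without it.
    if not any(line.startswith("ip domain-name ") for line in top):
        findings.append(("NO_DOMAIN", "no 'ip domain-name' set"))

    # Step 4: pin SSHv2; without it the device may also negotiate SSHv1.
    if "ip ssh version 2" not in top:
        findings.append(("SSH_VERSION", "'ip ssh version 2' missing"))

    for line, sub in blocks:
        # Step 5: 'secret' stores a hash; 'password' is clear text or reversible type 7.
        if line.startswith("username ") and "secret" not in line.split():
            findings.append(("USER_PASSWORD", f"{line.split()[1]}: uses 'password', not 'secret'"))

        # Step 6: vty lines must accept SSH only and authenticate by username.
        if line.startswith("line vty"):
            transport = None
            for s in sub:
                parts = s.split(None, 2)
                if parts[:2] == ["transport", "input"] and len(parts) == 3:
                    transport = parts[2]
            if transport != "ssh":
                findings.append(("VTY_TRANSPORT", f"{line}: transport input is {transport!r}, want 'ssh'"))
            if "login local" not in sub:
                findings.append(("VTY_LOGIN", f"{line}: no 'login local'; SSH needs username-based login"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_ssh_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for code, msg in results:
            print(f"  [{code}] {msg}")
```

Feed it the output of show running-config from a real device (copy it into a file and pass the file's contents to audit_ssh_config) and an empty list means the six steps are all in place; each finding names the step that is still missing.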