Configuring SSH on Cisco Switch/Router

Cisco recommends using SSH (Secure Shell) to manage switches and routers remotely. Telnet traffic in transit, if intercepted by a malicious hacker, reveals everything that is going on in clear text, including the various passwords we set earlier. So it is of prime importance to understand and configure SSH on our switches and routers. I have divided the topic into two parts.

Part 1: How SSH works

Part 2: How to configure SSH

Part I: How SSH works

SSH uses public-key cryptography (PKC), as do HTTPS and VPNs. So understanding PKC is understanding SSH, HTTPS and VPN communication. PKC is also known as asymmetric encryption, since a pair of keys is used: one key encrypts the data and the other decrypts it.

The algorithm behind PKC was published in a paper named “Asymmetric-key cryptosystem” by the Stanford University researchers Whitfield Diffie and Martin Hellman in 1976. The strength lies in the “impossibility” (computational impracticality) of determining a properly generated private key from its corresponding public key. Thus the public key may be published without compromising security. Security depends only on keeping the private key private.

Following are the typical steps in asymmetric encryption.

Step 1: A pair of keys {private, public} is generated by a Certificate Authority (CA) or by the individual himself. The public keys are made available in a public directory.

Step 2: The sender encrypts the message using the recipient’s public key and sends it across the network.

Step 3: The recipient decrypts the message using his private key. That way the private key is never sent across the network, yet only the intended recipient is able to decrypt the message.

Part II: How to configure SSH

Following are the steps to follow when configuring SSH on a Cisco switch or router.

Step 1: Configure the hostname

Router(config)#hostname deepakd

Step 2: Choose a domain name

Router(config)#ip domain-name

The fully qualified domain name (FQDN), i.e. the hostname plus the domain name, will be used as the name for the encryption keys.

Step 3: Generate encryption keys
The strength of the keys increases with the number of modulus bits. You can choose between 360 and 2048 bits. Note that as the bits increase, so do the computational complexity and the processing time. The generated key pair is self-generated rather than issued by a CA, which is fine in scenarios where we know the devices involved in the communication, such as SSH.

Router(config)#crypto key generate rsa
How many bits in the modulus [512]: 2048

Step 4: Enable SSH version 2

Router(config)#ip ssh version 2

Step 5: Create local user account(s)
Unlike Telnet, SSH requires a user name and password to log in.

Router(config)#username deepak secret cisco

Step 6: Allow SSH on the vty lines and enable login using local user accounts

Router(config)#line vty 0 4
Router(config-line)#transport input ssh
Router(config-line)#login local

Note that you can allow both Telnet and SSH on the vty lines (transport input ssh telnet). The reason is that Windows (unlike Linux) does not ship with an SSH client by default; you need an SSH client such as PuTTY or SecureCRT to initiate the SSH session. Keep in mind that leaving Telnet enabled reopens the clear-text exposure described in the introduction, so restrict the lines to ssh once a client is available.
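As an added example that is not part of the original post, here is a small Python audit that reads a running-config excerpt and reports where it departs from the steps above: a default hostname, a missing domain name, no ip ssh version 2, username entries using password instead of secret, and vty lines that still admit Telnet or lack login local. The configuration text, the domain lab.example and the secret hash are constructed for the example, not taken from a real device.

```python
import re

# Constructed sample running-config (not from a real device): it follows the post's
# steps but leaves Telnet enabled on vty 0 4, and the secret hash is a placeholder.
SAMPLE_CONFIG = """\
hostname deepakd
ip domain-name lab.example
username deepak secret 5 $1$PLACEHOLDER$
ip ssh version 2
line vty 0 4
 transport input ssh telnet
 login local
line vty 5 15
 transport input ssh
 login local
"""

def vty_blocks(config):
    """Yield ('line vty ...', [indented child commands]) for each vty section."""
    spec, body = None, []
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            if spec: yield spec, body
            spec, body = raw, []
        elif raw.startswith(" ") and spec is not None:
            body.append(raw.strip())          # IOS indents line-mode commands by one space
        elif spec is not None:                # any other top-level command ends the block
            yield spec, body
            spec, body = None, []
    if spec: yield spec, body

def audit_ssh(config):
    """Return a list of findings; an empty list means the config matches the post."""
    findings, lines = [], config.splitlines()
    if not any(re.match(r"hostname (?!Router$|Switch$)\S+$", l) for l in lines):
        findings.append("hostname left at default; RSA key name needs it")
    if not any(l.startswith("ip domain-name ") for l in lines):
        findings.append("ip domain-name missing; RSA keys cannot be generated")
    if "ip ssh version 2" not in lines:
        findings.append("ip ssh version 2 not configured")
    for u in (l for l in lines if l.startswith("username ")):
        if " secret " not in u:               # 'password' is reversible; 'secret' stores a hash
            findings.append(f"username {u.split()[1]}: uses password, not secret")
    for spec, body in vty_blocks(config):
        transport = next((b for b in body if b.startswith("transport input")), "")
        if transport != "transport input ssh":
            findings.append(f"{spec}: not restricted to SSH ({transport or 'no transport input'})")
        if "login local" not in body:
            findings.append(f"{spec}: login local missing")
    return findings
```

Run it against the output of show running-config saved to a file; the only finding on the sample is the vty 0 4 line that still accepts Telnet.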

SSH configuration on Cisco 7200 router

Connecting to router via SSH from another router

About Deepak Devanand

Seeker of knowledge
This entry was posted in IOS.
