
CCNA RnS Article #19: Configuring Secure Shell (SSH)!


In this article, we’ll continue where we left off last time, in “Secure Switch Management Plane”. There we discussed that there are multiple ways to manage a switch: direct console access, or remote access using tools like PuTTY.

Figure 1.1- SSH

Remote device management requires extra effort to secure the connection. Using the Telnet protocol to manage devices is not secure: all the traffic between the user and the device is sent in clear text. Anyone in between who captures the data can easily read the commands you typed and the output you got on your screen, including the password you typed.

This type of attack is called Man-in-the-Middle (MIM): the attacker sees what is being transferred between you and the device without your knowledge.

The countermeasure to MIM is to use a secure protocol like Secure Shell, also known as SSH. SSH follows a client-server application model. Cisco devices are configured by default to run the SSH service, so any Cisco device is an SSH server.

The administrator who is managing or accessing the device needs an SSH client application like PuTTY, MPutty, SecureCRT, etc.

Figure 1.2- SSH Client-Server Model

SSH encrypts the communication between the device and the host. SSH doesn’t require a separate username configuration; whatever you configured initially can be used with SSH, with some additional commands:

  1. You need to configure a hostname
  2. You need to configure a domain name
  3. You need to generate the RSA key

Command example –

Router(config)#hostname R1
R1(config)#ip domain-name ccna.com
R1(config)#crypto key generate rsa

The hostname and domain name configured in the above example are used by SSH to create an FQDN, which is used to generate the encryption key for traffic encryption. This FQDN is a combination of the hostname and the domain name; in our case, it will be “R1.ccna.com”. Once you enter the crypto key generate rsa command, you will be asked to specify the key length. You can type 1024, which is stronger and harder for an attacker to break than the default value of 512.

The third command in the example generates the SSH encryption keys. If the old version 1 is running, you can also set the SSH version with the following command.

R1(config)#ip ssh version 2

By default, Cisco devices allow both Telnet and SSH. It is better to allow only SSH to harden the device from a security point of view. The next command you need to execute defines the access method, using the transport input command.

Syntax – transport input {all | none | telnet | ssh}

The transport input command has 4 options –

  • all means telnet and ssh both are allowed
  • none means support neither
  • ssh means support only ssh
  • telnet means support only telnet

So, if you want your device to be accessed only through SSH, you need to type the commands below in line vty mode –

R1(config)#line vty 0 15
R1(config-line)#transport input ssh
R1(config-line)#end
R1#wr

In summary, follow these steps to configure SSH on Cisco devices –

  1. Configure a hostname
  2. Configure a domain name
  3. Generate the RSA keys
  4. Configure the SSH Version [optional]
  5. Define the SSH Transport mode in line vty
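
To verify the steps above on a saved running configuration, here is a Python check added as an example; it is not part of the original article. The function name `audit_ssh` and the sample configuration are constructed for illustration, and the script assumes the usual running-config layout where sub-commands are indented under their `line` block.

```python
import re

# Constructed running-config excerpt (not captured from a real device):
# vty 0-4 are SSH-only, but vty 5-15 still accept Telnet.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name ccna.com
ip ssh version 2
!
line con 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input all
!
end
"""

def audit_ssh(config):
    """Return findings for the article's SSH steps; an empty list means pass.
    Step 3 (RSA key generation) is not a configuration line, so it is not checked."""
    lines = config.splitlines()
    top = [l.strip() for l in lines if l and not l.startswith(" ")]
    findings = []
    host = next((l.split()[1] for l in top if l.startswith("hostname ")), None)
    if host in (None, "Router", "Switch"):
        findings.append("hostname is missing or still a factory default")
    # Releases differ in whether this is stored as 'domain-name' or 'domain name'
    if not any(re.match(r"ip domain[- ]name \S+", l) for l in top):
        findings.append("no ip domain-name configured")
    if "ip ssh version 2" not in top:
        findings.append("SSH version 2 is not enforced")
    # Collect the indented sub-commands under each 'line vty' block
    vty, current = {}, None
    for l in lines:
        if l.startswith(" "):
            if current:
                vty[current].append(l.strip())
        elif l.startswith("line vty"):
            current = l.strip()
            vty[current] = []
        else:
            current = None
    for name, cmds in vty.items():
        ti = next((c for c in cmds if c.startswith("transport input")), None)
        if ti != "transport input ssh":
            findings.append(f"{name}: {ti or 'no transport input set'} (expected ssh only)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ssh(SAMPLE_CONFIG)) or "SSH-only management: OK")
```

The sample deliberately leaves vty 5-15 open to Telnet, the gap that appears when `transport input ssh` is applied to only part of the vty range.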

I hope you find this informative.
