CCNA RnS Article #19: Configuring Secure Shell (SSH)!


CCNA RnS Article #19: Configuring Secure Shell (SSH)

In this article, we’ll continue where we left off last time “Secure Switch Management Plane”. We discussed there are multiple ways to manage a switch – direct console access or remote access using tools like Putty.

Remotely device management requires extra effort to secure the connection. It is not secure if you talk about the Telnet protocol to manage devices. All the traffic between the user and the device is sent in clear text. I mean, if someone in between captures the data can easily get what commands you typed in and the output you get on your screen including the password you type. This type of attack is called the Man-in-Middle (MIM) where the attacker is seeing what is being transferred between you and the device without your knowledge.

The countermeasure to MIM is to use a secure protocol like Secure Shell also known as SSH. SSH is a client-server application model. Cisco devices by default configured to run the SSH service. This way any cisco device is an SSH server.  The administrator who is managing/accessing the device needs an SSH client application like Putty, MPutty, SecureCRT, etc.

Figure 1: SSH Client-Server Model

SSH encrypts the communication between the device and the host. SSH doesn’t ask you to configure a separate username configuration, whatever you configured initially can be used with SSH with some additional commands.

  1. You need to configure a hostname
  2. You need to configure a domain name
  3. You need to generate the RSA key

Command example –

Router(config)#hostname R1

R1(config)#ip domain-name ccna.com

R1(config)#crypto key generate rsa

Hostname and the domain name configured in the above examples are used to create a FQDN by SSH to generate the encryption key used for traffic encryption. This FQDN is a combination of hostname and domain name – in our case, it will be “R1.ccna.com”. Once you enter the crypto key generate rsa command you will be asked to specify the key length – you can type 1024 which is stronger and hard to extract/break the keys by attacker compared to the default value 512.

The third command in the example is to generate the SSH encryption keys. You can also set the ssh version if old version 1 is running with the following command.

R1(config)#ssh version 2

By default, Cisco devices allow both telnet & SSH on the device. It is better to use SSH only to harden the device from a security point of view. The next command you need to execute is defining the access method using the transport input command.

Syntax – transport input {all | none | telnet | ssh}

Transport input command has 4 options –

all means telnet and ssh both are allowed

none means support neither

ssh means support only ssh

telnet means support only telnet

So, if you want your device should be accessed only through SSH, then you need to type below command in line vty mode –

R1(config)#line vty 0 15

R1(config-line)#transport input ssh

R1(config-line)# end


In summary, you need to follow the following steps to configure SSH on Cisco devices –

  1. Configure a hostname
  2. Configure a domain name
  3. Generate the RSA keys
  4. Configure the SSH Version [optional]
  5. Define the SSH Transport mode in line vty

I hope you find this informative.

  Continue Reading...


No comments