Let’s go through the steps to configure SSH (Secure Shell) on a Cisco Router or Switch for secure remote access.

Step 1: The first step in configuring SSH to securely access the CLI of a Cisco Router or Switch remotely is to create a local user database for user authentication. Use the following commands to create a local user with the username “ictkb”, the password “ictkbpass” and privilege level 15.
R1# configure terminal
R1(config)# username ictkb privilege 15 secret ictkbpass
R1(config)# exit
Step 2: Cisco devices use the RSA public key encryption algorithm for SSH connectivity. Before generating RSA encryption keys, you must change the default hostname of the Cisco Router or Switch. The default device name of a Cisco Router is “Router” and the default device name of a Cisco Switch is “Switch”. You must also configure a domain name before generating RSA keys.
Use the following Cisco IOS CLI commands to configure a hostname and a domain name, and to generate RSA keys of 1024-bit length. After the RSA keys are generated, the Cisco Router/Switch automatically enables SSH 1.99. SSH 1.99 indicates that the Cisco device supports both SSH 2 and SSH 1. SSH 1.99 is not a version, but an indication of backward compatibility.
Router#
Router# configure terminal
Router(config)# hostname R1
R1(config)# ip domain-name ictkb.com
R1(config)# crypto key generate rsa general-keys
The name for the keys will be: R1.ictkb.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
*Nov 15 16:54:20.595: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#exit
R1#
Step 3: The next important step is to configure the router/switch to use the local user database for authentication and to disable Telnet. Disabling Telnet prevents anyone from accidentally connecting to the Cisco Router or Switch over Telnet and causing a security issue. Use the following commands to instruct the Cisco Router or Switch to use the local user database for SSH authentication and to disable Telnet access to it.
R1# configure terminal
R1(config)# line vty 0 1869
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit
R1(config)#
Step 4: To connect to a Cisco Router or Cisco Switch using SSH from a Windows workstation, you must use an SSH client tool (an SSH client utility is not included with Windows operating systems up to Windows 7). Follow the link to download PuTTY, one of the best terminal emulators available for free.
Open PuTTY and enter the IP address of the Cisco Router or Cisco Switch which you want to connect to. Select SSH as the desired protocol as shown below.

Step 5: If this is the first time you are connecting to the Cisco Router or Cisco Switch, you will get a warning message as shown below stating that the Router’s/Switch’s host key is not cached locally. Accept the warning message and click “Yes” to connect to the Cisco Router or Switch.

Step 6: Enter the user ID (ictkb) and the corresponding password that we configured on the Cisco Router/Switch earlier, and hit “Enter”.

Step 7: You are now connected to the Cisco Router or Switch using the SSH protocol. You can now start configuring the Cisco Router/Switch securely from a remote location.
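
One way to confirm that a saved running-config actually reflects Steps 1 to 3 is shown below as an added example; it is not part of the original page or any Cisco tool. The sample configs are constructed, the function names `vty_blocks` and `audit` are hypothetical, and the parser assumes vty sub-commands are indented by one space, as in `show running-config` output.

```python
import re

# Constructed samples (not from a real device): GOOD follows Steps 1 to 3, BAD does not.
SAMPLE_GOOD = """\
hostname R1
ip domain-name ictkb.com
username ictkb privilege 15 secret 5 $1$constructed$hash
line vty 0 4
 login local
 transport input ssh
"""

SAMPLE_BAD = """\
hostname Router
username admin password 0 cisco
line vty 0 4
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

def vty_blocks(config):
    """Yield (header, [sub-commands]) for every 'line vty' block in the config."""
    header, body = None, []
    for line in config.splitlines():
        if not line.startswith(" "):      # any top-level command closes an open block
            if header:
                yield header, body
            header, body = (line.strip(), []) if line.startswith("line vty") else (None, [])
        elif header:
            body.append(line.strip())
    if header:
        yield header, body

def audit(config):
    """Return a list of findings; an empty list means Steps 1 to 3 are all in place."""
    checks = [
        (r"^hostname (?!(?:Router|Switch)$)\S+$", "hostname missing or still the default"),
        (r"^ip domain[- ]name \S+", "no ip domain-name configured"),
        (r"^username \S+ .*\bsecret\b", "no local user with a 'secret' password"),
    ]
    findings = [msg for pattern, msg in checks if not re.search(pattern, config, re.M)]
    for header, body in vty_blocks(config):
        if "login local" not in body:
            findings.append(f"{header}: 'login local' is not set")
        if "transport input ssh" not in body:
            findings.append(f"{header}: transport input is not SSH-only")
    return findings
```

Every vty block is checked separately because a device can have several `line vty` ranges, and one range left on Telnet is enough to keep it reachable.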