Cisco SSH Configuration
1. What is SSH and Why Use It in Cisco Networks
Secure Shell (SSH) is a protocol that provides encrypted remote access to network devices.
When working with Cisco devices, you need to know how to configure SSH on a Cisco device in order to manage your network devices safely.
Unlike older protocols such as Telnet, SSH encrypts the whole session to protect its confidentiality and integrity.

Imagine this case: you are a network administrator and you need to configure an interface on your router from your desk. SSH ensures that the commands you send (and the credentials you log in with) are encrypted, so they cannot be read or altered by anyone capturing the traffic.
Benefits of Using SSH
SSH offers several important advantages:
1. Enhanced Security: Encrypting the session reduces the risk of traffic interception.
2. User Authentication: Only authenticated users can access network devices.
3. Remote Device Management: SSH gives network administrators secure remote access to Cisco routers and switches.

SSH vs Telnet
SSH is often compared to Telnet, an older remote-access protocol. Here are the real differences:
1. Encryption:
- SSH: Encrypts all data, preventing eavesdropping and credential theft.
- Telnet: Transmits data, including passwords, in plain text, making it vulnerable to interception.

2. Default Port Numbers:
- SSH operates on TCP port 22
- Telnet uses TCP port 23
Make sure to know these ports for your CCNA exam! 🙂
Comparison Table
Here is a comparison table you can review over time to help you remember the differences.
| Feature | SSH | Telnet |
|---|---|---|
| Encryption | Yes | No |
| Port | TCP 22 | TCP 23 |
| Security | High | Low |
| Use Case | Secure device management | Rarely used due to insecurity |
Okay, now we will cover how to prepare and configure SSH on Cisco devices step by step!
2. Preparing Cisco Devices for SSH Access
Device Requirements for SSH
To enable SSH on your Cisco device, one crucial requirement must be met:
Compatible IOS Version: Your Cisco IOS image must include the cryptographic feature set, which is indicated by “k9” in the image name (example: c1900-universalk9-mz.SPA.152-4.M3.bin). Images without it cannot generate RSA keys or run an SSH server.
💡 You can check your IOS version and image name by using the show version command on your device.
Once you are sure your Cisco device supports SSH, we can begin, using the topology below as the example for this course:

Setting the Hostname
Before configuring SSH, ensure the device has a hostname. The hostname is required to generate the RSA key pair, because IOS names the key after the device (hostname plus domain name) and uses it to identify the device within the network.
R1(config)# hostname MyRouter
Enabling IP Domain Name
SSH requires an IP domain name in addition to the hostname to generate RSA keys.
R1(config)# ip domain-name pingmynetwork.com
Configuring User Accounts
Create user accounts for SSH access with appropriate privilege levels to control access.
R1(config)# username admin privilege 15 secret strong_password
Now that your device is ready, we will move on to the detailed SSH configuration in the next chapter.
3. Configuring SSH on Cisco Devices
This chapter walks you through the essential steps to enable SSH on Cisco devices, including generating cryptographic keys, enabling SSH on Virtual Teletype (VTY) lines, and setting the SSH version for enhanced security.
Generating RSA Keys
To establish a secure SSH connection, you first need to generate an RSA key pair. This key pair is the device’s SSH host key: clients use it to identify the router, and it is used during the SSH key exchange to set up the encrypted session.
Prerequisite: Ensure the device has a hostname and domain name configured, as they are required for RSA key generation.
🔹 Enter global configuration mode and generate RSA keys:
R1(config)# crypto key generate rsa modulus 2048
Important: A modulus size of 2048 bits is recommended for better security. Larger keys make the host key harder to break but take longer to generate and add processing load on every new connection.
Enabling SSH on VTY Lines
Once RSA keys are generated, configure the VTY lines (0 to 4) to accept only SSH connections, so that Telnet is disabled on those lines.
🔹 Access VTY line configuration:
R1(config)# line vty 0 4
🔹 Set the transport protocol to SSH only:
R1(config-line)# transport input ssh
💡 Tip: Limiting VTY lines to SSH only prevents unencrypted Telnet access, enhancing device security.
Setting SSH Version
Configuring the device to use SSH version 2 is recommended for improved security and compatibility: SSH v2 fixes protocol weaknesses of version 1 and includes enhancements that version 1 lacks.
🔹 Set the SSH version to 2:
R1(config)# ip ssh version 2
4. Verifying SSH Configuration
After configuring SSH on your Cisco device, it’s essential to test the connection and verify the setup to ensure secure access. This section illustrates SSH access from a PC to the router (R1), all within a single CLI session.
Accessing Router R1 via SSH
In this example, the PC connects to R1 using SSH, allowing for secure, remote management.
- Initiating SSH Access:
- On the PC terminal, start an SSH session by connecting to R1’s IP address with the configured username:
ssh admin@192.168.1.1
- Authenticating and Verifying Access:
- When prompted, enter the password for the admin user.
Example output:
admin@192.168.1.1's password: [Password entered]
R1> enable
Password:
R1#
- Entering Configuration Mode:
R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
Using show Commands to Verify Configuration
Several show commands can help verify the current SSH configuration, confirm active settings, and identify potential issues.
🔹 Check SSH Status and Version:
Use the show ip ssh command to display the SSH version, timeout settings, and authentication retries:
R1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
🔹 Verify VTY Line Configuration:
The show running-config command displays the current configuration, allowing you to check that SSH is enabled on the VTY lines and Telnet is disabled:
R1# show running-config | section line vty
line vty 0 4
 transport input ssh
🔹 Check IP Interface Status:
Use show ip interface brief to confirm that the device’s interfaces are configured correctly and reachable. Look for the assigned IP address and make sure the interface status is “up”:
R1# show ip interface brief
Interface              IP-Address      OK? Method Status   Protocol
GigabitEthernet0/0     192.168.1.1     YES manual up       up
⚠️ Warning: Ensure the interface intended for SSH access is “up” and reachable from the client device.
5. Security Best Practices for SSH
To maximize security when using SSH on Cisco devices, it’s crucial to follow best practices that limit access, enforce strong authentication, and disable insecure protocols. Here’s how to enhance SSH security on your network devices:
Limit Access to Specific IP Addresses Using Access Control Lists (ACLs)
Restricting SSH access to a specific IP address reduces the risk of unauthorized access. In this example, we’ll allow SSH access only from the administrator’s IP address, 192.168.1.10.
🔹 Create an ACL to permit access only from the IP address 192.168.1.10:
R1(config)# access-list 10 permit 192.168.1.10
🔹 Apply the ACL to the VTY lines to restrict SSH access:
R1(config)# line vty 0 4
R1(config-line)# access-class 10 in
💡 Tip: This configuration ensures that only the administrator with IP 192.168.1.10 can access the device via SSH.
Disable Telnet on VTY Lines
Telnet transmits data in plain text, making it vulnerable to interception. Disabling Telnet on VTY lines ensures only secure SSH connections are allowed.
🔹 Set the transport input to SSH only:
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
By configuring transport input ssh, the device will block Telnet and accept only SSH connections.
Use Strong Passwords and Enforce User Policies
For devices accessible remotely, configure SSH user accounts with strong passwords, ensuring they are complex and difficult to guess. Additionally, use privilege levels to control access.
🔹 Create a secure user account with privilege level 15 (full access):
R1(config)# username admin privilege 15 secret StrongPassword123!
Tip: Use a combination of uppercase, lowercase, numbers, and special characters to increase password strength.
Configure SSH Timeout and Authentication Retries
Setting session timeouts and authentication retry limits helps prevent unauthorized access and brute force attacks.
🔹 Set the SSH timeout to 60 seconds:
R1(config)# ip ssh time-out 60
🔹 Limit authentication attempts to 2:
R1(config)# ip ssh authentication-retries 2
Warning: Reducing retries minimizes the risk of brute-force attacks but may lock out legitimate users who mistype their credentials.
Enable Logging for SSH Sessions
Monitoring SSH access logs can help detect suspicious login attempts and unauthorized access.
🔹 Enable logging for failed and successful authentication attempts:
R1(config)# login on-failure log
R1(config)# login on-success log
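The verification commands from chapter 4 and the hardening steps above can be checked automatically against a saved copy of show running-config. The following Python script is an added example, not part of this course or of Cisco IOS: it parses a constructed running-config excerpt (the device names, ACL number and hash value are made up for the example) and reports which of the course’s SSH hardening points are missing.

```python
import re
# Constructed "show running-config" excerpt built from this course's commands;
# the second VTY block is deliberately left with Telnet enabled.
SAMPLE_CONFIG = """\
hostname MyRouter
ip domain-name pingmynetwork.com
username admin privilege 15 secret 9 $9$constructed.hash.value
ip ssh authentication-retries 2
ip ssh version 2
login on-failure log
access-list 10 permit 192.168.1.10
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

GLOBAL_CHECKS = [  # (pattern matched at line start, finding reported if absent)
    (r"hostname (?!Router$)\S+", "hostname missing or left at the default"),
    (r"ip domain-name \S+", "ip domain-name missing (needed for RSA keys)"),
    (r"ip ssh version 2", "SSH version 2 not enforced"),
    (r"ip ssh authentication-retries [123]$", "authentication retries not limited"),
    (r"username \S+ .*secret ", "no local user with a hashed secret"),
    (r"login on-failure log", "failed logins are not logged"),
]

def vty_blocks(config):
    """Map each 'line vty X Y' block to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"line vty (\d+) (\d+)$", line)
        if m:
            current = f"vty {m.group(1)} {m.group(2)}"
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return blocks

def audit_ssh(config):
    """Return the hardening gaps found; an empty list means every check passed."""
    findings = [msg for pat, msg in GLOBAL_CHECKS
                if not re.search("^" + pat, config, re.M)]
    for name, cmds in vty_blocks(config).items():
        if "transport input ssh" not in cmds:
            findings.append(f"{name}: transport input is not SSH-only")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound access-class restricting sources")
    return findings
```

Run audit_ssh(SAMPLE_CONFIG) to see the two findings for the vty 5 15 block; every VTY block on a real device must pass, not only vty 0 4, because an attacker connects to whichever line is free.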
Now that we’ve secured SSH access, let’s summarize what we’ve learned in the conclusion.
6. Conclusion
Cisco SSH configuration is one of the most important steps to secure remote management.
To recap, Cisco SSH configuration comes down to these three steps:
- Prepare – Configure hostname, domain name, and user accounts.
- Configure – Generate RSA keys, enable SSH, and set version 2.
- Secure – Restrict access, disable Telnet, and enforce strong authentication.