Most IT pros realize that using Telnet to manage routers, switches, and firewalls is insecure. Transmitted in clear text across a network, Telnet traffic basically publicizes any login usernames and passwords to any attackers out there listening—who can take advantage of that information to access a device as the network administrator.
The standard alternative to Telnet's lack of security is Secure Shell (SSH). Like Telnet, you can use SSH to enter IOS commands over a network or to copy files over the network to a device. But with SSH, which uses encryption and digital certificates, you don't have nearly as many security concerns.
There are two versions of Secure Shell: SSH1 and SSH2. Cisco IOS 12.1(3)T was the first version to support SSH1; however, it does require the Data Encryption Standard (DES) or triple DES (3DES) IPSec encryption version of the IOS.
Certain versions of IOS 12.3—12.3(4)T, 12.2(25)S, and 12.3(7)JA or later—were the first to support SSH2, which requires a version of the IOS that supports 3DES. IOS versions that support 3DES have k9 in the name of the file.
It's important to note that SSH1 and SSH2 are two entirely different protocols. SSH2 offers much more security, and I recommend using it whenever possible. However, even SSH1 is better than Telnet. It will protect you from the casual hacker who's trying to sniff passwords from your network.
The Cisco IOS offers both an SSH server and an SSH client. So you can connect to your router's SSH server from an SSH client, or you can connect your router's SSH client to another device that has an SSH server.
Let's start with how to configure SSH on a Cisco IOS router. This configuration process is also very similar on Cisco switches and firewalls. Before you begin, make sure you have the proper image that includes IPSec DES or 3DES encryption to make sure using SSH is possible.
For our example, I'm using a 2611 router running IOS version 12.2(15)T9 that includes 3DES encryption. The exact filename is c2600-ik9o3s3-mz.122-15.T9.bin.
First, make sure your router has a hostname by using the hostname command. Here's an example:
Router(config)# hostname TR-Router TR-Router(config)#
Next, configure a domain name on your router using the ip domain-name command. Here's an example:
TR-Router(config)# ip domain-name TechRepublic.com TR-Router(config)#
Then, create an RSA encryption key pair for the router to use for authentication and encryption of the SSH data. One of the questions you must answer during this process is the modulus size of the key. Make sure the key modulus is at least 768 bits. Here's an example:
TR-Router(config)# crypto key generate rsa The name for the keys will be: TR-Router.TechRepublic.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 768 % Generating 768 bit RSA keys ...[OK] TR-Router(config)# *Mar 1 00:17:13.337: %SSH-5-ENABLED: SSH 1.5 has been enabled TR-Router(config)#
As you can see from this example, after the system generates the key, you'll receive a message that it has automatically enabled SSH 1.5 on the router. To clarify, SSH 1.5 is Cisco's way of saying this router is running SSH1. If the system has enabled support for both SSH1 and SSH2, this message would say SSH 1.99. If the system has only enabled support for SSH2, the message would say SSH 2.0.
You can also configure SSH settings if you choose. To do so, use the ip ssh command with whichever parameters you choose to set. (Different IOS versions have different options because they support different versions of SSH.) Here's an example:
TR-Router(config)# ip ssh ? authentication-retries Specify number of authentication retries Port Starting (or only) port number to listen on Rsa Configure RSA keypair name for SSH source-interface Specify interface for source address in SSH connections time-out Specify SSH time-out interval TR-Router(config)# ip ssh
Configuring optional SSH settings completes the process of configuring SSH on the router. Now, let's take a look at showing the SSH status.
To view the status of SSH, you can use the following commands:
Here's an example:
TR-Router# show ip ssh SSH Enabled - version 1.5 Authentication timeout: 120 secs; Authentication retries: 3 TR-Router# show ssh %No SSH server connections running. TR-Router#
SSH debug commands are also available by using the debug ip ssh command.
You can use a device's built-in SSH client to connect to other SSH servers. The Privileged Mode command is ssh. Here's an example:
TR-Router# ssh ? -c Select encryption algorithm -l Log in using this username -o Specify options -p Connect to this port WORD IP address or hostname of a remote system TR-Router# ssh
source: techrepublic.com