Configure SSH on Cisco Routers and Switches

The Secure Shell (SSH) is a protocol for secure remote login over an insecure network. This document explains the procedure to configure SSH on Cisco routers and switches. SSH is preferred over Telnet because it encrypts the communication between client and server in both directions, whereas Telnet sends everything, including the login credentials, in clear text.
Step 1: Configure a hostname (the default name "Router" is not accepted for key generation, see the error further below):
Router(config)#hostname R1
Step 2: Verify that the IOS image supports SSH. The device must be running a k9 (crypto) software image, as shown below:
R1#show version
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(31)SGA1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 26-Jan-07 14:35 by kellythw
Image text-base: 0x10000000, data-base: 0x115C5630
ROM: 12.2(20r)EW1
Dagobah Revision 95, Swamp Revision 29
R1 uptime is 4 years, 15 weeks, 1 day, 22 hours, 33 minutes
System returned to ROM by power-on
System restarted at 15:30:21 met Fri Feb 6 2009
System image file is "bootflash:cat4500-ipbasek9-mz.122-31.SGA1.bin"   <<<<< k9 image
Before an RSA key pair exists, SSH is reported as disabled:
R1#sh ip ssh
SSH Disabled - version 1.99
%Please create RSA keys to enable SSH.   <<<<<
Authentication timeout: 120 secs; Authentication retries: 3
Step 3: Configure a domain name (the RSA key pair is named after hostname and domain):
R1(config)#ip domain-name lab.local
Step 4: Generate the RSA key pair using the command below:
R1(config)#crypto key generate rsa
The name for the keys will be: R1.lab.local
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024   <<< Key length should be 1024 or 2048
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Switch(config)# May 25 11:50:29.631: %SSH-5-ENABLED: SSH 1.99 has been enabled   <<<<< You will get this message if you are generating the key for the first time
Verify that the key pair was created:
R1#show crypto key mypubkey rsa
% Key pair was generated at: 12:04:12 UTC May 25 2013
Key name: R1.lab.local
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B1953A
  7EDD950E BE52B486 646FCA59 4EFC4652 7DC277A8 400B14EE 8B72E51D C003218B
  FD57E400 069EEA52 F3FDBE69 CD1C6EC2 9055F11E 5F09D35A EE003292 A22AD9CA
  E23FA548 FA53E757 4C0EC4F8 80D71E01 A5EB29C9 083B0A8F 5C3E8BF8 C9CA6C1D
  83C64769 0C57BF12 E13D76E0 63D826CE F0A8B42D FB77455A A4115D48 67020301
  0001
% Key pair was generated at: 12:04:12 UTC May 25 2013
Key name: R1.lab.local.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C57E1D 6B07B8B8
  4E0647E0 E210473A D92F99EB F264B9D1 BC2AE04D BFF59126 55FE58F0 8561E998
  1045D4F4 591E7032 4EC6A0A5 BA20B0A2 FF0D1269 76FEF992 41C24342 AFFB8838
  CEE5F80A B6540AEC 75F7D0A9 2A6A18F0 BDDA9683 A7FF58E6 1D020301 0001
If you try to generate the RSA key pair while the hostname is still the default "Router", you will get the error below:
Router(config)#crypto key generate rsa
% Please define a hostname other than Router.   <<<<<

If you try to generate the RSA key pair without configuring the domain name, you will get the error below:
R1(config)#crypto key generate rsa
% Please define a domain-name first.   <<<<<
Step 5: Verify the SSH status:
R1#sh ip ssh
ssh Enabled - version 1.99   <<<<<
Authentication timeout: 120 secs; Authentication retries: 3
Step 6: Use the ip ssh version command to restrict the SSH version. "Version 1.99" in the output above means the device still accepts both SSHv1 and SSHv2 clients; forcing version 2 disables the weaker SSHv1 protocol:
R1(config)#ip ssh version 2
Step 7: Test the SSH access from a client. Only if SSH access is confirmed working should you continue with Step 8, otherwise disabling Telnet could lock you out of the device.

Step 8: Allow only SSH on the VTY lines (this disables Telnet access):
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
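As an added example (not part of the original post), the Python script below audits a saved running-config excerpt for the settings this procedure puts in place: a non-default hostname, a domain name, SSH version 2, and SSH-only transport on every vty line. The config text is constructed for the example; the function and variable names are the author's own choice.

```python
import re

# Constructed sample of a Cisco IOS running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
hostname R1
ip domain-name lab.local
ip ssh version 2
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def vty_transports(config):
    """Map each 'line vty' section to its 'transport input' value (None if unset)."""
    transports, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line.strip()
            transports[current] = None
        elif current and line.startswith(" "):
            # IOS indents sub-commands of a line section with one space
            m = re.match(r"\s+transport input\s+(.+)$", line)
            if m:
                transports[current] = m.group(1).strip()
        else:
            current = None  # any non-indented line ends the vty section
    return transports

def audit_ssh_config(config):
    """Return a list of findings; an empty list means every step of the procedure is in place."""
    findings = []
    host = re.search(r"^hostname\s+(\S+)", config, re.M)
    if not host or host.group(1) == "Router":
        findings.append("hostname is missing or still the default 'Router'")
    if not re.search(r"^ip domain-name\s+\S+", config, re.M):
        findings.append("ip domain-name is not set (RSA key generation will fail)")
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("ip ssh version 2 is not set (device may still accept SSHv1)")
    for vty, transport in vty_transports(config).items():
        if transport != "ssh":
            findings.append(f"{vty}: transport input is {transport!r}, expected 'ssh'")
    return findings

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG) or ["OK: SSH-only management access"]:
        print(finding)
```

Run against the sample, it reports only the second vty range, whose transport still permits Telnet.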