You want to use SSH to give more secure encrypted remote access to your router.
You can configure your router to run an SSH Version 1 server for VTY access:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#hostname Router1
Router1(config)#ip domain-name oreilly.com
Router1(config)#crypto key generate rsa
The name for the keys will be: Router1.oreilly.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]

Router1(config)#
Jun 27 15:04:15: %SSH-5-ENABLED: SSH 1.5 has been enabled
Router1(config)#ip ssh time-out 120
Router1(config)#ip ssh authentication-retries 4
Router1(config)#end
Router1#
SSH became available in Cisco's IOS starting with Release 12.1(1)T. However, only versions of IOS that support IPSec (DES or 3DES) encryption include SSH support. Note that there are severe restrictions on exporting any software that includes 3DES outside of the U.S. and Canada.
SSH provides a secure method of communication between network entities by means of transparent encryption. It is a protocol that encrypts all traffic, including passwords, between a client and a server. This makes it an excellent replacement for the Telnet and Rlogin protocols. Cisco's IOS currently supports only a subset of the standard SSH tools. In particular, Cisco routers do not support the newer SSH Version 2, which includes a number of important enhancements.
The main reason to consider replacing Telnet with SSH is security. The entire Telnet session, including passwords, is transmitted in clear-text. Anybody using a protocol analyzer between the Telnet client and server can easily see all of the data sent by both ends of the conversation, including usernames and passwords. SSH, on the other hand, uses strong encryption algorithms to ensure that the entire session is unintelligible to anybody except for the intended party. This allows for secure communication through the Internet or any other public network.
The transparent encryption scheme used by SSH ensures that, except for initial configuration, SSH behaves similarly to Telnet.
Configuring SSH requires the following steps:
Ensure that your router is running IOS Version 12.1(1)T or higher.
Ensure that your IOS version contains the IPSec feature set (DES or 3DES). Although 3DES is preferred, IOS versions containing this feature are export controlled outside of the U.S. and Canada.
Configure an authentication method that supports usernames and passwords, such as local authentication or AAA. SSH does not support the default VTY password encryption method. See Recipe 3.1 for information on local authentication and Chapter 4 for more information on AAA.
Set the router's hostname to something other than the default "Router."
Configure the ip domain-name on your router to match your organization's domain name.
Finally, generate the SSH host keys using the crypto key generate rsa configuration command. The router can accept a key length between 360 and 2048 bits. Larger keys provide greater security, but negatively affect performance. We don't recommend using a key that is shorter than 1024 bits. Creating keys requires a large number of CPU cycles, usually a few minutes of 100% CPU utilization (depending on the router type and the key length). Once created, keys are stored in NVRAM and are inaccessible. You can delete a set of keys with the crypto key zeroize rsa configuration command.
Generating a set of SSH keys automatically enables the SSH protocol. As soon as you have created the keys, the router can start accepting SSH sessions. The first time you attempt to access an SSH-enabled device, your SSH client software will prompt you to store the device host key. This prevents other devices from masquerading as a legitimate device:
Freebsd% ssh -l ijbrown Router1
The authenticity of host 'Router1 (172.25.1.5)' can't be established.
RSA1 key fingerprint is 7a:97:99:2a:ef:08:40:fb:c3:dd:c4:8c:29:fc:2f:4d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'Router1' (RSA1) to the list of known hosts.
ijbrown@Router's password: xxxxxxxxxx
Router1>exit
Connection to Router1 closed.
SSH passes the current username to the SSH server, which in turn prompts for the password of the current user. However, with the Unix version of SSH, you can override this behavior by specifying the -l option, followed by an alternate username. In the previous example, we explicitly specified a particular username (ijbrown). The default behavior looks like this:
Freebsd% ssh Router1
ijbrown@Router1's password: xxxxxxxxx
Router1>
Because we don't specify a username in this example, the router assumes that it should use the current Unix username, ijbrown.
If you decide to use SSH as your transport protocol for administrative access to your routers, we recommend that you disable all other forms of VTY access by using the transport input configuration command. Running insecure protocols defeats the purpose of implementing SSH in the first place. For more information on disabling transport protocols on virtual terminals, see Recipe 3.10. The following example illustrates how to disable all inbound protocols except SSH:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#line vty 0 4
Router1(config-line)#transport input ssh
Router1(config-line)#end
Router1#
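As an added illustration (not from the recipe, and not a Cisco tool), the following Python check audits a saved running-config excerpt against the checklist above: a non-default hostname, ip domain-name, the two ip ssh timers, username-based login on the VTYs (login local, or an AAA login authentication list) and transport input restricted to ssh. The config text is constructed, and the key length is not checked because the RSA keys live in NVRAM rather than in the configuration.

```python
import re

# Constructed running-config excerpt for illustration; not the recipe's
# router. It keeps the default hostname and leaves Telnet enabled on the
# VTYs so that the audit has something to report.
SAMPLE_CONFIG = """\
hostname Router
ip domain-name oreilly.com
username ijbrown password <placeholder>
ip ssh time-out 120
ip ssh authentication-retries 4
line vty 0 4
 login local
 transport input telnet ssh
"""

def vty_blocks(config):
    """Yield (header, [sub-commands]) for each 'line vty' block; IOS
    indents sub-commands by one space, top-level commands start at col 0."""
    current, body = None, []
    for line in config.splitlines() + ["end"]:
        if not line.startswith(" "):
            if current:
                yield current, body
            current, body = (line if line.startswith("line vty") else None), []
        elif current:
            body.append(line.strip())

def audit_ssh_config(config):
    """Return one finding for each recipe requirement the config misses."""
    findings = []
    host = re.search(r"^hostname (\S+)", config, re.M)
    if not host or host.group(1) == "Router":
        findings.append("hostname is the default 'Router'; set it before generating keys")
    for cmd in ("ip domain-name", "ip ssh time-out", "ip ssh authentication-retries"):
        if not re.search(rf"^{re.escape(cmd)} \S+", config, re.M):
            findings.append(f"{cmd} is not configured")
    for header, body in vty_blocks(config):
        if "login local" not in body and not any(b.startswith("login authentication") for b in body):
            findings.append(f"{header}: needs username-based login (login local or AAA)")
        transports = [b for b in body if b.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"{header}: allow only 'transport input ssh', found {transports or 'default (all protocols)'}")
    return findings
```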
Starting with Version 12.1(3)T, Cisco's IOS began to support SSH client functionality as well. SSH clients allow you to access other SSH servers, including SSH-enabled routers. In the following example, we initiate an SSH session from our router to an SSH-enabled Unix server:
Router1#ssh -l ijbrown server
Trying server.oreilly.com (172.25.1.3)... Open
Password: xxxxxxxxxxx
FreeBSD 4.6-STABLE (IJB)
Welcome to FreeBSD!
You have new mail.
Freebsd%
Many SSH clients and servers are readily available for most popular operating systems. There are also several free SSH packages available on the Internet, including OpenSSH and PuTTY (see Appendix A for more details).
The show ssh EXEC command displays the active SSH sessions and their attributes, such as VTY number, SSH version, encryption type, session state, and username:
Router1#show ssh
Connection Version Encryption State          Username
0          1.5     3DES       Session started ijbrown
3          1.5     3DES       Session started morewood
The command show ip ssh displays the SSH server configuration status, including the SSH version, authentication timeout, and number of retries:
Router1#show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 4
Router1#
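An added example, not part of the recipe: parsing the output of the two show commands above so that a script can report the server's protocol version, its timers, and who is currently logged in over SSH. The sample output is constructed from the format shown above; the "SSH Disabled" wording handled in parse_show_ip_ssh is an assumption about the server-off case.

```python
import re

# Constructed sample output, modelled on the "show ssh" and "show ip ssh"
# output in the recipe; not captured from a real router.
SHOW_SSH = """\
Router1#show ssh
Connection Version Encryption State          Username
0          1.5     3DES       Session started ijbrown
3          1.5     3DES       Session started morewood
"""
SHOW_IP_SSH = """\
Router1#show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 4
Router1#
"""

def parse_show_ssh(text):
    """Parse the session table. State is a multi-word column
    ("Session started"), so take the fixed columns from both ends."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue  # header, prompt or blank line
        sessions.append({"connection": int(parts[0]), "version": parts[1],
                         "encryption": parts[2], "state": " ".join(parts[3:-1]),
                         "username": parts[-1]})
    return sessions

def parse_show_ip_ssh(text):
    """Extract server state, protocol version, timeout and retry limit."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text)
        return conv(m.group(1)) if m else None
    return {"enabled": grab(r"SSH (Enabled|Disabled)") == "Enabled",  # 'Disabled' assumed
            "version": grab(r"version\s+(\S+)"),
            "timeout": grab(r"Authentication timeout:\s*(\d+)", int),
            "retries": grab(r"Authentication retries:\s*(\d+)", int)}

def audit_ssh_status(show_ip_ssh, show_ssh):
    """Review findings: server state, protocol version (1.5 is SSHv1, which
    lacks the v2 enhancements the recipe mentions) and the active sessions."""
    server, findings = parse_show_ip_ssh(show_ip_ssh), []
    if not server["enabled"]:
        findings.append("SSH server disabled: generate RSA keys first")
    elif not (server["version"] or "").startswith("2"):
        findings.append(f"server speaks SSH {server['version']} only (SSHv1)")
    for s in parse_show_ssh(show_ssh):
        findings.append(f"connection {s['connection']}: {s['username']} "
                        f"via SSH {s['version']}/{s['encryption']}, {s['state']}")
    return findings
```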