Friday, February 2, 2024

Cisco - How to enable SSH in Cisco IOS


In today’s interconnected world, securing your network infrastructure is paramount. One of the foundational steps towards securing network access is enabling Secure Shell (SSH) on your network devices. SSH provides a secure channel over an unsecured network in a client-server architecture, offering secure remote login from one computer to another. This blog article will guide you through the steps to enable SSH on a Cisco device running the Internetwork Operating System (IOS).

Prerequisites

Before you begin, ensure you have the following:

  • A Cisco device running IOS 12.2(25)S or later
  • Access to the Cisco device
  • Basic knowledge of Cisco IOS commands
  • The device must have an IP address configured
  • Ensure the device can resolve domain names (either through a static mapping or DNS)

Step-by-Step Guide

1. Enter Global Configuration Mode

First, access your Cisco device through the console or a Telnet/SSH session. Once you’re in, enter the Global Configuration mode by typing:

configure terminal

You’ll see the prompt change, indicating you’re in configuration mode (e.g., R1(config)#).

2. Set the Hostname and Domain Name

For SSH to function properly, your device needs a unique hostname and a domain name; IOS derives the RSA key name from both (R1.lab.analysisman.com in the snapshot below). The prompt R1 in these examples shows the hostname is already set; set the domain name with:

R1(config)#ip domain-name lab.analysisman.com

This command sets the domain name to lab.analysisman.com. Adjust the domain name according to your network’s naming conventions.

3. Generate RSA Key Pair

SSH uses an RSA key pair as the device's host key, which identifies the device to connecting clients. Generate the pair with:

R1(config)#crypto key generate rsa

You’ll be prompted to choose the size of the key modulus. While the device accepts a modulus between 360 and 2048 bits, a 2048-bit key is recommended for better security:

How many bits in the modulus [512]: 2048

Wait for the key generation process to complete. You’ll see a confirmation message once the keys are generated.

4. Enable SSH and Specify Its Version

After generating the RSA keys, enable SSH and set its version to 2 for enhanced security features:

R1(config)#ip ssh version 2


5. Configure the VTY Lines for SSH Access

Now, configure the Virtual Terminal (VTY) lines to only accept SSH connections:

R1(config)#line vty 0 4
R1(config-line)#transport input ssh

This configuration restricts the VTY lines to SSH only, enhancing security by blocking Telnet and other insecure remote-access protocols on those lines.

6. Enable Local Login and Exit VTY Configuration

Ensure that users logging in through SSH are authenticated locally:

R1(config-line)#login local


Then, exit the VTY configuration mode:

R1(config-line)#exit


7. Create a Local User

For the login local command to work, you need at least one user account:

R1(config)#username cisco password cisco

Replace cisco with your desired username and password. It’s strongly recommended to use a stronger, unique password for security purposes.

8. Secure the Enable Mode

It’s also a good practice to secure the enable mode with a secret password:

R1(config)#enable secret cisco

Again, choose a strong, unique password instead of cisco.

9. Save the Configuration

Finally, save your configuration to ensure it persists across reboots:

R1#write memory

Or you can use:

R1#copy running-config startup-config


Here is the full configuration snapshot:
R1#configure t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip domain-name lab.analysisman.com
R1(config)#crypto key generate rsa
The name for the keys will be: R1.lab.analysisman.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#
*Mar  1 00:41:42.199: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#ip ssh version 2
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login local
R1(config-line)#exit
R1(config)#
R1(config)#username cisco password cisco
R1(config)#enable secret cisco
R1(config)#end
R1#
*Mar  1 00:43:21.107: %SYS-5-CONFIG_I: Configured from console by console
R1#wr me
Building configuration...
[OK]
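After the walkthrough, a practitioner usually wants to verify that a saved running-config actually reflects the end state above (SSH version 2, SSH-only VTY lines, local login, an enable secret) and that the demo credentials were not left in place. The following audit is an added example, not part of the original article or Cisco's tooling; the running-config it checks is a constructed sample that deliberately keeps the `cisco`/`cisco` credentials and leaves VTY lines 5 to 15 accepting Telnet.

```python
import re
# Constructed sample running-config (not from the article); the $1$ hash is a placeholder.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name lab.analysisman.com
username cisco password 0 cisco
enable secret 5 $1$PLACEHOLDER-HASH
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
"""

def parse_vty_blocks(config: str) -> dict:
    """Map each 'line vty ...' header to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line.strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any unindented line ends the vty block
    return blocks

def audit_ssh_config(config: str) -> list:
    """Return findings; empty means the config matches the article's end state."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set")
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no enable secret")
    users = re.findall(r"^username (\S+)(?: privilege \d+)? (password|secret)\b", config, re.M)
    if not users:
        findings.append("no local user for 'login local'")
    for name, kind in users:
        if kind == "password":  # type 0/7 storage is reversible; prefer 'secret'
            findings.append(f"user {name}: reversible 'password' storage, use 'secret'")
        if name == "cisco":
            findings.append("demo username 'cisco' from the walkthrough is still present")
    for block, cmds in parse_vty_blocks(config).items():
        if "transport input ssh" not in cmds:
            findings.append(f"{block}: transport input is not ssh-only")
        if "login local" not in cmds:
            findings.append(f"{block}: login local missing")
    return findings
```

Feed it the output of `show running-config` from your own device; every VTY range is checked separately, because `line vty 0 4` alone leaves any higher-numbered lines at their previous settings.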


Conclusion

You’ve successfully enabled SSH on your Cisco IOS device, significantly improving the security of your device management. Remember, security is an ongoing process, not a one-time setup. Regularly update your device configurations, passwords, and firmware to protect against new vulnerabilities and threats.

For further reading, Cisco provides comprehensive documentation on IOS commands and configuration guides that can delve deeper into advanced security features and best practices.


References

Configure SSH on Routers and Switches - Cisco
