Oct 12, 2009

Easy enabling Secure Shell (SSH) on Cisco Routers & Switches

As most of you know, Telnet has no security mechanisms: it sends passwords in clear text, and they can easily be seen with a packet sniffer such as Wireshark, formerly called Ethereal (see the post Easy capturing Telnet Password using Wireshark Packet Sniffer for the complete procedure). Instead of Telnet, you can use Secure Shell (SSH), which creates a more secure session than Telnet's unencrypted data stream. Think of SSH as a security-enabled version of Telnet: it uses encryption keys to protect the session, so your username and password are not sent in clear text.

Here are the steps to set up SSH:

1. Set your hostname:
Router(config)#hostname R_1

2. Set the domain name (both the hostname and domain name are required for the encryption keys to be generated):
R_1(config)#ip domain-name example.com

3. Generate the encryption keys for securing the session:
R_1(config)#crypto key generate rsa general-keys
You will then be asked for the number of bits to use for the asymmetric (public/private) key pair. 1024-bit keys are fine for most router platforms; generating 2048-bit keys is CPU intensive. Key generation can take anywhere from a few seconds to 15 minutes, depending on your platform.

4. Set the max idle timer for an SSH session to 60 seconds:
R_1(config)#ip ssh time-out 60

5. Set the max failed attempts for an SSH connection to 2:
R_1(config)#ip ssh authentication-retries 2

6. Then go to vty line configuration mode with the following command. The last vty line number varies from router to router; use a question mark to see the highest available line number:
R_1(config)#line vty 0 ?
R_1(config)#line vty 0 4

7. Finally, configure SSH and then Telnet as the access protocols:
R_1(config-line)#transport input ssh telnet

If you do not use the keyword telnet at the end of the command string, then only SSH will work on the router.
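The whole procedure as one configuration session, added here as an example rather than taken from the original post. The hostname, domain name, the admin account with its placeholder secret, and the vty 0 4 range are assumptions; the ip ssh version 2, login local and exec-timeout lines are hardening the post does not cover, and the two transport input lines show the step 7 setting next to the SSH-only one.

```cisco
! Added example (not from the original post): the steps above as one
! session, plus a few hardening lines the post does not cover.
! Hostname, domain, username/secret and the vty range are placeholders.
Router> enable
Router# configure terminal
Router(config)# hostname R_1
R_1(config)# ip domain-name example.com
! 'modulus' supplies the bit size up front instead of answering the prompt;
! 1024 (as the post suggests) is lighter on older platforms
R_1(config)# crypto key generate rsa general-keys modulus 2048
! Timer and retry limit from steps 4 and 5
R_1(config)# ip ssh time-out 60
R_1(config)# ip ssh authentication-retries 2
! Accept only SSH protocol version 2 (SSHv1 has known weaknesses)
R_1(config)# ip ssh version 2
! A local account so the vty lines can authenticate with 'login local'
R_1(config)# username admin privilege 15 secret CHANGE_ME_PLACEHOLDER
R_1(config)# line vty 0 4
R_1(config-line)# login local
! Idle timeout for an established session, minutes then seconds;
! 'ip ssh time-out' above applies to the SSH negotiation phase only
R_1(config-line)# exec-timeout 10 0
! Step 7 as written: Telnet (cleartext) is still accepted alongside SSH
R_1(config-line)# transport input ssh telnet
! SSH only: the line below replaces the one above, so no cleartext logins
R_1(config-line)# transport input ssh
R_1(config-line)# end
! Verify: version, timeout and retries in effect, active sessions, vty config
R_1# show ip ssh
R_1# show ssh
R_1# show running-config | section line vty
```

After saving with write memory, confirm from another host that an SSH login works before closing the Telnet session you are configuring from.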
