In this How To we will explain the basics of SSH configuration on Cisco IOS.
To start, we recommend verifying that you are running an IOS version that supports triple-DES and SSH. With that said, let’s jump in.
First, make sure your router has a hostname by using the hostname command. Here’s an example:
Router# configure terminal
Router(config)# hostname cell_pe01
Next, configure a domain name on your router using the ip domain-name command. Here’s an example:
cell_pe01(config)# ip domain-name cellstream.com
Now create an RSA encryption key pair for the router to use for authentication and encryption of the SSH data. One of the questions you must answer during this process is the modulus size of the key. Make sure the key modulus is at least 768 bits. Here’s an example:
cell_pe01(config)# crypto key generate rsa
The name for the keys will be: cell_pe01.cellstream.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus : 768
% Generating 768 bit RSA keys …[OK]
cell_pe01(config)#*Mar 1 00:17:13.337: %SSH-5-ENABLED: SSH 1.5 has been enabled
As you can see from this example, after the system generates the key, you’ll receive a message that it has automatically enabled SSH 1.5 on the router. To clarify, SSH 1.5 is Cisco’s way of saying this router is running SSH1. If the system has enabled support for both SSH1 and SSH2, this message would say SSH 1.99. If the system has only enabled support for SSH2, the message would say SSH 2.0.
You can also configure SSH settings if you choose. To do so, use the ip ssh command with whichever parameters you choose to set. (Different IOS versions have different options because they support different versions of SSH.) Here’s an example:
cell_pe01(config)# ip ssh ?
  authentication-retries  Specify number of authentication retries
  port                    Starting (or only) port number to listen on
  rsa                     Configure RSA keypair name for SSH
  source-interface        Specify interface for source address in SSH connections
  time-out                Specify SSH time-out interval
cell_pe01(config)# ip ssh
Configuring optional SSH settings completes the process of configuring SSH on the router. Now, let’s take a look at showing the SSH status.
To view the status of SSH, you can use the following commands:
- Use ‘show ip ssh’ to view SSH settings.
- Use ‘show ssh’ to view SSH connections.
Here’s an example:
cell_pe01# show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
cell_pe01# show ssh
%No SSH server connections running.
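As an added example (not part of this How To), the following Python script parses ‘show ip ssh’ output like the sample above and flags a router that still accepts SSH protocol 1 (reported as version 1.5 or 1.99) or whose authentication timeout and retry limits exceed a chosen baseline. The sample outputs are constructed for illustration, and the baseline thresholds are assumptions.

```python
import re

# Constructed sample outputs modelled on the "show ip ssh" output above; the
# first mirrors the How To, the others are constructed variants for testing.
SAMPLE_SSH1_ONLY = (
    "SSH Enabled - version 1.5\n"
    "Authentication timeout: 120 secs; Authentication retries: 3\n"
)
SAMPLE_SSH1_AND_2 = (
    "SSH Enabled - version 1.99\n"
    "Authentication timeout: 300 secs; Authentication retries: 5\n"
)
SAMPLE_SSH2_ONLY = (
    "SSH Enabled - version 2.0\n"
    "Authentication timeout: 60 secs; Authentication retries: 2\n"
)
SAMPLE_DISABLED = "SSH Disabled - version 1.99\n"

def parse_show_ip_ssh(text):
    """Extract enabled flag, reported version, auth timeout and retries."""
    # Accept '-' or the en dash that copy/paste of IOS output often produces.
    m = re.search(r"SSH (Enabled|Disabled)\s*[-\u2013]\s*version (\d+\.\d+)", text)
    if not m:
        raise ValueError("unrecognised 'show ip ssh' output")
    t = re.search(r"Authentication timeout: (\d+) secs", text)
    r = re.search(r"Authentication retries: (\d+)", text)
    return {"enabled": m.group(1) == "Enabled", "version": m.group(2),
            "timeout": int(t.group(1)) if t else None,
            "retries": int(r.group(1)) if r else None}

def audit_ssh(text, max_timeout=120, max_retries=3):
    """Return a list of findings; an empty list means the device passes."""
    info = parse_show_ip_ssh(text)
    if not info["enabled"]:
        return ["SSH server disabled: no RSA key pair generated yet"]
    findings = []
    # 1.5 = SSH1 only, 1.99 = SSH1 and SSH2 accepted, 2.0 = SSH2 only.
    if info["version"] in ("1.5", "1.99"):
        findings.append("SSH protocol 1 accepted (version %s)" % info["version"])
    if info["timeout"] is not None and info["timeout"] > max_timeout:
        findings.append("auth timeout %d secs exceeds %d" % (info["timeout"], max_timeout))
    if info["retries"] is not None and info["retries"] > max_retries:
        findings.append("auth retries %d exceeds %d" % (info["retries"], max_retries))
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_SSH1_ONLY, SAMPLE_SSH1_AND_2, SAMPLE_SSH2_ONLY, SAMPLE_DISABLED):
        print(audit_ssh(sample) or ["OK"])
```

Paste the real ‘show ip ssh’ output of each router into audit_ssh to get a quick inventory of which devices still answer SSH1 clients.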
SSH debug commands are also available by using the debug ip ssh command.
You can use a device’s built-in SSH client to connect to other SSH servers. The Privileged Mode command is ssh. Here’s an example:
cell_pe01# ssh ?
  -c    Select encryption algorithm
  -l    Log in using this username
  -o    Specify options
  -p    Connect to this port
  WORD  IP address or hostname of a remote system
A few words of caution: researchers have on several occasions discovered vulnerabilities in a number of Cisco IOS versions with SSH support. To make sure the IOS version you’re running isn’t affected, see “Cisco Security Advisory: Vulnerabilities in Cisco IOS Secure Shell Server” on the Cisco web site.
We hope this helps with SSH usage.