In this lesson, we will learn how to configure SSH on Cisco IOS devices. This tutorial shows how to enable SSH by generating an RSA key pair, how to allow only SSH as the remote management protocol on the VTY lines, and how to tighten SSH access with a few best practices.

If you are not familiar with SSH (Secure Shell), it is the standard secure way to manage a remote device over the network: it encrypts the whole session, including the login credentials, and listens on TCP port 22 by default. The protocol is defined in RFC 4253 (the SSH Transport Layer Protocol) if you want the details.

How to configure SSH on Cisco IOS devices

We will configure SSH in a few steps. So, let’s configure SSH on Cisco IOS devices.

First of all, let’s configure the hostname of the device. We will call it “IOS”.

Router#configure terminal
Router(config)#hostname IOS
IOS(config)# 

Now, we need to configure a domain name for our system. We will call it letsconfig.local.

IOS(config)#ip domain-name letsconfig.local

We configured the hostname and domain name because both are needed to generate the RSA key pair: IOS names the key pair hostname.domain-name. With hostname IOS and domain name letsconfig.local, our key pair will be named IOS.letsconfig.local. Let’s generate it.

IOS(config)#crypto key generate rsa modulus ?
  <360-4096>  size of the key modulus [360-4096] 

Note that the key modulus can be anywhere from 360 to 4096 bits. A larger modulus is stronger but slower to generate and slower for every session setup. Anything below 1024 bits is considered broken today and must not be used; 2048 bits is the usual minimum for new deployments, so we will choose 2048.

IOS(config)#crypto key generate rsa modulus 2048
The name for the keys will be: IOS.letsconfig.local

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 4 seconds)

IOS(config)#
*Sep 16 14:16:02.268: %SSH-5-ENABLED: SSH 1.99 has been enabled
IOS(config)# 

Our key pair is ready and, as the log message shows, IOS enabled the SSH server automatically once a key existed. Now, let’s configure the VTY lines and allow only SSH.

IOS(config)#line vty 0 4
IOS(config-line)#transport input ssh
IOS(config-line)#login local
IOS(config-line)# 

“transport input ssh” means that only SSH is accepted on these lines; Telnet, which sends usernames and passwords in clear text, is no longer allowed. “login local” makes the lines authenticate against the local username database. Two things to check before you close your current session: first, many platforms have more than five VTY lines (see “show line”), and the same settings must be applied to all of them, for example with “line vty 0 15”, otherwise the remaining lines may still accept Telnet; second, a local user must exist, because “login local” with no local users locks you out of remote access. If you have not configured a local user yet, do it now. Use the “secret” keyword rather than “password” so the credential is stored hashed in the configuration, and since privilege 15 grants full enable-level access, choose a strong password (admin@123 below is only a placeholder for this lesson).

IOS(config)#username admin privilege 15 secret admin@123

Verification

Now, let’s verify SSH with the “show ip ssh” command.

IOS#show ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): IOS.letsconfig.local
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLCXgfn9B0Uk/2GgjqqV3iZpEjQ9QstpnHP0K3mX/1
bGBmHgsEbdK6lA5urJeBdyWuTlkERx+swjNeSzcZPCCdN/LJcgc8E8agyzGW6p882B3fD+SpARL0DFF4
1n1DQHYHbenRk9FwHeDRXN1CHgC7VScC2kMxe7UxzM8Fut3xpNQZo20MmMRrZ0EF54F5JKR2qQyHH3Ws
RCd8DCKQILlDKXxpCls52lgvp5nkK6EG/osf94cT6f82a93EzqaUdwklOl65EJnoqBBWfx+8WPdAeyYW
lPa5aJfSeGBM2+6NBw5nmvk9mX7Fr7I7u1KXqjJ8NGpGhxrOXItWPkuXgfQB
IOS#

Sure enough, SSH is active. However, the version shows as 1.99. That is not a real version number: per RFC 4253, a server that identifies itself as 1.99 accepts both SSHv1 and SSHv2 clients. SSHv1 has known protocol weaknesses, so we will allow SSHv2 only. The command below restricts the server to version 2 (the SSH article on Wikipedia has more background on the protocol versions).

IOS(config)#ip ssh version 2

After applying it, let’s verify again.

IOS#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): IOS.letsconfig.local
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLCXgfn9B0Uk/2GgjqqV3iZpEjQ9QstpnHP0K3mX/1
bGBmHgsEbdK6lA5urJeBdyWuTlkERx+swjNeSzcZPCCdN/LJcgc8E8agyzGW6p882B3fD+SpARL0DFF4
1n1DQHYHbenRk9FwHeDRXN1CHgC7VScC2kMxe7UxzM8Fut3xpNQZo20MmMRrZ0EF54F5JKR2qQyHH3Ws
RCd8DCKQILlDKXxpCls52lgvp5nkK6EG/osf94cT6f82a93EzqaUdwklOl65EJnoqBBWfx+8WPdAeyYW
lPa5aJfSeGBM2+6NBw5nmvk9mX7Fr7I7u1KXqjJ8NGpGhxrOXItWPkuXgfQB
IOS#
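Restricting the server to version 2 is only the first step: the output above still offers the CBC ciphers and 3DES, SHA-1 MACs, and a 1024-bit minimum Diffie-Hellman group, which you would normally tighten next. As an added example that is not part of the original tutorial and not a Cisco tool, the following Python script parses a “show ip ssh” listing (the one above, embedded as sample input so it runs offline), flags the settings a practitioner would object to, and prints the IOS commands that remediate them. The thresholds are this example’s own policy, and the commands it emits (ip ssh server algorithm encryption/mac, ip ssh dh min size, ip ssh time-out, ip ssh authentication-retries) exist on recent IOS and IOS-XE releases, but exact availability and the algorithm names a given image accepts depend on the software version; check with “ip ssh server algorithm mac ?” before applying.

```python
"""Audit a Cisco IOS 'show ip ssh' listing and print hardening commands.

Added example for the tutorial above; not Cisco's code and not part of the
original page. The parser only understands the line formats visible in the
page's own 'show ip ssh' output. The thresholds below are this example's
policy (assumptions), and the IOS commands it suggests exist on recent
IOS/IOS-XE releases but availability and algorithm names vary by release.
"""
import re

# Constructed sample: the 'show ip ssh' output from the tutorial, taken after
# 'ip ssh version 2' was applied, embedded here so the script runs offline.
SAMPLE_SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
"""

# Policy for this example (assumptions, not Cisco defaults): CBC modes and
# 3DES are out, SHA-1 and truncated MACs are out, DH groups must be >= 2048 bits.
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"}
PREFERRED_CIPHERS = ["aes256-ctr", "aes192-ctr", "aes128-ctr"]
PREFERRED_MACS = ["hmac-sha2-256", "hmac-sha2-512"]
MIN_DH_BITS = 2048
MAX_AUTH_TIMEOUT = 60   # seconds a half-open login may wait before being dropped
MAX_AUTH_RETRIES = 3


def parse_show_ip_ssh(text):
    """Extract the settings we audit from the text of 'show ip ssh'."""
    info = {"enabled": False, "version": None, "ciphers": [], "macs": [],
            "timeout": None, "retries": None, "dh_min": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"SSH (Enabled|Disabled) - version ([\d.]+)", line)
        if m:
            info["enabled"] = m.group(1) == "Enabled"
            info["version"] = m.group(2)
        elif line.startswith("Encryption Algorithms:"):
            info["ciphers"] = line.split(":", 1)[1].split(",")
        elif line.startswith("MAC Algorithms:"):
            info["macs"] = line.split(":", 1)[1].split(",")
        elif line.startswith("Authentication timeout:"):
            m = re.search(r"timeout: (\d+) secs; Authentication retries: (\d+)", line)
            info["timeout"], info["retries"] = int(m.group(1)), int(m.group(2))
        elif "Diffie Hellman key size" in line:
            info["dh_min"] = int(re.search(r"(\d+) bits", line).group(1))
    return info


def audit(info):
    """Return (findings, fixes): what is weak and the IOS config lines that fix it."""
    findings, fixes = [], []
    if not info["enabled"]:
        findings.append("SSH server not enabled (no RSA key pair yet)")
        fixes.append("crypto key generate rsa modulus 2048")
    if info["version"] != "2.0":
        findings.append("version %s: SSHv1 clients are still accepted" % info["version"])
        fixes.append("ip ssh version 2")
    weak = [c for c in info["ciphers"] if c in WEAK_CIPHERS]
    if weak:
        findings.append("weak ciphers offered: " + ",".join(weak))
        fixes.append("ip ssh server algorithm encryption " + " ".join(PREFERRED_CIPHERS))
    weak = [m for m in info["macs"] if m in WEAK_MACS]
    if weak:
        findings.append("legacy MACs offered: " + ",".join(weak))
        fixes.append("ip ssh server algorithm mac " + " ".join(PREFERRED_MACS))
    if info["dh_min"] is not None and info["dh_min"] < MIN_DH_BITS:
        findings.append("minimum DH size %d bits is below %d" % (info["dh_min"], MIN_DH_BITS))
        fixes.append("ip ssh dh min size %d" % MIN_DH_BITS)
    if info["timeout"] is not None and info["timeout"] > MAX_AUTH_TIMEOUT:
        findings.append("authentication timeout %d s is long" % info["timeout"])
        fixes.append("ip ssh time-out %d" % MAX_AUTH_TIMEOUT)
    if info["retries"] is not None and info["retries"] > MAX_AUTH_RETRIES:
        findings.append("authentication retries %d is high" % info["retries"])
        fixes.append("ip ssh authentication-retries %d" % MAX_AUTH_RETRIES)
    return findings, fixes


if __name__ == "__main__":
    found, todo = audit(parse_show_ip_ssh(SAMPLE_SHOW_IP_SSH))
    for f in found:
        print("FINDING:", f)
    print("configure terminal")
    for line in todo:
        print(" " + line)
    print("end")
```

Run it against a saved “show ip ssh” capture and paste the emitted lines into configuration mode; then take a fresh “show ip ssh” and rerun the script until it reports nothing. Keep the console or a second session open while changing the algorithm lists, because a client that does not support the remaining algorithms will no longer be able to connect, and a device whose key pair is missing is reported first so that the remaining checks are not applied to a server that is not running.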

If a user is connected through SSH, you can use the “show ssh” command to see the session, including the negotiated cipher and MAC and the authenticated username.

IOS#show ssh
Connection Version Mode Encryption  Hmac         State                 Username
0          2.0     IN   aes256-ctr  hmac-sha1    Session started       admin
0          2.0     OUT  aes256-ctr  hmac-sha1    Session started       admin
%No SSHv1 server connections running.
IOS#

Written by Rajib Kumer Das

I am Rajib Kumer Das, a network engineer with 7+ years of experience in multi-vendor environments. In my current company, I am responsible for taking care of critical projects and their support cases. I hold several vendor certificates and have plans to go further.
