Using SSH on Cisco devices
Network administrators need ways to configure, monitor and manage their devices beyond physical access through the console port.
That remote access to the command-line interface (CLI) must therefore be secured: enable a reliable, encrypted protocol such as SSH and disable insecure ones such as Telnet, which carries credentials and session contents in cleartext.
Configuration Guidelines
1. Configure a hostname (different from the factory default) and a domain name. The RSA key pair generated in step 3 is named hostname.domain-name, so both must be set first.
Router# config t
Router(config)# hostname R1
R1(config)# ip domain-name icttowers.com
R1(config)#
2. Create local users (preferably with the secret keyword, which stores a salted hash instead of a cleartext or reversibly encoded password; on IOS releases that support it, an algorithm-type of scrypt or sha256 is stronger still)
R1(config)#
R1(config)# username user1 password Rp@ss01#
R1(config)# username user2 secret P@ssw0r6!
R1(config)# exit
R1# show running-config | include username
username user1 password 0 Rp@ss01#
username user2 secret 5 $1$mERr$6gBRiMB2QuI5XfWDwoMkM1
R1#
Note the difference in the output: user1's password is stored as type 0 (cleartext) and is readable by anyone who can view the configuration, whereas user2's is stored as a type 5 hash.
3. Generate RSA keys (SSH version 2 requires a modulus of at least 768 bits; use 2048 or more)
R1(config)#
R1(config)# crypto key generate rsa
The name for the keys will be: R1.icttowers.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
The larger the modulus, the harder the key is to factor, at the cost of longer generation time and more CPU per handshake. Never accept the 512-bit default offered by the prompt; 2048 bits is the practical minimum today.
4. Configure SSH version 2, the number of authentication retries, and the negotiation time-out in seconds (ip ssh time-out bounds the SSH negotiation phase only; idle sessions are limited with exec-timeout on the line)
R1(config)#
R1(config)# ip ssh version 2
R1(config)# ip ssh authentication-retries 2
R1(config)# ip ssh time-out 30
R1(config)#
5. Restrict the VTY lines to SSH, limit the number of simultaneous sessions, and point login at the local user database
R1(config)#
R1(config)# line vty 0 2
R1(config-line)# transport input ssh
R1(config-line)# transport output ssh
R1(config-line)# login local
R1(config-line)#
Two points are worth highlighting here:
- line vty 0 2 selects three virtual terminal lines, so at most three simultaneous remote sessions can use this configuration. VTY lines outside that range (for example vty 3 4) keep their previous settings and may still accept Telnet; apply the same transport input, login and access-class commands to every VTY line on the device.
- transport input ssh limits inbound connections on these lines to SSH, so Telnet and all other transports are refused; transport output ssh likewise limits outbound connections started from these lines to SSH.
6. Use an ACL as an additional filter on the VTY lines
R1(config)#
R1(config)# access-list 1 permit host 172.16.10.1
R1(config)# access-list 1 permit 172.16.20.0 0.0.0.255
R1(config)# line vty 0 2
R1(config-line)# access-class 1 in
R1(config-line)#
Three points are worth highlighting here:
- Either a standard or an extended access list can be applied with access-class; a standard list matches only the source address of the connecting host, which is what matters here.
- Hosts not permitted by the ACL have their connection refused before any login prompt appears, so they cannot even attempt to guess credentials.
- The ACL is the first barrier and authentication the second; the ACL also confines exposure of the SSH service to the listed management addresses.
7. Basic verification
Test from a neighbouring device (R2) that reaches R1 at 172.16.1.1:
R2#
R2# ssh 172.16.1.1
% No user specified nor available for SSH client
R2# ssh -l 172.16.1.1
% Incomplete command.
R2# ssh -l user2 172.16.1.1
Password:
R1>
The first two attempts fail on the client side (no username given, then a username with no host); the third reaches R1, authenticates user2 against the local database and lands in user EXEC mode. Complete the verification by repeating the test from an address that access-list 1 does not permit, and with Telnet from a permitted address, to confirm that both are refused.
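After the manual test, it is useful to check the resulting configuration against every step of the guide at once. The script below is an added example, not Cisco code and not part of the original page: it parses the text of show running-config and reports which hardening steps are missing. The sample configuration it audits is constructed for this example from the commands above, with one assumption added: a "line vty 3 4" stanza left at its defaults, which a router with five VTY lines would have after the walkthrough configures only vty 0 2. The check names, the DEFAULT_HOSTNAMES set and the treatment of "login authentication" as acceptable are the example's own choices.

```python
"""Audit a Cisco IOS running-config for the SSH hardening steps in this guide.

Added example, not Cisco code: it reads the text of "show running-config"
and reports which steps above are missing, including VTY lines the
walkthrough never touched.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the guide's R1 configuration plus a "line vty 3 4"
# stanza left at defaults (assumed to exist; the page only configures vty 0 2).
SAMPLE_CONFIG = """\
hostname R1
!
ip domain-name icttowers.com
!
username user1 password 0 Rp@ss01#
username user2 secret 5 $1$mERr$6gBRiMB2QuI5XfWDwoMkM1
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
!
access-list 1 permit host 172.16.10.1
access-list 1 permit 172.16.20.0 0.0.0.255
!
line con 0
line vty 0 2
 access-class 1 in
 login local
 transport input ssh
 transport output ssh
line vty 3 4
 login
!
end
"""

DEFAULT_HOSTNAMES = {"Router", "Switch"}  # factory names we refuse to accept


@dataclass
class VtyBlock:
    """One 'line vty A B' stanza and its indented sub-commands."""
    first: int
    last: int
    commands: list = field(default_factory=list)

    @property
    def name(self):
        return f"line vty {self.first} {self.last}"


def parse_vty_blocks(config):
    """Collect every VTY stanza; an indented line belongs to the stanza above it."""
    blocks, current = [], None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+) (\d+)\s*$", raw)
        if m:
            current = VtyBlock(int(m.group(1)), int(m.group(2)))
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current.commands.append(raw.strip())
        elif raw.strip():
            current = None  # any other top-level command ends the stanza
    return blocks


def audit_ssh_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    top = [line.strip() for line in config.splitlines()]

    host = next((l.split(None, 1)[1] for l in top if l.startswith("hostname ")), None)
    if host is None or host in DEFAULT_HOSTNAMES:
        findings.append("hostname missing or still the factory default")
    if not any(l.startswith("ip domain-name ") for l in top):
        findings.append("ip domain-name missing (RSA key cannot be generated)")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set (SSHv1 still accepted)")

    # 'password 0' is cleartext and 'password 7' is reversible; only 'secret' is hashed.
    for l in top:
        m = re.match(r"^username (\S+) password [07] ", l)
        if m:
            findings.append(f"user {m.group(1)} uses a reversible password (use secret)")

    for vty in parse_vty_blocks(config):
        if "transport input ssh" not in vty.commands:
            findings.append(f"{vty.name}: transport input not restricted to ssh")
        # 'login local' or an AAA method list is acceptable; bare 'login' or
        # 'no login' is not.
        if not any(c == "login local" or c.startswith("login authentication ")
                   for c in vty.commands):
            findings.append(f"{vty.name}: login not using the local user database")
        if not any(re.match(r"^access-class \S+ in$", c) for c in vty.commands):
            findings.append(f"{vty.name}: no inbound access-class")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG):
        print("FAIL:", finding)
```

Run against the sample, the audit flags user1's cleartext password and the three gaps on line vty 3 4 (Telnet still allowed, no local login, no access-class), while line vty 0 2 passes; this is the condition described in step 5, where VTY lines outside the configured range keep their old settings. The RSA modulus size is not visible in the running configuration, so that step still has to be checked with show crypto key mypubkey rsa on the device.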