Welcome again to our Cisco CCNA preparation series. Today, we would like to present you how you can configure and troubleshoot SSH access on your Cisco router.

SSH is a protocol used by network administrators to securely configure the routers from remote locations. Back in the days, telnet was used for this operation. However, telnet was not providing any secure authentication mechanisms, allowing an attacker to see the username and password sent to the router if he was able to capture the packets. Man in the Middle (MITM) attacks are common these days and were a common practice then too. SSH was designed as a replacement for Telnet to provide confidentiality and integrity of data through encryption mechanisms.

SSH  uses the client-server model. A device to which you want to connect must run a server instance. The default port used by SSH is TCP 22. For the authentication mechanism, SSH uses public-key cryptography.

SSH was originally designed as SSH-1. SSH-1 appeared in 1995 and its goal was to replace the rlogin, Telnet and rsh protocols, because those protocols were sending data unencrypted over the network. However, due to a design flaw which made SSH vulnerable to various kinds of attacks, in 1996 a revised version of SSH was designed. SSH-2 is currently the used version of the SSH protocol and every time you refer to SSH you actually talk about SSH-2. SSH-1 is considered obsolete and should be avoided by explicitly configuring SSH to use version 2 of the protocol. SSH-2 is backward compatible with the original SSH implementation, but its designed corrected the flaws from the first version.

The SSH-2 protocol has its internal architecture with three separated layers.

The transport layer handles the initial key exchange and server authentication, sets up encryption, compression and integrity verification.

The user authentication layer handles the authentication of the client and provides a number of authentication methods such as password (based on a password) and publickey (using DSA or RSA keypairs). More authentication mechanisms can be available, depending on the SSH implementation.

The last layer, the connection layer, defines the concept of channels, channel requests and global requests. The standard channels are: shell – for terminal shells, SFTP and exec requests; direct-tcpip – for client-to-server forwarded connections and forwarded-tcpip – for server-to-client forwarded connections.

In order to implement a SSH server on a Cisco router or switch, lets first configure the device to accept telnet logins with locally configured usernames and passwords. For a device to accept local usernames and passwords you can use the aaa new-model or login local commands. We will use aaa new-model.

Router(config)#aaa new-model
Router(config)#username cisco password 0 cisco
Router(config)#line vty 0 4
Router(config-line)#transport input telnet

We can now telnet to the router with the configured username cisco and password cisco. Now, we have to add a couple of lines to enable SSH.

Router(config)#ip domain-name yourdomain.com
Router(config)#crypto key generate rsa
The name for the keys will be: Router.yourdomain.com

Choose the size of the key modulus in the range of 360 to 2048 for your

General Purpose Keys. Choosing a key modulus greater than 512 may take

a few minutes.

How many bits in the modulus


% Generating 512 bit RSA keys, keys will be non-exportable…[OK] Router(config)#ip ssh time-out 60
Router(config)#ip ssh authentication-retries 3
Router(config)#line vty 0 4
Router(config-line)#transport input ssh

As we previously told you, SSH uses public-key cryptography. The first step in enabling SSH access to your router is to generate an RSA key with crypto key generate rsa global configuration command.

You can also modify some SSH parameters like connection time-out and authentication retries. The most important parameter which you should never forget to change, is to explicitly allow only SSH-2 connections. By default, SSH accepts both SSH-1 and SSH-2 connections. You must use the ip ssh version 2 global configuration command to configure this parameter.

Router(config)#ip ssh version 2

To be able to use a router or a switch as a SSH client you must configure the hostname too in addition to the configuration made to act as a SSH server.

Router(config)#hostname Router

To connect to a SSH router from one use the following command for SSH-1:

Router#ssh -l cisco -c 3des

Or for SSH-2:

Router#ssh -v 2 -c aes256-cbc -m hmac-sha-1-160 -l cisco

The -l specifies the username, -c the encryption algorithm, -m the HMAC algorithm and -v the protocol version.

To troubleshoot SSH, you have the show ssh, show ip ssh and debug ip ssh commands.

Router#debug ip ssh
Incoming SSH debugging is on

*Mar  1 00:30:30.494: SSH0: starting SSH control process
*Mar  1 00:30:30.494: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
*Mar  1 00:30:30.494: SSH0: protocol version id is – SSH-2.0-OpenSSH_5.1
*Mar  1 00:30:30.494: SSH2 0: send: len 280 (includes padlen 4)
*Mar  1 00:30:30.494: SSH2 0: SSH2_MSG_KEXINIT sent
*Mar  1 00:30:30.503: SSH2 0: ssh_receive: 792 bytes received
*Mar  1 00:30:30.503: SSH2 0: input: packet len 792
*Mar  1 00:30:30.503: SSH2 0: partial packet 8, need 784, maclen 0
*Mar  1 00:30:30.503: SSH2 0: input: padlen 8
*Mar  1 00:30:30.503: SSH2 0: received packet type 20
*Mar  1 00:30:30.503: SSH2 0: SSH2_MSG_KEXINIT received
*Mar  1 00:30:30.503: SSH2: kex: client->server aes128-cbc hmac-md5 none
*Mar  1 00:30:30.503: SSH2: kex: server->client aes128-cbc hmac-md5 none
*Mar  1 00:30:30.536: SSH2 0: expecting SSH2_MSG_KEXDH_INIT
*Mar  1 00:30:30.704: SSH2 0: ssh_receive: 144 bytes received
*Mar  1 00:30:30.704: SSH2 0: input: packet len 144
*Mar  1 00:30:30.704: SSH2 0: partial packet 8, need 136, maclen 0
*Mar  1 00:30:30.704: SSH2 0: input: padlen 5
*Mar  1 00:30:30.704: SSH2 0: received packet type 30
*Mar  1 00:30:30.704: SSH2 0: SSH2_MSG_KEXDH_INIT received
*Mar  1 00:30:30.889: SSH2 0: signature length 143
*Mar  1 00:30:30.889: SSH2 0: send: len 448 (includes padlen 8)
*Mar  1 00:30:30.889: SSH2: kex_derive_keys complete
*Mar  1 00:30:30.889: SSH2 0: send: len 16 (includes padlen 10)
*Mar  1 00:30:30.889: SSH2 0: newkeys: mode 1
*Mar  1 00:30:30.897: SSH2 0: SSH2_MSG_NEWKEYS sent
*Mar  1 00:30:30.897: SSH2 0: waiting for SSH2_MSG_NEWKEYS
*Mar  1 00:30:30.956: SSH2 0: ssh_receive: 16 bytes received
*Mar  1 00:30:30.956: SSH2 0: input: packet len 16
*Mar  1 00:30:30.956: SSH2 0: partial packet 8, need 8, maclen 0

Router#show ssh
Connection Version Mode Encryption  Hmac         State               Username
0          2.0     IN   aes128-cbc  hmac-md5     Session started       cisco
0          2.0     OUT  aes128-cbc  hmac-md5     Session started       cisco
%No SSHv1 server connections running.

Router#show ip ssh
SSH Enabled – version 2.0
Authentication timeout: 60 secs; Authentication retries: 3

We hope you enjoyed this lesson and you found it useful for your CCNA certification preparation, as well as a great hands-on experience. We are proud to provide certification training with real world examples.

Please also see our Lab Suggestions and our CCENT & CCNA Lab Certification Kits