Welcome again to our Cisco CCNA preparation series. Today we would like to show you how to configure and troubleshoot SSH access on a Cisco router.
SSH is a protocol used by network administrators to securely configure routers from remote locations. In the past, Telnet was used for this purpose. However, Telnet provided no secure authentication mechanism: an attacker who was able to capture the packets could read the username and password sent to the router. Man-in-the-Middle (MITM) attacks are common these days and were a common practice then too. SSH was designed as a replacement for Telnet to provide confidentiality and integrity of data through encryption.
SSH uses the client-server model: the device you want to connect to must run an SSH server instance. The default port used by SSH is TCP 22. For authentication, SSH uses public-key cryptography.
SSH was originally designed as SSH-1. SSH-1 appeared in 1995 and its goal was to replace the rlogin, Telnet and rsh protocols, because those protocols sent data unencrypted over the network. However, due to a design flaw which left SSH vulnerable to various kinds of attacks, a revised version of SSH was designed in 1996. SSH-2 is the version in use today, and every time you refer to SSH you are actually talking about SSH-2. SSH-1 is considered obsolete and should be avoided by explicitly configuring SSH to use version 2 of the protocol. SSH-2 is backward compatible with the original SSH implementation, but its design corrected the flaws of the first version.
The SSH-2 protocol has an internal architecture with three separate layers.
The transport layer handles the initial key exchange and server authentication, and sets up encryption, compression and integrity verification.
The user authentication layer handles the authentication of the client and provides a number of authentication methods, such as password (a simple password) and publickey (using DSA or RSA keypairs). Additional authentication mechanisms may be available, depending on the SSH implementation.
The last layer, the connection layer, defines the concept of channels, channel requests and global requests. The standard channels are: shell – for terminal shells, SFTP and exec requests; direct-tcpip – for client-to-server forwarded connections; and forwarded-tcpip – for server-to-client forwarded connections.
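A practical check that follows from the two points above (SSH-1 should be disabled explicitly, and the transport layer starts with an identification exchange) is to read the identification string the device sends when a client connects on TCP 22: per RFC 4253 a protoversion of "2.0" means SSH-2 only, while "1.99" means the server still accepts SSH-1 clients. The script below is an added example, not code from the original tutorial or from Cisco; the sample banners are constructed, and the host passed to read_banner() is assumed.

```python
"""Classify the SSH protocol versions a server advertises (added example)."""
import re
import socket

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def classify_banner(line: str) -> dict:
    """Parse one identification string and report which protocol versions it allows."""
    line = line.rstrip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto = m.group("proto")
    if proto == "2.0":
        versions = ("2",)        # SSH-2 only: what 'ip ssh version 2' should yield
    elif proto == "1.99":
        versions = ("1", "2")    # compatibility mode: obsolete SSH-1 still accepted
    elif proto.startswith("1."):
        versions = ("1",)        # SSH-1 only
    else:
        raise ValueError(f"unknown protocol version {proto!r}")
    return {
        "protoversion": proto,
        "software": m.group("software"),
        "ssh1_enabled": "1" in versions,
        "ssh2_only": versions == ("2",),
    }


def read_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect to a live host, skip any pre-banner lines, return the SSH- line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for raw in f:  # RFC 4253 allows other lines before the identification string
            line = raw.decode("ascii", errors="replace")
            if line.startswith("SSH-"):
                return line
    raise ConnectionError("server closed the connection without an identification string")


# Constructed sample banners: Cisco IOS in compatibility mode vs. version 2 only
SAMPLE_BANNERS = {
    "compat": "SSH-1.99-Cisco-1.25\r\n",
    "v2only": "SSH-2.0-Cisco-1.25\r\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, classify_banner(banner))
```

Against a real device, replace the sample banners with classify_banner(read_banner("router.yourdomain.com")) and confirm that ssh1_enabled is False after SSH version 2 has been enforced.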
In order to implement an SSH server on a Cisco router or switch, let's first configure the device to accept Telnet logins with locally configured usernames and passwords. For a device to accept local usernames and passwords you can use the aaa new-model or login local commands. We will use aaa new-model.
Router(config)#aaa new-model
Router(config)#username cisco password 0 cisco
Router(config)#line vty 0 4
Router(config-line)#transport input telnet
We can now telnet to the router with the configured username cisco and password cisco. Next, we have to add a couple of lines to enable SSH.
Router(config)#ip domain-name yourdomain.com
Router(config)#crypto key generate rsa
The name for the keys will be: Router.yourdomain.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus