Configure SSH on your Cisco router

Most IT pros know that using Telnet to manage routers, switches, and firewalls is not exactly a security best practice. Instead, the accepted alternative to Telnet's lack of security is Secure Shell (SSH). Learn how to configure SSH on your Cisco router. David Davis has the details.

Most IT pros realize that using Telnet to manage routers, switches, and firewalls is insecure. Transmitted in clear text across a network, Telnet traffic basically publicizes any login usernames and passwords to any attackers out there listening—who can take advantage of that information to access a device as the network administrator.

The standard alternative to Telnet's lack of security is Secure Shell (SSH). Like Telnet, you can use SSH to enter IOS commands over a network or to copy files over the network to a device. But with SSH, which uses encryption and digital certificates, you don't have nearly as many security concerns.

There are two versions of Secure Shell: SSH1 and SSH2. Cisco IOS 12.1(3)T was the first version to support SSH1; however, it does require the Data Encryption Standard (DES) or triple DES (3DES) IPSec encryption version of the IOS.

Certain versions of IOS 12.3—12.3(4)T, 12.2(25)S, and 12.3(7)JA or later—were the first to support SSH2, which requires a version of the IOS that supports 3DES. IOS versions that support 3DES have k9 in the name of the file.

It's important to note that SSH1 and SSH2 are two entirely different protocols. SSH2 offers much more security, and I recommend using it whenever possible. However, even SSH1 is better than Telnet. It will protect you from the casual hacker who's trying to sniff passwords from your network.

The Cisco IOS offers both an SSH server and an SSH client. So you can connect to your router's SSH server from an SSH client, or you can connect your router's SSH client to another device that has an SSH server.

Let's start with how to configure SSH on a Cisco IOS router. This configuration process is also very similar on Cisco switches and firewalls. Before you begin, make sure you have the proper image that includes IPSec DES or 3DES encryption to make sure using SSH is possible.

For our example, I'm using a 2611 router running IOS version 12.2(15)T9 that includes 3DES encryption. The exact filename is c2600-ik9o3s3-mz.122-15.T9.bin.

First, make sure your router has a hostname by using the hostname command. Here's an example:

Router(config)# hostname TR-Router

Next, configure a domain name on your router using the ip domain-name command. Here's an example:

TR-Router(config)# ip domain-name

Then, create an RSA encryption key pair for the router to use for authentication and encryption of the SSH data. One of the questions you must answer during this process is the modulus size of the key. Make sure the key modulus is at least 768 bits. Here's an example:

TR-Router(config)# crypto key generate rsa
The name for the keys will be:
Choose the size of the key modulus in the range of 360 to 2048
for your General Purpose Keys. Choosing a key modulus greater than
512 may take a few minutes.
How many bits in the modulus [512]: 768 % Generating 768 bit RSA keys ...[OK]
TR-Router(config)# *Mar  1 00:17:13.337: %SSH-5-ENABLED: SSH 1.5 has been enabled TR-Router(config)#

As you can see from this example, after the system generates the key, you'll receive a message that it has automatically enabled SSH 1.5 on the router. To clarify, SSH 1.5 is Cisco's way of saying this router is running SSH1. If the system has enabled support for both SSH1 and SSH2, this message would say SSH 1.99. If the system has only enabled support for SSH2, the message would say SSH 2.0.

You can also configure SSH settings if you choose. To do so, use the ip ssh command with whichever parameters you choose to set. (Different IOS versions have different options because they support different versions of SSH.) Here's an example:

TR-Router(config)# ip ssh ?
 authentication-retries Specify number of authentication retries
 Port                   Starting (or only) port number to listen
 Rsa                    Configure RSA keypair name for SSH  
 source-interface       Specify interface for source address in SSH
 time-out               Specify SSH time-out interval

TR-Router(config)# ip ssh

Configuring optional SSH settings completes the process of configuring SSH on the router. Now, let's take a look at showing the SSH status.

To view the status of SSH, you can use the following commands:

  • Use show ip ssh to view SSH settings.
  • Use show ssh to view SSH connections.

Here's an example:

TR-Router# show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
TR-Router# show ssh
%No SSH server connections running.

SSH debug commands are also available by using the debug ip ssh command.

You can use a device's built-in SSH client to connect to other SSH servers. The Privileged Mode command is ssh. Here's an example:

TR-Router# ssh ?
  -c    Select encryption algorithm
  -l    Log in using this username
  -o    Specify options
  -p    Connect to this port
  WORD  IP address or hostname of a remote system TR-Router# ssh

One word of caution: In May 2005, researchers discovered vulnerabilities in a number of Cisco IOS versions with SSH capabilities. For more information—and to make sure the IOS version you're using isn't vulnerable—check out "Cisco Security Advisory: Vulnerabilities in Cisco IOS Secure Shell Server."

Earlier in the article, I mentioned that you can also use SSH's secure functionality to copy files over your network. While space constraints keep me from delving further into the topic, check out Cisco's Secure Copy documentation for more information. For more information about configuring SSH on your router, check out Cisco's Configuring Secure Shell documentation and its Secure Shell Version 2 Support documentation.

Miss a column?

Check out the Cisco Routers and Switches Archive, and catch up on David Davis' most recent columns.

Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.