Most IT pros realize that using Telnet to
manage routers, switches, and firewalls is insecure. Transmitted in clear text
across a network, Telnet traffic basically publicizes any login usernames and
passwords to any attackers out there listening—who can
take advantage of that information to access a device as the network
administrator.
The standard secure alternative to Telnet is Secure
Shell (SSH). Like Telnet, you can use SSH to enter IOS commands over a network or
to copy files over the network to a device. But because SSH uses encryption
and digital certificates, you don’t have nearly as many security concerns.
There are two versions of Secure Shell: SSH1 and SSH2. Cisco
IOS 12.1(3)T was the first version to support SSH1; however, it does require the
Data Encryption Standard (DES) or triple DES (3DES) IPSec encryption version of
the IOS.
Certain versions of IOS 12.3—12.3(4)T, 12.2(25)S, and 12.3(7)JA
or later—were the first to support SSH2, which requires a version of the IOS
that supports 3DES. IOS versions that support 3DES have k9 in the name of the
file.
It’s important to note that SSH1 and SSH2 are two entirely different
protocols. SSH2 offers much more security, and I recommend using it whenever
possible. However, even SSH1 is better than Telnet. It will protect you from
the casual hacker who’s trying to sniff passwords from your network.
The Cisco IOS offers both an SSH server and an SSH client. So
you can connect to your router’s SSH server from an SSH client, or you can
connect your router’s SSH client to another device that has an SSH server.
Let’s start with how to configure SSH on a Cisco IOS router.
The configuration process is very similar on Cisco switches and
firewalls. Before you begin, make sure the device is running an image that
includes IPSec DES or 3DES encryption; otherwise, SSH isn’t available.
For our example, I’m using a 2611 router running IOS version
12.2(15)T9 that includes 3DES encryption. The exact filename is c2600-ik9o3s3-mz.122-15.T9.bin.
First, make sure your router has a hostname by using the hostname
command. Here’s an example:
Router(config)# hostname TR-Router
TR-Router(config)#
Next, configure a domain name on your router using the ip
domain-name command. Here’s
an example:
TR-Router(config)# ip domain-name TechRepublic.com
TR-Router(config)#
Then, create an RSA encryption key pair for the router to
use for authentication and encryption of the SSH data. One of the questions you
must answer during this process is the modulus size of the key. Make sure the
key modulus is at least 768 bits. Here’s an example:
TR-Router(config)# crypto key generate rsa
The name for the keys will be: TR-Router.TechRepublic.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 768
% Generating 768 bit RSA keys ...[OK]

TR-Router(config)#
*Mar 1 00:17:13.337: %SSH-5-ENABLED: SSH 1.5 has been enabled
TR-Router(config)#
As you can see from this example, after the system generates
the key, you’ll receive a message that it has automatically enabled SSH 1.5 on
the router. To clarify, SSH 1.5 is Cisco’s way of saying this router is running
SSH1. If the system has enabled support for both SSH1 and SSH2, this message
would say SSH 1.99. If the system has only enabled support for SSH2, the
message would say SSH 2.0.
You can also configure SSH settings if you choose. To do so,
use the ip ssh command with whichever
parameters you choose to set. (Different IOS versions have different options
because they support different versions of SSH.) Here’s an example:
TR-Router(config)# ip ssh ?
  authentication-retries  Specify number of authentication retries
  port                    Starting (or only) port number to listen on
  rsa                     Configure RSA keypair name for SSH
  source-interface        Specify interface for source address in SSH connections
  time-out                Specify SSH time-out interval
TR-Router(config)# ip ssh
Configuring optional SSH settings completes the process of
configuring SSH on the router. Now, let’s take a look at showing the SSH
status.
To view the status of SSH, you can use the following
commands:
- Use show ip ssh to view SSH settings.
- Use show ssh to view SSH connections.
Here’s an example:
TR-Router# show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
TR-Router# show ssh
%No SSH server connections running.
TR-Router#
SSH debug commands are also available by using the debug ip ssh command.
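To turn the steps above into a repeatable check, here is an added audit script (my example, not from the article or from Cisco) that inspects a constructed running-config excerpt and a "show ip ssh" line. It assumes the real IOS commands ip ssh version 2 and transport input ssh on the vty lines, which the article does not cover, and maps the 1.5 / 1.99 / 2.0 version strings the article explains to what the router actually accepts.

```python
import re

# Constructed sample of a running-config excerpt; not captured from a real device.
SAMPLE_CONFIG = """\
hostname TR-Router
ip domain-name TechRepublic.com
ip ssh time-out 120
ip ssh authentication-retries 3
line vty 0 4
 transport input telnet ssh
"""

# Constructed "show ip ssh" line mirroring the article's SSH 1.5 example.
SAMPLE_SHOW_IP_SSH = "SSH Enabled - version 1.5"


def ssh_version_status(show_ip_ssh):
    """Translate the 'show ip ssh' version string into the protocols the router accepts."""
    m = re.search(r"SSH Enabled - version (\S+)", show_ip_ssh)
    if not m:
        return "disabled"
    return {"1.5": "ssh1-only", "1.99": "ssh1-and-ssh2", "2.0": "ssh2-only"}.get(
        m.group(1), "unknown")


def audit_config(config):
    """Return findings for missing SSH prerequisites and settings that leave Telnet open."""
    findings = []
    if not re.search(r"^hostname \S+", config, re.M):
        findings.append("no hostname configured (needed to name the RSA key)")
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("no ip domain-name configured (needed to name the RSA key)")
    # 'ip ssh version 2' is assumed here; without it an SSH2-capable image still accepts SSH1.
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set; SSH1 may be accepted")
    # Each 'line vty' block consists of the indented lines that follow it.
    for block in re.finditer(r"^line vty [^\n]*\n((?: [^\n]*\n)*)", config, re.M):
        t = re.search(r"^ transport input (.+)$", block.group(1), re.M)
        # No 'transport input' line means the IOS default, which still allows Telnet.
        if t is None or "telnet" in t.group(1).split() or t.group(1).strip() == "all":
            findings.append("vty lines still accept Telnet")
    return findings


if __name__ == "__main__":
    print(ssh_version_status(SAMPLE_SHOW_IP_SSH))
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```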
You can use a device’s built-in SSH client to connect to other
SSH servers. The Privileged Mode command is ssh.
Here’s an example:
TR-Router# ssh ?
-c Select encryption algorithm
-l Log in using this username
-o Specify options
-p Connect to this port
WORD IP address or hostname of a remote system
TR-Router# ssh
One word of caution: In May 2005, researchers discovered
vulnerabilities in a number of Cisco IOS versions with SSH capabilities. For
more information—and to make sure the IOS version you’re using isn’t
vulnerable—check out “Cisco
Security Advisory: Vulnerabilities in Cisco IOS Secure Shell Server.”
Earlier in the article, I mentioned that you can also use SSH’s
secure functionality to copy files over your network. While space constraints
keep me from delving further into the topic, check out Cisco’s
Secure Copy documentation for more information. For more information about
configuring SSH on your router, check out Cisco’s Configuring
Secure Shell documentation and its Secure
Shell Version 2 Support documentation.
David Davis has worked
in the IT industry for 12 years and holds several certifications, including
CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of
systems/network administrators for a privately owned retail company and
performs networking/systems consulting on a part-time basis.