How To: Setup SSH on your Cisco Router

SSH (or Secure Shell) is a network protocol that allows data to be exchanged using a secure channel between two networked devices. SSH was designed as a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plaintext, leaving them open for interception. Using encryption, SSH provides confidentiality and integrity of data over an insecure network, such as the Internet.


Enterprise security environments have long required network admins to connect to network devices via SSH to prevent interception of administrative traffic, and there is no longer any reason for anyone to use Telnet to reach their routers, switches, and other network devices. SSH is a best practice, most devices already support it at no extra expense, and you can implement it in a few minutes.

To begin with, you need to realize that not every Cisco IOS image supports SSH: because SSH requires cryptography, you must be running an image that includes the crypto feature set.

Cisco licenses features, and prior to version 12.4, SSH was NOT a free feature–you weren’t automatically licensed to use the crypto version of your feature set. (For example: IP Base to IP Base + Crypto was a large upgrade fee.) With IOS 12.4, Cisco has changed their policy. Now, 12.4 users can upgrade to an equivalent crypto-enabled IOS without an upgrade fee. So, 12.4 IP-Base users can go to IP-Base + Crypto, Enterprise Services can go to Enterprise Services + Crypto for no fee, etc. Of course, you should confirm the terms of your license with Cisco or your reseller’s license expert to make sure your specific license covers this upgrade.

Cryptography-enabled images are denoted with K9 in the image name, so for this example, I’m using an image named c1700-k9o3sy7-mz.123-14.T6.bin in my Cisco 1721 lab router. All examples below started from default configuration on this device using this image.

On a Cisco IOS based router that supports SSH, you start by giving the router a hostname other than the default "Router" (with the hostname command) and a domain name (with the ip domain-name command). Both are required before you can generate keys, because IOS names the RSA key pair after the router's fully qualified name (hostname.domain-name).


Next, you’ll need to assign an IP address to at least one interface on the router, and issue the no shutdown command to that interface. You don’t need to have the interface cabled to anything for the configuration to work, but you’ll obviously have to connect the router to another device before you can make a successful SSH connection to the router.


Now you need to generate the RSA key pair that the router will use as its SSH host key. On this IOS release the default modulus is only 512 bits, which is far too weak to rely on, and SSH version 2 on IOS requires a modulus of at least 768 bits. Use at least 2048 bits; larger sizes are allowed if your organization's policies require them, at the cost of slower key generation and slower connection setup on low-end hardware.

To create the keys, enter the command crypto key generate rsa in global configuration mode (you can add modulus 2048 to the command, or answer the modulus prompt). IOS reports whether key generation succeeded. Generation can take a minute or more on a lower-end router, especially with a large modulus.


Next, enable SSH for remote connections by restricting the vty lines to SSH with the transport input ssh command, which also stops the router from accepting Telnet on those lines. SSH logins must be authenticated with a username and password (not just a line password), so you also need to issue the login local command on the vty lines so that logins are checked against the router's local user database. Note that this is ordinary username/password authentication, not two-factor authentication.


Next, if you don't yet have a local username/password that login local can check, add one. The example below creates a user with no privileges beyond user EXEC mode (privilege 0) and the deliberately weak lab password monkeys; use a real password outside the lab:

username testuser privilege 0 secret monkeys

If you haven’t added an ADMINISTRATIVE username for the router, make sure you do that too with the command:

username admin privilege 15 secret someridiculouslycomplexpassword

Now it's time for a quick save of your configuration with the write memory command, after which you should confirm the result with show ip ssh (the SSH version and timeout values) and show crypto key mypubkey rsa (the key pair you generated), and then try logging in over SSH. If you've followed these steps correctly, you'll have no problem.
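The complete configuration for the procedure above, as an added example that is not taken from the original page's screenshots. It assumes the Cisco 1721's FastEthernet0 interface, the hostname lab-r1, the domain example.net, the address 192.0.2.1/24, and a placeholder admin password; substitute your own values.

```cisco
! Added example: SSH setup on a Cisco IOS 12.3/12.4 router, starting from a
! default configuration. Values (hostname, domain, interface, address,
! password) are assumptions for illustration.
configure terminal
!
! 1. Hostname and domain name; the RSA key pair will be named lab-r1.example.net
hostname lab-r1
ip domain-name example.net
!
! 2. At least one interface with an IP address, brought up
interface FastEthernet0
 ip address 192.0.2.1 255.255.255.0
 no shutdown
 exit
!
! 3. Host key pair. The 512-bit default is too weak; SSHv2 needs at least 768.
!    Expect this to take a while on a 1721.
crypto key generate rsa modulus 2048
!
! 4. Require SSH version 2 and bound the login attempt window
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! 5. Local accounts that login local will check against
username testuser privilege 0 secret monkeys
username admin privilege 15 secret someridiculouslycomplexpassword
!
! 6. Remote access only via SSH, authenticated against the local database
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
 exit
!
end
!
! 7. Save, then verify
write memory
show ip ssh
show crypto key mypubkey rsa
```

After this, `ssh admin@192.0.2.1` from a client on the same network should prompt for the password; `telnet 192.0.2.1` should be refused. One caveat: IOS of this vintage offers only legacy algorithms (an ssh-rsa host key, diffie-hellman-group1-sha1 key exchange and CBC ciphers), which current OpenSSH clients disable by default, so you may need to re-enable them for this host with the client's HostKeyAlgorithms, KexAlgorithms and Ciphers options. That is a limitation of the router's SSH implementation, not a misconfiguration.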

Review

In review, enabling SSH on a Cisco router is very easy. It requires the following steps:

  • Router must have a hostname and domain-name assigned.
  • At least one interface must be configured with an IP address.
  • Generate an RSA key pair (at least 2048 bits) to use as the SSH host key.
  • Create at least one local username for username/password authentication.
  • Restrict the vty lines to SSH (transport input ssh) and require login local.
