SSH is the protocol to use for remotely accessing Cisco network devices without exposing the password. Telnet, as everyone knows, transmits the username and password in clear text, making it easy for anyone with a sniffer to gather that information and break into the network. Telnet is usually enabled by default, and some routers and switches don’t come with an IOS that supports SSH. With companies having to comply with SOX and PCI requirements, the change to SSH access needs to be made. For a Cisco router or switch to accept SSH connections the IOS has to support IPSec. For Cisco firewalls like the ASA or PIX this isn’t a problem, but I was very surprised to see how few of the switches and routers I work with need an IOS upgrade to get this functionality. In this post I run through setting up SSH access on a router. This is done using GNS3 to simulate a Cisco 2691 router running an IOS with the Advanced Security feature set. To begin, I console into the router and enter global configuration mode:
Router#config t
Next I give the router a hostname and domain name. This is necessary for SSH configuration.
Router(config)#hostname SDMLab-Main
SDMLab-Main(config)#ip domain-name sdmlab.local
The next step is to create the SSH encryption keys. I run the following command to make sure the keys don’t already exist:
SDMLab-Main(config)#crypto key zeroize
% DSS Keys not found in configuration.
If there were some previously created RSA keys under a different hostname and domain name, they would have been erased. This step is necessary to make sure the new information goes into the keys.
Generate the RSA keys with the following command:
SDMLab-Main(config)#crypto key generate rsa
The name for the keys will be: SDMLab-Main.sdmlab.local
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
The default modulus is 512 as shown above but Cisco recommends at least 1024 bits.
This command also enables SSH on the router. The following commands are optional but should be included in every configuration to improve security. The first sets a timeout of 60 seconds for the SSH client to respond to the router. This will keep the request from being open indefinitely:
SDMLab-Main(config)#ip ssh time-out 60
The next command limits the number of failed authentication attempts to three:
SDMLab-Main(config)#ip ssh authentication-retries 3
The final step is to set the transport input to the default vty lines to SSH only:
SDMLab-Main(config)#line vty 0 4
SDMLab-Main(config-line)#transport input ssh
If you are using the additional vty lines 5 through 15, you would do the same for those lines. That is it. So for PCI or SOX compliance, or just general security and peace of mind, remove telnet and add SSH. It may be necessary to upgrade the IOS image on the device, but it is well worth doing. Since I’m working on the CCNA Security certification, this is something that I need to know.
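Once SSH-only access has been rolled out, the thing a compliance reviewer actually wants is a repeatable check that every device still has it. The script below is an added example, not part of this post and not Cisco code: it parses saved "show running-config" text for the settings configured above (hostname, ip domain-name, ip ssh time-out, ip ssh authentication-retries, transport input ssh on every vty block) and reports anything that drifted. Two checks go beyond the post and are my additions: it also flags a missing "ip ssh version 2" (so SSHv1 cannot be negotiated) and a vty block with no login method, since SSH cannot authenticate without a username source. The sample config, device name and username are constructed for the example; "line vty 5 15" is deliberately left allowing telnet so the audit has something to find.

```python
"""Audit a saved Cisco IOS running-config for SSH-only remote access.

Added example; not code from the original post. Works on text captured
with 'show running-config', so it runs entirely offline.
"""

# Constructed sample running-config (hypothetical device, placeholder secret).
# vty 5 15 still permits telnet and 'ip ssh version 2' is absent on purpose.
SAMPLE_CONFIG = """\
!
hostname SDMLab-Main
!
username netadmin privilege 15 secret REPLACE-ME
ip domain-name sdmlab.local
ip ssh time-out 60
ip ssh authentication-retries 3
!
line con 0
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login local
!
end
"""

# The same device after the two gaps are closed (also constructed).
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "transport input telnet ssh", "transport input ssh"
).replace(
    "ip ssh authentication-retries 3\n",
    "ip ssh authentication-retries 3\nip ssh version 2\n",
)


def parse_sections(config):
    """Split IOS config into (header, [child lines]).

    IOS marks sub-mode commands (line, interface, ...) by a leading space,
    so each unindented line starts a new section and indented lines belong
    to the section above it. Blank lines and '!' separators are skipped.
    """
    sections = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit_ssh(config, max_timeout=60, max_retries=3):
    """Return a list of findings; an empty list means every check passed.

    Thresholds default to the values used in the post (60 s, 3 retries).
    """
    findings = []
    sections = parse_sections(config)
    headers = [hdr for hdr, _ in sections]

    def has(prefix):
        return any(h.startswith(prefix) for h in headers)

    def value_of(prefix):
        # Global 'ip ssh ...' commands are single lines; take the last token.
        return next((int(h.split()[-1]) for h in headers if h.startswith(prefix)), None)

    if not has("hostname "):
        findings.append("hostname not set; RSA key generation needs it")
    if not has("ip domain-name "):
        findings.append("ip domain-name not set; RSA key generation needs it")

    timeout = value_of("ip ssh time-out ")
    if timeout is None or timeout > max_timeout:
        findings.append(f"ip ssh time-out missing or above {max_timeout} seconds")
    retries = value_of("ip ssh authentication-retries ")
    if retries is None or retries > max_retries:
        findings.append(f"ip ssh authentication-retries missing or above {max_retries}")
    if "ip ssh version 2" not in headers:
        findings.append("ip ssh version 2 not set; SSHv1 remains negotiable")

    vty_seen = False
    uses_login_local = False
    for hdr, children in sections:
        if not hdr.startswith("line vty "):
            continue
        vty_seen = True
        transports = [c for c in children if c.startswith("transport input ")]
        if transports != ["transport input ssh"]:
            shown = ", ".join(transports) if transports else "default"
            findings.append(f"{hdr}: transport input is '{shown}', not ssh only")
        if not any(c.startswith("login") for c in children):
            findings.append(f"{hdr}: no login method; SSH needs username authentication")
        uses_login_local = uses_login_local or "login local" in children
    if not vty_seen:
        findings.append("no line vty sections found")
    if uses_login_local and not has("username "):
        findings.append("login local on vty lines but no username configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ssh(cfg) or "OK")
```

Run it against the constructed sample and it reports the telnet-capable vty 5 15 block and the missing SSH version pin; against the hardened copy it reports nothing. Feeding it the output of a config backup job gives the same drift report for every device on the estate.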