
Wednesday, November 30, 2011

SSH @ Cisco

Recently, I had to swap the Internet router of my company. BGP and CEF ate up the whole memory, and it was not possible to upgrade the memory of the Cisco 3725 router beyond 256 MB. It was time to change it.

I had a chance to install a new Cisco 3845 with 1 GB of memory. Everything was fine except SSH access, which I needed because of security policy. I searched the web and found the “Configuring Secure Shell on Routers and Switches Running Cisco IOS” document on the Cisco web site. It was a little bit different from the current one. I made the configuration as explained, but it was not good enough and access to the router via SSH was not possible.

About one week later, I realized that:
  • SSH only supports authentication with a username/password; it does not support just an access password like telnet.
  • So, I had to create a user and set a password with the username command.
  • I had to enable aaa new-model OR issue the login local command under line vty for username/password authentication.
  • Also, a hostname and a domain name were required to generate the keys, since the router uses its FQDN as the label of the key pair.
  • SSH is enabled by default, and I do not need to enable it myself.

The necessary steps to enable SSH are listed below.
PRECONDITION: You need a K9 (crypto) IOS image, i.e. one with “k9” in the image name, newer than 12.1, to enable SSH. Catalyst 2900 Series switches do not support SSH.
1) You MUST set a host name
hostname ciscolab


2) You MUST set an IP domain name
ip domain-name mydomain.com


3) You MUST enable aaa new-model OR set “login local” under the vty configuration, not just “login” (a plain line password is not accepted for SSH)
aaa new-model


4) You MUST create a user
username sshtest password 0 sshpass
Note that “password 0” stores the password reversibly (cleartext, or the trivially decodable type 7 if service password-encryption is on). Prefer “username sshtest secret sshpass”, which stores only a hash.

5) You MUST generate RSA keys. Generating the key pair is what actually enables the SSH server; there is no separate command to turn it on.
crypto key generate rsa
If you already have RSA keys, you will receive a message asking whether to replace them; type yes:
% You already have RSA keys defined named ciscolab.mydomain.com.
% Do you really want to replace them? [yes/no]: yes
It will then ask for the modulus size. The default of 512 bits is too small (SSH version 2 needs at least 768 bits); 1024 is the least you should accept, and 2048 is preferable if your IOS version allows it (it depends on your security needs):
How many bits in the modulus [512]: 2048


6) You MUST set the vty access method (transport input) to all OR ssh. If you choose ssh, telnet is disabled on those lines, which is what you want once SSH works:
line vty 0 4
  transport input ssh


7) Using SecureCRT (licensed) or PuTTY (free), choose SSH2 as the protocol (SSH in PuTTY; make sure the preferred protocol version is 2), enter the hostname or IP address and click Connect (Open in PuTTY). It will ask for the username and password. Do not touch the other settings; you do not need them. Do not pick SSH1: version 1 of the protocol has known weaknesses, and on images from 12.3(4)T onward you can refuse it on the router side with “ip ssh version 2” (this requires a modulus of at least 768 bits). “show ip ssh” confirms which version the router is running.
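As an added example (not code from the original post or from Cisco), here is a small Python script that audits the plain text of “show running-config” for the prerequisites in steps 1 to 4 and 6 and for the hardening points noted above: reversible “password” entries, telnet still allowed on the vty lines, no access-class, and SSH version not pinned to 2. The two sample configurations are constructed for illustration; the MGMT access list, the sshadmin user and the 10.10.10.0/24 management network are assumptions. The RSA key pair (step 5) does not appear in the running configuration, so the script cannot check it; verify it on the router with “show crypto key mypubkey rsa”.

```python
"""Audit `show running-config` text for the SSH prerequisites described above.
Added example, not code from the original post. Step 5 (the RSA key pair)
is not part of the running-config; verify it with `show crypto key mypubkey rsa`.
"""

# Constructed sample: follows the steps but keeps the weak choices
# (password 0, transport input all, no `ip ssh version 2`).
WEAK_CONFIG = """\
hostname ciscolab
aaa new-model
ip domain-name mydomain.com
username sshtest password 0 sshpass
line vty 0 4
 transport input all
"""

# Constructed hardened sample. The MGMT access list, the sshadmin user and
# the 10.10.10.0/24 management network are assumptions for illustration.
HARDENED_CONFIG = """\
hostname ciscolab
aaa new-model
ip domain-name mydomain.com
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
username sshadmin privilege 15 secret StrongPassw0rd
ip access-list standard MGMT
 permit 10.10.10.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 exec-timeout 10 0
 transport input ssh
"""


def parse_config(text):
    """Return (top_level, blocks): the unindented lines in order, and for each
    of them the indented lines that follow it. '!' and blank lines are skipped."""
    top_level, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('!'):
            continue
        if raw[0] in ' \t':  # indented line: body of the current block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        current = raw.strip()
        top_level.append(current)
        blocks.setdefault(current, [])
    return top_level, blocks


def audit_ssh(config_text):
    """Return a list of (code, message) findings; an empty list means clean."""
    top_level, blocks = parse_config(config_text)
    present = set(top_level)
    found = []
    # Step 1: hostname. The IOS default "Router" counts as unset.
    names = [l.split(None, 1)[1] for l in top_level if l.startswith('hostname ')]
    if not names or names[-1] == 'Router':
        found.append(('NO_HOSTNAME', 'step 1: hostname is not set'))
    # Step 2: domain name (older images write "ip domain-name", newer "ip domain name").
    if not any(l.startswith(('ip domain-name ', 'ip domain name ')) for l in top_level):
        found.append(('NO_DOMAIN', 'step 2: ip domain-name is not set'))
    # Step 4: a local user, stored as a hash (`secret`) rather than a reversible `password`.
    users = [l.split() for l in top_level if l.startswith('username ')]
    if not users:
        found.append(('NO_USER', 'step 4: no local username configured'))
    for toks in users:
        if 'password' in toks[2:5]:
            found.append(('WEAK_PASSWORD', f"user {toks[1]}: use 'secret' instead of 'password'"))
    # Steps 3 and 6: how the vty lines authenticate and which transports they accept.
    aaa = 'aaa new-model' in present
    for header, body in blocks.items():
        if not header.startswith('line vty'):
            continue
        if not aaa and 'login local' not in body:
            found.append(('NO_LOGIN_LOCAL', f"step 3: {header} needs 'login local' or global 'aaa new-model'"))
        transports = [l.split()[2:] for l in body if l.startswith('transport input')]
        if not transports:
            found.append(('NO_TRANSPORT', f"step 6: {header} has no explicit 'transport input'"))
        else:
            allowed = set(transports[-1])
            if not allowed & {'ssh', 'all'}:
                found.append(('SSH_NOT_ALLOWED', f"step 6: {header} does not permit ssh"))
            if allowed & {'telnet', 'all'}:
                found.append(('TELNET_ALLOWED', f"{header} still permits telnet; use 'transport input ssh'"))
        if not any(l.startswith('access-class ') for l in body):
            found.append(('NO_ACCESS_CLASS', f"{header}: no access-class restricting management sources"))
    # Hardening: pin the server to SSH version 2 so a v1 session cannot be negotiated.
    if 'ip ssh version 2' not in present:
        found.append(('NO_SSHV2', "'ip ssh version 2' is not set"))
    return found


if __name__ == '__main__':
    for name, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        findings = audit_ssh(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

Run it as-is to see the weak sample flagged on four points and the hardened sample come back clean, or feed it a saved copy of your own running-config. The parser only attaches indented lines to the unindented line that precedes them, which is enough for the vty and access-list blocks checked here; it does not try to interpret the rest of the configuration.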
