How to configure SSH on a Cisco Router

2

We need configure SSH on a Cisco router or switch in order to access it remotely, unless we’re using an access server. Even then, SSH should be configured in case the access server fails.

required steps

To be able to SSH into any Cisco device first we need to create at least one user account on the device. If you’d like to know how check out my post on Creating Users on a Cisco Router. Then we need to generate a Self-Signed certificate and enable remote access on the VTY interfaces.

configuration

Theses are all the commands you need to set up SSH on a Cisco router in it’s simplest form.

conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.

! Creating a user account using secret

C1801(config)#username admin privilege 15 secret Not124get!

! Creating a Self-Signed Certificate using the router's name as the
! label and using 1024bit encryption key. The label is important, I'll tell you
! in a minute why

C1801(config)#crypto key generate rsa modulus 1024 label C1801
The name for the keys will be: C1801

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

C1801(config)#
*Jan  6 15:22:25.339: %SSH-5-ENABLED: SSH 1.99 has been enabled

! We need to tell the router to use the local user database when authenticating
! otherwise users won't be able to log on

C1801(config)#line vty 0 4
C1801(config-line)#login local

! Restricting access to SSH only on the virtual interface. By default all access is
! permitted, including Telnet...

C1801(config-line)#transport input ssh
C1801(config-line)#^Z


Most people believe that the ip domain-name command is required in order to generate a certificate. This is true if you don’t use the command label. Now see what happens if we try without it.


C1801(config)#crypto key generate rsa modulus 1024
% Please define a domain-name first.

My advise is to keep it simple and configure the domain when it’s really required.

optional commands

By default the router will respond to all versions of SSH connections. We can restrict this by telling the router to respond to v2 requests only.

C1801(config)#ip ssh version 2

verification

Here is the output from Putty after connecting to the router.

login as: admin
Using keyboard-interactive authentication.
Password:

C1801#sh ssh
Connection Version Mode Encryption  Hmac         State                 Username
0          2.0     IN   aes256-cbc  hmac-sha1    Session started       admin
0          2.0     OUT  aes256-cbc  hmac-sha1    Session started       admin
%No SSHv1 server connections running.
C1801#

We can also view info about our certifice but using the following command

C1801#show crypto key mypubkey rsa
% Key pair was generated at: 15:22:25 UTC Jan 6 2014
Key name: C1801
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C18DC4
  5294A422 4AD177B1 C78D7FD9 63D0811E 9D2A4A4E 794FB12B 5D9E474F 0C3C5FB9
  B4CFF11F 9793958D A51220AA 4679CC17 30FFAD3F C9B080AC CEF73D7B EE87E91A
  D14A01A5 B5FABA83 395F9E83 B578EF06 7FF9E158 4EFBE4E9 FEE91FC1 F04D3511
  59C76F15 6352D73A E18798F3 17710D66 996B98D5 1F1C86D2 32C484B1 59020301 0001
% Key pair was generated at: 15:22:27 UTC Jan 6 2014
Key name: C1801.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B97C8E 37A53140
  41B1DA16 56B8D3E7 1604A4C6 3038C950 04D42ECA BB6EA619 48E0583E A1412265
  85AAA227 A9D5DFDE DCD7BB9D E18934CA 58783019 142A3782 350DDEDD 86C8C3A0
  FF12EB89 AE41FA34 8C3F0B05 DF9E61F7 2F56ACAB 205D5FB2 C9020301 0001
C1801#

commands explained

Commands used with a brief explanation.

username admin privilege 15 secret Not124get!: Creating a user account
crypto key generate rsa modulus 1024 label C1801: Generating a certificate
transport input ssh: Enabling SSH as the only accepted communication channel
ip ssh version 2: Enabling only SSH v2

show crypto key mypubkey rsa: Shows information about the SSL certificate

If you’d like to learn more about on how to configure SSH on a Cisco router I recommend you read through this documentation: Configuring Secure Shell on Routers and Switches Running Cisco IOS

Sisko Warrior

2 Responses

  1. hi there how can we configure both telnet and ssh as the only accepted channels? (based on the “Transport input” command)
    thank you in advance for your help.

  2. You can use the “transport input telnet ssh” comman on the VTY line. The default command here is “transport input all”. You can enable only SSH or only Telnet too

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.