What is SSH?
The Secure Shell (SSH) protocol has many great features, but in its most basic form it is an encrypted form of telnet, which is what routers and switches use. Here are some simple steps to configure SSH access on Cisco routers and switches.
Steps to Setting up Secure Shell on a router or switch
Check the code or firmware
The default Cisco software, or code as many network administrators call it, that Cisco ships on its equipment does not support SSH access, so it may need to be upgraded. Historically, Cisco charged extra for this type of software because they had to include their encryption libraries, but a version of Cisco code that just does SSH encryption has been made available for most of their routers and switches manufactured in the last few years. This version will not be able to do other IPsec tricks like build VPN tunnels.
The simplest way to tell whether you have the correct code is to run show version and look at the code that you are currently running. The code name will have K9 somewhere in it if you can use SSH. Also, the router or switch will not accept the SSH commands if the code does not support it. Look for the line that starts with: System image file is:
RouterA>show version
System image file is "bootflash:cat4500-ipbasek9-mz.122-31.SGA3.bin"
Notice the K9 in ipbaseK9. That means that this router is ready to upgrade to SSH.
SSH requires a username and password combination for authentication rather than just a password. Without configuring username/password authentication of some type, you will be unable to connect to the network device. Here are some notes on authentication configuration if the device is not already configured for authentication. If the code supports SSH and authentication is already set up, then completing SSH configuration is quick.
RouterA#configure terminal
Enter configuration menu
RouterA(config)#hostname MyRouter
RouterA(config)#ip domain-name thisdomain.com
Encryption keys are identified by DNS name
RouterA(config)#crypto key generate rsa
How many bits in the modulus [512] 1024
Choose 1024 because most clients will balk at anything less
RouterA(config)#ip ssh time-out 120
This command limits your authentication time to 120 seconds. You must type your username and password in two minutes.
RouterA(config)#ip ssh authentication-retries 3
This limits the number of failed connection tries
RouterA(config)#service tcp-keepalives-in
RouterA(config)#service tcp-keepalives-out
This keeps your SSH sessions from getting hung
RouterA(config)#line vty 0 4
RouterA(config-line)# transport input SSH
This limits incoming administration access to SSH only. The router or switch will not accept telnet connections at this point, so you probably want to test SSH access before issuing this command.
Now that SSH is configured, network passwords are secured from would-be hackers.
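To confirm the steps above actually landed on a device, the following added example (not part of the original article) checks a pasted show version for a K9 image and a pasted running-config for the hostname, domain name, keepalives and SSH-only vty lines. The function names and sample text are constructed for illustration; the ip ssh timers and the RSA key are not checked, on the assumption that they may not be listed in the running-config.

```python
import re

# Constructed sample output, not captured from a real device.
SAMPLE_SHOW_VERSION = '''RouterA>show version
System image file is "bootflash:cat4500-ipbasek9-mz.122-31.SGA3.bin"
'''
SAMPLE_RUNNING_CONFIG = '''hostname MyRouter
ip domain-name thisdomain.com
service tcp-keepalives-in
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
end
'''

def image_supports_ssh(show_version):
    """True if the 'System image file is' line names a K9 image."""
    m = re.search(r'^System image file is "([^"]+)"', show_version, re.M)
    return bool(m and "k9" in m.group(1).lower())

def audit_ssh_config(running_config):
    """Return findings; an empty list means every checked item is in place."""
    findings = []
    required = {
        r"^hostname \S+": "hostname not set",
        r"^ip domain-name \S+": "ip domain-name not set",
        r"^service tcp-keepalives-in\b": "service tcp-keepalives-in not set",
        r"^service tcp-keepalives-out\b": "service tcp-keepalives-out not set",
    }
    for pattern, message in required.items():
        if not re.search(pattern, running_config, re.M):
            findings.append(message)
    # Indented lines belong to the preceding "line vty" block; any
    # column-0 line closes it, and that is when the block is judged.
    block, transports = None, None
    for line in running_config.splitlines() + ["end"]:
        if not line.startswith(" "):
            if block and transports != ["ssh"]:
                seen = " ".join(transports) if transports else "not set"
                findings.append(f"{block}: transport input is '{seen}', expected ssh only")
            block = line.strip() if line.startswith("line vty") else None
            transports = None
        elif block and line.strip().lower().startswith("transport input"):
            transports = line.lower().split()[2:]
    return findings

if __name__ == "__main__":
    print(image_supports_ssh(SAMPLE_SHOW_VERSION))
    for finding in audit_ssh_config(SAMPLE_RUNNING_CONFIG):
        print(finding)
```

The sample config deliberately leaves vty 5 15 accepting telnet, a common miss when only line vty 0 4 is locked down on a device that has more vty lines.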
Published by Jinx