Secure Shell (SSH) is a protocol that provides secure remote access to network devices. Communication between the client and server is encrypted in both SSH version 1 and SSH version 2. Implement SSH version 2 when possible because it uses stronger encryption algorithms.
- SSH Version 1.0 (SSH v1) server was introduced in some Cisco IOS platforms and images that start in Cisco IOS Software Release 12.0.5.S.
- SSH Version 2.0 (SSH v2) support was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.1(19)E.
Why Use Secure Shell (SSH)?
Secure Shell (SSH) improves network security by providing a means of establishing secure connections to networking devices for management, thereby preventing hackers from gaining access.
Using digital certificates in public/private key cryptography, SSH can authenticate clients and servers, ensuring that the device or server you are about to connect to is exactly who it claims to be.
What About Telnet?
Like SSH, Telnet can also be used to connect to your router, but the main disadvantage of Telnet is that it does not encrypt its connections. This means that if a hacker is able to capture packets from a Telnet session, he or she can view the information contained in those packets, such as a client's username and password, and thereby gain access to your router.
The diagram below will give you an idea of how this works.
This is a good example of a man-in-the-middle attack.
Now let us configure SSH
1. Set your hostname :-
Router(config)# hostname Rumy
2. Set the domain name (both the hostname and domain name are required before the encryption keys can be generated) :-
Router(config)# ip domain-name rumyittips.com
3. Generate the encryption keys for securing the session :-
Rumy(config)# crypto key generate rsa general-keys modulus 1024
4. Set the maximum idle timer for an SSH session :-
Rumy(config)# ip ssh time-out ?
<1-120> SSH time-out interval (secs)
Rumy(config)# ip ssh time-out 60
5. Set the maximum number of failed authentication attempts for an SSH connection :-
Rumy(config)# ip ssh authentication-retries ?
<0-5> Number of authentication retries
Rumy(config)# ip ssh authentication-retries 2
6. Enter the vty lines of the router :-
Rumy(config)# line vty 0 1180
7. Last, configure SSH and then Telnet as the access protocols :-
Rumy(config-line)# transport input ssh telnet
Prevent Non-SSH Connections :-
If you want to prevent non-SSH connections, add the transport input ssh command under the lines to limit the router to SSH connections only. Straight (non-SSH) Telnets are refused.
line vty 0 4
!--- Prevent non-SSH Telnets.
transport input ssh
Configure the SSH Version :-
Configure SSH v1:-
Rumy(config)#ip ssh version 1
Configure SSH v2:-
Rumy(config)#ip ssh version 2
Configure SSH v1 and v2:-
Rumy(config)#no ip ssh version
Note:- You receive this error message when you use SSHv1:-
%SCHED-3-THRASHING: Process thrashing on watched message event.
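To tie steps 1 to 7 together with the "Prevent Non-SSH Connections" and "Configure the SSH Version" sections, here is an added example (not from the original post) in Python that parses a running-config excerpt and reports the SSH settings this post changes. The parser, the two sample configurations, and the assumed IOS defaults for ip ssh time-out (120 seconds) and ip ssh authentication-retries (3) are constructed for this example. The hardened sample is what the steps above produce once Telnet is removed from the vty lines and SSH version 2 is forced; the weak sample keeps step 7's transport input ssh telnet as written and sets no version. Note that crypto key generate rsa never shows up in the running-config, so the RSA key itself has to be confirmed separately with show crypto key mypubkey rsa.

```python
"""Audit a Cisco IOS running-config excerpt for the SSH settings above.

Added example, not part of the original post. The parser, the two sample
configs, and the assumed IOS defaults are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed IOS defaults that apply when the command is absent; confirm on
# your platform with 'show ip ssh'.
DEFAULT_TIME_OUT = 120
DEFAULT_AUTH_RETRIES = 3

# Constructed sample: what steps 1-7 produce once SSH v2 is forced and
# Telnet is removed from the vty lines (the "Prevent Non-SSH" section).
HARDENED_CONFIG = """\
hostname Rumy
ip domain-name rumyittips.com
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
line vty 0 4
 transport input ssh
"""

# Constructed sample: step 7 as written, no explicit version, defaults elsewhere.
WEAK_CONFIG = """\
hostname Rumy
ip domain-name rumyittips.com
line vty 0 4
 transport input SSH telnet
"""


@dataclass
class SshAudit:
    hostname: Optional[str] = None
    domain_name: Optional[str] = None
    ssh_version: Optional[str] = None   # "1", "2", or None = v1 and v2 negotiated
    time_out: Optional[int] = None      # None = default applies
    auth_retries: Optional[int] = None  # None = default applies
    vty_transports: Dict[str, List[str]] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def audit_ssh_config(config: str) -> SshAudit:
    """Parse the SSH-relevant commands and list weaknesses as findings."""
    a = SshAudit()
    current_vty: Optional[str] = None
    for raw in config.splitlines():
        words = raw.strip().split()
        if not words or words[0].startswith("!"):
            continue                      # blank line or comment
        key = [w.lower() for w in words]  # IOS keywords are case-insensitive
        if key[0] == "line":              # 'line vty 0 4' opens a line block
            current_vty = " ".join(words[2:]) if key[1:2] == ["vty"] else None
            if current_vty is not None:
                a.vty_transports.setdefault(current_vty, [])
            continue
        if key[0] in ("hostname", "ip", "end"):
            current_vty = None            # back at global configuration
        if current_vty is not None:
            if key[:2] == ["transport", "input"]:
                a.vty_transports[current_vty] = key[2:]
            continue
        if key[0] == "hostname" and len(words) > 1:
            a.hostname = words[1]
        elif key[:2] == ["ip", "domain-name"] and len(words) > 2:
            a.domain_name = words[2]
        elif key[:3] == ["ip", "ssh", "version"] and len(words) > 3:
            a.ssh_version = words[3]
        elif key[:3] == ["ip", "ssh", "time-out"] and len(words) > 3:
            a.time_out = int(words[3])
        elif key[:3] == ["ip", "ssh", "authentication-retries"] and len(words) > 3:
            a.auth_retries = int(words[3])

    # Checks. 'crypto key generate rsa' never appears in the running-config;
    # confirm the key exists with 'show crypto key mypubkey rsa'.
    if not (a.hostname and a.domain_name):
        a.findings.append("hostname and ip domain-name are both required before the RSA key can be generated")
    if a.ssh_version != "2":
        a.findings.append(f"ip ssh version 2 is not set (version={a.ssh_version or 'negotiated'}); SSHv1 may be used")
    if a.time_out is None:
        a.findings.append(f"ip ssh time-out not set; default {DEFAULT_TIME_OUT}s applies")
    if a.auth_retries is None:
        a.findings.append(f"ip ssh authentication-retries not set; default {DEFAULT_AUTH_RETRIES} applies")
    if not a.vty_transports:
        a.findings.append("no line vty block found")
    for vty, transports in a.vty_transports.items():
        if not transports:
            a.findings.append(f"line vty {vty}: no explicit transport input; platform default applies")
        elif "telnet" in transports or "all" in transports:
            a.findings.append(f"line vty {vty}: transport input {' '.join(transports)} still allows cleartext Telnet")
    return a


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        result = audit_ssh_config(cfg)
        print(f"{name}: {len(result.findings)} finding(s)")
        for finding in result.findings:
            print("  -", finding)
```

Run against the hardened sample the audit reports nothing; against the weak sample it flags the missing ip ssh version 2, the two defaults, and the vty line that still accepts Telnet. Feed it the output of show running-config from a real device to check that the steps were applied the way the post intends.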
SSH version 2 supports the login banner. The login banner is displayed if the SSH client sends the username when it initiates the SSH session with the Cisco router. For example, when the Secure Shell ssh client is used, the login banner is displayed. When the PuTTY ssh client is used, the login banner is not displayed. This is because Secure Shell sends the username by default and PuTTY does not send the username by default.