Configuring Secure Shell (SSH) for remote access to a Cisco router
Before the introduction of SSH in Cisco IOS, the only remote login protocol was Telnet. Although quite functional, Telnet is not secure: the entire session, including authentication, is sent in plain text and is therefore subject to snooping.
SSH is a protocol and an application that replaces Telnet and provides an encrypted connection for remote administration of network devices such as a Cisco router, switch or security appliance.
Cisco IOS provides both an SSH server and an SSH client. This document is concerned only with the configuration of the SSH server component.
Prerequisites
Software
The SSH server component requires an IPSec (DES or 3DES) encryption software image of Cisco IOS version 12.1(1)T or later installed on your router. Advanced IP Services images include the IPSec component. This document was written using c2800nm-advipservicesk9-mz.123-14.T5.bin.
Preconfiguration
You must configure a host name and domain name on your router. For example:
Router#
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
router01(config)# hostname router01
router01(config)# ip domain-name domain.local
You also need to generate an RSA key pair for the router, which automatically enables SSH. In the following example, note how the key pair is named with the combination of the hostname and domain name configured earlier. The modulus determines the key length. Cisco recommends a minimum key length of 1024 bits (the default is 512 bits):
router01(config)#
router01(config)# crypto key generate rsa
The name for the keys will be: router01.domain.local
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
Finally, you need an AAA server such as a RADIUS or TACACS+ server, or you must create a local user database, to authenticate remote users and enable authentication on the terminal lines. For the purposes of this document, we create a local user database on the router. In the following example, the user "donc" is created with privilege level 15 (the maximum) and the encrypted password "p@ss5678". (The "0" after "secret" tells the router that the password that follows is clear text and is to be encrypted; in the router's running configuration, the password is not readable.) We also use line configuration mode to tell the router to use its local user database for authentication (login local) on terminal lines 0-4.
router01(config)# username donc privilege 15 secret 0 p@ss5678
router01(config)# line vty 0 4
router01(config-line)# login local
Enabling SSH
To enable SSH, you must tell the router which key pair to use. Optionally, you can also set the SSH version (the default is SSH version 1), the authentication timeout, and some other parameters. In this example, we tell the router to use the key pair created earlier and to use SSH version 2:
router01(config)#
router01(config)# ip ssh version 2
router01(config)# ip ssh rsa keypair-name router01.domain.local
You can now access your router securely with an SSH client such as TeraTerm.
Displaying the SSH configuration and connections
You can use the privileged-mode commands "show ssh" and "show ip ssh" to display the SSH configuration and connections (if any). The following example shows the SSHv1 configuration of a Cisco 871 router with "show ip ssh", and a single SSHv1 connection with "show ssh". Note that SSHv2 has not been enabled on this router, so it defaults to SSH version 1.99. Also note in the output of "show ssh" that version 1 uses 3DES by default. SSHv2 supports the more robust and efficient AES encryption, and SSHv2 is not subject to the same vulnerabilities as SSHv1. Best practice is to use SSHv2 and to turn off fallback to SSHv1; enabling SSHv2 disables SSHv1. This example is included only to demonstrate backward compatibility:
router04#
router04# show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
router04#
router04# show ssh
Connection  Version  Encryption  State            Username
 2          1.5      3DES        Session started  donc
%No SSHv2 server connections running.
router04#
You can use the "debug ip ssh" command to troubleshoot SSH configurations.
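The following script is an added example, not part of the original article, that audits a saved running-config for the settings this procedure configures (hostname, domain name, "ip ssh version 2", "login local" on the vty lines) and catches the SSHv1/1.99 default discussed above. The sample configs are constructed; the "transport input ssh" check goes slightly beyond the page, since a router that accepts SSH but still allows Telnet on its vty lines has not removed the plain-text risk the article describes.

```python
# Constructed sample running-config excerpts (not taken from the page).
# HARDENED_CFG follows the article's procedure; WEAK_CFG still defaults to
# SSH 1.99 and accepts Telnet. The type-5 hash is a placeholder value.
HARDENED_CFG = """\
hostname router01
ip domain-name domain.local
username donc privilege 15 secret 5 $1$PLACEHOLDER$hash
ip ssh version 2
ip ssh rsa keypair-name router01.domain.local
line vty 0 4
 login local
 transport input ssh
"""

WEAK_CFG = """\
hostname router04
ip domain-name domain.local
line vty 0 4
 login
 transport input telnet ssh
"""


def parse_vty_blocks(cfg):
    """Return a list of sub-command lists, one per 'line vty' block."""
    blocks, current = [], None
    for raw in cfg.splitlines():
        if raw.startswith("line vty"):
            current = []
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks


def audit_ssh(cfg):
    """Map each check to True (as the article recommends) or False (needs attention)."""
    lines = cfg.splitlines()
    vty = parse_vty_blocks(cfg)
    return {
        "hostname set": any(l.startswith("hostname ") and l.split()[1] != "Router" for l in lines),
        "domain name set": any(l.startswith("ip domain-name ") for l in lines),
        "local user uses secret": any(l.startswith("username ") and " secret " in l for l in lines),
        "ssh version 2 only": "ip ssh version 2" in lines,  # otherwise the router runs 1.99
        "vty uses local login": bool(vty) and all("login local" in b for b in vty),
        "vty ssh only": bool(vty) and all("transport input ssh" in b for b in vty),
    }
```

Feed the script the output of "show running-config" saved to a file; every False entry names a step of the article that has not been applied.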
Copyright (c) 2008 R. Don Crawley