SSH (Secure Shell) works in client-server mode: your PC runs the client (usually putty.exe) and the router is the server. SSH uses strong encryption and hashing algorithms to ensure secure access. Since everything today is about security, you will enable SSH (Secure Shell) and disable Telnet: Telnet sends traffic as clear text, whereas SSH encrypts it. SSH uses public-key cryptography to authenticate users. The SSH keys are generated on the router, so before enabling SSH you need to generate an RSA key pair; this pair is the router's host key, which clients use to verify that they are talking to the right router. To be able to generate the key, the router needs a hostname, which was already configured in Task 1, and a domain name.
In this task, you will enable remote access to the router and perform the following activities:
Step 1
Connect to the NYEDGE1 router. Configure the domain name by entering the following commands (press Enter after each command):
NYEDGE1# configure terminal
NYEDGE1(config)# ip domain-name practice-labs.com
You will see the following output:
NYEDGE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE1(config)#ip domain-name practice-labs.com
NYEDGE1(config)#
Step 2
You will now generate an RSA key. To do so, enter the following commands (press Enter after each command):
NYEDGE1(config)# crypto key generate rsa
How many bits in the modulus [512]: 2048
You will see the following output:
NYEDGE1(config)#crypto key generate rsa
The name for the keys will be: NYEDGE1.practice-labs.com
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 21 seconds)
NYEDGE1(config)#
*Jan 29 11:29:03.455: %SSH-5-ENABLED: SSH 1.99 has been enabled
Notice that after you generated the key, SSH 1.99 is automatically enabled.
Step 3
You will now enable version 2 of SSH. To do so, enter the following commands (press Enter after each command):
NYEDGE1(config)# ip ssh version 2
NYEDGE1(config)# exit
You will see the following output:
NYEDGE1(config)#ip ssh version 2
NYEDGE1(config)#exit
NYEDGE1#
Step 4
You can confirm SSH is enabled by entering the following command:
NYEDGE1# show ip ssh
Press Enter.
The output will be as follows:
NYEDGE1#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZmOnT4CC8U+a+VE5703YeDDApJaGsDKE1rxpbHVsf
FE6TAZDwtwouePT9JCMLa6k/wso804W3LBcnF34Mbom8lRpNNceSTD9DgfjIwjfEizuXmTHwN/wDblRd
30cSGLb8elnBceg8VFJl0ufa3sOLtFV0lHBZ4O19sYqxcP5gxQsU8/aG0EoVUITWH0YWWEa1FtoP6f+i
cygdhBaroC63kKa9zrg/tmuWsJGg0nJgBu5XoAgmpIENWlomjKZ7x50nvY2lIOdORHxcTG0FUQQo81HF
Sg8Xo/u3+W2yAZfHqa8IPQr+wLKoYAHUOH7KA5U0wCjvcLDIAORQy5slThT7
NYEDGE1#
The above output shows some basic SSH parameters. You will see that version 2 of SSH is enabled. The Authentication timeout line means a client has 120 seconds to complete authentication before the router drops the session, and Authentication retries means you have 3 attempts before you are disconnected from the router.
Step 5
You will now set the vty lines for SSH transport. Vty stands for virtual teletype; a vty is a virtual port used for remote access to a device. These are virtual lines, and there is no hardware associated with them.
For example, when you issue the following command, you will have 5 simultaneous virtual connections (Telnet or SSH):
line vty 0 4
The maximum number of simultaneous connections you can have is 16 (line vty 0 15).
To configure Secure Shell (SSH) access on the vty lines, use the following commands (press Enter after each command):
NYEDGE1# configure terminal
NYEDGE1(config)# line vty 0 4
NYEDGE1(config-line)# transport input ssh
NYEDGE1(config-line)# login local
NYEDGE1(config-line)# exit
You will see the following output:
NYEDGE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE1(config)#line vty 0 4
NYEDGE1(config-line)#transport input ssh
NYEDGE1(config-line)#login local
NYEDGE1(config-line)#exit
NYEDGE1(config)#
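The checks behind Steps 3 to 5 (SSH negotiating only version 2, every vty line accepting only SSH, and local login in place) can be verified from device output rather than by eye. The script below is an added example, not part of the lab or of Cisco IOS: it parses constructed samples of "show ip ssh" output and of the vty section of a running-config (modelled on the output shown above, not captured from a real device) and reports which of the lab's settings are still missing. The sample texts, function names and the "weak" configuration that still allows Telnet are all assumptions made for the example.

```python
import re

# Constructed sample of "show ip ssh" BEFORE "ip ssh version 2" is applied
# (modelled on the lab output above, not captured from a real device).
WEAK_SHOW_IP_SSH = """\
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
"""

# Constructed vty section of a running-config that still permits Telnet
# on vty 0 4 and uses the line password instead of local accounts on vty 5 15.
WEAK_VTY_CONFIG = """\
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login
"""

# Constructed samples matching the state the lab reaches after Steps 3 and 5.
HARDENED_SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
"""

HARDENED_VTY_CONFIG = """\
line vty 0 4
 transport input ssh
 login local
"""


def parse_show_ip_ssh(text):
    """Pull the SSH state, version, auth timeout and retry count out of 'show ip ssh'."""
    info = {"enabled": False, "version": None, "auth_timeout": None, "auth_retries": None}
    m = re.search(r"SSH (Enabled|Disabled) - version ([\d.]+)", text)
    if m:
        info["enabled"] = m.group(1) == "Enabled"
        info["version"] = m.group(2)
    m = re.search(r"Authentication timeout: (\d+) secs; Authentication retries: (\d+)", text)
    if m:
        info["auth_timeout"] = int(m.group(1))
        info["auth_retries"] = int(m.group(2))
    return info


def parse_vty_lines(config):
    """Split 'line vty A B' blocks into dicts of {range, transport, login}."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty "):
            current = {"range": raw[len("line vty "):].strip(), "transport": None, "login": None}
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            words = raw.split()
            if words[:2] == ["transport", "input"]:
                current["transport"] = set(words[2:])
            elif words and words[0] == "login":
                current["login"] = " ".join(words)
        else:
            current = None  # any other top-level line ends the vty block
    return blocks


def audit(show_ssh_text, vty_config):
    """Return a list of findings; an empty list means the lab's SSH settings are in place."""
    findings = []
    ssh = parse_show_ip_ssh(show_ssh_text)
    if not ssh["enabled"]:
        findings.append("SSH is not enabled (was an RSA key generated?)")
    elif ssh["version"] != "2.0":
        # 1.99 means the router still accepts SSH version 1 clients.
        findings.append(f"SSH version {ssh['version']} still negotiates v1; apply 'ip ssh version 2'")
    for vty in parse_vty_lines(vty_config):
        tag = f"line vty {vty['range']}"
        if vty["transport"] != {"ssh"}:
            findings.append(f"{tag}: transport input is {sorted(vty['transport'] or [])}; set 'transport input ssh'")
        if vty["login"] != "login local":
            findings.append(f"{tag}: expected 'login local', found {vty['login']!r}")
    return findings


if __name__ == "__main__":
    for name, ssh_out, cfg in (("weak", WEAK_SHOW_IP_SSH, WEAK_VTY_CONFIG),
                               ("hardened", HARDENED_SHOW_IP_SSH, HARDENED_VTY_CONFIG)):
        print(name, audit(ssh_out, cfg) or ["OK"])
```

Run against the weak samples the audit reports three findings (SSH 1.99 still active, Telnet allowed on vty 0 4, and plain "login" on vty 5 15); against the hardened samples it reports none. Paste real "show ip ssh" and "show running-config | section line vty" output into the two variables to check a router after finishing the task.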