How to enable SSH on a Cisco Router for Security

SSH stands for SecureSHell. SSH is a secure way of connecting to a router or Switch. Telnet connections are not secure,  It sent  passwords  in plain text and the data sent via telnet can be read by a packet sniffer and decode it. We should avoid using telnet at all the times.

we can easily enable SSH on Cisco Routers or Switches, Unlike Telnet (TCP port 23), SSH (TCP port 22) sets up a secure channel before usernames, passwords, and data are sent across the connection. You have to install SSH client software in your PC to connect the Router.

The Cisco IOS can offers both an SSH server and an SSH client. So you can connect to your router’s SSH server from an SSH client, or you can connect your router’s  SSH client to another device that has an SSH server.

NOTE: This should work on any Cisco Router or Switch provided with Cisco IOS.

So Let’s start with how to configure SSH on a Cisco IOS route:

Router(config)#hostname Cisco

It is used to set username of the cisco router to Cisco, Both hostname and domain name required for generate encryption keys.

Cisco(config)#username cisco  privilege 15  password console

This sets the username to cisco and password to console

Cisco(config)#ip domain-name

Cisco(config)#crypto key genrerate rsa general –keys modulus 1024

It generates an RSA key of 1024 bits for securing session. We can set it upto 2048 bits

Cisco(config)#ip ssh time-out 60

This sets maximum idle time for SSH sessions is in seconds

Cisco(config)#ip ssh authentication-retries 3

This sets maximum failed attempts for SSH connections

Cisco(config)#line vty 0 1180

It selects all the lines available . If you leave a single line open hackers can exploit that

Cisco(config-line)#transport input ssh telnet

This last command enables Telnet and SSH both but if you want to just enable SSH on the Cisco Router type below command.

Cisco(config-line)#transport input ssh

Cisco SSH debug and show Commands:

Configuring optional SSH settings completes the process of configuring SSH on the Cisco Router. Now, let’s take a look at showing the SSH status and debug output.

  • debug ip ssh—Displays debug messages for SSH.
  • show ssh—Displays the status of SSH server connections.
    Cisco#show ssh
      Connection    Version Encryption    State              Username
       0            1.5     DES           Session started    cisco
  • show ip ssh—Displays the version and configuration data for SSH.

Cisco SSH – Version 1 Connection and no Version 2

Cisco#show ip ssh
  SSH Enabled - version 1.5
  Authentication timeout: 60 secs; Authentication retries: 2

Cisco SSH – Version 1 Connection and no Version 2

  Cisco#show ip ssh
  SSH Enabled - version 2.0
  Authentication timeout: 120 secs; Authentication retries: 3

Cisco SSH – Version 1 and Version 2 Connections

  Cisco#show ip ssh
  SSH Enabled - version 1.99
  Authentication timeout: 120 secs; Authentication retries: 3

Cisco SSH Sample Debug Output:

Cisco#debug ip ssh

Note: Some of this good debug output is wrapped to multiple lines because of spatial considerations.

00:22:20: SSH0: starting SSH control process
00:22:20: SSH0: sent protocol version id SSH-1.5-Cisco-1.25
00:22:20: SSH0: protocol version id is - SSH-1.5-1.2.26
00:22:20: SSH0: SSH_SMSG_PUBLIC_KEY msg
00:22:21: SSH0: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
00:22:21: SSH: RSA decrypt started
00:22:21: SSH: RSA decrypt finished
00:22:21: SSH: RSA decrypt started
00:22:21: SSH: RSA decrypt finished
00:22:21: SSH0: sending encryption confirmation
00:22:21: SSH0: keys exchanged and encryption on
00:22:21: SSH0: SSH_CMSG_USER message received
00:22:21: SSH0: authentication request for userid cisco
00:22:21: SSH0: SSH_SMSG_FAILURE message sent
00:22:23: SSH0: SSH_CMSG_AUTH_PASSWORD message received
00:22:23: SSH0: authentication successful for cisco
00:22:23: SSH0: requesting TTY
00:22:23: SSH0: setting TTY - requested: length 24, width 80; set:
   length 24, width 80
00:22:23: SSH0: invalid request - 0x22
00:22:23: SSH0: SSH_CMSG_EXEC_SHELL message received
00:22:23: SSH0: starting shell for vty

See this video to configure SSH on Cisco IOS:

Filed Under: Security General


About the Author:

RSSComments (2)

Leave a Reply | Trackback URL

  1. Marina says:

    You have really interesting blog, keep up posting such informative posts!

  2. Mike says:

    Nice to read, I enabled SSH for my networking devices, Now i got how to use SSH for more security on Cisco Router and switch.

Leave a Reply

If you want a picture to show with your comment, go get a Gravatar.