Lab 3-5 – Configuring Secure Shell Virtual Terminal Access (SSH)

In this lab you’ll learn how to configure Secure Shell (SSH) on a Cisco Router or Switch using the command line.

Real World Application

Telnet no longer cuts it when it comes to securing remote administration of a production network. Telnet does not encrypt its payload, so anyone on the wire can sniff the traffic and reconstruct the session; this exposes passwords and any other confidential information that traverses the network over the Telnet protocol.


This has been a known issue since the birth of Telnet and has been resolved with the introduction of Secure Shell, also known as SSH.

SSH in a nutshell is Telnet with encryption: the traffic payload is securely encapsulated to prevent sniffing. SSH can use a range of encryption algorithms, from Data Encryption Standard (DES) all the way up to AES 256-bit CBC.

Lab Prerequisites

  • If you are using GNS3, then load the Stub Area Networking GNS3 topology and start R1.
  • Establish a console session with Router 1.
  • Create a loopback interface and configure it with the IP address 10.1.1.1/24.
  • Create an arbitrary username and password in the local user database; SSH requires a local user in order for the VTY lines to establish a remote exec session.
  • The VTY line(s) should be configured to authenticate against the local database. (Note that you can use login local or an AAA authentication list to accomplish this.)

Lab Objectives

  • Change the hostname from its default (Router) to something specific to the device, e.g. R1.
  • To generate an RSA key you must have a domain name set. Set it by executing the ip domain-name domainname.net command in global configuration mode.
  • Generate an RSA general-usage key pair on the Cisco device.
  • Configure the transport input protocol on the VTY lines to accept only SSH (this disables Telnet and permits only SSH).

Lab Instruction

Ensure that you’ve configured a loopback interface with the IP address 10.1.1.1/24 as per the prerequisites.

Step 1. To generate an RSA general-usage key you first need to change the hostname to something other than the default “Router”. In this case, use R1 as shown below:

Router con0 is now available

Press RETURN to get started.

Router>enable
Password:
Router#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#

Step 2. The other requirement prior to generating an RSA key pair on the Cisco device is to set a domain name. For the purposes of this lab, the domain name is set to freeccnaworkbook.com as shown below:

R1(config)#ip domain-name freeccnaworkbook.com

Step 3. Now you’re ready to generate the RSA key pair. Execute the crypto key generate rsa modulus command followed by the modulus key size, which ranges between 360 and 2048 bits. Below, the key pair is generated with a 2048-bit modulus.

R1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: R1.freeccnaworkbook.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled

Notice that immediately after the RSA general-usage keys are generated, SSH 1.99 is enabled.

Once SSH 1.99 is enabled you can connect to the Cisco device remotely using the SSH v2 protocol supported by PuTTY, SecureCRT and other terminal emulators (excluding HyperTerminal, which does not support encrypted connections).


Step 5. Configure the transport input protocol on the VTY lines to accept only SSH by executing transport input ssh in VTY line configuration mode, as shown below:

R1(config)#line vty 0 4
R1(config-line)#transport input ssh

Step 6. Verify your SSH configuration by using the Cisco IOS SSH client to SSH to the router’s loopback interface, 10.1.1.1.

Little documentation exists for the Cisco IOS SSH client. Use the Cisco IOS context-sensitive help (?) to view the available ssh command options.

R1(config-line)#end
R1#ssh -l john 10.1.1.1

Password:

R1#show ssh
Connection Version Mode Encryption  Hmac         State             Username
0          1.99    IN   aes128-cbc  hmac-sha1    Session started   john
0          1.99    OUT  aes128-cbc  hmac-sha1    Session started   john
%No SSHv1 server connections running.
R1#
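As an added example (not part of the lab or of Cisco's own tooling), the Python script below audits a saved running-config text for the settings the steps above put in place: a non-default hostname, an ip domain-name, a local username, and VTY lines restricted to transport input ssh with login local or an AAA list. It goes one step further than the lab and also checks for ip ssh version 2, since the "SSH 1.99" banner in Step 3 means the server will still negotiate SSHv1 until that command is added. The sample config is constructed, and the username and secret are placeholders.

```python
import re

# Constructed sample running-config excerpt (not captured from a real device):
# the state R1 reaches after the lab steps, plus "ip ssh version 2".
SAMPLE_CONFIG = """\
hostname R1
ip domain-name freeccnaworkbook.com
ip ssh version 2
username john secret PLACEHOLDER
line vty 0 4
 login local
 transport input ssh
!
"""

def parse_vty_blocks(config):
    """Return [(header, [indented child commands])] for every 'line vty' block."""
    blocks, header, children = [], None, []
    for raw in config.splitlines():
        if raw.startswith(" ") and header:      # indented line belongs to the open vty block
            children.append(raw.strip())
            continue
        if header:                              # a non-indented line closes the open block
            blocks.append((header, children))
        header, children = (raw.strip(), []) if raw.startswith("line vty") else (None, [])
    if header:
        blocks.append((header, children))
    return blocks

def audit_ssh_config(config):
    """Return a list of findings; an empty list means the SSH requirements are met."""
    findings = []
    host = re.search(r"^hostname (\S+)", config, re.M)
    if not host or host.group(1) == "Router":
        findings.append("hostname is still the default 'Router'; RSA key generation needs a real hostname")
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("no ip domain-name set; required before crypto key generate rsa")
    if not re.search(r"^username \S+ .*(secret|password) ", config, re.M):
        findings.append("no local username defined for VTY login")
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("ip ssh version 2 not set; server still negotiates SSHv1 (show ssh reports 1.99)")
    for header, children in parse_vty_blocks(config):
        transport = [c for c in children if c.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            findings.append(f"{header}: transport input is not restricted to ssh; telnet still accepted")
        if not any(c == "login local" or c.startswith("login authentication ") for c in children):
            findings.append(f"{header}: login does not use the local database or an AAA list")
    return findings
```

Run it against the output of show running-config saved to a file; each finding names the missing lab setting and the VTY block it applies to.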

9 comments so far

  1. Really appreciable Work done by this team….
    May GOD bless you!!

  2. Salam Aleykum.

    Great Thanks