When it comes to device management, you want to ensure that the management traffic is secure and encrypted. Telnet is not encrypted, which is why SSH is commonly used for the administration of Cisco devices. This lab discusses and demonstrates the configuration of SSH v1.99 (v2).
Telnet no longer cuts the mustard for secure remote administration of a production network. Telnet does not encrypt its encapsulated payload, so anyone on the wire can sniff the traffic and reconstruct the session; this exposes passwords as well as any other confidential information that crosses the network over the Telnet protocol.
This has been a known issue since the birth of Telnet and was resolved with the introduction of Secure Shell, also known as SSH.
SSH, in a nutshell, is Telnet with encryption: the traffic payload is securely encapsulated to prevent unwanted sniffing. SSH can use a range of encryption algorithms, from Data Encryption Standard (DES) all the way up to AES-256 CBC.
Step 1. Before you can generate an RSA general-usage key pair you need to change the hostname from the default "Router" to something else. In this case, use R1 as shown below:
Router con0 is now available

Press RETURN to get started.

Router>enable
Password:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#
Step 2. The other prerequisite for generating RSA keys on a Cisco device is setting a domain name. For the purposes of this lab, the domain name is set to freeccnaworkbook.com as shown below:
R1(config)#ip domain-name freeccnaworkbook.com
Step 3. Now you're ready to generate the RSA key pair. Execute crypto key generate rsa general-keys modulus followed by the modulus key size, which ranges between 360 and 2048 bits. As shown below, the RSA keys are generated using a 1024-bit modulus.
R1(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R1.freeccnaworkbook.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
You'll notice that immediately after the RSA general-usage keys are generated, SSH v1.99 is enabled. Note that the larger the key size, the longer it takes to generate.
Once SSH v1.99 is enabled you can connect to the Cisco device remotely using the SSH v2 protocol in PuTTY, SecureCRT and other terminal emulators, excluding HyperTerminal, which does not support encrypted connections.
Step 5. Configure the transport input protocol on the VTY lines to accept only SSH by executing transport input ssh in VTY line configuration mode, as shown below:
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
Step 6. Verify your SSH configuration by using the Cisco IOS SSH client to SSH to the router's loopback interface, 10.1.1.1.
Minimal documentation exists for the Cisco IOS SSH client. Use the Cisco IOS context-sensitive help (?) to view the available ssh command options.
R1(config-line)#end
R1#ssh -l john 10.1.1.1
Password:
R1#show ssh
Connection Version Mode Encryption  Hmac         State                 Username
0          1.99    IN   aes128-cbc  hmac-sha1    Session started       john
0          1.99    OUT  aes128-cbc  hmac-sha1    Session started       john
%No SSHv1 server connections running.
R1#
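A defender-side check for the end state this lab produces, added here as an example and not part of the original lab or of Cisco's tooling: a small Python audit that parses an IOS-style running-config (for example the output of show running-config saved to a file) and flags VTY lines that still accept Telnet, a missing ip domain-name, and a missing ip ssh version 2 (a command the lab does not itself configure; without it the device keeps the 1.99 compatibility mode that still accepts SSHv1 clients). The configuration text below is constructed for the example; parse_vty_transports and audit_ssh_config are the example's own names.

```python
import re

# Constructed sample running-config excerpt modelled on the lab's steps.
# It is not captured from a real device; the second VTY range is left
# accepting telnet on purpose so the audit has something to flag.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name freeccnaworkbook.com
ip ssh version 2
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
"""


def parse_vty_transports(config_text):
    """Return {'vty 0 4': ['ssh'], ...} for every 'line vty' section.

    A VTY section with no explicit 'transport input' entry is recorded as
    ['<default>'] so the caller can treat the platform default as a finding
    rather than silently assuming it is safe.
    """
    result = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("line vty"):
            current = line[len("line "):].strip()
            result[current] = ["<default>"]
        elif current is not None and line.startswith(" "):
            # Indented lines belong to the current line section.
            m = re.match(r"\s+transport input\s+(.*)$", line)
            if m:
                result[current] = m.group(1).split()
        elif line and not line.startswith(" "):
            # Any other top-level command ends the VTY section.
            current = None
    return result


def audit_ssh_config(config_text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if not re.search(r"^ip domain-name\s+\S+", config_text, re.M):
        findings.append("no ip domain-name: RSA keys cannot be generated")
    if not re.search(r"^ip ssh version 2\s*$", config_text, re.M):
        findings.append("ip ssh version 2 not set: SSH 1.99 still accepts SSHv1")
    for rng, protos in parse_vty_transports(config_text).items():
        if "<default>" in protos or "telnet" in protos or "all" in protos:
            findings.append(
                f"line {rng}: transport input {' '.join(protos)} permits telnet"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a saved running-config to confirm that every VTY range, not just vty 0 4, carries transport input ssh; a device that passes Step 5 on the first five lines but leaves vty 5 15 at its default is the typical gap this catches.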