Secure Shell (SSH)

Network administrators use the Telnet protocol to connect to network devices remotely. Telnet lets a user log in to the device with whatever privileges are configured for that user. Despite its convenience, Telnet is an insecure protocol that sends all information in plain text. Secure Shell (SSH) is an application and protocol that secures network sessions to remote network devices. SSH uses a connection-oriented transport on port 22. Network administrators now use SSH instead of Telnet.

There are three main features of SSH:

  • Authentication: To determine the identity of the user
  • Confidentiality via encryption: To ensure that the information is available only to the authorized user on the network
  • Integrity: To ensure that the information sent has not been modified by an unauthorized user on the network

There are two versions of SSH, version 1 and version 2, and communication between the client and server is encrypted in both. However, Cisco IOS software implements only version 1, and using version 2 is suggested whenever possible because it uses a stronger encryption algorithm.

The first step is to configure a local user database for authentication. We will use CCNASECURITY as the username and CCNASEC as the password. To achieve this, we use the following commands:

CISCOSECURITY(config)#username CCNASECURITY password CCNASEC
CISCOSECURITY(config)#exit

Then, configure the router to allow users to access the CLI securely. Follow these steps to configure SSH on the router:

  1. Configure the hostname:
Router(config)#hostname CISCOSECURITY
  2. Configure a domain name. A domain name must be configured before RSA keys can be generated:
CISCOSECURITY(config)#ip domain-name SECURITY.com
  3. Generate the RSA key pair that SSH will use:
CISCOSECURITY(config)#crypto key generate rsa general-keys
  4. The following session shows steps 2 and 3 entered together, with the router's output from key generation:
CISCOSECURITY(config)#ip domain-name SECURITY.com
CISCOSECURITY(config)#crypto key generate rsa general-keys

The name for the keys will be: CISCOSECURITY.SECURITY.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 512
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

*Mar 1 01:13:53.619: RSA key size needs to be atleast 768 bits for ssh version 2
*Mar 1 01:13:53.631: %SSH-5-ENABLED: SSH 1.5 has been enabled
Note that the default 512-bit modulus accepted at the prompt is below the 768-bit minimum the router reports for SSH version 2, so only SSH 1.5 is enabled here; choose a larger modulus if version 2 is wanted.
  5. Enable SSH transport support on the Virtual Terminal (VTY) lines and configure them to authenticate against the local user database. The transport input ssh command also stops the VTY lines from accepting Telnet:
CISCOSECURITY(config)#line vty 0 15
CISCOSECURITY(config-line)#login local
CISCOSECURITY(config-line)#transport input ssh
CISCOSECURITY(config-line)#exit

To recap, steps 1-5 showed how to configure a hostname, add a domain name to the router, generate the encryption keys used by the SSH protocol, and disable the Telnet protocol so that the router accepts only incoming SSH sessions on the VTY lines.
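As an added example (not from the book), the following Python script audits the text of show running-config for the settings steps 1-5 put in place: a hostname, a domain name, a local username, and VTY lines that use login local and accept only SSH. The configuration text is constructed here, with one VTY block deliberately left accepting Telnet.

```python
import re

# Constructed sample `show running-config` output modelled on this section;
# the second vty block is misconfigured on purpose so the audit reports it.
SAMPLE_CONFIG = """\
hostname CISCOSECURITY
username CCNASECURITY password 0 CCNASEC
ip domain-name SECURITY.com
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
end
"""


def parse_line_blocks(config):
    """Map each `line ...` stanza to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any top-level command ends the stanza
    return blocks


def audit_ssh(config):
    """Return findings against the SSH steps in this section; [] means compliant."""
    findings = []
    if not re.search(r"^hostname \S+", config, re.M):
        findings.append("no hostname (it forms part of the RSA key name)")
    if not re.search(r"^ip domain[- ]name \S+", config, re.M):
        findings.append("no ip domain-name (required before crypto key generate rsa)")
    if not re.search(r"^username \S+ (password|secret) ", config, re.M):
        findings.append("no local username for 'login local'")
    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue  # console/aux lines are out of scope here
        transport = next((c for c in cmds if c.startswith("transport input")), "")
        if transport.split()[2:] != ["ssh"]:  # 'telnet ssh' still allows Telnet
            findings.append(f"line {name}: '{transport or 'no transport input'}' is not 'transport input ssh'")
        if "login local" not in cmds:
            findings.append(f"line {name}: missing 'login local'")
    return findings
```

Note that the RSA key itself does not appear in the running configuration, so its presence and size must still be checked on the device (for example, with show crypto key mypubkey rsa).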

Now an SSH client tool can be used to verify the SSH configuration.

The tool shows a security alert for the newly generated RSA key:

After accepting the security alert, the secure connection is established successfully.
