Enabling SSH on Cisco iOS
While telnet and SSH are both allowed types of connections to Cisco gear, there is honestly no reason why you should be using telnet in today’s world. You should be using SSH for accessing all of your network devices. In very simplistic terms [and while the technologies are different], you can almost think of it as telnet being the equivalent to HTTP and SSH being the equivalent to HTTPS.
Telnet transfers all data in clear plain text and thus your passwords or other credentials are visible to anyone watching. Using SSH, means that all of your data is encrypted between the device and your computer, so no one else can see your sensitive bits like passwords. Anything used in production should be secured, and thus SSH is the obvious preference. So lets look at how to enable SSH on our device. Once SSH is enabled we can then disable telnet.
Open a console or telnet session on your device to get started.
The first thing we need to do is make sure that the device is configured with a hostname and a domain name.
CiscoDevice# conf t
CiscoDevice(config)# hostname PWWF
PWWF(config)# ip domain-name it.playswellwithflavors.com
The next step is to allow users that are configured on the switch to login with SSH or Telnet connections.
PWWF(config)# aaa new-model
Next we generate the cryptographic keys that the device will use.
PWWF(config)# crypto key generate rsa
We then want to enable SSH version 2 on the device.
PWWF(config)# ip ssh version 2
We will next set the desired SSH authentication timeout (in seconds). This is the amount of time you have to enter the correct user credentials after connecting. The default value is 120 seconds.
PWWF(config)# ip ssh time-out 60
Then we can change the number of allowed SSH authentication retries that are allowed.
PWWF(config)# ip ssh authentication-retries 3
Next up is to configure all of the line vty (virtual terminal).
We will configure the following :
- set the input transport to SSH only
- set the login type to local logins.
- set the passwords to use strong encryption
- set a timeout for inactive sessions (in minutes)
PWWF(config)# line vty 0 15
PWWF(config-line)# transport input SSH
PWWF(config-line)# login local
PWWF(config-line)# password 5
PWWF(config-line)# exec-timeout 10
PWWF(config-line)# exit
PWWF(config)# exit
PWWF#
The final step is to save our configuration changes with the following command.
PWWF# write
Now you can close your terminal session and connect to your device over SSH.
You can verify that SSH access is enabled on your device with the following command.
PWWF# sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 60 secs; Authentication retries: 3
If you have not yet created a user credentials, or if you wish to add a new user, here is the command.
In this example, the user name is “bob” and the password is “Aloha1234”
PWWF# conf t
PWWF(config)# username bob secret Aloha1234