Let’s go through a quick and easy way to enable SSHv2 access on a Cisco router. Should be similar on a switch.
- Make sure the IOS image includes the crypto feature set, usually identified by "k9" in the image file name. Check with show version. Without it the crypto key and ip ssh commands are simply not available.
- Configure a hostname with the command hostname and a domain name with the command ip domain-name. Both are required before a keypair can be generated: the RSA keypair is named hostname.domain-name by default.
- Generate a new keypair with crypto key generate rsa modulus 2048 (if the router prompts for the modulus size instead, enter 2048). SSHv2 on IOS needs a modulus of at least 768 bits; do not accept the old 512-bit default.
- Create a local user for SSH access: username sshuser secret mysshpassword. Replace sshuser and mysshpassword accordingly. The form username sshuser password 0 mysshpassword also works, but "password 0" stores the password in cleartext in the configuration (and service password-encryption only hides it behind the reversible type 7 encoding); secret stores a salted hash instead.
- Configure SSH parameters:
- ip ssh version 2 (without this the router accepts both SSHv1 and SSHv2, which show ip ssh reports as version 1.99; SSHv1 has known protocol weaknesses and should not be offered)
- ip ssh time-out 60 (note the hyphen; this is the negotiation timeout in seconds, maximum 120)
- ip ssh authentication-retries 3
- ip ssh rsa keypair-name NAME (replace NAME with the keypair name shown by show crypto key mypubkey rsa)
- Restrict the vty lines to SSH and make them use the local user database: line vty 0 4, then login local and transport input ssh. Without login local the username created above is never consulted and SSH logins fail. Many platforms have more than five vty lines (line vty 0 15, or whatever show line lists); apply the same settings to all of them, otherwise the unconfigured lines may still accept Telnet.
- Additionally, prevent SSH access from outside a certain subnet:
- access-list 15 permit 192.168.0.0 0.0.0.255
- line vty 0 4
- access-class 15 in
Now SSHv2 should be enabled and accessible. Verify with show ip ssh, which should report "SSH Enabled - version 2.0", then test a login from a host inside the permitted subnet and confirm that a host outside it is refused. The hostname, ip domain-name, crypto key, username, ip ssh and access-list commands are entered in global configuration mode; login local, transport input and access-class are entered in line configuration mode (reached with line vty 0 4); the show commands run from privileged EXEC.
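The whole procedure as one configuration session, added here as an example and not taken from the original post. The hostname R1, the domain example.com, the key label SSH-KEY, the user sshuser and the 192.168.0.0/24 management subnet are assumed values; substitute your own.

```cisco
! Added example (not from the original post): SSHv2-only management access on a Cisco IOS router.
! Assumed values: hostname R1, domain example.com, key label SSH-KEY, user sshuser,
! management subnet 192.168.0.0/24.
configure terminal
hostname R1
ip domain-name example.com
! An explicit label means keypair-name below does not depend on hostname.domain-name.
crypto key generate rsa label SSH-KEY modulus 2048
! "secret" stores a salted hash; "password 0" would leave the cleartext in the config.
username sshuser secret mysshpassword
! Offer SSHv2 only (the default 1.99 accepts SSHv1 as well).
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh rsa keypair-name SSH-KEY
! Only the management subnet may reach the vty lines; log anything else that tries.
access-list 15 remark MGMT-SSH
access-list 15 permit 192.168.0.0 0.0.0.255
access-list 15 deny any log
! Use "line vty 0 15" (or the full range shown by "show line") on platforms with more lines.
line vty 0 4
 login local
 transport input ssh
 access-class 15 in
 exec-timeout 10 0
end
! Verification, from privileged EXEC:
show ip ssh
show crypto key mypubkey rsa
show running-config | section line vty
```

show ip ssh should report version 2.0 with the timeout and retry values above; show crypto key mypubkey rsa should list SSH-KEY with a 2048-bit modulus. The deny entry at the end of the access list is only there to make refused connection attempts visible in the log; the implicit deny would block them anyway.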
This entry was posted
on Friday, April 22nd, 2011 at 11:20 am and is filed under General.