Cisco Networking: Secure Shell (SSH) Password Configuration
Secure Shell (SSH) is a network protocol for managing your Cisco devices that is more secure than Telnet, because the management session is encrypted. Setting a secure password is a configuration requirement for this protocol.
To set up SSH access to a Cisco switch, you need a user account created on the switch. This example assumes a user named remote with the password remote. (Note: Do not use this type of password policy on your production network!)
To set up SSH access, you need to change the default vty terminal or create a new one. This example creates a new vty for SSH access using the following commands:
Switch1>enable
Password:
Switch1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#ip domain-name edtetz.net
Switch1(config)#crypto key generate rsa
The name for the keys will be: Switch1.edtetz.net
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus : 1024
% Generating 1024 bit RSA keys ...[OK]

Switch1(config)#
*Mar 17 00:59:53.971: %SSH-5-ENABLED: SSH 1.99 has been enabled
Switch1(config)#line vty 5
Switch1(config-line)#login local
Switch1(config-line)#transport input ssh
Switch1(config-line)#exit
Switch1(config)#exit
The preceding commands have completed four key tasks:
Created a pair of RSA encryption keys (the output above reports "Generating 1024 bit RSA keys") and enabled SSH access with the crypto key generate rsa command.
Created a vty terminal pool of one terminal (vty 5) to be used specifically with SSH.
Restricted the incoming transport to SSH rather than Telnet or the other supported protocols using the transport input ssh command.
Set the login option to use the local users database. This authenticates SSH users by checking their credentials against the users found in the local users database.
The crypto key command needs to be issued only once on the switch. Once the key pair is generated, it can be used by all services on the switch that require encryption.
At this point, you can use an SSH client program (such as PuTTY) to connect to the command-line interface of this switch on TCP port 22. Because Telnet is still enabled on vty ports 0 through 4, use the following commands to disable Telnet access (in fact, all remote access) through that set of vty ports.
Switch1>enable
Password:
Switch1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#line vty 0 4
Switch1(config-line)#transport input none
Switch1(config-line)#exit
Switch1(config)#exit
By disabling the default vty ports 0 through 4, you have reduced remote management of this switch to one SSH user at a time and eliminated unencrypted Telnet management traffic on the network. You can still manage the switch remotely, but only over SSH.
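As an added example that is not part of the original article: a small Python audit script that checks a saved show running-config text for the two hardening points described above (every vty range either SSH-only with login local, or closed with transport input none) and for the ip domain-name prerequisite of key generation. It assumes IOS-style output where vty sub-commands are indented by one space and treats a missing transport input line as the all default; both sample configs are constructed, not captured from a device.

```python
import re

# Constructed sample configs (not from a real device). SECURED_CONFIG mirrors the
# state the article's two sessions leave Switch1 in; LEGACY_CONFIG is a typical
# out-of-the-box vty pool that still answers Telnet.
SECURED_CONFIG = """\
hostname Switch1
ip domain-name edtetz.net
line vty 0 4
 transport input none
line vty 5
 login local
 transport input ssh
"""
LEGACY_CONFIG = """\
line vty 0 4
 password cisco
 login
"""

def parse_vty_blocks(config):
    """Map each (first, last) 'line vty' range to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            nums = [int(n) for n in re.findall(r"\d+", raw)]
            current = (nums[0], nums[-1])   # 'line vty 5' has first == last
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None                  # any top-level command ends the section
    return blocks

def audit_vty(config):
    """Return (scope, finding) tuples; empty means every vty range is SSH-only or closed."""
    findings = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append(("global", "no 'ip domain-name': RSA key generation needs it"))
    for (first, last), cmds in parse_vty_blocks(config).items():
        scope = f"vty {first} {last}" if first != last else f"vty {first}"
        # Assumption: a missing 'transport input' line means the IOS default 'all'.
        transport = next((c for c in cmds if c.startswith("transport input")), "transport input all")
        if transport == "transport input none":
            continue                         # remote access on this range is disabled
        if transport != "transport input ssh":
            findings.append((scope, f"'{transport}' still accepts cleartext Telnet"))
        if "login local" not in cmds:
            findings.append((scope, "no 'login local': not checked against the local user database"))
    return findings
```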