
Cisco Networking: Secure Shell (SSH) Password Configuration

By Edward Tetz

Secure Shell (SSH) is a network protocol for managing your Cisco devices that is more secure than Telnet, because the management session is encrypted. Setting a secure password is a configuration requirement for this protocol.

To set up SSH access to a Cisco switch, you need a user account created on the switch. This example assumes a user named remote with the password remote. (Note: Do not use this kind of password policy on your production network!)

To set up SSH access, you need to change the default vty terminals or create a new one. This example creates a new vty line for SSH access using the following commands:

Switch1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#ip domain-name
Switch1(config)#crypto key generate rsa
The name for the keys will be:
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
*Mar 17 00:59:53.971: %SSH-5-ENABLED: SSH 1.99 has been enabled
Switch1(config)#line vty 5
Switch1(config-line)#login local
Switch1(config-line)#transport input ssh

The preceding commands have completed four key tasks:

  • Created a pair of RSA encryption keys with the crypto key generate rsa command, which also enabled SSH access (the %SSH-5-ENABLED message in the output confirms this).

  • Created a vty terminal pool of one terminal (vty 5) to be used specifically with SSH.

  • Restricted the incoming transport to SSH, rather than Telnet or the other supported protocols, using the transport input ssh command.

  • Set the login option to use the local user database with login local. SSH users are authenticated by checking their credentials against the users defined locally on the switch.

The crypto key command needs to be issued only once on the switch. Once the key pair is generated, it can be used by all services that require cryptographic or encryption services.

At this point, you can use an SSH client program (such as PuTTY) to connect to the command-line interface of this switch on TCP port 22. Because Telnet is still enabled on vty ports 0 through 4, you can use the following commands to disable Telnet access, or in fact all remote access, through that set of vty ports:

Switch1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#line vty 0 4
Switch1(config-line)#transport input none

By disabling the four default vty ports, you have reduced remote management of this switch to one SSH user at a time (on vty 5) and eliminated unencrypted Telnet management traffic on the network. You can still manage the switch remotely, but only over SSH.
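As an added example (not from the article or from Cisco), here is a small Python audit that reads a running-config and checks for the end state described above: a domain name set, and every vty line either closed with transport input none or restricted to SSH with login local. The sample config is constructed, and treating a vty line with no transport input command as permitting all protocols is an assumption about the platform default.

```python
"""Audit a Cisco IOS running-config for the vty/SSH hardening described above."""
import re

# Constructed sample config (not captured from a real device):
# vty 0-4 closed with 'transport input none', vty 5 SSH-only with local login.
SAMPLE_CONFIG = """\
hostname Switch1
ip domain-name example.test
username remote secret 5 $PLACEHOLDER_HASH$
line vty 0 4
 transport input none
line vty 5
 login local
 transport input ssh
"""

def parse_vty_lines(config: str) -> dict:
    """Return {(first, last): set(sub-commands)} for each 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = (first, last)
            blocks[current] = set()
        elif raw.startswith(" ") and current is not None:
            blocks[current].add(raw.strip())   # indented line belongs to the block
        else:
            current = None                      # left the 'line vty' block
    return blocks

def audit(config: str) -> list:
    """Return findings; an empty list means the config matches the article's end state."""
    findings = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("no ip domain-name (crypto key generate rsa needs one)")
    for (first, last), cmds in parse_vty_lines(config).items():
        transports = [c for c in cmds if c.startswith("transport input")]
        # Assumption: a vty line with no 'transport input' permits all protocols.
        allowed = transports[0].split()[2:] if transports else ["all"]
        if allowed == ["none"]:
            continue                            # line closed to remote access
        if allowed != ["ssh"]:
            findings.append(f"vty {first}-{last}: transport input {' '.join(allowed)} is not ssh-only")
        if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
            findings.append(f"vty {first}-{last}: no login local or AAA login configured")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "no findings")
```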