Secure Shell (SSH) is a protocol that provides a secure remote access connection to network devices. Communication between the client and server is encrypted in both SSH version 1 and SSH version 2. Implement SSH version 2 when possible because it uses a stronger encryption algorithm.
This document discusses how to configure and debug SSH on Cisco routers or switches that run a version of Cisco IOS® Software that supports SSH. This document contains more information on specific versions and software images.
The Cisco IOS image used must be a k9 (crypto) image in order to support SSH. For example, c3750e-universalk9-tar.122-35.SE5.tar is a k9 (crypto) image.
The information in this document is based on Cisco IOS 3600 Software (C3640-IK9S-M), Release 12.2(2)T1.
SSH was introduced into these Cisco IOS platforms and images:
SSH Version 1.0 (SSH v1) server was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.0.5.S.
SSH client was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.1.3.T.
SSH terminal-line access (also known as reverse-Telnet) was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.2.2.T.
SSH Version 2.0 (SSH v2) support was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.1(19)E.
Refer to How to Configure SSH on Catalyst Switches Running CatOS for more information on SSH support in the switches.
Refer to the Software Advisor (registered customers only) for a complete list of feature sets supported in different Cisco IOS Software releases and on different platforms.
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are in a live network, make sure that you understand the potential impact of any command before you use it.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
SSH v1 vs. SSH v2
Use the Cisco Software Advisor (registered customers only) to help you find the version of code with appropriate support for either SSH v1 or SSH v2.
First test authentication without SSH to make sure that authentication works with the router Carter before you add SSH. Authentication can be with a local username and password or with an authentication, authorization, and accounting (AAA) server that runs TACACS+ or RADIUS. (Authentication through the line password is not possible with SSH.) This example shows local authentication, which lets you Telnet into the router with username "cisco" and password "cisco".
In order to test authentication with SSH, you have to add to the previous statements in order to enable SSH on Carter and test SSH from the PC and UNIX stations.
At this point, the show crypto key mypubkey rsa command must show the generated key. After you add the SSH configuration, test your ability to access the router from the PC and UNIX station. If this does not work, see the debug section of this document.
Optional Configuration Settings
If you want to prevent non-SSH connections, add the transport input ssh command under the lines to limit the router to SSH connections only. Straight (non-SSH) Telnets are refused.
Test to make sure that non-SSH users cannot Telnet to the router Carter.
There are four steps required to enable SSH support on a Cisco IOS router:
Configure the hostname command.
Configure the DNS domain.
Generate the SSH key to be used.
Enable SSH transport support for the virtual type terminals (vtys).
If you want to have one device act as an SSH client to the other, you can add SSH to a second device called Reed. These devices are then in a client-server arrangement, where Carter acts as the server and Reed acts as the client. The Cisco IOS SSH client configuration on Reed is the same as required for the SSH server configuration on Carter.
Issue this command to SSH from the Cisco IOS SSH client (Reed) to the Cisco IOS SSH server (Carter) in order to test this:
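The authentication test, the four SSH steps, the Telnet lock-out and the Reed client test described above, written out as one added example (it is not the page's own configuration listing). The domain name example.com, the 2048-bit modulus and Carter's address 192.0.2.1 are assumed lab values.

```cisco
! Stage 1 (before SSH): confirm local authentication works over Telnet.
! aaa new-model makes the local username database the authentication
! source; 'login local' under the line is the alternative.
hostname carter
aaa new-model
username cisco password 0 cisco
line vty 0 4
 transport input telnet
!
! Stage 2: the RSA key is named after hostname + domain, so both must exist
! before the key is generated.
ip domain-name example.com
!
! Generate the key pair. SSH v2 needs at least 768 bits (see the note later
! in this document); 2048 is the assumed modulus here.
crypto key generate rsa modulus 2048
! Verify from EXEC mode before continuing:
!   carter#show crypto key mypubkey rsa
!
! Accept only version 2 and bound the number of failed logins per session.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Stage 3: the vtys now accept only SSH; a plain Telnet is refused.
line vty 0 4
 transport input ssh
!
! From Reed (configured the same way), connect as an SSH v2 client:
!   reed#ssh -v 2 -l cisco 192.0.2.1
! and confirm that the old path is closed:
!   reed#telnet 192.0.2.1
```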
Complete these steps in order to configure the SSH server to perform RSA based authentication.
Specify the host name.
Define a default domain name.
Generate RSA key pairs.
Configure SSH-RSA keys for user and server authentication.
Configure the SSH username.
Specify the RSA public key of the remote peer.
Specify the SSH key type and version. (optional)
Exit the current mode and return to privileged EXEC mode.
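The eight steps above as one configuration, an added example rather than the page's own listing. The username alice, the domain and the key material are placeholders; the line under key-string is where the peer's real public key (the base64 body of its id_rsa.pub) is pasted.

```cisco
! Steps 1-3: name the device, set the domain, generate the server key pair.
hostname carter
ip domain-name example.com
crypto key generate rsa modulus 2048
!
! Step 4: enter the public-key chain used for user authentication.
ip ssh pubkey-chain
 ! Step 5: the SSH login name that will present this key.
 username alice
  ! Step 6: paste the peer's public key, split across lines as needed.
  ! PLACEHOLDER below, not a real key.
  key-string
   AAAAB3NzaC1yc2E...PLACEHOLDER-PUBLIC-KEY...
  exit
  ! Step 7 (optional, instead of key-string): store the key's MD5
  ! fingerprint directly. PLACEHOLDER fingerprint shown.
  ! key-hash ssh-rsa 00000000000000000000000000000000
 exit
! Step 8: return to privileged EXEC mode.
end
!
! Checks afterwards: IOS keeps only the fingerprint in the running config,
! so compare it against the fingerprint of the key the user actually holds.
!   carter#show running-config | section ip ssh pubkey-chain
!   carter#show ip ssh
```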
Note: Refer to Secure Shell Version 2 Support for more statistics.
If you need outbound SSH terminal-line authentication, you can configure and test SSH for outbound reverse Telnets through Carter, which acts as a comm server to Philly.
If Philly is attached to Carter's port 2, then you can configure SSH to Philly through Carter from Reed with the help of this command:
You can use this command from Solaris:
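An added example of the reverse-SSH (terminal-line) setup described above; it is not the page's own listing. Carter's address 192.0.2.1, the choice of TCP port 2002 and the assumption that Philly's console is cabled to async line 2 are all constructed for the example.

```cisco
! Carter, acting as comm server: map TCP port 2002 to rotary group 2 and
! put the async line that Philly's console hangs off (line 2, assumed)
! into that group. Only SSH is accepted on the line; no EXEC is started on
! it, so the line exists purely for the reverse connection.
ip ssh port 2002 rotary 2
line 2
 no exec
 rotary 2
 transport input ssh
 exec-timeout 0 0
 modem InOut
 stopbits 1
!
! From Reed (Cisco IOS SSH client), reach Philly's console through Carter:
!   reed#ssh -v 2 -l cisco -p 2002 192.0.2.1
!
! The same from a Solaris (OpenSSH) host:
!   $ ssh -p 2002 -l cisco 192.0.2.1
!
! Because the line carries no EXEC, authentication still happens on Carter
! (local or AAA) before the console of Philly is exposed.
```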
You need to limit SSH connectivity to a specific subnetwork, where all other SSH attempts from IPs outside the subnetwork should be dropped.
You can use these steps to accomplish this:
Define an access-list that permits the traffic from that specific subnetwork.
Restrict access to the VTY line interface with an access-class.
This is an example configuration. In this example only SSH access from the 10.10.10.0 255.255.255.0 subnet is permitted; any other source is denied access.
Note: The same procedure to lock down SSH access is also applicable on switch platforms.
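The two-step restriction above as an added example (not the page's listing), using the 10.10.10.0/24 subnet from the text. ACL number 23 and the vty range 0 15 are assumptions; adjust the range to the number of vtys the platform actually has, because any vty left without the access-class is an unfiltered way in.

```cisco
! Standard ACL: permit the management subnet and log everything else so
! rejected attempts show up in syslog (%SEC-6-IPACCESSLOGS).
access-list 23 remark SSH management access only
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 deny any log
!
! Apply the ACL inbound on every vty and keep the transport SSH-only.
line vty 0 15
 transport input ssh
 access-class 23 in
!
! Verify: the hit counter on the deny entry grows with each attempt from
! outside the subnet.
!   carter#show access-lists 23
```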
Configure SSH v1 and v2:
Note: You receive this error message when you use SSHv1:
Note: Cisco bug ID CSCsu51740 (registered customers only) is filed for this issue. The workaround is to configure SSHv2.
The banner command output varies between Telnet and the different versions of SSH connections. This table illustrates how the different banner command options work with the various types of connections.
SSH version 2 supports the login banner. The login banner is displayed if the SSH client sends the username when it initiates the SSH session with the Cisco router. For example, when the Secure Shell ssh client is used, the login banner is displayed. When the PuTTY ssh client is used, the login banner is not displayed. This is because Secure Shell sends the username by default and PuTTY does not send the username by default.
The Secure Shell client needs the username to initiate the connection to the SSH-enabled device. The Connect button is not enabled if you do not enter the host name and username. This screenshot shows that the login banner is displayed when Secure Shell connects to the router. Then the password prompt is displayed after the login banner.
The PuTTY client does not require the username to initiate the SSH connection to the router. This screenshot shows that the PuTTY client connects to the router and prompts for the username and password. It does not show the login banner.
This screenshot shows that the login banner is displayed when PuTTY is configured to send the username to the router.
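An added example of the three banner types the text compares, with the client-side setting that decides whether the login banner appears; it is not the page's own configuration. The banner texts and Carter's address 192.0.2.1 are constructed.

```cisco
! Each banner is terminated by a delimiter character; '^' is used here.
! login: shown before authentication (only when the client sent a username).
banner login ^
Authorized access only. Activity is monitored and logged.
^
! motd: shown at connection time over Telnet, after login over SSH.
banner motd ^
Maintenance window Saturday 02:00-04:00 UTC.
^
! exec: shown once an EXEC session has started, for every connection type.
banner exec ^
Logged in. All commands on this device are logged.
^
!
! Testing: a client that supplies the username with the connection request
! sees the login banner before the password prompt, e.g. from OpenSSH:
!   $ ssh -l cisco 192.0.2.1
! In PuTTY, set Connection > Data > "Auto-login username" to cisco to send
! the username up front; without it the login banner is skipped, as the
! screenshots above show.
```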
debug and show Commands
Before you issue the debug commands described and illustrated here, refer to Important Information on Debug Commands. Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
debug ip ssh: Displays debug messages for SSH.
show ssh: Displays the status of SSH server connections.
show ip ssh: Displays the version and configuration data for SSH.
Version 1 Connection and no Version 2
Version 2 Connection and no Version 1
Version 1 and Version 2 Connections
Sample Debug Output
Note: Some of this debug output is wrapped to multiple lines because of space considerations.
Note: This output was captured on a Solaris device.
What Can Go Wrong
These sections have sample debug output from several incorrect configurations.
If you receive this error message, it can be caused by any change in the domain name or host name. In order to resolve this, try these workarounds.
Zeroize the RSA keys and regenerate the keys.
If the previous workaround does not work, try these steps:
Zeroize all RSA keys.
Create new labeled keys for SSH.
Cisco bug ID CSCsa83601 (registered customers only) has been filed to address this behavior.
If your SSH configuration commands are rejected as illegal commands, you have not successfully generated an RSA key pair for your router. Make sure you have specified a host name and domain. Then use the crypto key generate rsa command to generate an RSA key pair and enable the SSH server.
When you configure the RSA key pair, you might encounter these error messages:
You must configure a host name for the router using the hostname global configuration command.
You must configure a host domain for the router using the ip domain-name global configuration command.
The number of allowable SSH connections is limited to the maximum number of vtys configured for the router. Each SSH connection uses a vty resource.
SSH uses either local security or the security protocol that is configured through AAA on your router for user authentication. When you configure AAA, you must ensure that the console is not running under AAA by applying a keyword in the global configuration mode to disable AAA on the console.
No SSH server connections running.
This output suggests that the SSH server is disabled or not enabled properly. If you have already configured SSH, it is recommended that you reconfigure the SSH server in the device. Complete these steps in order to reconfigure the SSH server on the device.
Delete the RSA key pair. After the RSA key pair is deleted, the SSH server is automatically disabled.
Note: It is important to generate a key pair with at least 768 bits as the key size when you enable SSH v2.
Caution: This command cannot be undone after you save your configuration, and after RSA keys have been deleted, you cannot use certificates or the CA or participate in certificate exchanges with other IP Security (IPSec) peers unless you reconfigure CA interoperability by regenerating RSA keys, getting the CA's certificate, and requesting your own certificate again. Refer to crypto key zeroize rsa - Cisco IOS Security Command Reference, Release 12.3 for more information on this command.
Reconfigure the hostname and domain name of the device.
Generate an RSA key pair for your router, which automatically enables SSH.
Refer to crypto key generate rsa - Cisco IOS Security Command Reference, Release 12.3 for more information on the use of this command.
Note: You can receive the SSH2 0: Unexpected mesg type received error message because of a packet received that is not understandable by the router. Increase the key length when you generate RSA keys for SSH in order to resolve this issue.
Configure the SSH server. In order to enable and configure a Cisco router/switch as an SSH server, you can configure SSH parameters. If you do not configure SSH parameters, the default values are used.
Refer to ip ssh - Cisco IOS Security Command Reference, Release 12.3 for more information on the use of this command.
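The four-step reconfiguration above, combined with the labeled-key workaround from the What Can Go Wrong section, as one added example; it is not the page's own listing. The key label SSH-KEY, the domain example.com and the 2048-bit modulus are assumptions, and the ip ssh rsa keypair-name command is only available on releases that support named key pairs for SSH.

```cisco
! 1. Remove every RSA key pair. IOS asks for confirmation; this also
!    disables the SSH server and invalidates any CA enrollment that used
!    these keys (see the caution above).
crypto key zeroize rsa
!
! 2. Host name and domain must be present again before a key is generated,
!    because the default key is named from them.
hostname carter
ip domain-name example.com
!
! 3. Generate a labeled key pair and bind SSH to it explicitly. A key that
!    is selected by label cannot be orphaned by a later hostname or domain
!    change, which is the failure the labeled-key workaround addresses.
!    2048 bits assumed; SSH v2 requires at least 768.
crypto key generate rsa label SSH-KEY modulus 2048
ip ssh rsa keypair-name SSH-KEY
!
! 4. Server parameters. Anything not set keeps its default.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Verify that the server is enabled and which key pair it uses, then that
! sessions are accepted:
!   carter#show ip ssh
!   carter#show ssh
```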