Skip to main content

Enabling & Configuring SSH on Cisco Routers. Restrict SSH for Management & Enable AAA Authentication for SSH Sessions

cisco-routers-ssh-support-configuration-rsa-key-generation-01This article shows how to configure and setup SSH for remote management of Cisco IOS Routers. We’ll show you how to check if SSH is supported by your IOS version, how to enable it, generate an RSA key for your router and finally configure SSH as the preferred management protocol under the VTY interfaces.

Secure Shell (SSH) provides a secure and reliable mean of connecting to remote devices. It’s an encrypted network protocol that allows users to safely access equipment via command line interface sessions. SSH makes use of TCP port 22 which’s assigned to secure logins, file transfer and port forwarding.

SSH uses public key for authenticating the remote device and encrypt all data between that device and the workstation which makes it the best choice for public networks, unlike (telnet) which transmits data in plain text which subjects it to security threats, this makes (telnet) recommended for private networks only to keep the data uncompromised.

Verifying SSH Support On A Cisco Router

The first step involves examining whether your Cisco router’s IOS supports SSH or not. Most modern Cisco routers support SSH, so this shouldn’t be a problem.

Products with (K9) in the image name e.g c2900-universalk9-mz.SPA.154-3.M2.bin, support strong encryption with 3DES/AES while (K8) IOS bundles support weak encryption with the outdated DES.

To check, simply enter privilege mode and use the show ip ssh command:

R1# show ip ssh
SSH Disabled - version 1.99
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): NONE

In the above output, the system is showing SSH support, but it’s currently disabled as no RSA key has been generated.  It is also worth noting that a key of at least 768 bits must be generated to enable SSHv2.

Securing Router Access

It’s always a good idea to first restrict access to the Cisco router before enabling SSH. This is very important especially when the device has an interface facing public networks e.g Internet, Public Hotspot.

We first create user credentials for the device and then enable Athentication, Authorization & Accounting Services (AAA).  Finally, ensure a secret password is set to protect access to privilege mode, along with the service password-encryption command to ensure all clear-text passwords are encrypted:

Router (config)# username admin privilege 15 secret Firewall.cx
Router (config)# aaa new-model
Router (config)# aaa authentication login default local
Router (config)# enable secret $FirewAll.cx!
Router (config)# service password-encryption

Next, it is highly recommended to restrict remote access via the SSH protocol only. This will ensure that insecure services such as Telnet cannot be used to access the router. Telnet sends all information unencrypted, including username/password, and is therefore considered a security risk.

We’ll use the transport input ssh command under the VTY section to restrict remote access using SSH only. Note that we can also use Access-lists to restrict SSH connections to our router:

R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login authentication default
R1(config-line)# password $Cisco!

Note: the password command used under line vty 0 4 section is completely optional and not used in our case because of the login authentication default command which forces the router to use the AAA mechanism for all user authentication.

Generating The Router’s RSA Key – Digital Certificate

Digital keys serve the purpose to help further secure communications between devices. Our next step involves generating an RSA key pair that will be used by SSH to help encrypt the communication channel.

Before generating our RSA key, it is necessary to define our router’s domain using the ip domain-name command, followed by the crypto key generate command:

R1 (config)#  ip domain-name firewall.cx
R1(config)# crypto key generate rsa
The name for the keys will be: R1.firewall.cx
Choose the size of the key modulus in the range of 360 to 4096 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 4096
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 183 seconds)

When generating our key pairs, the router notifies us with the name used for the keys, which consists of the router’s hostname (R1) + Configured Domain Name (firewall.cx).  Finally, we can select the amount of bits used for the modulus (key).

Since we selected to generate a key using 4096 bits, the router took a bit over 3 minutes to generate the key! Note that router used in our example was a Cisco 877.

With SSH enabled we are able to ssh into our router and manage it securely from any location around the globe.

To view any active SSH session, simply use the show ssh command:

R1# show ssh
Connection   Version    Mode   Encryption      Hmac       State             Username
0             2.0        IN    aes256-cbc      hmac-sha1  Session started   admin
0             2.0        OUT   aes256-cbc      hmac-sha1  Session started   admin
%No SSHv1 server connections running.
R1#

This article explained the importance of enabling and using SSH to remotely manage and configure your Cisco router. We saw how to create users for remote management, enable AAA, encrypt clear-text passwords, enable SSHv2, generate RSA keys and verify SSH sessions to our router.