If you’re new to the world of networking, you may be wondering how to configure SSH on a Cisco device instead of using the local console cable to configure your device. For security reasons, we’re going to enable SSH version 2 instead of version 1 or the more vulnerable telnet protocol.
For those that are unfamiliar, SSH (Secure Shell) is a secure network protocol required for secure remote access connections with authentication and encryption.
In this article, I’ll be using my Cisco 3560CG 8 port switch using Cisco IOS 15.0(2), however, these steps are largely unchanged on newer Cisco IOS versions.
Configure SSH on a Cisco Device
Since we’ll be using an RSA keypair for encryption, we need to set the hostname and domain of the router. Use these commands to accomplish this:
Hostname:
Switch(config)#hostname lab-switch
Domain name:
lab-switch(config)#ip domain-name lab.local
Afterward, you need to generate the RSA keypair. Best practice dictates that you use a minimum 2048 bit key for SSH v2. After you run the below command, you must specify how many bits you would like to use for the algorithm. If you would like to read more on Cisco cryptography, feel free to read Cisco’s Next Generation Cryptography article.
lab-switch(config)#crypto key generate rsa
The name for the keys will be: lab-switch.lab.local
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable…
[OK]
Depending on the bit size, the above command may take a few moments to complete. You should see a message similar to the below:
lab-switch#%SSH-5-ENABLED: SSH 1.99 has been enabled
In order to create a more secure environment, we need to enable SSH version 2 using the following:
lab-switch(config)#ip ssh version 2
Finally, we need to tell the VTY (virtual terminal) lines to only accept SSH connections and to use local authentication. As an extra step, I set a user privilege level of 15 and a execution timeout of 30 seconds:
lab-switch(config)#line vty 0 4
lab-switch(config-line)#exec-timeout 30 0
lab-switch(config-line)#privilege level 15
lab-switch(config-line)#transport input ssh
lab-switch(config-line)#login local
Additionally, if you haven’t already created a local user you’ll need to do so before you can sign in (make sure you back out of the line configuration):
lab-switch(config)#username admin privilege 15 password user_pass
At this point, your device will be ready for remote connectivity. If you configured everything correctly, you can go ahead and connect to it via SSH!
