Telnet is a protocol that does not use encryption: everything that passes through it travels in plain text. For security reasons the SSH (Secure Shell) protocol is recommended instead, since it provides an encrypted remote-access connection to network devices.
Communication between the client and the server is encrypted in both version 1 and version 2 of SSH; version 2 is recommended whenever the equipment supports it, since it uses more robust encryption.
The following steps configure SSH access on a Cisco IOS router.
1.- Configure the user that will connect to the device with SSH
R1(config)# username <user> privilege 15 password <password>
Where:
<user> is the name assigned to the user for remote SSH connections.
<password> is the password that user will log in with.
2.- Configure the domain name
R1(config)#ip domain-name <DomainName>
Where:
<DomainName> is the domain name used for SSH connections, for example cisco.com or jmcristobal.com. The RSA key pair generated in the next step is named after the hostname and this domain.
3.- Generate the RSA key pair to use with SSH
R1(config)#crypto key generate rsa
...
...
...
How many bits in the modulus [512]: <BitsKeyRSA>
Where:
crypto key generate rsa generates a key pair with the RSA public-key algorithm.
<BitsKeyRSA> is the length in bits of the RSA key; the value can be from 360 to 2048 bits.
4.- Configure SSH version 1 or 2
R1(config)#ip ssh version <1 or 2>
5.- Other SSH settings
R1(config)#ip ssh authentication-retries <Number_Attempts>
R1(config)#ip ssh time-out <Seconds>
Where:
<Number_Attempts> is the number of failed login attempts (retries) the user is allowed; when this value is reached the login is terminated.
<Seconds> is the timeout in seconds for which the device keeps the SSH login active; when this value is reached the connection is terminated.
6.- Configure VTY lines
R1(config)#line vty <VTY range>
R1(config-line)#transport input ssh
R1(config-line)#login local
Where:
<VTY range> is the range of VTY lines to be configured.
‘transport input ssh’ indicates that VTY sessions will be accepted only over the SSH protocol; the other values this line accepts are telnet or all.
Example:
R1(config)#username admin privilege 15 password jmcristobal
R1(config)#ip domain-name jmcristobal.com
R1(config)#crypto key generate rsa //Generate the key with the RSA algorithm
The name for the keys will be: R1.jmcristobal.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024 //Length in bits of the key, can be up to 2048, 1024 recommended.
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]
R1(config)#ip ssh version 2
R1(config)#ip ssh authentication-retries 2 // Number of failed login retries; with 2 you get three chances to log in, and when this value is reached the connection is terminated
R1(config)#ip ssh time-out 30 //Login timeout in seconds
R1(config)#line vty 0 15
R1(config-line)#transport input ssh //Only SSH is accepted on these VTY lines
R1(config-line)#login local
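As an added check (example code written for this page, not part of the original post or of any Cisco tool), the following Python script audits a saved running-config for the settings configured above: SSH version 2, a domain name, a bounded retry count, and every VTY block restricted to SSH with login local. The sample configuration is constructed and deliberately leaves one VTY range still accepting telnet; the script also flags `username ... password`, because IOS stores that form reversibly whereas `secret` stores a hash.

```python
import re
# Constructed sample of the running-config produced by the steps above (not a real device).
SAMPLE_CONFIG = """\
hostname R1
username admin privilege 15 password 0 jmcristobal
ip domain-name jmcristobal.com
ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 30
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login local
"""

def parse_vty_blocks(config):
    """Return {'vty 0 4': [indented sub-commands], ...} for each 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any unindented line ends the vty block
    return blocks

def audit_ssh_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 is not set (SSHv1 may be negotiated)")
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("no ip domain-name; RSA key generation needs it")
    for m in re.finditer(r"^username (\S+) .*\bpassword\b", config, re.M):
        findings.append(f"user {m.group(1)} uses 'password' (reversible); prefer 'secret'")
    retries = re.search(r"^ip ssh authentication-retries (\d+)", config, re.M)
    if retries is None or int(retries.group(1)) > 3:
        findings.append("authentication-retries missing or above 3")
    for rng, lines in parse_vty_blocks(config).items():
        transport = [l for l in lines if l.startswith("transport input")]
        if not transport or transport[0] != "transport input ssh":
            findings.append(f"{rng}: transport input is not restricted to ssh")
        if "login local" not in lines:
            findings.append(f"{rng}: login local missing, local users are not enforced")
    return findings
```

Run `audit_ssh_config(open("running-config.txt").read())` against a config pulled from the device; on the constructed sample it reports the reversible password and the vty 5 15 range that still accepts telnet.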
Finally, we can connect to the device with an SSH client such as PuTTY, or from another Cisco device with the following command:
ssh -l <user> -v <version-number> <IP_address>
Where:
<user> corresponds to the configured username.
<version-number> is the SSH protocol version number.
<IP_address> is the IP address of the device we are connecting to.
Accessing from a device running Cisco IOS:
R1# ssh -l admin -v 2 10.1.1.134