Using SSH for Secure Access
Problem
You want to use SSH for secure encrypted remote access to your router.
Solution
You can configure your router to run an SSH Version 1 server for VTY access:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#hostname Router1
Router1(config)#ip domain-name oreilly.com
Router1(config)#crypto key generate rsa
The name for the keys will be: Router1.oreilly.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
Router1(config)#
Jun 27 15:04:15: %SSH-5-ENABLED: SSH 1.5 has been enabled
Router1(config)#ip ssh time-out 120
Router1(config)#ip ssh authentication-retries 4
Router1(config)#end
Router1#
SSH became available in Cisco's IOS, starting with release 12.1(1)T. However, only versions of IOS that support IPSec (DES or 3DES) encryption include SSH support. Note that there are severe restrictions on exporting any software that includes 3DES outside of the United States and Canada.
Beginning with IOS Version 12.3(4)T, Cisco introduced support for SSH Version 2. The configuration is identical. However, only IOS versions that support 3DES encryption will support SSH Version 2. Also, the RSA key-pair size must be greater than or equal to 768.
Discussion
SSH provides a secure method of communication between network entities by the means of transparent encryption. It is a protocol that encrypts all traffic, including passwords, between a client and a server. This makes it an excellent replacement for Telnet and Rlogin protocols.
The main reason to consider replacing Telnet with SSH is security. The entire Telnet session, including passwords, is transmitted in clear-text. If anybody has a protocol analyzer in between the Telnet client and server, they can easily discover the username and password, as well as see all of the data sent by both ends of the conversation. SSH, on the other hand, uses strong encryption algorithms to ensure the entire session is unintelligible to anybody except for the intended party. This allows for secure communication, even through a public network such as the Internet.
The transparent encryption scheme used by SSH ensures that, except for initial configuration, SSH behaves much the same way as Telnet does. The SSH protocol hides the security functionality from the end user, leaving a session that operates like a native Telnet session would. The actual encryption algorithm used in a given SSH session is negotiated between the client and host devices, with the best available technique selected.
Configuring SSH Version 1 requires the following steps:
- Ensure that your router is running IOS Version 12.1(1)T or higher.
- Ensure that your IOS version contains the IPSec feature set (DES or 3DES). 3DES is preferred.
- Configure an authentication method that supports usernames and passwords, such as local authentication or AAA. SSH does not support the default VTY password-encryption method because it needs usernames as well as passwords. See Recipe 3.1 for information on local authentication and Chapter 4 for more information on AAA.
- Set the router's hostname to something other than the default "Router".
- Configure the ip domain-name on your router to match the organization's domain name.
- Generate the SSH host keys using the crypto key generate rsa configuration command. The router can accept a key length between 360 and 2048 bits. Larger keys provide greater security, but affect performance. We don't recommend using a key that is shorter than 1024 bits. Creating keys requires a large number of CPU cycles, usually a few minutes of high CPU utilization (depending on the router type and the key length). Once created, keys are stored in NVRAM and are inaccessible. You can delete a set of keys with the crypto key zeroize rsa configuration command.
Generating a set of SSH keys automatically enables the SSH protocol. As soon as you have created the keys, the router is able to start accepting SSH sessions. The first time you attempt to access an SSH-enabled device, your SSH client software will prompt you to store the device host key. This prevents other devices from masquerading as the legitimate device on later connections. As a general rule, you do not need to generate keys on the client device to use SSH:
Freebsd% ssh -l ijbrown Router1
The authenticity of host 'Router1 (172.25.1.5)' can't be established.
RSA1 key fingerprint is 7a:97:99:2a:ef:08:40:fb:c3:dd:c4:8c:29:fc:2f:4d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'Router1' (RSA1) to the list of known hosts.
ijbrown@Router's password: xxxxxxxxxx
Router1>exit
Connection to Router1 closed.
SSH will pass the current username to the SSH server, which in turn will prompt for the password of the current user. However, with the Unix version of SSH, you can override this behavior by specifying the -l option, followed by an alternate username. In the example above, we explicitly specified a particular username (ijbrown). The default behavior looks like this:
Freebsd% ssh Router1
ijbrown@Router1's password: xxxxxxxxx
Router1>
No username was defined, yet the router prompted for the password for the username ijbrown, the current Unix username.
If you decide to use SSH as your transport protocol for administrative access to your routers, we recommend that you disable all other forms of VTY access using the transport input configuration command. Running nonsecure protocols defeats the purpose of implementing SSH in the first place. For more information on disabling transport protocols on virtual terminals, see Recipe 3.10. The following example illustrates how to disable all inbound protocols except SSH:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#line vty 0 4
Router1(config-line)#transport input ssh
Router1(config-line)#exit
Router1(config)#end
Router1#
Starting with Version 12.1(3)T, Cisco's IOS began to support SSH client functionality as well. SSH clients allow you to access other SSH servers, including SSH-enabled routers. In the following example we initiate an SSH session from our router to an SSH-enabled Unix server:
Router1#ssh -l ijbrown server
Trying server.oreilly.com (172.25.1.3)... Open
Password: xxxxxxxxxxx
FreeBSD 4.6-STABLE (IJB)
Welcome to FreeBSD!
You have new mail.
Freebsd%
Many SSH clients and servers are readily available for most popular operating systems. There are also several free SSH packages available on the Internet, including OpenSSH and PuTTY (see Appendix A for more details).
The show ssh EXEC command displays the active SSH sessions and their attributes, such as VTY number, SSH version, encryption type, session state, and username:
Router1#show ssh
Connection Version Encryption State Username
0 1.5 3DES Session started ijbrown
3 1.5 3DES Session started morewood
The command show ip ssh displays the SSH server configuration status, including the SSH version, authentication timeout, and number of retries:
Router1#show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 4
Router1#
Configuring SSH Version 2 requires the following steps:
- Ensure that your router is running IOS Version 12.3(4)T or higher.
- Ensure that your IOS version contains support for 3DES.
- Configure an authentication method that supports usernames and passwords, such as local authentication or AAA. SSH does not support the default VTY password-encryption method because it needs usernames as well as passwords. See Recipe 3.1 for information on local authentication and Chapter 4 for more information on AAA.
- Set the router's hostname to something other than the default "Router".
- Configure the ip domain-name on your router to match the organization's domain name.
- Generate the SSH host keys using the crypto key generate rsa configuration command. The router can accept a key length between 360 and 2048 bits; however, SSH Version 2 requires a key pair of at least 768 bits. Larger keys provide greater security, but affect performance. We don't recommend using a key that is shorter than 1024 bits. Creating keys requires a large number of CPU cycles, usually a few minutes of high CPU utilization (depending on the router type and the key length). Once created, keys are stored in NVRAM and are inaccessible. You can delete a set of keys with the crypto key zeroize rsa configuration command.
By default, the router will run in compatibility mode, meaning it will enable both versions of SSH. Since SSH Version 2 has significant security advantages over SSH Version 1 we highly suggest you disable SSH Version 1 whenever possible. To enable only SSH Version 2, use the ip ssh version command:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip ssh version 2
Router1(config)#end
Router1#
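The following is an added example, not part of the original recipe: a small Python audit that checks a saved running-config against the checklist items above (both the Version 1 and Version 2 lists), flagging a default hostname, a missing ip domain-name, the absence of ip ssh version 2 (i.e. compatibility mode), VTY lines whose transport input still allows anything other than SSH, and VTY lines without username-based login. The function name and the sample configuration text are assumptions constructed for the example.

```python
# Constructed sample running-config excerpt (not taken from the recipe's router):
# Version 2 is not pinned and Telnet is still permitted on the VTY lines.
SAMPLE_CONFIG = """\
hostname Router1
ip domain-name oreilly.com
ip ssh time-out 120
ip ssh authentication-retries 4
line con 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
"""

def vty_blocks(lines):
    """Yield (header, [body lines]) for every 'line vty ...' block in the config."""
    header, body = None, []
    for line in lines + [""]:  # empty sentinel flushes the final block
        if line.startswith(" ") and header:
            body.append(line.strip())
        else:
            if header:
                yield header, body
            header, body = (line, []) if line.startswith("line vty") else (None, [])

def audit_ssh_config(config):
    """Return a list of findings; an empty list means the recipe's checks all pass."""
    lines = config.splitlines()
    findings = []
    host = [l.split(None, 1)[1] for l in lines if l.startswith("hostname ")]
    if not host or host[0] == "Router":
        findings.append("hostname unset or default 'Router'; needed to name the RSA host key")
    if not any(l.startswith("ip domain-name ") for l in lines):
        findings.append("ip domain-name missing; crypto key generate rsa needs it")
    if "ip ssh version 2" not in lines:
        findings.append("ip ssh version 2 not set; SSHv1 still accepted (compatibility mode)")
    for header, body in vty_blocks(lines):
        tr = [b for b in body if b.startswith("transport input")]
        protos = set(tr[-1].split()[2:]) if tr else set()  # last statement wins
        if protos != {"ssh"}:
            findings.append(f"{header}: transport input is {sorted(protos) or 'unset'}, want 'ssh' only")
        if not any(b.startswith(("login local", "login authentication")) for b in body):
            findings.append(f"{header}: no username-based login (login local or AAA) for SSH")
    return findings

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show running-config saved to a file; the two findings on the sample disappear once ip ssh version 2 and transport input ssh are applied as shown in the recipe.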