VTY Access Using SSH
Telnet is the most common protocol used to access a router for administrative purposes, yet it is important to understand that it is also the most insecure. All communication in a Telnet session is in clear text, and there are many well-known attacks that capture
Telnet sessions and view and/or steal the session contents, including the login credentials. A more reliable and secure method for device administration is to use the Secure Shell (SSH) protocol.
SSH provides strong authentication and encryption using strong cryptographic algorithms. SSH uses TCP port 22. Two versions of SSH are available: SSH protocol Version 1 and Version 2. SSH Version 1 is an improvement over using clear-text Telnet.
However, some fundamental flaws exist in the SSHv1 protocol. SSH Version 2 is a rework of the protocol and a stronger version of SSH; where the IOS image supports it, the router should be restricted to Version 2 with the ip ssh version 2 command.
SSH coupled with the AAA authentication mechanism using TACACS+ or RADIUS provides the best solution for a secure, scalable
access mechanism. Example 3-4 shows how to configure SSH for vty lines. (AAA configuration examples are available elsewhere in this book.)
Example 3-4. Configuring VTY Access Using SSH and an Access List
Router(config)# hostname R1
R1(config)# username cisco password cisco
R1(config)# ip domain-name syd.cisco.com
R1(config)# crypto key generate rsa
R1(config)# access-list 10 permit 10.1.1.1
R1(config)# access-list 10 permit 10.1.1.2
R1(config)# access-list 10 permit 192.168.1.1
R1(config)# access-list 10 deny any log
R1(config)# line vty 0 4
R1(config-line)# access-class 10 in
R1(config-line)# exec-timeout 10 0
R1(config-line)# transport input ssh
R1(config-line)# password
R1(config-line)# login
R1(config-line)# end
R1#
The transport input ssh command stipulates that only the SSH protocol may be used for interactive logins to the router. Any
session using the Telnet protocol will be refused. The hostname and ip domain-name commands must be set before crypto key generate rsa, because the RSA key pair is named after the router's fully qualified domain name, and the SSH server does not start until that key pair exists. Two points in the example deserve attention in production: username ... password stores the password reversibly in the configuration, so username ... secret should be used instead, and the vty lines use login with a line password, whereas tying SSH logins to the local username database requires login local (or login authentication when AAA is configured). The access-class 10 in statement limits which source addresses may even open a session, and the trailing deny any log entry records every rejected attempt.
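The following configuration is an added example, not part of the original book's Example 3-4, showing the same vty restriction with the hardening noted above applied: a 2048-bit key, SSH restricted to Version 2, a hashed local credential, login local, and SSH session limits. The hostname, domain, username admin, the placeholder password and the three management addresses are assumptions carried over from the example; replace them with your own values.

```ios
! Added example: hardened variant of Example 3-4 (names and addresses are assumed)
Router(config)# hostname R1
R1(config)# ip domain-name syd.cisco.com
! Generate a named 2048-bit key pair; the modulus argument avoids the interactive prompt
R1(config)# crypto key generate rsa modulus 2048
! Refuse SSHv1 clients entirely and bound login attempts
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 3
! Local administrator stored as a hash (secret), not a reversible password
R1(config)# username admin privilege 15 secret <strong-password>
! Only these management hosts may open a vty session; everything else is logged
R1(config)# access-list 10 permit 10.1.1.1
R1(config)# access-list 10 permit 10.1.1.2
R1(config)# access-list 10 permit 192.168.1.1
R1(config)# access-list 10 deny any log
R1(config)# line vty 0 4
R1(config-line)# access-class 10 in
R1(config-line)# exec-timeout 10 0
R1(config-line)# transport input ssh
! Authenticate against the local username database instead of a shared line password
R1(config-line)# login local
R1(config-line)# end
! Verify that the SSH server is enabled, pinned to version 2, and has the expected key
R1# show ip ssh
R1# show ssh
```

Apply the change from a console or an existing session and open a new SSH session to confirm the login works before closing the old one; if transport input ssh is applied while the only working access path is Telnet, a mistake in the key or login configuration locks you out of remote management. The show ip ssh output should report SSH Enabled with version 2.0 and the authentication retry and time-out values set above.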
Note
SSH requires a crypto-capable IOS image (the feature sets whose image name carries the k9 designation). Without it the crypto key generate rsa and ip ssh commands are not available.