Cisco configure SSH
Prerequisites
The Cisco IOS image used must be a k9(crypto) image in order to support SSH.
Configure ssh server using aaa new-model
Color code explained:
- black - basic configuration
- green - enhanced config
- blue - comments
!--- The aaa new-model command causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
!--- Instead of aaa new-model, you can use the login local command.
!--- Assign a domain name to the router/switch; it is used to name the SSH key pair, also called the 'keypair-name' or 'label'.
ip domain-name rtp.cisco.com
ip ssh version 2
!--- Starting (or only) port number to listen on
ip ssh port 22
!--- Specify the interface whose address is used as the source of SSH connections from the router to another device
ip ssh source-interface Loopback0
!--- Generate a server authentication key, 1024 bits long; the domain name is used as the key-pair label
crypto key generate rsa modulus 1024
!--- Generate an SSH key with an explicit label, to distinguish it from other key pairs
crypto key generate rsa general-keys label key-pair-label modulus 1024
!--- Choose which key pair the SSH server uses for server authentication
ip ssh rsa keypair-name key-pair-label
ip ssh time-out 120
ip ssh authentication-retries 2
ip ssh logging events
line vty 0 4
!--- Prevent non-SSH Telnets.
 transport input ssh
- Verify
# show ip ssh    !version and configuration data
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDzA0tV5uStSgpEcDCCFIdaIlG7/VRhe7lwmpD3nATp
SRTM94dJkXScrSXoT4dlqBHY+r7H+g25y5Rq7Dqv8AewNR0DKrGaYkIlO3A0O4s6wyK4KM71tdKia+Rc
darPOEZKcJiFotegARWiWKS87UX0qD5XFYqGPNQZZWhIefp+aw==
# show ssh    !shows current ssh connections
Connection Version Mode Encryption  Hmac       State            Username
0          2.0     IN   aes256-cbc  hmac-sha1  Session started  admin
0          2.0     OUT  aes256-cbc  hmac-sha1  Session started  admin
%No SSHv1 server connections running.
Configure ssh server to perform RSA-Based user authentication
This feature is only supported in IOS 15.0(1)M and later versions.
- Add public-key for user authentication
Paste the public key that PuTTYgen shows for your private-key *.PPK file, broken into lines of 65 characters.
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip ssh pubkey-chain
R2(conf-ssh-pubkey)#username admin
R2(conf-ssh-pubkey-user)#key-string
R2(conf-ssh-pubkey-data)#$AAQEA6jYlf9MBskhkWov+ZOUDKun0ExQIRj1zfWA/YciO02VS
R2(conf-ssh-pubkey-data)#$Xsx123456789012345678901234567uS6A8/mF0A3P/ScRjct
R2(conf-ssh-pubkey-data)#$JrN1234567890123456789012345676xVXF4sP4OCSXIn+Cp8
R2(conf-ssh-pubkey-data)#$bCnZLmv908AeDb1Ac4nPdsn1OhCPIg6fxZjB7DvAMB8Dbr+7Y
R2(conf-ssh-pubkey-data)#$apEbGE94luIqnBc61HsMd6JCWbQ== key@comment.us
R2(conf-ssh-pubkey-data)#exit
R2(conf-ssh-pubkey-user)#exit
- Copy & paste version
conf terminal
ip ssh pubkey-chain
username $username
key-string
%Censored - Public lines from putty gen %
%Censored - Public lines from putty gen %
%Censored - Public lines from putty gen %
%Censored - Public lines from putty gen %
%Censored - Public lines from putty gen %
%Censored - Public lines from putty gen ==%
exit
exit
exit
end
- Verify
R2#show run | section ssh
ip ssh rsa keypair-name SSH
ip ssh version 2
ip ssh pubkey-chain
  username admin
   key-hash ssh-rsa C20B739F2641234567891C6A11000111 key@comment.us
- Remove user's public key
R2(config)#ip ssh pubkey-chain
R2(conf-ssh-pubkey)#no username tech
R2(conf-ssh-pubkey)#end
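An added helper (not part of the original page) that turns an OpenSSH-format "ssh-rsa ... comment" line into the ip ssh pubkey-chain stanza shown above, wrapping the base64 into key-string lines, and computes the value to compare against the key-hash that show run prints. It assumes that IOS key-hash is the MD5 of the decoded key blob in upper-case hex, and the sample key is a constructed, non-usable one so the script runs offline.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    # Positive mpint: minimal big-endian bytes, plus a leading zero if the high bit is set.
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + b if b[0] & 0x80 else b)

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def pubkey_fields(line: str):
    """Return (e, n, comment) from an OpenSSH 'ssh-rsa <base64> [comment]' line."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected 'ssh-rsa <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    alg, off = _read_string(blob, 0)
    if alg != b"ssh-rsa":
        raise ValueError("blob is not an ssh-rsa key")
    e_b, off = _read_string(blob, off)
    n_b, _ = _read_string(blob, off)
    comment = parts[2].strip() if len(parts) == 3 else ""
    return int.from_bytes(e_b, "big"), int.from_bytes(n_b, "big"), comment

def ios_key_hash(line: str) -> str:
    """MD5 of the decoded blob, upper-case hex: assumed to be what IOS prints after 'key-hash ssh-rsa'."""
    pubkey_fields(line)  # validates the line before hashing
    return hashlib.md5(base64.b64decode(line.split()[1])).hexdigest().upper()

def ios_pubkey_chain(username: str, line: str, width: int = 64) -> str:
    """Emit the 'ip ssh pubkey-chain' stanza with the base64 wrapped into key-string lines."""
    _, _, comment = pubkey_fields(line)
    b64 = line.split()[1]
    chunks = [b64[i:i + width] for i in range(0, len(b64), width)]
    if comment:
        chunks[-1] += " " + comment  # the page's session keeps the comment on the last key line
    body = "\n".join("   " + c for c in chunks)
    return f"ip ssh pubkey-chain\n username {username}\n  key-string\n{body}\n  exit\n exit\nexit"

# Constructed sample key (small modulus, NOT a usable RSA key) so the script runs offline.
SAMPLE_E, SAMPLE_N = 65537, int("C0FFEE" + "0123456789ABCDEF" * 7, 16)
_blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(SAMPLE_E) + _ssh_mpint(SAMPLE_N)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(_blob).decode() + " lab@example.test"
```

Run ios_pubkey_chain("admin", SAMPLE_LINE) to get the paste-ready stanza and ios_key_hash(SAMPLE_LINE) for the value to check in show run | section ssh.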
User Authentication Methods
- Disabling User Authentication Methods (supported on IOS 15.3(3)M)
This feature is not supported on IOS 15.2 loaded on the Cisco 1941 ISR G2 platform. According to the Cisco Feature Navigator (http://tools.cisco.com/ITDIT/CFN/) it is only available from IOS 15.3(3)M onwards.
The following example shows how to disable the public-key-based authentication and keyboard-based authentication methods, allowing the SSH client to connect to the SSH server using the password-based authentication method:
r1(config)#no ip ssh server authenticate user {publickey | keyboard | password}
r1(config)# no ip ssh server authenticate user publickey
%SSH:Publickey disabled.Overriding RFC
r1(config)# no ip ssh server authenticate user keyboard
r1(config)# exit
- Disable authentication - supported on all IOS versions (insecure)
You can use the command listed below. It disables authentication entirely, so the router will not prompt for a username or password. Because it changes the default method list rather than a named one, authentication is disabled on all lines, including the console.
r1(config)#aaa authentication login default none
If you only want to disable authentication on a specific line, create a named method list and apply it to that line.
r1(config)#aaa authentication login SSH none
r1(config)# line vty 0 15
r1(config-line)#login authentication SSH
r1(config-line)#exit
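An added audit script (not from the original page) that reads a running-config excerpt and flags the weak settings discussed on this page: method lists set to none (default or named, and the vty lines that apply a named one), vty lines whose transport input is not restricted to ssh, and a missing ip ssh version 2. The config text is constructed for the example, not taken from a real device.

```python
import re

# Constructed running-config excerpt (not from a real device) mixing safe and unsafe settings.
SAMPLE_RUNNING_CONFIG = """\
aaa new-model
aaa authentication login SSH none
ip ssh version 2
line con 0
 login authentication default
line vty 0 4
 login authentication SSH
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def parse_sections(config: str):
    """Split IOS config text into (command, [children]) pairs; children are the indented lines."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def audit_ssh_config(config: str):
    """Return (severity, message) findings for the weak settings this page warns about."""
    findings, none_lists = [], set()
    sections = parse_sections(config)
    top = [cmd for cmd, _ in sections]
    for cmd in top:
        m = re.match(r"aaa authentication login (\S+) none$", cmd)
        if m:  # a method list whose only method is none: no credentials asked at all
            none_lists.add(m.group(1))
            scope = "every line, console included" if m.group(1) == "default" else "lines using list " + m.group(1)
            findings.append(("high", f"{cmd}: login authentication disabled for {scope}"))
    if "ip ssh version 2" not in top:
        findings.append(("medium", "ip ssh version 2 not set: server also accepts SSHv1 clients"))
    for cmd, children in sections:
        if cmd.startswith("line vty"):  # the page's 'transport input ssh' check
            transports = [c for c in children if c.startswith("transport input")]
            if not transports or any(t != "transport input ssh" for t in transports):
                findings.append(("high", f"{cmd}: transport input is not restricted to ssh"))
        for c in children:
            m = re.match(r"login authentication (\S+)$", c)
            if m and m.group(1) in none_lists:
                findings.append(("high", f"{cmd}: login authentication {m.group(1)} is a method list with none"))
    return findings
```

Feed it the output of show running-config; an empty list means none of the page's insecure settings were found.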
References
- Configuring Secure Shell on Routers and Switches Running Cisco IOS
- Secure Shell Version 2 Support Last Updated: March 31st 2011, Sections: Secure Shell Version 2 Enhancements for RSA Keys & Configuring the Cisco IOS SSH Server to Perform RSA-Based User Authentication
- SSH with key authentication on Cisco IOS devices
- SSH access without password Cisco forum
- SSH Publickey accepted but still prompted for username/password? Cisco forum
- Network Management Configuration Guide Library, Cisco IOS Release 15M&T Last Updated: November 29, 2012
- Secure Shell—Configuring User Authentication Methods Feature is supported on IOS 15.3(3)M
- Example: Disabling User Authentication Methods Cisco Systems, Inc. Secure Shell Configuration Guide Cisco IOS XE Release 3S