Cisco configure SSH

From Ever changing code


The Cisco IOS image used must be a k9(crypto) image in order to support SSH.

Configure ssh server using aaa new-model

Color code explained:

  • black - basic configuration
  • green - enhanced config
  • blue - comments
!--- The aaa new-model command causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
!--- Instead of aaa new-model, you can use the login local command.

!--- assign domain name to the router/switch, this will be used to sign SSH key, also called 'keypair-name' or 'label'
ip domain-name
ip ssh version 2
!--- Starting (or only) Port number to listen on
ip ssh port 22
!--- Specify interface for source address in SSH connections when connecting from the router to another device
source-interface Loopback0

!--- Generate an server authentication key - 1024 bit long, domain name will be used as key-pair-label
crypto key generate rsa modulus 1024
!--- Generate ssh key, giving label to distinguishes different key-pairs
crypto key generate rsa label key-pair-label general-keys modulus 1024
!--- choose which key use for server authentication
ip ssh rsa keypair-name key-pair-label
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh time-out 120
ip ssh logging events

line vty 0 4 
!--- Prevent non-SSH Telnets.
transport input ssh
# show ip ssh       !version and configuration data
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDzA0tV5uStSgpEcDCCFIdaIlG7/VRhe7lwmpD3nATp
# show ssh         !shows current ssh connections
Connection Version Mode Encryption  Hmac         State                 Username
0          2.0     IN   aes256-cbc  hmac-sha1    Session started       admin
0          2.0     OUT  aes256-cbc  hmac-sha1    Session started       admin
%No SSHv1 server connections running.

Configure ssh server to perform RSA-Based user authentication

This feature is only supported in IOS 15.0(1)M and later versions.

Add public-key for user authentication

Paste your public key generated by PuTTYgen from private-key *.PPK file. Delimited by 65 characters.

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip ssh pubkey-chain
R2(conf-ssh-pubkey)#username admin
Copy & paste version
conf terminal
ip ssh pubkey-chain
username $username
%Censored - Public lines from putty gen %
%Censored - Public lines from putty gen %
%Censored - Public lines from putty gen %
%Censored - Public lines from putty gen %
%Censored - Public lines from putty gen %
%Censored - Public lines from putty gen ==%
R2#show run | section ssh
ip ssh rsa keypair-name SSH
ip ssh version 2
ip ssh pubkey-chain
 username admin
  key-hash ssh-rsa C20B739F2641234567891C6A11000111
Remove user's public key
R2(config)#ip ssh pubkey-chain
R2(conf-ssh-pubkey)#no username tech

User Authentication Methods

Disabling User Authentication Methods ( supported on IOS 15.3(3)M )

This feature is not supported on IOS 15.2 loaded on Cisco 1941 ISR G2 platform. Using features navigator it is only available on IOS 15.3(3)M onwards.

The following example shows how to disable the public-key-based authentication and keyboard-based authentication methods, allowing the SSH client to connect to the SSH server using the password-based authentication method:

r1(config)#no ip ssh server authenticate user {publickey | keyboard | pasword}
r1(config)# no ip ssh server authenticate user publickey
%SSH:Publickey disabled.Overriding RFC
r1(config)# no ip ssh server authenticate user keyboard
r1(config)# exit
Disable authentication - supported on all IOS versions (insecure)

You can actually use the below listed command. It basically disables authentication and won't prompt for username and password. Remember, we are using default and not any method list so it will disable authentication on all lines including console.

r1(config)#aaa authentication login default none

If you would only like to disable authentication on a specific line then create a method list and apply it on that line.

r1(config)#aaa authentication login SSH none
r1(config)# line vty 0 15
r1(config-line)#login authentication SSH