Difference between revisions of "Cisco configure SSH"
Jump to navigation
Jump to search
| Line 3: | Line 3: | ||
= Configure using aaa new-model = | = Configure using aaa new-model = | ||
<span style="color: black">basic configuration</span> | |||
<span style="color: green">enhanced config</span> | |||
<span style="color: blue">!--- The aaa new-model command causes the local username and password on the router | <span style="color: blue">!--- The aaa new-model command causes the local username and password on the router | ||
| Line 13: | Line 16: | ||
ip domain-name rtp.cisco.com | ip domain-name rtp.cisco.com | ||
ip ssh version 2 | ip ssh version 2 | ||
ip ssh port 22 | <span style="color: blue">!--- Starting (or only) Port number to listen on</span> | ||
<span style="color: green">ip ssh port 22</span> | |||
<span style="color: blue">!--- Specify interface for source address in SSH connections when connecting from the router to another device</span> | |||
<span style="color: green">source-interface Loopback0</span> | |||
<span style="color: blue">Enable SSH Server Authentication</span> | |||
<span style="color: green">ip ssh stricthostkeycheck</span> | |||
<span style="color: blue">!--- Generate an SSH key to be used with SSH here 1024bit long</span> | <span style="color: blue">!--- Generate an SSH key to be used with SSH here 1024bit long</span> | ||
| Line 19: | Line 27: | ||
ip ssh time-out 60 | ip ssh time-out 60 | ||
ip ssh authentication-retries 2 | ip ssh authentication-retries 2 | ||
ip ssh time-out 120 | |||
<span style="color: green">ip ssh logging events</span> | |||
line vty 0 4 | line vty 0 4 | ||
<span style="color: blue">!--- Prevent non-SSH Telnets.</span> | <span style="color: blue">!--- Prevent non-SSH Telnets.</span> | ||
transport input ssh | transport input ssh | ||
;Verify | |||
show ip ssh | |||
SSH Enabled - version 2.0 | |||
Authentication timeout: 120 secs; Authentication retries: 2 | |||
Minimum expected Diffie Hellman key size : 1024 bits | |||
IOS Keys in SECSH format(ssh-rsa, base64 encoded): | |||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDzA0tV5uStSgpEcDCCFIdaIlG7/VRhe7lwmpD3nATp | |||
SRTM94dJkXScrSXoT4dlqBHY+r7H+g25y5Rq7Dqv8AewNR0DKrGaYkIlO3A0O4s6wyK4KM71tdKia+Rc | |||
darPOEZKcJiFotegARWiWKS87UX0qD5XFYqGPNQZZWhIefp+aw== | |||
= Configuring the Cisco IOS SSH Server to Perform RSA-Based User Authentication = | = Configuring the Cisco IOS SSH Server to Perform RSA-Based User Authentication = | ||
Revision as of 14:11, 17 November 2013
Prerequisites
The Cisco IOS image used must be a k9(crypto) image in order to support SSH.
Configure using aaa new-model
basic configuration enhanced config
!--- The aaa new-model command causes the local username and password on the router !--- to be used in the absence of other AAA statements. aaa new-model username cisco password 0 cisco !--- Instead of aaa new-model, you can use the login local command. !--- assign domain name to the router/switch, this will be used to sign off SSH key ip domain-name rtp.cisco.com ip ssh version 2 !--- Starting (or only) Port number to listen on ip ssh port 22 !--- Specify interface for source address in SSH connections when connecting from the router to another device source-interface Loopback0 Enable SSH Server Authentication ip ssh stricthostkeycheck !--- Generate an SSH key to be used with SSH here 1024bit long crypto key generate rsa modulus 1024 ip ssh time-out 60 ip ssh authentication-retries 2 ip ssh time-out 120 ip ssh logging events line vty 0 4 !--- Prevent non-SSH Telnets. transport input ssh
- Verify
show ip ssh SSH Enabled - version 2.0 Authentication timeout: 120 secs; Authentication retries: 2 Minimum expected Diffie Hellman key size : 1024 bits IOS Keys in SECSH format(ssh-rsa, base64 encoded): ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDzA0tV5uStSgpEcDCCFIdaIlG7/VRhe7lwmpD3nATp SRTM94dJkXScrSXoT4dlqBHY+r7H+g25y5Rq7Dqv8AewNR0DKrGaYkIlO3A0O4s6wyK4KM71tdKia+Rc darPOEZKcJiFotegARWiWKS87UX0qD5XFYqGPNQZZWhIefp+aw==
Configuring the Cisco IOS SSH Server to Perform RSA-Based User Authentication
This feature is only supported in IOS 15.0(1)M and later versions.
The below need to be reworked..........WIP.........
Paste your public key
R2#conf t Enter configuration commands, one per line. End with CNTL/Z. R2(config)#ip ssh pubkey-chain R2(conf-ssh-pubkey)#username tech R2(conf-ssh-pubkey-user)#key-string R2(conf-ssh-pubkey-data)#$AAQEA6jYlf9MBskhkWov+ZOUDKun0ExQIRj1zfWA/YciO02VS R2(conf-ssh-pubkey-data)#$XsxM7SqNkRSQOR7y7HBMoxTHV7o+R/uS6A8/mF0A3P/ScRjct R2(conf-ssh-pubkey-data)#$JrNGACGaFy1njD9PrrvrU4o4hx6XDr6xVXF4sP4OCSXIn+Cp8 R2(conf-ssh-pubkey-data)#$bCnZLmv908AeDb1Ac4nPdsn1OhCPIg6fxZjB7DvAMB8Dbr+7Y R2(conf-ssh-pubkey-data)#$apEbGE94luIqnBc61HsMd6JCWbQ== tech@admin.us R2(conf-ssh-pubkey-data)#exit R2(conf-ssh-pubkey-user)#^Z
- Verify
R2#show run | section ssh ip ssh rsa keypair-name SSH ip ssh version 2 ip ssh pubkey-chain username pipi key-hash ssh-rsa C20B739F2645D6850C591C6A11780CB5 tech@admin.us
- Disable authentication (not tested)
You can actually use the below listed command. It basically disables authentication and won't prompt for username and password. Remember, we are using default and not any method list so it will disable authentication on all lines including console.
r1(config)#aaa authentication login default none
If you would only like to disable authentication on a specific line then create a method list and apply it on that line.
r1(config)#aaa authentication login SSH none r1(config)# line vty 0 15 r1(config-line)#login authentication SSH r1(config-line)#exit
References
- Configuring Secure Shell on Routers and Switches Running Cisco IOS
- Secure Shell Version 2 Support Last Updated: March 31st 2011, Sections: Secure Shell Version 2 Enhancements for RSA Keys & Configuring the Cisco IOS SSH Server to Perform RSA-Based User Authentication
- SSH with key authentication on Cisco IOS devices
- SSH access without password Cisco forum
- SSH Publickey accepted but still prompted for username/password? Cisco forum
- Network Management Configuration Guide Library, Cisco IOS Release 15M&T Last Updated: November 29, 2012