Cisco configure SSH
Prerequisites
The Cisco IOS image used must be a k9(crypto) image in order to support SSH.
Configure ssh server using aaa new-model
basic configuration enhanced config
!--- The aaa new-model command causes the local username and password on the router !--- to be used in the absence of other AAA statements. aaa new-model username cisco password 0 cisco !--- Instead of aaa new-model, you can use the login local command. !--- assign domain name to the router/switch, this will be used to sign off SSH key ip domain-name rtp.cisco.com ip ssh version 2 !--- Starting (or only) Port number to listen on ip ssh port 22 !--- Specify interface for source address in SSH connections when connecting from the router to another device source-interface Loopback0 !--- Generate an SSH key to be used with SSH here 1024bit long crypto key generate rsa modulus 1024 ip ssh time-out 60 ip ssh authentication-retries 2 ip ssh time-out 120 ip ssh logging events line vty 0 4 !--- Prevent non-SSH Telnets. transport input ssh
- Verify
show ip ssh SSH Enabled - version 2.0 Authentication timeout: 120 secs; Authentication retries: 2 Minimum expected Diffie Hellman key size : 1024 bits IOS Keys in SECSH format(ssh-rsa, base64 encoded): ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDzA0tV5uStSgpEcDCCFIdaIlG7/VRhe7lwmpD3nATp SRTM94dJkXScrSXoT4dlqBHY+r7H+g25y5Rq7Dqv8AewNR0DKrGaYkIlO3A0O4s6wyK4KM71tdKia+Rc darPOEZKcJiFotegARWiWKS87UX0qD5XFYqGPNQZZWhIefp+aw==
Configure ssh server to perform RSA-Based user authentication
This feature is only supported in IOS 15.0(1)M and later versions.
- Add public-key for user authentication
Paste your public key generated by PuTTYgen from private-key *.PPK file. Delimited by 65 characters.
R2#conf t Enter configuration commands, one per line. End with CNTL/Z. R2(config)#ip ssh pubkey-chain R2(conf-ssh-pubkey)#username admin R2(conf-ssh-pubkey-user)#key-string R2(conf-ssh-pubkey-data)#$AAQEA6jYlf9MBskhkWov+ZOUDKun0ExQIRj1zfWA/YciO02VS R2(conf-ssh-pubkey-data)#$XsxM7SqNkRSQOR7y7HBMoxTHV7o+R/uS6A8/mF0A3P/ScRjct R2(conf-ssh-pubkey-data)#$JrNGACGaFy1njD9PrrvrU4o4hx6XDr6xVXF4sP4OCSXIn+Cp8 R2(conf-ssh-pubkey-data)#$bCnZLmv908AeDb1Ac4nPdsn1OhCPIg6fxZjB7DvAMB8Dbr+7Y R2(conf-ssh-pubkey-data)#$apEbGE94luIqnBc61HsMd6JCWbQ== key@comment.us R2(conf-ssh-pubkey-data)#exit R2(conf-ssh-pubkey-user)#exit
- Verify
R2#show run | section ssh ip ssh rsa keypair-name SSH ip ssh version 2 ip ssh pubkey-chain username admin key-hash ssh-rsa C20B739F2645D6850C591C6A11780CB5 key@comment.us
- Remove user's public key
R2(config)#ip ssh pubkey-chain R2(conf-ssh-pubkey)#no username tech R2(conf-ssh-pubkey)#end
User Authentication Methods
- Disabling User Authentication Methods ( supported on IOS 15.3(3)M )
This feature is not supported on IOS 15.2 loaded on Cisco 1941 ISR G2 platform. Using features navigator http://tools.cisco.com/ITDIT/CFN/ it is only available on IOS 15.3(3)M onwards.
The following example shows how to disable the public-key-based authentication and keyboard-based authentication methods, allowing the SSH client to connect to the SSH server using the password-based authentication method:
r1(config)#no ip ssh server authenticate user {publickey | keyboard | pasword}
r1(config)# no ip ssh server authenticate user publickey %SSH:Publickey disabled.Overriding RFC r1(config)# no ip ssh server authenticate user keyboard r1(config)# exit
- Disable authentication - supported on all IOS versions (insecure)
You can actually use the below listed command. It basically disables authentication and won't prompt for username and password. Remember, we are using default and not any method list so it will disable authentication on all lines including console.
r1(config)#aaa authentication login default none
If you would only like to disable authentication on a specific line then create a method list and apply it on that line.
r1(config)#aaa authentication login SSH none r1(config)# line vty 0 15 r1(config-line)#login authentication SSH r1(config-line)#exit
References
- Configuring Secure Shell on Routers and Switches Running Cisco IOS
- Secure Shell Version 2 Support Last Updated: March 31st 2011, Sections: Secure Shell Version 2 Enhancements for RSA Keys & Configuring the Cisco IOS SSH Server to Perform RSA-Based User Authentication
- SSH with key authentication on Cisco IOS devices
- SSH access without password Cisco forum
- SSH Publickey accepted but still prompted for username/password? Cisco forum
- Network Management Configuration Guide Library, Cisco IOS Release 15M&T Last Updated: November 29, 2012
- Secure Shell—Configuring User Authentication Methods Feature is supported on IOS 15.3(3)M