
Recipe 3.20 Using SSH for Secure Access

3.20.1 Problem

You want to use SSH to give more secure encrypted remote access to your router.

3.20.2 Solution

You can configure your router to run an SSH Version 1 server for VTY access:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#hostname Router1
Router1(config)#ip domain-name oreilly.com
Router1(config)#crypto key generate rsa
The name for the keys will be: Router1.oreilly.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
   
How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
   
Router1(config)#
Jun 27 15:04:15: %SSH-5-ENABLED: SSH 1.5 has been enabled
Router1(config)#ip ssh time-out 120 
Router1(config)#ip ssh authentication-retries 4
Router1(config)#end
Router1#

SSH became available in Cisco's IOS starting with Release 12.1(1)T. However, only versions of IOS that support IPSec (DES or 3DES) encryption include SSH support. Note that there are severe restrictions on exporting any software that includes 3DES outside of the U.S. and Canada.

3.20.3 Discussion

SSH provides a secure method of communication between network entities by means of transparent encryption. It is a protocol that encrypts all traffic, including passwords, between a client and a server. This makes it an excellent replacement for the Telnet and Rlogin protocols. Cisco's IOS currently supports only a subset of the standard SSH tools. In particular, Cisco routers do not support the newer SSH Version 2, which includes a number of important enhancements.

The main reason to consider replacing Telnet with SSH is security. The entire Telnet session, including passwords, is transmitted in clear-text. Anybody using a protocol analyzer between the Telnet client and server can easily see all of the data sent by both ends of the conversation—including usernames and passwords. SSH, on the other hand, uses strong encryption algorithms to ensure that the entire session is unintelligible to anybody except for the intended party. This allows for secure communication through the Internet or any other public network.

The transparent encryption scheme used by SSH ensures that, except for initial configuration, SSH behaves similarly to Telnet.

Configuring SSH requires three steps, all of which appear in the Solution section: configure a hostname, configure a domain name, and generate a pair of RSA keys. The hostname and domain name must be set first, because IOS names the key pair after the fully qualified hostname (Router1.oreilly.com in the example).

Generating a set of SSH keys automatically enables the SSH protocol. As soon as you have created the keys, the router can start accepting SSH sessions. The first time you attempt to access an SSH-enabled device, your SSH client software will prompt you to store the device host key. This prevents other devices from masquerading as a legitimate device:

Freebsd% ssh -l ijbrown Router1
The authenticity of host 'Router1 (172.25.1.5)' can't be established.
RSA1 key fingerprint is 7a:97:99:2a:ef:08:40:fb:c3:dd:c4:8c:29:fc:2f:4d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'Router1' (RSA1) to the list of known hosts.
ijbrown@Router's password: xxxxxxxxxx
   
Router1>exit
Connection to Router1 closed.
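The fingerprint the client prints in the exchange above is a hash of the router's public key, and the known_hosts entry it stores is what later detects a changed key. The following script is an added example, not part of the Cisco IOS Cookbook: it builds a public key blob in the ssh-rsa encoding that SSH2 clients such as OpenSSH store in known_hosts (the RSA1 encoding shown in the recipe differs), computes the legacy MD5 colon fingerprint and the modern SHA256 fingerprint, and checks a stored entry against a fingerprint obtained out of band, for instance from the router console. The key material is constructed for illustration and is not a real router key.

```python
"""Verify an SSH host key fingerprint against a pinned value.

Added example (not from the Cisco IOS Cookbook). The key below is
constructed for illustration only; it is not a real RSA modulus.
"""
import base64
import hashlib


def _mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251, section 5)."""
    if n == 0:
        return b"\x00\x00\x00\x00"
    # One extra bit of room keeps the high bit clear, so the value stays positive.
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return len(body).to_bytes(4, "big") + body


def _string(b: bytes) -> bytes:
    """Encode a length-prefixed SSH string."""
    return len(b).to_bytes(4, "big") + b


def build_rsa_blob(e: int, n: int) -> bytes:
    """Serialise an ssh-rsa public key blob (RFC 4253, section 6.6)."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, as printed by older ssh clients."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' followed by unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str) -> tuple:
    """Return (host list, key type, raw key blob) from one known_hosts entry."""
    hosts, keytype, b64 = line.split()[:3]
    return hosts.split(","), keytype, base64.b64decode(b64)


def host_key_matches(line: str, expected_md5: str) -> bool:
    """True when the stored key's MD5 fingerprint equals the pinned value."""
    _, _, blob = parse_known_hosts_line(line)
    return md5_fingerprint(blob).lower() == expected_md5.lower()


# Constructed sample key: a 1024-bit value derived from a fixed string, not a real key.
SAMPLE_E = 65537
SAMPLE_N = int.from_bytes(
    hashlib.sha512(b"constructed sample modulus").digest() * 2, "big"
) | (1 << 1023)
SAMPLE_BLOB = build_rsa_blob(SAMPLE_E, SAMPLE_N)
# Constructed known_hosts entry for the recipe's router name and address.
SAMPLE_LINE = "Router1,172.25.1.5 ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    print("MD5    ", md5_fingerprint(SAMPLE_BLOB))
    print("SHA256 ", sha256_fingerprint(SAMPLE_BLOB))
    print("pinned value matches:", host_key_matches(SAMPLE_LINE, md5_fingerprint(SAMPLE_BLOB)))
```

Answering "yes" at the prompt pins whatever key the network delivered, so the check that matters is comparing the printed fingerprint with one recorded from the router itself before the first connection; host_key_matches performs that comparison against a saved known_hosts line.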

SSH passes the current username to the SSH server, which in turn prompts for the password of the current user. However, with the Unix version of SSH, you can override this behavior by specifying the -l option, followed by an alternate username. In the previous example, we explicitly specified a particular username (ijbrown). The default behavior looks like this:

Freebsd% ssh Router1
ijbrown@Router1's password: xxxxxxxxx
   
Router1>

Because we don't specify a username in this example, the router assumes that it should use the current Unix username, ijbrown.

If you decide to use SSH as your transport protocol for administrative access to your routers, we recommend that you disable all other forms of VTY access by using the transport input configuration command. Running insecure protocols defeats the purpose of implementing SSH in the first place. For more information on disabling transport protocols on virtual terminals, see Recipe 3.10. The following example illustrates how to disable all inbound protocols except SSH:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#line vty 0 4
Router1(config-line)#transport input ssh
Router1(config-line)#end
Router1#
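Because a single VTY range left with a permissive transport input undoes the protection, the setting is worth checking against a saved running configuration rather than trusting memory. The script below is an added example, not code from the Cisco IOS Cookbook: it splits a running configuration into line blocks and reports every VTY block that still accepts a transport other than SSH, or that has no explicit transport input statement at all (such a block inherits the release default, so it is reported too). The configuration text is constructed for illustration.

```python
"""Audit VTY lines in an IOS running configuration for non-SSH transports.

Added example (not from the Cisco IOS Cookbook). The configuration below
is constructed: vty 0 4 is restricted to SSH, vty 5 15 is not.
"""
from typing import Dict, List

SAMPLE_CONFIG = """\
hostname Router1
ip domain-name oreilly.com
ip ssh time-out 120
ip ssh authentication-retries 4
!
line con 0
 exec-timeout 5 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
!
end
"""


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' header to the list of its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks


def vty_transport_findings(config: str) -> Dict[str, str]:
    """Return {vty header: reason} for every VTY block not restricted to 'transport input ssh'."""
    findings: Dict[str, str] = {}
    for header, cmds in parse_line_blocks(config).items():
        if not header.startswith("line vty"):
            continue
        transports = [c for c in cmds if c.startswith("transport input")]
        if not transports:
            findings[header] = "no explicit 'transport input' (release default applies)"
            continue
        # The last statement wins if the block carries more than one.
        protocols = transports[-1].split()[2:]
        if protocols != ["ssh"]:
            findings[header] = "accepts " + " ".join(protocols)
    return findings


if __name__ == "__main__":
    for header, reason in vty_transport_findings(SAMPLE_CONFIG).items():
        print(f"{header}: {reason}")
```

Run against the sample, the audit reports only the second block, which still accepts Telnet alongside SSH. The same parser can feed a fleet-wide check by looping over configurations collected from each router.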

Starting with Version 12.1(3)T, Cisco's IOS began to support SSH client functionality as well. SSH clients allow you to access other SSH servers, including SSH-enabled routers. In the following example, we initiate an SSH session from our router to an SSH-enabled Unix server:

Router1#ssh -l ijbrown server
Trying server.oreilly.com (172.25.1.3)... Open
   
Password: xxxxxxxxxxx
FreeBSD 4.6-STABLE (IJB) 
   
Welcome to FreeBSD!
   
You have new mail.
Freebsd%

Many SSH clients and servers are readily available for most popular operating systems. There are also several free SSH packages available on the Internet, including OpenSSH and PuTTY (see Appendix A for more details).

The show ssh EXEC command displays the active SSH sessions and their attributes, such as VTY number, SSH version, encryption type, session state, and username:

Router1#show ssh
Connection      Version Encryption      State                   Username
 0              1.5     3DES            Session started         ijbrown
 3              1.5     3DES            Session started         morewood

The command show ip ssh displays the SSH server configuration status, including the SSH version, authentication timeout, and number of retries:

Router1#show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 4
Router1#
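The two status commands are the natural input for a monitoring script that records who is connected over SSH and confirms that the server settings still match what was configured. The following is an added example, not code from the Cisco IOS Cookbook: it parses the show ssh table into one record per session, parses show ip ssh into the enabled flag, protocol version, authentication timeout and retry count, and compares those settings with a baseline (the recipe's own values of 120 seconds and 4 retries are used as the defaults). The sample text reproduces the output format shown above.

```python
"""Parse 'show ssh' and 'show ip ssh' output into structured records.

Added example (not from the Cisco IOS Cookbook). The sample output below
reproduces the format shown in the recipe.
"""
import re
from typing import Dict, List

SAMPLE_SHOW_SSH = """\
Connection      Version Encryption      State                   Username
 0              1.5     3DES            Session started         ijbrown
 3              1.5     3DES            Session started         morewood
"""

SAMPLE_SHOW_IP_SSH = """\
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 4
"""

# One session row: connection number, version, cipher, a multi-word state,
# then at least two spaces before the username.
_SESSION = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<version>[\d.]+)\s+(?P<cipher>\S+)\s+"
    r"(?P<state>.+?)\s{2,}(?P<user>\S+)\s*$"
)


def parse_show_ssh(text: str) -> List[Dict[str, str]]:
    """Return one dict per active session; the header line is skipped."""
    sessions: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _SESSION.match(line)
        if m:
            sessions.append(m.groupdict())
    return sessions


def parse_show_ip_ssh(text: str) -> Dict[str, object]:
    """Extract enabled flag, version, authentication timeout and retry count."""
    status: Dict[str, object] = {"enabled": False}
    for line in text.splitlines():
        m = re.match(r"SSH (Enabled|Disabled)\s*-\s*version\s+([\d.]+)", line)
        if m:
            status["enabled"] = m.group(1) == "Enabled"
            status["version"] = m.group(2)
        m = re.search(
            r"Authentication timeout:\s*(\d+) secs;\s*Authentication retries:\s*(\d+)", line
        )
        if m:
            status["timeout"] = int(m.group(1))
            status["retries"] = int(m.group(2))
    return status


def check_server_settings(status: Dict[str, object],
                          max_timeout: int = 120, max_retries: int = 4) -> List[str]:
    """Report settings looser than the baseline; an empty list means all is well."""
    problems: List[str] = []
    if not status.get("enabled"):
        problems.append("SSH server not enabled")
    if int(status.get("timeout", 0)) > max_timeout:
        problems.append(f"authentication timeout {status['timeout']}s exceeds {max_timeout}s")
    if int(status.get("retries", 0)) > max_retries:
        problems.append(f"authentication retries {status['retries']} exceeds {max_retries}")
    return problems


def users_logged_in(sessions: List[Dict[str, str]]) -> List[str]:
    """Sorted, de-duplicated usernames with an active SSH session."""
    return sorted({s["user"] for s in sessions})


if __name__ == "__main__":
    for s in parse_show_ssh(SAMPLE_SHOW_SSH):
        print(f"vty {s['conn']}: {s['user']} (SSH {s['version']}, {s['cipher']}, {s['state']})")
    status = parse_show_ip_ssh(SAMPLE_SHOW_IP_SSH)
    print(status, check_server_settings(status) or "settings within baseline")
```

Collected on a schedule, the session records give an audit trail of administrative logins, and the settings check catches a timeout or retry limit that has drifted upward since the router was configured.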

3.20.4 See Also

Recipe 3.1; Chapter 4
