Adding ssh and deleting telnet

May 4th, 2007

Can anyone briefly tell me how to do this without hanging myself out of the box? We have basically been tasked with adding SSH access on both IOS and CatOS boxes. I have read through the Cisco documents, but it's not entirely clear what needs to be done, especially on CatOS. Can you enable SSH on a CatOS box without having to use permit lists? Also, on IOS, how do you restrict access to SSH only without hanging yourself out of the box? Do you have to enable SSH and then go back and remove the "transport input telnet" command after the fact? Our first problem is going to be that we have to upgrade hundreds of boxes in order to even run this. Just thought maybe someone could put this in plain English instead of overly complicated Cisco-speak. Thanks for any help.

royalblues Fri, 05/04/2007 - 04:54

Glenn,

You should first complete the configuration of the prerequisites for SSH, such as the domain name, key length, etc. This will also include checks that the IOS image supports SSH.

After this you can just telnet to each box and issue the "transport input ssh" command.

This disables telnet but does not lock out your current session. All new sessions, however, need to be SSH.

If you have 100 devices, a script or CiscoWorks NetConfig would help.

I am not sure about CatOS, as currently none of my CatOS devices have the cryptographic images to support SSH.

HTH, rate if it does.

Narayan

Amit Singh (Cisco Employee) Fri, 05/04/2007 - 07:24

Glen,

You have to enable the "ip permit list" on CatOS boxes to configure SSH. Also, on the Cat4000, CatOS supports only SSH v1; SSH v2 is not supported. If you have a Cat6500 with CatOS, SSH v2 is supported starting with 8.3.x.

Please see the link below for the config:

http://www.cisco.com/en/US/customer/tech/tk583/tk617/technologies_tech_note09186a0080094314.shtml

As posted by Narayan, it's better to push a script using CiscoWorks if you have a lot of devices to configure.

-amit singh
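As an added illustration of the CatOS permit-list requirement described in the post above (this is not configuration posted by any participant in the thread), the following shows the order of operations that avoids locking yourself out: the RSA host key is generated, the management subnet is added to the SSH permit list, and only then is the permit list switched on. The management subnet 10.10.20.0/24 and the 1024-bit key size are assumptions; the commands are the CatOS `set crypto key rsa`, `set ip permit` and `show` commands referenced by the linked Cisco tech note, and they require a crypto (k9) CatOS image.

```text
# Added CatOS example (assumed management subnet 10.10.20.0/24, 1024-bit key).
# 1. Generate the RSA host key; it is stored in NVRAM so this is a one-time step.
set crypto key rsa 1024

# 2. Add the permitted source network for SSH BEFORE enabling the list,
#    otherwise an empty enabled list would admit nobody.
set ip permit 10.10.20.0 255.255.255.0 ssh

# 3. Enable the IP permit list for the SSH service only (telnet is untouched
#    at this point, so you still have a way back in if SSH fails).
set ip permit enable ssh

# 4. Verify the key exists and the permit entries are as intended.
show crypto key
show ip permit
```

Only after an SSH login from a host inside 10.10.20.0/24 succeeds should telnet be restricted; as the thread notes, CatOS differs from IOS here in that the restriction is expressed through the permit list rather than a `transport input` line command, and (per the later posts) CatOS has no SSH client of its own, so the verification has to be done from a workstation or an IOS device.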

glen.grant Fri, 05/04/2007 - 12:16

In playing with SSH on a CatOS box, it appears that though you can SSH into a CatOS box, you cannot SSH from a CatOS box to another box, as the ssh command is not present even in the crypto version of the code. Does this sound correct?

royalblues Sat, 05/05/2007 - 04:36

Glen,

For initiating SSH from a Cisco device you would require the SSH client. This feature was introduced in the IOS software, but I don't think they did it for CatOS.

Narayan

glen.grant Sat, 05/05/2007 - 09:07

OK, thanks for confirming. I don't see any way to SSH directly from a CatOS switch; yes, IOS does have it built in.

I'd just expand on what someone else said: you can use the "transport input all" command and then confirm SSH is working, so that you can always telnet if there is anything wrong. Once you're sure everything is okay you can change that to "transport input ssh", which effectively turns off telnet access.
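Pulling together the IOS procedure from Narayan's first reply (prerequisites, then `transport input ssh`) and the staged approach in the post above (`transport input all` first, verify, then `transport input ssh`), here is an added worked example. It is not configuration from any poster in this thread; the hostname, domain name, username, management subnet 10.10.20.0/24 and access-list number 10 are assumptions, and the image must be a crypto (k9) IOS build for the `crypto` and `ip ssh` commands to exist.

```text
! Added IOS example (assumed names: sw-access-01, example.net, netadmin, ACL 10).
!
! --- 1. Prerequisites: a hostname and domain name must exist before the RSA key
!        can be generated, and SSH needs a local user (or AAA) to authenticate against.
hostname sw-access-01
ip domain-name example.net
username netadmin privilege 15 secret ReplaceThisPlaceholder
!
! --- 2. Generate the RSA key pair. 2048 bits where the platform allows it; older
!        images may cap the modulus lower, in which case use the largest accepted.
crypto key generate rsa modulus 2048
!
! --- 3. Harden the SSH server itself: v2 only, short login window, few retries.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! --- 4. Staged cut-over: leave telnet open while SSH is being verified. This is
!        the "transport input all" step from the post above.
line vty 0 4
 login local
 transport input all
!
! --- 5. Verify from a management host BEFORE closing telnet (exec commands):
!   show ip ssh      -> expect "SSH Enabled - version 2.0"
!   show ssh         -> lists your own SSH session once you log in over SSH
!   ssh -l netadmin <switch-ip>   (run from the workstation, not the switch)
!
! --- 6. Only after an SSH login succeeds, close telnet and fence the VTYs to the
!        management subnet. Changing transport does not drop the session you are in.
access-list 10 permit 10.10.20.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
!
end
write memory
```

Two checks worth doing before declaring a box done: run `show line` and apply the same `transport input ssh` and `access-class` to any additional VTY range (many platforms have `line vty 5 15` as well, and telnet left open on those lines defeats the exercise), and confirm with `show running-config | include transport input` that no line still reads `transport input all` or `transport input telnet`. For the hundreds of devices mentioned in the question, this same block is what a CiscoWorks NetConfig job or a push script would deliver, with step 6 run as a second pass after the SSH logins have been confirmed.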
