LOGIN TO ROUTER & SWITCHES VIA SECURE SHELL

Jan 7th, 2010

Hello,

Happy New Year to all! Thanks so much for the privilege to learn from you all, I am ever grateful for your wealth of experience which you have always shared with this community.

I would like to know how to log in to my router using a secure shell login. I am used to console login, SDM login and Telnet (which I understand is not secure because it does not encrypt data). I would like to discontinue the use of Telnet for obvious security reasons.

I need information on secure shell and how I can use it to log into a router.

Thanks

Thomas

Peter Paluch Thu, 01/07/2010 - 02:18

Hi Thomas,

In order to access your switches and routers via SSH, you need an IOS image that contains the necessary support. Very often, it is the image with the crypto feature set (the name ends with k9 letters, like c1841-advipservicesk9-...). Then, the steps to activate the SSH on a router/switch are as follows:

configure terminal
ip domain-name some.domain.name
crypto key generate rsa general-keys modulus 1024
username admin privilege 15 secret VerySecretPassword
username user secret SimplePassword
line vty 0 4
login local
transport input ssh

To explain this: First of all, your device must have a non-default hostname (different from Switch or Router), and also, the domain name must be specified. Both the hostname and the domain name will become a part of the generated keypair and they are required before the keypair is generated. The command crypto key generate is used to generate the RSA keypair that is necessary for SSH to work. In this example, the key length is 1024 bits, which should be sufficient for most deployments. As soon as the keypair is generated, SSH will be activated automatically. Then, there are two usernames defined just as an example of defining a user admin that will have administrative privileges as soon as he logs in, and an ordinary user without elevated privileges. Then, the command login local under the VTY configuration makes sure that the logins are performed against the local username database (SSH does not work with passwords defined directly on VTY lines - only with usernames and passwords). The last command, transport input ssh, makes sure that only SSH is permitted to access the VTY lines. This command effectively disables Telnet for the VTY lines 0 to 4 and it will not be possible to log in using Telnet anymore.

If your IOS is recent enough, you may also try to use the command ip ssh version 2 in your global configuration, as SSH version 2 is considered more secure than its previous version. Without this command, both versions 1 and 2 are activated (if your device supports SSHv2, of course).

Best regards,

Peter

Peter Paluch Thu, 01/07/2010 - 02:55

Hello Milan,

The article you have referenced talks in essence about Reverse SSH. It is similar to Reverse Telnet - you telnet to a particular high TCP port on your router, and you will get access to a particular serial line. But yes, it will also work for the VTY lines. The configuration will be as follows:

ip ssh port 5001 rotary 1 3

line vty 0
login local
rotary 1
transport input ssh
line vty 1
login local
rotary 2
transport input ssh
line vty 2
login local
rotary 3
transport input ssh

This makes the three lines accessible each under a different TCP port via SSH - the VTY 0 is under the TCP port 5001, the VTY 1 is under 5002 and VTY 2 is under 5003. If you wanted all of them to be under the same port, say, 2222, the configuration would be:

ip ssh port 2222 rotary 1

line vty 0 4
login local
rotary 1
transport input ssh

Best regards,

Peter
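An added audit script (my own example, not code from Peter or this thread) that checks a saved running-config against the steps in Peter's first reply and resolves the rotary port mapping from his second. The config it parses is constructed; the RSA keypair itself cannot be checked from the config because crypto key generate rsa is not stored there (verify it on the device with show crypto key mypubkey rsa).

```python
import re
# Constructed sample running-config (not from the thread); VTY 2 is deliberately weak.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name lab.example
ip ssh port 5001 rotary 1 3
line vty 0 1
 login local
 rotary 1
 transport input ssh
line vty 2
 rotary 3
 transport input telnet ssh
"""

def parse_vty(config):
    """Map each VTY number to the sub-commands of its 'line vty A [B]' block."""
    vty, current = {}, []
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+)(?: (\d+))?$", raw)
        if m:  # the block's commands apply to every VTY in the range
            current = [vty.setdefault(n, []) for n in range(int(m[1]), int(m[2] or m[1]) + 1)]
        elif raw.startswith(" "):
            for cmds in current:
                cmds.append(raw.strip())
        else:
            current = []  # any other top-level command ends the block
    return vty

def ssh_findings(config):
    """Audit the config against the steps in Peter's first reply; [] means it passes."""
    checks = [(r"^hostname (?!(?:Router|Switch)$)\S+", "default hostname, keypair cannot be generated"),
              (r"^ip domain-name \S+", "no ip domain-name, keypair cannot be generated"),
              (r"^ip ssh version 2$", "ip ssh version 2 not set, SSHv1 may still be accepted")]
    out = [msg for rx, msg in checks if not re.search(rx, config, re.M)]
    for n, cmds in sorted(parse_vty(config).items()):
        if "login local" not in cmds:
            out.append(f"vty {n}: no 'login local'")
        if "transport input ssh" not in cmds:
            out.append(f"vty {n}: transport input not restricted to ssh")
    return out

def rotary_ports(config):
    """Resolve 'ip ssh port P rotary A [B]' (Peter's second reply) to {vty: tcp_port}."""
    if not (m := re.search(r"^ip ssh port (\d+) rotary (\d+)(?: (\d+))?$", config, re.M)):
        return {}
    port, lo, hi = int(m[1]), int(m[2]), int(m[3] or m[2])
    rot = {n: int(c.split()[1]) for n, cmds in parse_vty(config).items()
           for c in cmds if c.startswith("rotary ")}  # a later 'rotary' overrides
    return {n: port + r - lo for n, r in rot.items() if lo <= r <= hi}
```

Run it against the output of show running-config; VTY 0 and 1 come out clean on TCP 5001, while VTY 2 is reported for Telnet access, a missing login local, and port 5003.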

tomocisco Fri, 01/08/2010 - 07:28

Hi Peter,

Thanks so much for your response to my question. I found it very helpful, as I was able to configure the router for SSH login.

Just one final thing I want to know: how do I log into the router from an end system running Microsoft Windows OS, for instance, after configuring the router for secure shell login? (For example, if I were using Telnet access, I would simply type "telnet 192.168.x.y" at the Windows command prompt, and then enter the passwords etc.)

What do I type at the Windows command prompt to have secure shell login access to the router, or how do I log into the router (configured for SSH) from a system running MS Windows OS?

Thanks

Thomas

Peter Paluch Fri, 01/08/2010 - 08:00

Hello Thomas,

As far as I know, there is no built-in SSH client in Windows. However, there are plenty of free SSH clients out there. Perhaps the most popular (and in my opinion, by far the best) free SSH client for Windows is PuTTY. You may download it here:

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

PuTTY is a single EXE file less than 500 kB in size, and it does not require any installation - just download it, run it and you are ready to go.

Best regards,

Peter

milan.kulik Tue, 01/12/2010 - 02:11

Hi Peter,

here is an enhanced PuTTY version called TuTTY:

http://putty.dwalin.ru/

It includes a serial port connection, too, so you need no other tool to connect to any Cisco device.

BR,

Milan

Peter Paluch Tue, 01/12/2010 - 02:43

Hello Milan,

Interesting - PuTTY has supported serial connections for quite a while. Is TuTTY something yet more advanced in this aspect?

Best regards,

Peter

milan.kulik Tue, 01/12/2010 - 03:11

Hi Peter,

I was using PuTTY till version 0.58 where serial connection was still missing.

Then somebody pointed me to TuTTY - a PuTTY "clone" with serial included.

Now I see PuTTY supports serial since 0.59 :-)

As I don't change my tools frequently, I'd say PuTTY and TuTTY are pretty much the same.

But PuTTY is the original project, so it's probably worth keeping it.

I really like it, the only feature I miss is an easy way of moving your favourite session list to another PC.

BR,

Milan

Kevin Brennan Tue, 01/12/2010 - 03:49

Hi All,

If you like PuTTY, you might like to take a look at PuTTY Connection Manager. It allows you to set up PuTTY sessions in tabs - it also lets you keep all your sessions (Serial, SSH and Telnet) in a database file for portability. I'm sure it does loads more, but I only use it for these two features.

http://puttycm.free.fr/cms/

Regards

Kevin

george.karavitis Thu, 04/15/2010 - 06:21

Then, the command login local under the VTY configuration makes sure that the logins are performed against the local username database (the SSH does not work with passwords defined directly on VTY lines - only with usernames and passwords).

Hello Peter,

I've been working on this subject, as we are about to enable only SSH on our production environment (disable Telnet) and wanted to see what the fall-back scenarios are with TACACS unreachable. After some testing it seems that your statement above is not correct - SSH can work without a username/password locally defined on the router, and can use only the enable password for authentication.

But there is a twist:

Apparently SSH _needs_ a username in order to set up associations/encryption etc. So in my lab, with no username/password defined on the router, when logging in with SSH you will _need_ to give a username (any word), but it will be ignored, and only the password will be matched.

The above has been tested on a 6506-E with adv ip serv 12.2.33-SXI3, but soon I will have to test on more platforms.

rGrds

George
