I'm a beginner on SSH. I have configured SSH on one of our routers (3640). As explained on the Cisco site, I created the domain name, hostname, crypto key generate, authentication timeouts, retries. After doing all these I bound the same to the line vty. I also got the key generated by RSA, by issuing the command show key mypubkey rsa.
I'm using PuTTY as the SSH client. Can anyone tell me how I will have to use the key generated by RSA to establish the connection with the router?
PuTTY and the router will swap their public keys automatically, you won't have to do anything. The first time you connect to the router using PuTTY it will tell you that you haven't connected here before and ask whether you want to swap the keys; just answer yes and you should get a username prompt.
Keep in mind that SSH requires both a username and a password, so on the router you'll have to have configured:
> aaa new-model
> aaa authentication login default local
then use that username/password to login from then on (even with Telnet connections).
Remember: Cisco only uses SSH version 1. Most packages (including PuTTY) default to version 2. Version 1 is far less secure than version 2 but way more secure than Telnet ...
Also make sure that PuTTY is configured for DES or 3DES (whichever your router is rigged for).
Which version of IOS are you running on the 3640?
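Pulling together the steps the original post lists and the AAA lines in the reply above, here is an added example (my own, not from the thread or from Cisco's documentation) of a minimal IOS configuration for SSH with local AAA; the hostname, domain name, username and the secret placeholder are assumptions, and `username ... secret` assumes an IOS that supports it (older trains only offer `password`).

```cisco
! Added example, not from the thread: minimal IOS config for SSH access
! with a local AAA account. Names and the vty range are placeholders.
hostname R3640
ip domain-name example.local
!
! Local account that AAA will check; the router always prompts for it
! over SSH, key exchange alone never logs a user in.
username netadmin privilege 15 secret <choose-a-strong-secret>
!
aaa new-model
aaa authentication login default local
!
! Run this once from config mode after hostname and domain name are set;
! it prompts for the modulus size and is not stored in the running config.
! "show crypto key mypubkey rsa" displays the resulting public key.
crypto key generate rsa
!
! Negotiation timeout (seconds) and how many login attempts to allow.
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Bind SSH to the vty lines and refuse Telnet on them; idle sessions
! are closed after 10 minutes.
line vty 0 4
 transport input ssh
 exec-timeout 10 0
```

After applying it, connect from PuTTY with the SSH protocol selected and expect the username/password prompt from the local account, as the reply above describes.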
I'm using the 12.2(3) IOS version.
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3660-IK8S-M), Version 12.2(3), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Wed 18-Jul-01 22:27 by pwade
That's the output.
I'm selecting SSH ver 1 only for establishing the connection; it asks to connect as username, password, since the AAA model is already configured and in use.
But some of my colleagues who are in server-side security are saying that once you use the key which is generated by the router to establish the connection,
the router should not ask for the username and password, since it works in the same fashion on the servers also (which are not asking for any username and password).
Is this right? Can anyone clear this up for me?
The keys are swapped the first time and are then used for the encryption, but the router is always going to ask for a username and password. Otherwise anyone could sit at your laptop, SSH to this router and get in, very insecure.
SSH version 2 allows you to define on the server side a client's key that can authenticate without a password. Cisco only supports SSH v1, so using public key authentication w/o a password will not work. This is a very nice feature that I use on Linux boxes all the time.