Introduction
SSH stands for “Secure Shell”. SSH commonly uses port 22 to connect your computer to another computer on the Internet. It is most often used by network administrators as a remote login / remote control way to manage their business servers. Examples would be: your email administrator needs to reboot the company email server from his home, or your network administrator needs to reset your office password while she is away at a conference.
If remote access to a switch is necessary, then consider using SSH instead of telnet. SSH provides encrypted connections remotely. However, only IOS versions that include encryption support SSH. Also, to include SSH capability the switch may need to have its IOS updated.
Before using SSH on the switch, the administrator must configure the switch with the following commands: hostname, ip domain-name, and crypto key generate rsa.
Configuring SSH on an IOS device
With aaa new-model
ip domain-name cisco.com
!
crypto key generate rsa general-keys modulus 1024
!
user cisco priv 15 pass cisco
!
aaa authentication login default local
aaa authentication enable default none
!
line vty 0 15
login authentication default
You can also restrict vty access to SSH (not allowing telnet).
line vty 0 15
transport input ssh
Without aaa new-model
Switch(config)# crypto key generate rsa
The crypto key generate rsa command depends on the hostname and ip domain-name commands. This crypto command generates a Rivest, Shamir, Adleman (RSA) key pair, which includes one public RSA key and one private RSA key.
To restrict SSH access to the switch, configure an extended access-list (e.g., 101) that allows only the administrators’ systems to make these connections and apply this access-list to the virtual terminal lines. Allow only SSH connections to these lines by using the transport input ssh command. Set the privilege level to 0, and set the exec-timeout period to 9 minutes and 0 seconds to disconnect idle connections to these lines. Finally, use the login local command to enable local account checking at login that will prompt for a username and a password.
The following commands show the example configuration for SSH on the virtual terminal lines.
Switch(config)# no access-list 101
Switch(config)# access-list 101 remark Permit SSH access from
administrators’ systems
Switch(config)# access-list 101 permit tcp host 10.0.0.2 any eq 22 log
Switch(config)# access-list 101 permit tcp host 10.0.0.4 any eq 22 log
Switch(config)# access-list 101 deny ip any any log
Switch(config)# line vty 0 4
Switch(config-line)# access-class 101 in
Switch(config-line)# transport input ssh
Switch(config-line)# privilege level 0
Switch(config-line)# exec-timeout 9 0
Switch(config-line)# login local