Cisco Router Secure Shell (SSH) Config

How to Configure Secure Shell (SSH) on a Cisco Router

 

Why Use Secure Shell (SSH)?

Secure Shell (SSH) improves network security by providing a means of establishing secure connections to networking devices for management, thereby preventing hackers from gaining access.

Using digital certificates and public/private key cryptography, SSH can authenticate clients and servers, ensuring that the device or server you are about to connect to is the one it claims to be.


Ok, so now that we have a very brief idea of how SSH secures network traffic, the next step is figuring out where to get this thing we call a digital certificate. Do we have to go into a store to purchase it?

Digital certificates can be acquired in three general ways.

1- The most secure (and most expensive) is to request one from a trusted company called a Certificate Authority (CA). One such company is VeriSign, which is highly popular within the CA industry for its role in providing worldwide trusted certificates; these certificates can, however, cost quite a bit.

2- The other two ways are to use an internally trusted CA (trusted within a company), also called an enterprise CA, or to generate a self-signed certificate on the device itself.

3- The last option is the least secure, but it provides more than enough security to lock down the average network device. This self-signed certificate can be generated using the built-in commands on your Cisco router.

 

What About Telnet?

Like SSH, Telnet can also be used to connect to your router, but the main disadvantage of Telnet is that it does not encrypt its connections. This means that if a hacker is able to capture packets from a Telnet session, he or she can read the information contained in those packets, such as a client’s username and password, and thereby gain access to your router.

The diagram below will give you an idea of how this works.

[Figure: How to configure Secure Shell (SSH) on a Cisco Router]

 

SSH Router Configuration

Now that we have an understanding of how SSH works and why we should use it instead of Telnet, the next step is actually getting down to configuring the device, which is always my favorite part.

For this exercise I will be using a Cisco 871 series SOHO router with IOS ver. 12.4 software. Depending on whether your router is brand new or currently in a production environment, you’re going to have to either connect via a Console session or through a Telnet session.

Take a look at another good article on configuring a Cisco router to use RADIUS for authentication for the steps needed to connect via a Console session, or you can check this article on Cisco’s website.

Here are the steps:
1. Configure a hostname for the router using these commands.

yourname#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
yourname(config)#hostname LabRouter
LabRouter(config)#

2. Configure a domain name with the ip domain-name command followed by whatever you would like your domain name to be. I used CiscoLab.com.

LabRouter(config)#ip domain-name CiscoLab.com

3. We generate the RSA key pair that SSH uses to secure the session with the crypto key generate rsa command.

Take note of the message displayed right after we enter this command: “The name for the keys will be: LabRouter.CiscoLab.com”. The router combines its hostname with the domain name we configured to name the generated key pair; this is why it was important to configure a hostname and then a domain name before generating the keys.

Notice also that it asks us to choose the size of the modulus for the key we’re about to generate. The larger the modulus, the stronger the key. For our example, we’ll use a modulus of 1024.

[Figure: How to configure Secure Shell (SSH) on a Cisco Router]

4. Now that we’ve generated the key, the next step is to configure the vty lines for SSH access and specify which database will be used to authenticate users to the device. The router’s local database will do just fine for this example.

LabRouter(config)#line vty 0 4
LabRouter(config-line)#login local
LabRouter(config-line)#transport input ssh

5. You will need to create an account in the router’s local database to authenticate to the device. This can be accomplished with this command.

LabRouter(config)#username XXXX privilege 15 secret XXXX

 

Fine Tuning Your SSH Configuration

We’ve pretty much completed all the steps needed to configure and use SSH on your router; however, there are some other configurations that can be made to further secure your device.

For one, I would highly recommend enabling an exec timeout on your router to prevent anyone from gaining access to the device in case you forget to log out or get distracted by an emergency. This way, the router will automatically log you out after the session has been idle for a set time.

You must configure this command in line configuration mode, as shown below.

LabRouter(config)#line vty 0 4
LabRouter(config-line)#exec-timeout 5

This means that if the session has been idle for 5 minutes, the router will automatically disconnect the session.

Use Access Control Lists (ACLs) as an added layer of security; this ensures that only devices with certain IP addresses are able to connect to the router.

So let’s say the IP subnet for your LAN is 192.168.100.0/24; you would create an ACL that permits only traffic from that subnet and apply it to the vty lines.

LabRouter(config)#access-list 1 permit 192.168.100.0 0.0.0.255
LabRouter(config)#line vty 0 4
LabRouter(config-line)#access-class 1 in

 

Final Tip: Enable SSH2

Another crucial point is to use SSH version 2 rather than SSH version 1. SSH2 fixes many of the weaknesses that existed in SSH1, and for this reason I recommend always using SSH2 where possible.

Enable SSH version 2 with this command:

LabRouter(config)#ip ssh version 2
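As an added example (not part of the original article), the following Python script audits a saved show running-config against the steps above: ip ssh version 2, an SSH-only transport input, login local, a non-zero exec-timeout, and an access-class that points at an ACL which is actually defined. The two sample configurations are constructed for this example; the RSA modulus does not appear in the running-config, so it is not checked here.

```python
# Constructed samples: the finished configuration from this article, then a pre-hardening one.
HARDENED_CFG = """\
hostname LabRouter
ip domain-name CiscoLab.com
ip ssh version 2
access-list 1 permit 192.168.100.0 0.0.0.255
line vty 0 4
 access-class 1 in
 exec-timeout 5 0
 login local
 transport input ssh
"""
WEAK_CFG = """\
line vty 0 4
 login local
 transport input telnet ssh
"""

def parse_ios(cfg):
    """Split an IOS config into top-level lines and per-'line vty' sub-blocks."""
    top, vty, cur = [], {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and cur is not None:  # indented = inside the current vty block
            vty[cur].append(line)
        elif line.startswith("line vty"):
            cur, vty[cur] = line, []  # cur is bound first, then used as the key
        else:                         # any other top-level line ('!' included) ends the block
            cur = None
            top.append(line)
    return top, vty

def audit_ssh(cfg):
    """Return a list of findings; an empty list means every check passed."""
    top, vty = parse_ios(cfg)
    acls = {t.split()[1] for t in top if t.startswith("access-list ")}
    findings = [] if "ip ssh version 2" in top else ["global: SSH version 2 not enforced"]
    for name, lines in vty.items():
        ti = next((c for c in lines if c.startswith("transport input")), "transport input unset")
        if ti != "transport input ssh":
            findings.append(f"{name}: {ti}, Telnet may still be accepted")
        if "login local" not in lines:
            findings.append(f"{name}: no 'login local', the local user database is not used")
        to = next((c.split()[1:] for c in lines if c.startswith("exec-timeout")), None)
        if to is None or set(to) <= {"0"}:  # 'exec-timeout 0 0' disables the idle timeout
            findings.append(f"{name}: exec-timeout not set explicitly or disabled")
        ac = next((c.split()[1] for c in lines if c.startswith("access-class ")), None)
        if ac is None or ac not in acls:
            findings.append(f"{name}: access-class missing or refers to undefined ACL {ac}")
    return findings
```

Check the key size separately with show crypto key mypubkey rsa; a 1024-bit RSA modulus is below current guidance, and the ACL-existence check matters because an access-class that names an undefined ACL does not restrict anything.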


