Thursday, March 5, 2009

SSH - Few Words

SSH is a client/server protocol used to log in to another computer over a network. It provides strong authentication and secure communication over a public network. SSH may be “more” secure, but many vendors' implementations of SSH have been vulnerable.

So let's hop on to a router and configure it :)

Before we enable and configure SSH access, you should know that the router needs a hostname other than the default "Router" and a configured domain name, since both are used to name the RSA key pair. Also, SSH uses TCP port 22.

Router(config)#hostname Deepak
Deepak(config)#ip domain-name
Deepak(config)#crypto key generate rsa general-keys
The name for the keys will be:
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: Just hit enter here
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

*Mar  1 00:03:13.563: %SSH-5-ENABLED: SSH 1.99 has been enabled

The next step is to allow the SSH protocol on the vty lines for access.
</gra_replace>
<gr_replace lines="26-28" cat="clarify" orig="Deepak(config)#configure">
Deepak#configure terminal
Deepak(config)#line vty 0 4
Deepak(config-line)#transport input ssh

Deepak(config)#configure terminal
Deepak(config)#line vty 0-4
Deepak(config-line)#transport input ssh

Now let's hop on to the last few steps: creating the local user database and enabling local authentication on the vty lines.

Deepak(config)#username deepak password deepak
Deepak(config)#line vty 0 4
Deepak(config-line)#login local

Now just hop on to the client router and use the following command for SSH access.

Test#ssh -l deepak ( is just ip address of destination router to which we need 


Anonymous said...

Hi Deepak ,

Is a 512-bit RSA general key sufficient to enable SSH version 2?

Cisco doc says you require a minimum 768-bit RSA key to enable SSH version 2.

and I did try with a 512-bit key; the prompt says %SSH-5-ENABLED: SSH 1.5 has been enabled

Just a question ...


Deepak Arora said...

There are two considerations over here:

1. A bigger key means more security but also more overhead on the CPU, since SSH connections are control-plane traffic which hits the device CPU

2. SSHv2 is preferred these days over SSHv1