Introduction

Setting up SSH access to a Cisco device has several advantages for configuring the hardware. It allows remote administration and adds a layer of security, because you no longer need a physical serial cable, which would otherwise expose the attached computer.

Configuration

Requirements

To allow the remote connection, at least one IP address must be configured on an interface:

interface [INTERFACE]
ip address [IP_ADDRESS] [MASK]

Note: On a switch, the IP address is configured on a VLAN interface (SVI). For that interface to come up, at least one physical port must be assigned to the VLAN.

It is mandatory to configure a hostname and a password for the privileged EXEC mode (“enable”):

hostname [NAME]
enable password [PASSWORD]

Set-up

The first step is to configure a domain name (here, test.lan) on the device:

ip domain-name test.lan

Then you can generate the RSA key pair that SSH will use as the device's host key:

crypto key generate rsa

Note: It is recommended to choose a key length of at least 2048 bits for security reasons.

A user account is also required for the SSH connection. Here is the command to create one:

username [NAME] password [PASSWORD]

We will now configure the virtual terminal (vty) lines that accept SSH connections.

Select five virtual terminal lines, numbered 0 to 4 (you can configure more or fewer):

line vty 0 4

Allow only SSH as the incoming and outgoing transport protocol on these lines (this disables Telnet):

transport input ssh
transport output ssh

Require authentication against the local user database on the virtual terminal lines:

login local
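The complete procedure above, assembled into one Cisco IOS session as an added example (this is not configuration from the original page). It assumes a switch with management IP 192.0.2.10/24 on VLAN 1, hostname SW1, the page's domain test.lan and a local user named admin; all of these are constructed placeholders. It goes slightly beyond the page by using "enable secret" and "username ... secret" (one-way hashes) instead of "password", the "modulus 2048" keyword to pick the key length non-interactively, "no shutdown" on the SVI, "ip ssh version 2", and two "show" commands to verify the result; these are standard IOS commands marked "beyond the page" in the comments.

```cisco
! Added example (not from the original page): complete SSH bring-up on a Cisco IOS
! switch, combining the steps above. Names and addresses are constructed placeholders:
! hostname SW1, domain test.lan (from the page), management SVI 192.0.2.10/24, user admin.
! Commands marked "beyond the page" are standard IOS commands not shown in the tutorial.

! Exec mode: set the clock first if key generation complains about the date.
clock set 15:30:00 January 1 2000

configure terminal

! Requirement: a management IP address. On a switch it lives on a VLAN interface;
! "no shutdown" (beyond the page) brings the SVI up once a port belongs to VLAN 1.
interface vlan 1
 ip address 192.0.2.10 255.255.255.0
 no shutdown
exit

! Hostname and domain name are both required before the RSA key can be generated,
! because the default key pair is named "<hostname>.<domain>".
hostname SW1
ip domain-name test.lan

! Privileged-mode password. "enable secret" (beyond the page) stores a one-way hash
! instead of the reversible "enable password".
enable secret ChangeMe-Priv-123

! Host key for SSH; the modulus keyword (beyond the page) picks 2048 bits non-interactively.
crypto key generate rsa modulus 2048

! Restrict the server to SSH protocol version 2 (beyond the page).
ip ssh version 2

! Local account used by "login local" on the vty lines; "secret" hashes the password.
username admin secret ChangeMe-User-123

! Virtual terminal lines 0-4: SSH only in both directions, local authentication.
line vty 0 4
 transport input ssh
 transport output ssh
 login local
exit
end

! Verification (exec mode): "show ip ssh" must report SSH as Enabled, and the
! key pair SW1.test.lan must be listed.
show ip ssh
show crypto key mypubkey rsa
```

The order matters: "hostname" and "ip domain-name" must precede "crypto key generate rsa", and "transport input ssh" should only be applied once the key exists and "login local" has a matching user, otherwise the vty lines become unreachable remotely and the serial console is the only way back in.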

Tips

Device timestamp

You may need to set the device clock before generating the key:

clock set hh:mm:ss month day year

Here is an example that sets the date to January 1, 2000 at 3:30 p.m. (the month must be given as a 4-character abbreviation):

clock set 15:30:00 Janu 01 2000

Safe password policy

Cisco devices accept different levels of password encryption. It is recommended to select passwords of type 5 and 7. All the commands to set that up can be found on the official Cisco website.
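The password-storage commands behind those types, as an added example that is not from the original page or from Cisco's documentation. The password values are constructed placeholders and the user name admin is assumed. Beyond the two types named above, the block also shows the scrypt-based type 9 ("algorithm-type scrypt"), which exists on IOS 15.3(3)M and later, and a "show running-config" filter to verify which type was actually stored.

```cisco
! Added example (not from the original page): the password-storage commands referred to
! in "Safe password policy", with the type each one produces in the running config.
! Password values are constructed placeholders.

configure terminal

! Type 7: "service password-encryption" obfuscates every plaintext "password" entry
! (enable password, username ... password, line passwords). Type 7 is reversible,
! so it only hides passwords from a casual look at the config, not from anyone
! who has a copy of it.
service password-encryption

! Type 5: "secret" stores a salted MD5 hash that cannot be reversed. When both
! "enable secret" and "enable password" are set, the secret is the one that applies.
enable secret ChangeMe-Priv-123
username admin secret ChangeMe-User-123

! Type 9 (scrypt), IOS 15.3(3)M and later: stronger than type 5 and preferable on
! software that supports it. These lines replace the type 5 entries set just above.
enable algorithm-type scrypt secret ChangeMe-Priv-123
username admin algorithm-type scrypt secret ChangeMe-User-123
end

! Check what actually got stored: the number after "secret" or "password" is the type.
! Expect "enable secret 9 $9$..." (or "secret 5 $1$..." on older software);
! any remaining "password 0" entry is still stored in cleartext.
show running-config | include ^enable|^username
```

"service password-encryption" has no effect on "secret" entries, and an "enable password" left in the configuration next to an "enable secret" is a leftover worth removing, since it is still recoverable from a saved or backed-up config.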