IOS supports SSH on high-end products in Cisco's router family, such as the 7200 series, 7500 series, and 12000 series (GSR). IOS images that support SSH generally have k3 or k4 in the file name: k3 means 56-bit SSH encryption and k4 means 168-bit SSH encryption. The IOS on the GSR 12016 and 12008 in our provincial network, for example, is a version that supports 56-bit SSH encryption.
Cisco's products currently support only SSH-1 and do not support SSH-2. The following uses a GSR 12008 as an example to describe the SSH-1 configuration method in detail (the commands to enter follow the router prompt):
① Configuring hostname and IP domain-name:
Router#configure terminal
Router(config)#hostname test-gsr12008
test-gsr12008(config)#ip domain-name jx.cn.net
② Configure the login username and password (local authentication as an example):
test-gsr12008(config)#username Test password 0 Test
Note: this adds a user "Test" with the password "Test".
test-gsr12008(config)#line vty 0 4
test-gsr12008(config-line)#login local
After these two parts are done, the show run command displays:
hostname test-gsr12008
!
boot system flash gsr-k3p-mz.120-14.s.bin
enable secret 5 $1$DMYW$GDSIOKCR7P8YTWCRWTNJG.
enable password 7 094f47c31a0a
!
username Test password 7 0835495d1d
clock timezone PRC
redundancy
 main-cpu
  auto-sync startup-config
!
!
!
!
ip subnet-zero
no ip finger
ip domain-name jx.cn.net
ip name-server 202.101.224.68
ip name-server 202.101.226.68
!
③ Configuring the SSH service:
test-gsr12008(config)#crypto key generate rsa
The name for the keys will be: test-gsr12008.jx.cn.net
Note: the SSH key name is hostname + "." + ip domain-name.
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
Note: choose the number of encryption bits; the default is fine.
Generating RSA keys ...
[OK]
test-gsr12008(config)#end
test-gsr12008#write
Building configuration...
At this point, the show run command displays:
ip subnet-zero
no ip finger
ip domain-name jx.cn.net
ip name-server 202.101.224.68
ip name-server 202.101.226.68
ip ssh time-out 120
ip ssh authentication-retries 3
!
The show ip ssh command also displays:
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
The SSH service is now started. If you need to stop the SSH service, use the following command:
test-gsr12008(config)#crypto key zeroize rsa
④ Setting SSH parameters:
Once SSH is configured, the show run command shows the default SSH parameters: the timeout is limited to 120 seconds and the number of authentication retries is 3. These can be modified with the following command:
test-gsr12008(config)#ip ssh {[time-out seconds] | [authentication-retries integer]}
If you want to change the timeout limit to 180 seconds, use:
test-gsr12008(config)#ip ssh time-out 180
If you want to change the number of retries to 5, use:
test-gsr12008(config)#ip ssh authentication-retries 5
SSH is now configured on the router, and you can log in to it securely over SSH.
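
To confirm that steps ① to ④ took effect, the captured show run and show ip ssh output can be checked by script. The following is an added example, not part of the original article or of any Cisco tool; the function names and the sample text (constructed from the output shown above) are assumptions.

```python
import re

# Constructed sample input: the lines this page shows for "show run" and "show ip ssh".
SHOW_RUN = """hostname test-gsr12008
username Test password 7 0835495d1d
ip domain-name jx.cn.net
ip ssh time-out 120
ip ssh authentication-retries 3
line vty 0 4
 login local
"""
SHOW_IP_SSH = """SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
"""

def first(pattern, text):
    """Return group 1 of the first multiline match, or None."""
    m = re.search(pattern, text, re.M | re.I)
    return m.group(1) if m else None

def audit_ssh(show_run, show_ip_ssh):
    """Check steps 1-4 of this page against captured router output."""
    host = first(r"^hostname\s+(\S+)", show_run)
    domain = first(r"^ip domain-name\s+(\S+)", show_run)
    version = first(r"^SSH Enabled\s*-\s*version\s+([\d.]+)", show_ip_ssh)
    findings = []
    for name, value in (("hostname", host), ("ip domain-name", domain)):
        if not value:
            findings.append(f"{name} not set")
    if not first(r"^username\s+(\S+)\s+password\s", show_run):
        findings.append("no local username for 'login local'")
    # 'login local' must appear as an indented line inside a 'line vty' block.
    if not re.search(r"^line vty[^\n]*\n(?:[ \t]+[^\n]*\n)*?[ \t]+login local\s*$",
                     show_run, re.M | re.I):
        findings.append("vty lines do not use 'login local'")
    if not version:
        findings.append("SSH not enabled (RSA key missing or zeroized)")
    # Values in the running config should match what the SSH server reports.
    for keyword, runtime_re in (("time-out", r"timeout:\s*(\d+)\s*secs"),
                                ("authentication-retries", r"retries:\s*(\d+)")):
        configured = first(rf"^ip ssh {keyword}\s+(\d+)", show_run)
        runtime = first(runtime_re, show_ip_ssh)
        if configured and runtime and configured != runtime:
            findings.append(f"{keyword}: config={configured} runtime={runtime}")
    key_name = f"{host}.{domain}" if host and domain else None
    return {"key_name": key_name, "version": version, "findings": findings}

if __name__ == "__main__":
    print(audit_ssh(SHOW_RUN, SHOW_IP_SSH))
```

An empty findings list means the hostname, domain name, local user, vty login and SSH parameters all agree with the procedure; key_name is the RSA key name the router derives in step ③.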