Use SSH instead of Telnet for more secure connections

 

If you have been using Telnet to control network devices, you can consider other safer methods. This document describes how to replace Telnet with SSH.

Using Telnet, the TCP/IP protocol used to access remote computers, to control your network device is equivalent to shouting your username and password when you leave a building. Soon, someone will listen, and they will use your lack of security awareness.

SSH is an industry standard that replaces Telnet and other remote console management applications. SSH commands are encrypted and kept confidential in several ways.

When using SSH, a digital certificate authenticates the connection between the client (your workstation) and the server (your network device) and encrypts the protected password. SSH1 uses the RSA encryption key, and SSH2 uses the digital signature algorithm (DSA) Key to protect connections and authentication.

Encryption algorithms include Blowfish, Data Encryption Standard (DES), and triple DES (3DES ). SSH protects and helps prevent spoofing, man-in-the-middle attacks, and packet listening.

The first step in implementing SSH is to verify that your device supports SSH. Log on to your vro or vswitch and check whether you have loaded an IPSec IOS image that supports SSH.

In our example, we will use the Cisco IOS command. Run the following command:

Router> Show flash

This command displays the name of the loaded IOS image. You can use the result to compare the list of supported features of your supplier.

After you verify that your device supports SSH, make sure that the device has a host name and a correctly configured host domain, as shown below:

Router> config terminal

Router (config) # hostname

Router (config) # ip domain-name domainname

At this time, you can enable the SSH server on the router. To enable the SSH server, you must first use the following command to generate a pair of RSA keys:

Router (config) # crypto key generate rsa

SSH is automatically enabled when an RSA key is generated on the vro. If you delete the RSA key pair, the SSH server is automatically disabled.

The last step to implement SSH is to enable authentication, authorization, and audit (AAA ). When configuring AAA, specify the user name and password, Session Timeout, and the number of connections allowed. Run the following command:

Router (config) # aaa new-model

Router (config) # username password

Router (config) # ip ssh time-out

Router (config) # ip ssh authentication-retries

To verify that you have configured SSH and it is running on your vro, run the following command:

Router # show ip ssh

After verifying the configuration, you can force the users you add during the AAA configuration process to use SSH instead of Telnet. You can also apply SSH to a virtual terminal (vty) connection to achieve the same purpose. Here is an example:

Router (config) # line vty 0 4

Router (config-line) # transport input SSH

Before closing an existing Telnet session, you need an SSH client program to test your configuration. I strongly recommend PuTTY; it is free, and it is an excellent terminal software.

Last thought

After you enable SSH on your vro and vswitch, make sure that you have modified all existing access control lists to allow connections to these devices. You can report to your superiors that you have blocked a huge security vulnerability: all network management sessions are encrypted and protected.