Principle and explanation of SSH usage-application skills

Use SSH instead of Telnet for a more secure connection

If you have been using Telnet to control network devices, you can consider other, more secure ways. This article tells you how to replace Telnet with SSH.
Click here for Find out more!

Using Telnet, the TCP/IP protocol used to access a remote computer to control your network device is equivalent to shouting your username and password when you leave a building. Soon, someone will listen, and they will take advantage of your lack of security awareness.

SSH is an industry standard that replaces Telnet and other remote console management applications. The SSH command is encrypted and is kept confidential in several ways.

When using SSH, a digital certificate will authenticate the connection between the client (your workstation) and the server (your network device) and encrypt the protected password. SSH1 uses the RSA encryption key, SSH2 uses the digital Signature Algorithm (DSA) key to protect the connection and authentication.

Cryptographic algorithms include Blowfish, Data Encryption Standard (DES), and Sanchong DES (3DES). SSH protection and helps prevent spoofing, "man-in-the-middle" attacks, and packet sniffing.

The first step in implementing SSH is to verify that your device supports SSH. Please log in to your router or switch and determine if you are loading an IPSec iOS mirror that supports SSH.

In our example, we will use the Cisco IOS command. Run the following command:
Router> Show Flash

This command displays the names of the iOS mirrors that have been loaded. You can use the results to compare your vendor's support feature List.

After you verify that your device supports SSH, make sure the device has a host name and a properly configured host domain, just like the following:
router> Config terminal
Router (config) # hostname hostname
Router (config) # IP domain-name domainname

At this point, you can enable the SSH server on the router. To enable an SSH server, you first have to use the following command to generate a pair of RSA keys:
Router (config) # crypto key generate RSA

Generating a pair of RSA keys on the router automatically enables SSH. If you delete this pair of RSA keys, the SSH server is automatically disabled.

The final step in implementing SSH is to enable authentication, authorization, and Auditing (AAA). When you configure AAA, specify the username and password, the session timeout, and the number of attempts that a connection allows. Use the command as follows:
Router (config) # AAA New-model
Router (config) # username password
Router (config) # IP ssh time-out
Router (config) # ip ssh authentication-retries

To verify that you have configured SSH and that it is running on your router, execute the following command:
router# show ip ssh

After verifying the configuration, you can force users to use SSH instead of Telnet when you add to the AAA configuration. You can also use SSH in a virtual terminal (vty) connection to achieve the same goal. Here is an example:
Router (config) # line vty 0 4
Router (config-line) # Transport Input SSH

Before you close an existing Telnet session, you need an SSH Terminal client program to test your configuration. I highly recommend putty; it's free, and it's an excellent terminal software.

The last Thought
After you have SSH enabled on your router and switch, make sure you modify all existing access control lists to allow connections to these devices. You can now report to your superiors that you have blocked a huge security breach: All network management sessions are now encrypted and protected.