Use SSH to log on to a Cisco Router

Source: Internet
Author: User

1. Preface

A large number of Cisco routers are deployed in Jiangxi IP networks, and administrators usually use Telnet to log on to a router remotely for routine maintenance. Because Telnet, FTP and similar network services transmit passwords and data across the network in plain text, their security cannot be effectively guaranteed: once an administrator's user name and password are intercepted by someone with ulterior motives, the consequences will be unimaginable. How to log on to Cisco routers securely is therefore the primary problem in daily network maintenance. This document uses the Cisco router's support for SSH to implement secure login to the router through SSH.
The full name of SSH is Secure Shell; it was developed by a Finnish company. SSH consists of client and server software, and there are two incompatible versions: 1.x and 2.x. SSH is powerful: it can replace Telnet and provide a secure "channel" for FTP, POP3 and PPP. SSH encrypts all transmitted data, so even if someone intercepts it they cannot obtain useful information; at the same time the data is compressed, which greatly speeds up transmission.
This document describes how to configure secure logon using SSH on a Cisco router. The method is simple and secure, and is suitable for promotion and use in network maintenance.

2. Configure the SSH service on the Cisco Router

In the Cisco router product series, only IOS for the 7200, 7500 and 12000 Series (GSR) products supports SSH. Generally, the names of IOS images that support SSH include K3 or K4: K3 indicates 56-bit SSH encryption and K4 indicates 168-bit SSH encryption. For example, the IOS on the GSR 12016 and 12008 supports 56-bit SSH encryption. Cisco products currently only support SSH-1, not SSH-2. The following uses the GSR 12008 as an example to describe the SSH-1 configuration (the commands to type are shown after the router prompt):
① Configure hostname and ip domain-name:
Router# configure terminal
Router(config)# hostname TEST-GSR12008
TEST-GSR12008(config)# ip domain-name jx.cn.net
② Configure the logon username and password (local authentication is used as the example):
TEST-GSR12008(config)# username test password 0 test
Note: this adds a user named test with the password test.
TEST-GSR12008(config)# line vty 0 4
TEST-GSR12008(config-line)# login local
After these two parts are completed, the show run command shows:
hostname TEST-GSR12008
!
boot system flash gsr-k3p-mz.120-14.S.bin
enable secret 5 $1$DMyW$gdSIOkCr7p8ytwcRwtnJG.
enable password 7 094F47C31A0A
!
username test password 7 0835495D1D
clock timezone PRC 16
redundancy
 main-cpu
  auto-sync startup-config
!
ip subnet-zero
no ip finger
ip domain-name jx.cn.net
ip name-server 202.101.224.68
ip name-server 202.101.226.68
!
③ Configure the SSH service:
TEST-GSR12008(config)# crypto key generate rsa
The name for the keys will be: TEST-GSR12008.jx.cn.net
Note: the key name is hostname + "." + ip domain-name.
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
Note: this prompt selects the key modulus size in bits; the default value is used here.
Generating RSA keys...
[OK]

TEST-GSR12008(config)# end
TEST-GSR12008# write
Building configuration...
Now the show run command shows:
ip subnet-zero
no ip finger
ip domain-name jx.cn.net
ip name-server 202.101.224.68
ip name-server 202.101.226.68
ip ssh time-out 120
ip ssh authentication-retries 3
!
Run the show ip ssh command:
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
The SSH service has now been started. To stop the SSH service, run the following command:
TEST-GSR12008(config)# crypto key zeroize rsa
④ Set SSH parameters
After configuring SSH, the show run command displays the default SSH parameters: the timeout is 120 seconds and the number of authentication retries is 3. You can modify them with the following command:
TEST-GSR12008(config)# ip ssh {[time-out seconds] | [authentication-retries integer]}
To change the timeout to 180 seconds, use:
TEST-GSR12008(config)# ip ssh time-out 180
To change the number of retries to 5, use:
TEST-GSR12008(config)# ip ssh authentication-retries 5
SSH is now configured on the router, and you can log on to it securely through SSH.
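An added example, not from the article: a small Python audit that parses a saved show run excerpt for the settings the steps above configure (the hostname and ip domain-name that form the RSA key name, login local on the vty lines, and the ip ssh time-out and authentication-retries values). The sample configuration is constructed from the article's output; the transport input check is a hardening beyond the article's steps, and the "transport input telnet ssh" line in the sample is assumed.

```python
import re
# Constructed sample: the article's post-SSH "show run" excerpt plus its vty stanza;
# "transport input telnet ssh" is an assumed default not shown in the article.
SAMPLE_CONFIG = """\
hostname TEST-GSR12008
ip domain-name jx.cn.net
ip ssh time-out 120
ip ssh authentication-retries 3
line vty 0 4
 login local
 transport input telnet ssh
"""

def first_match(pattern, lines, default=None):
    """Return group(1) of the first line matching pattern, else default."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return default

def vty_subcommands(lines):
    """Collect the indented sub-commands under every 'line vty' stanza."""
    out, inside = [], False
    for line in lines:
        if line.startswith("line vty"):
            inside = True
        elif inside and line.startswith(" "):
            out.append(line.strip())
        else:
            inside = False
    return out

def audit_ssh_config(config):
    """Map each setting the article configures to (ok, observed value)."""
    lines = config.splitlines()
    host = first_match(r"hostname (\S+)", lines)
    domain = first_match(r"ip domain-name (\S+)", lines)
    timeout = first_match(r"ip ssh time-out (\d+)", lines)
    retries = first_match(r"ip ssh authentication-retries (\d+)", lines)
    vty = vty_subcommands(lines)
    transport = first_match(r"transport input (.+)", vty, "all")
    return {
        # the RSA key is named hostname + "." + domain, so both must be set
        "rsa-key-name": (bool(host and domain), f"{host}.{domain}"),
        "login-local": ("login local" in vty, None),
        "time-out": (timeout is not None, int(timeout or 120)),
        "auth-retries": (retries is not None, int(retries or 3)),
        "ssh-only-vty": (transport == "ssh", transport),  # Telnet still open otherwise
    }
```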
