[CCNA] Configuring SSH

Configuring a device through the console port every time is impractical, so in practice you manage it remotely over Telnet or SSH. Telnet sends everything, including your username and password, across the network in cleartext, which is why enabling SSH on your Cisco device is so important.

We’ll work through these steps one by one:

  1. Configure the device hostname
  2. Define the default domain name
  3. Generate encryption keys
  4. Configure SSH options
  5. Create local user account(s)
  6. Define transport protocols for the vty lines (Telnet and/or SSH)
  7. Enable local login

Of course the device must already have an IP address; check this post for the initial configuration.

1. Configure the device hostname

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname MainSwitch

2. Define the default domain name

MainSwitch(config)#ip domain-name ?
  WORD  Default domain name
MainSwitch(config)#ip domain-name locallab.com

3. Generate encryption keys

MainSwitch(config)#crypto key generate ?
  rsa  Generate RSA keys
MainSwitch(config)#crypto key generate rsa
The name for the keys will be: MainSwitch.locallab.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

*Mar 1 0:15:4.695:  %SSH-5-ENABLED: SSH 1.99 has been enabled

4. Configure SSH options

  • Set the SSH version to version 2. The log line after key generation reported SSH 1.99, which means the server is in compatibility mode and accepts both SSHv1 and SSHv2 clients; SSHv1 has known protocol weaknesses, so pin version 2. This requires an RSA key of at least 768 bits, which the 2048-bit key generated above satisfies.
MainSwitch(config)#ip ssh ?
  authentication-retries  Specify number of authentication retries
  time-out                Specify SSH time-out interval
  version                 Specify protocol version to be supported
MainSwitch(config)#ip ssh version ?
  <1-2>  Protocol version
MainSwitch(config)#ip ssh version 2
  • Set the maximum number of failed authentication attempts allowed per SSH connection (default 3); the client is disconnected once it exceeds that number.
MainSwitch(config)#ip ssh authentication-retries ?
  <0-5>  Number of authentication retries

MainSwitch(config)#ip ssh authentication-retries 2
  • Set the SSH negotiation timeout in seconds (range 1 to 120, default 120). This is how long a client has to complete key exchange and authentication; it is not the idle timer for an established session, which is set per line with exec-timeout under the vty lines.
MainSwitch(config)#ip ssh time-out 60

5. Create local user account(s)

MainSwitch(config)#username ?
  WORD  User name
MainSwitch(config)#username boubakr ?
  password   Specify the password for the user
  privilege  Set user privilege level
  secret     Specify the secret for the user

MainSwitch(config)#username boubakr secret ?
  0     Specifies an UNENCRYPTED secret will follow
  5     Specifies a HIDDEN secret will follow
  LINE  The UNENCRYPTED (cleartext) user secret
MainSwitch(config)#username boubakr secret cisco

Why secret and not password? With username ... password the password is stored in the running-config in cleartext, or as type 7 when service password-encryption is enabled, and type 7 is a reversible fixed-key obfuscation that anyone who can read the config can undo. With username ... secret the device stores only a one-way hash, shown as type 5 (salted MD5) in the show run output below, so reading the config does not give up the password. On IOS releases that support it, prefer username ... algorithm-type scrypt secret ..., which stores a type 9 hash instead of MD5.

MainSwitch(config)#do show run
Building configuration...
! ...
hostname MainSwitch
! ...
ip ssh version 2
ip domain-name locallab.com
username boubakr secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
! ...
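To see concretely what a type 7 "password" protects, here is an added example (my own code, not from the post) that reverses Cisco type 7 strings, the form username ... password takes once service password-encryption is on. Type 7 is a XOR against a fixed, published key, so the cleartext is recovered from a copy of the running-config immediately; the secret 5 hash above cannot be reversed this way. The sample configuration lines are constructed for the example, and the string 0822455D0A16 is the well-known type 7 encoding of "cisco".

```python
import re

# The fixed XOR key used by Cisco type 7 (widely published; the first 40
# bytes are the commonly quoted part, the tail covers larger seed offsets).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Decode a type 7 string: two decimal digits give the key offset (seed),
    then each pair of hex digits is one byte XORed with the next XLAT byte."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string must be an even length of at least 4")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def type7_encode(plaintext, seed=8):
    """Inverse of type7_decode, so the sample strings below can be regenerated."""
    body = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plaintext))
    return f"{seed:02d}{body.hex().upper()}"


def recover_type7_from_config(config):
    """Return {line prefix: cleartext} for every 'password 7' entry in a config.
    Lines using 'secret' are left alone: there is nothing to reverse."""
    found = {}
    for line in config.splitlines():
        m = re.match(r"^(.*\S)\s+password 7 ([0-9A-Fa-f]+)$", line.strip())
        if m:
            found[m.group(1)] = type7_decode(m.group(2))
    return found


# Constructed sample: what 'show run' shows after 'service password-encryption'
# when 'password' was used for enable and for one user, and 'secret' for another.
SAMPLE_CONFIG = """\
service password-encryption
hostname MainSwitch
enable password 7 020A0559
username boubakr password 7 0822455D0A16
username admin secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
"""


if __name__ == "__main__":
    for prefix, clear in recover_type7_from_config(SAMPLE_CONFIG).items():
        print(f"{prefix}: {clear}")
```

Running the block prints the enable password and boubakr's password in clear, while the admin secret is untouched: that difference is the whole reason the post uses secret.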

6. Define transport protocols for the vty lines (Telnet and/or SSH)

These commands are entered under the virtual terminal lines, where remote sessions arrive (line vty 0 4, and also line vty 5 15 on platforms that have sixteen); the console port is line con 0 and has no network transport to restrict.

MainSwitch(config-line)#transport input ?
  all     All protocols
  none    No protocols
  ssh     TCP/IP SSH protocol
  telnet  TCP/IP Telnet protocol
MainSwitch(config-line)#transport input ssh

You can allow both with transport input telnet ssh (or all); with login local a Telnet session then also prompts for the username, but that username and password still cross the network in cleartext, so leave Telnet off with transport input ssh unless you have a specific reason to keep it.

7. Enable local login: authenticate sessions on these lines against the local user database

MainSwitch(config-line)#login ?
  local  Local password checking

MainSwitch(config-line)#login local
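Steps 1 to 7 together, plus a way to check that a device actually ended up there. The following is an added example (my own code, not from the post): it embeds the end state of the procedure as a running-config fragment, including the line vty blocks that the commands in steps 6 and 7 are entered under and an exec-timeout for idle sessions, beside a constructed weak config that still allows Telnet, and audits both. Both configs are constructed sample input and the check list is mine. Note that RSA key pairs are not part of the running-config, so the key size is verified with show crypto key mypubkey rsa, not by this script.

```python
import re

# Constructed sample: the running-config a device ends up with after steps 1-7,
# plus an exec-timeout on the vty lines so idle sessions are closed.
HARDENED_CONFIG = """\
hostname MainSwitch
ip domain-name locallab.com
username boubakr secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 60
line con 0
 login local
line vty 0 4
 exec-timeout 10 0
 transport input ssh
 login local
line vty 5 15
 exec-timeout 10 0
 transport input ssh
 login local
"""

# Constructed sample of a device that is not there yet: SSH version not pinned,
# reversible password, Telnet still reachable, no idle timeout.
WEAK_CONFIG = """\
hostname MainSwitch
ip domain-name locallab.com
username boubakr password 7 0822455D0A16
line vty 0 4
 transport input all
 login
line vty 5 15
 transport input telnet ssh
 login local
"""


def parse_line_blocks(config):
    """Map each 'line ...' block to its indented sub-commands.

    IOS indents sub-commands with a single space; the next non-indented
    command ends the block.  Blank lines and '!' comments are skipped.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
    return blocks


def audit_ssh_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    top = [c.strip() for c in config.splitlines() if c and not c.startswith(" ")]

    if "ip ssh version 2" not in top:
        findings.append("global: 'ip ssh version 2' missing, server stays at SSH 1.99 and accepts SSHv1")
    if not any(c.startswith("ip domain-name ") for c in top):
        findings.append("global: 'ip domain-name' missing, RSA key generation needs it")
    for c in top:
        m = re.match(r"username (\S+) password\b", c)
        if m:
            findings.append(f"user {m.group(1)}: stored with 'password' (cleartext or reversible type 7), use 'secret'")

    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("line vty"):
            continue  # console and aux lines have no network transport
        transport = [c for c in cmds if c.startswith("transport input")]
        current = transport[-1] if transport else "unset"
        if current != "transport input ssh":
            findings.append(f"{name}: transport input is '{current}', expected 'transport input ssh'")
        if "login local" not in cmds:
            findings.append(f"{name}: 'login local' missing, line does not use the local user database")
        timeout = [c for c in cmds if c.startswith("exec-timeout")]
        if not timeout or timeout[-1] == "exec-timeout 0 0":
            findings.append(f"{name}: exec-timeout unset or disabled, idle sessions never expire")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        results = audit_ssh_config(cfg)
        print(f"== {label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Feed it the output of show running-config from a real device and every non-empty finding maps back to one of the numbered steps above (or to the exec-timeout caveat under step 4).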

I hope this has been informative for you. Enjoy!


One thought on “[CCNA] Configuring SSH”

  1. Dinary, August 6, 2014 at 12:07 am

    I’m starting from the beginning in CCNA. I have a friend; he told me about CCNA, and then I was certainly interested. I don’t know about CCNA. I would like to thank you so much; otherwise, would you mind, can you post me anything new?
