Setting up SSH on a Cisco Router
From KoshWiki
Description
I was asked to set up SSH on a Cisco router at my work. This is actually very easy and very annoying at the same time. Seeing that most of the articles I read were copy/pastes of one article[1], I decided to make my own. (Also there is a queue in World of Warcraft at the moment.)
Enabling SSH on your Cisco
The first thing we need to do is set up the Cisco to allow us to use SSH.
Get into config mode, and we will go from there.
Setting the FQDN for the Router
We set up the FQDN in two parts: the hostname and the domain name.
Switch(config)#hostname oz-test1
oz-test1(config)#
Now the domain name:
oz-test1(config)#ip domain-name hostname.net.au
oz-test1(config)#
Creating the keys SSH will use
Here is why we have to set the FQDN first: the router uses it as the name for the key pair.
oz-test1(config)#crypto key generate rsa
% You already have RSA keys defined named oz-test1.hostname.net.au.
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
oz-test1(config)#
What about SSH Versions?
I prefer SSH 2.0 over 1.0, because the larger number is so much better (that is a joke...)
oz-test1(config)#ip ssh version 2
Authentication, The other white meat
Now we have SSH set up, all well and good, but we don't have any way to authenticate![2] A lot of the articles skip over this entirely, and I'm sure that people not understanding Cisco authentication are in the minority. But I'm all about copy/paste/work guides.
Back into configure mode (if you left it).
oz-test1(config)#aaa new-model
oz-test1(config)#aaa authentication login default local
oz-test1(config)#username kosh privilege 15 password 0 mysupersecretpassword
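The whole procedure above collected into one configuration, as an added example that is not from the original page. It keeps the page's hostname, domain and username, shows the page's own `password 0` line next to the `secret` form that stores a hash instead of the clear-text password, and adds the vty restriction that actually turns telnet off once SSH works (the page never does this, so after following it both protocols are still accepted). The time-out, retry and exec-timeout values are assumptions, not the page's; the password is a placeholder.

```cisco
! Added example (not the wiki's own config): the page's SSH setup in one piece,
! with the hardened form of each setting beside the page's version.
enable
configure terminal
!
! 1. FQDN first: the RSA key pair is named <hostname>.<domain-name>, so the
!    router refuses to generate keys until both parts are set.
hostname oz-test1
ip domain-name hostname.net.au
!
! 2. Host key. The page accepts the interactive prompt and picks 1024 bits;
!    giving the modulus on the command line skips the prompt, and 2048 is the
!    top of the range the page's IOS offers. Regenerating replaces the existing
!    pair, so every client that cached the old fingerprint will warn next login.
crypto key generate rsa modulus 2048
!
! 3. Protocol version: accept only SSH-2 clients.
ip ssh version 2
! Negotiation time-out and retry limit (assumed values, not from the page).
ip ssh time-out 60
ip ssh authentication-retries 3
!
! 4. Authentication. The page's line, kept here as a comment, is the weak form:
!    username kosh privilege 15 password 0 mysupersecretpassword
!    'password 0' keeps the string in clear text in the running configuration;
!    'secret' stores a salted hash. <PLACEHOLDER-PASSPHRASE> is not a real value.
aaa new-model
aaa authentication login default local
username kosh privilege 15 secret <PLACEHOLDER-PASSPHRASE>
!
! 5. Limit the virtual terminal lines to SSH. Without this, telnet keeps working
!    alongside SSH. exec-timeout closes idle sessions after 10 minutes (assumed).
line vty 0 4
 transport input ssh
 login authentication default
 exec-timeout 10 0
!
end
!
! Checks from privileged EXEC mode once the above is in place (commands only;
! exact output wording depends on the IOS release):
!   show ip ssh                               -> SSH enabled, version 2.0
!   show crypto key mypubkey rsa              -> key named oz-test1.hostname.net.au
!   show running-config | include username    -> no 'password 0' lines left
!   show running-config | section line vty    -> 'transport input ssh' present
```

Apply it in order: if `crypto key generate rsa` is run before the hostname and domain name, IOS rejects it, and `ip ssh version 2` only takes effect once a key pair exists.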
Now to test it:
vandread:~# ssh -v kosh@xxx.xxx.xxx.xxx
OpenSSH_4.3p2 Debian-2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
The authenticity of host 'xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)' can't be established.
RSA key fingerprint is d8:10:54:46:d7:49:2e:ef:3a:84:ac:11:0a:50:d0:87.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'xxx.xxx.xxx.xxx' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password
debug1: Next authentication method: password
kosh@xxx.xxx.xxx.xxx's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_AU
oz-test1>
