Problem
Configure SSH input on Cisco switches and routers
tl;dr
Enable SSH:
conf t
hostname Switch32
ip domain-name mydomain.com
aaa new-model
crypto key generate rsa
If you have not yet set up user credentials, or want to add a new user:
conf t
username john secret cat12345
Here cat12345 is the password you wish to set for the user john.
Solution
To enable SSH on a Cisco IOS device, you need two things: a management interface with an IP address (see this guide), and SSH itself enabled. For the latter, the router or switch must be configured with a hostname and a domain name, since both are used to name the RSA key pair you generate next:
conf t
hostname iSwitch
ip domain-name fixmacsnow.com
Then, allow the users configured on the switch to log in over SSH or Telnet connections:
aaa new-model
Generate your RSA key:
crypto key generate rsa
User credentials
If you have not yet configured a user, you should do so now (choose one):
username john password cat12345
username john secret cat12345
Both secret and password set a password for user john, but secret stores it as a one-way hash, whereas password stores it in plaintext (type 0) by default. A plaintext password is trivially revealed to anyone you let at the console, or to anyone who can read your NVRAM or running configuration:
Switch32#sh run | include password
username john password 0 cat12345
Security considerations
By default, Cisco devices accept both SSH and Telnet connections. In some environments this may not matter (such as a completely isolated lab for studying or testing your configs), but in others it exposes you to attackers, because Telnet sends everything in plaintext: anyone able to capture packets on the path to your switch or router can read the commands you send and pick out sensitive data such as passwords. To disable Telnet:
conf t
line vty 0 4
transport input ssh
This allows only SSH connections over the network to your Cisco device. If physical access to the device is restricted, leaving Telnet enabled on the console port may matter less, but if you wish to restrict the console line as well:
line con 0
transport input ssh
The default SSH authentication timeout (the time you have to enter correct user credentials after making the initial connection) is 120 seconds. If you wish to change it:
ip ssh time-out 60
To change the number of authentication retries:
ip ssh authentication-retries 4
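The checks above (hashed secrets instead of plaintext passwords, hostname and domain name present, vty lines limited to SSH) can be applied to a saved running-config before you trust it. The following audit script is an added example, not part of the original guide or any Cisco tool; the running-config it parses is constructed and the hash value in it is a placeholder.

```python
import re

# Constructed sample running-config (not from a real device). It mixes the weak
# defaults this guide warns about with the hardened equivalents.
SAMPLE_RUNNING_CONFIG = """\
hostname Switch32
ip domain-name mydomain.com
aaa new-model
username john password 0 cat12345
username ops secret 5 $1$abcd$PLACEHOLDERHASHVALUE
ip ssh time-out 60
ip ssh authentication-retries 4
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def audit_ios_config(config: str) -> list:
    """Return human-readable findings for the SSH/Telnet settings covered in this guide."""
    findings = []
    lines = config.splitlines()
    if not any(l.startswith("hostname ") for l in lines) or \
       not any(l.startswith("ip domain-name ") for l in lines):
        findings.append("hostname or ip domain-name missing: RSA key generation for SSH needs both")
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: local usernames are not used for SSH logins")
    # 'username X password ...' stores type 0 (plaintext) or type 7 (reversible);
    # only 'username X secret ...' stores a one-way hash.
    for m in re.finditer(r"^username (\S+) password ", config, re.M):
        findings.append(f"user {m.group(1)}: password stored reversibly; use 'secret' instead")
    # Walk the 'line ...' blocks: a vty line without 'transport input ssh' still accepts Telnet.
    transport, current = {}, None
    for l in lines:
        if l.startswith("line "):
            current = l[5:]
            transport[current] = None          # None = no transport input set (default: all)
        elif current and l.strip().startswith("transport input "):
            transport[current] = l.strip()[len("transport input "):].split()
    for name, protos in transport.items():
        if name.startswith("vty") and protos != ["ssh"]:
            allowed = " ".join(protos) if protos else "default (all)"
            findings.append(f"line {name}: Telnet still allowed, transport input is {allowed}")
    return findings
```

Running `audit_ios_config(SAMPLE_RUNNING_CONFIG)` flags user john and line vty 5 15 while leaving the hardened user ops and line vty 0 4 alone.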
Save!
Don't forget to exit configuration mode and save your changes:
end
wr