Enabling SSH on Cisco Devices
Firstly, why enable SSH? By default, a Cisco device accepts telnet on its vty lines for remote management (once a line password has been configured). Telnet is a cleartext protocol: the username, the password and every command typed in the session cross the network unencrypted and can easily be captured ('snooped') by anyone on the path. SSH encrypts the whole session, so credentials and commands cannot be read off the wire. Please note that SSH support requires a crypto-capable IOS image (the IPSEC 56 or 3DES feature sets, the 'k8' and 'k9' images on older releases); a non-crypto image does not have the crypto key or ip ssh commands at all.
Step 1: Set Hostname and Domain Name for RSA generation:
(config)# hostname 3620-1
(config)# ip domain-name test.local
NOTE: Replace 3620-1 with the hostname of your router, and test.local with the correct domain name for your environment.
Step 2: Generate the RSA key pair for your router; this is what enables the SSH server. The router prompts for a modulus size: choose 2048 bits rather than the small default offered on older images. On images that support it, also pin the protocol to version 2 with ip ssh version 2, because the default (shown as version 1.99 in show ip ssh) still accepts SSHv1 clients:
(config)# crypto key generate rsa
Step 3: Set the vty protocol to allow SSH only (telnet is refused from this point on, so make sure the SSH login works from a second session before closing the one you are configuring from):
(config)# line vty 0 4
(config-line)# transport input ssh
NOTE: SSH always authenticates a username and password, so the vty lines need a user database behind them. Cisco's SSH configuration guide lists a local username (username ... secret ...) with login local on the lines, or AAA, as a prerequisite; a bare line password with login is not enough for SSH logins.
Step 4: Set the SSH negotiation timeout to 120 seconds. This value bounds how long a client may take to complete the SSH handshake and authentication before the connection is dropped (120 seconds is the maximum); it is not an idle timeout for established sessions, which is controlled by exec-timeout on the vty lines:
(config)# ip ssh time-out 120
Step 5: Set the number of failed authentication attempts after which the connection is dropped to 3 (the allowed range is 0 to 5):
(config)# ip ssh authentication-retries 3
Step 6: Save your configuration!
# copy run start
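The steps above spread the SSH configuration over several commands, and it is easy to end up with a router that has a key pair but still accepts telnet, or that refuses SSH logins because no username exists. The following audit script is an added example and not part of the original page or of Cisco's tooling. It parses the text of a running-config and checks the settings the procedure asks for. Both configs it inspects are constructed samples: the "weak" one is the default telnet-plus-line-password state, the "hardened" one is the full result of the procedure, with the local username, login local, ip ssh version 2 and an exec-timeout added. The function and variable names are the author's own assumptions.

```python
"""Audit a Cisco IOS running-config for the SSH-only vty settings described above.

Added example: the configs below are constructed samples, not captured from a
real device, and the parsing follows the usual 'show running-config' layout
(top-level commands flush left, sub-commands indented by one space).
"""
import re
from typing import Dict, List, Tuple

# Constructed "before" state: a line password only, telnet open, no SSH pieces.
WEAK_CONFIG = """\
hostname 3620-1
!
line vty 0 4
 password cisco
 login
 transport input telnet
!
end
"""

# Constructed "after" state: the procedure from this page plus the username,
# login local, SSH version pin and idle timeout that make the vty lines usable
# and safe over SSH only.
HARDENED_CONFIG = """\
hostname 3620-1
ip domain-name test.local
!
username admin privilege 15 secret <your-strong-password>
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
!
end
"""


def parse_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level commands and the sub-commands of each 'line vty' block."""
    top: List[str] = []
    vty: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # indented: belongs to the open block, if any
            if current is not None:
                vty[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line vty"):
            current = cmd
            vty[current] = []
        else:
            current = None                 # any other top-level command closes the block
            top.append(cmd)
    return top, vty


def audit_ssh(config: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    top, vty = parse_config(config)
    findings: List[str] = []

    if not any(c.startswith("ip domain-name ") for c in top):
        findings.append("no ip domain-name: RSA key generation will fail")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set: device may still negotiate SSHv1")
    for c in top:
        m = re.fullmatch(r"ip ssh authentication-retries (\d+)", c)
        if m and int(m.group(1)) > 3:
            findings.append(f"authentication-retries {m.group(1)} is above 3")

    if not vty:
        findings.append("no line vty block found")
    for name, cmds in vty.items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{name}: transport input not set (default depends on IOS release)")
        elif transport not in ("transport input ssh", "transport input none"):
            findings.append(f"{name}: '{transport}' allows a protocol other than SSH")
        if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
            findings.append(f"{name}: no 'login local' or AAA login, so SSH has no username database")
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{name}: exec-timeout 0 0 disables idle logout")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit_ssh(cfg)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it against the output of show running-config saved to a file by replacing the sample strings; on a real device the weak sample produces four findings (missing domain name, no version pin, telnet transport, no username database) and the hardened sample produces none. The check also catches the state the "Disabling SSH Access" section below leaves behind, since transport input telnet is reported as a protocol other than SSH.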
Disabling SSH Access
Step 1: Delete the RSA key pair. This destroys the server key and stops the SSH server immediately (the command is spelled zeroize, not zeroise):
(config)# crypto key zeroize rsa
Step 2: Reset the VTYs to use telnet. Note that this reopens cleartext remote access; if the device no longer needs any remote management at all, use transport input none instead:
(config)# line vty 0 4
(config-line)# transport input telnet
Step 3: Save your configuration!
# copy run start