Cisco Enabling & Disabling SSH

Enabling SSH on Cisco Devices

Firstly, why enable SSH? By default, all Cisco devices will use telnet for network access (once a password has been configured.) Telnet is a cleartext protocol, all credentials are passed in clear text and can easily be ‘snooped.’ SSH is an encrypted protocol, therefore usenames and passwords cannot be snooped. Please note that SSH support requires an IPSEC (3DES/DES) IOS image to be installed on your Cisco device.

Step 1: Set Hostname and Domain Name for RSA generation:
(config)# hostname 3620-1
(config)# ip domain-name test.local

NOTE: Replace 3620-1 with the hostname of your router, and test.local with the correct domain name for your environment.

Step 2: Generate the RSA key pair for your routerand enable SSH support using the following commands:
(config)# crypto key generate rsa

Step 3: Set vty protocol to allow SSH only:
(config)# line vty 0 4
(config-line)# transport input ssh

Step 4: Set an SSH session timeout of 120 seconds:
(config)# ip ssh time-out 120

Step 5: Set the number of authentication attempts before the vty is reset to 3:
(config) ip ssh authentication-retries 3

Step 6: Save your configuration!
# copy run start


Disabling SSH Access

Step 1: Delete the RSA key:
(config)# crypto key zeroise rsa

Step 2: Reset VTY’s to use telnet:
(config)# line vty 0 4
(config-line)# transport input telnet

Step 3: Save your configuration!
# copy run start