Using Telnet for remote administration of Cisco routers and switches (in fact, for any other device, such as a Unix, Linux or Solaris server) is not secure, because all data, including passwords, is sent in clear text. It is only a matter of time before a malicious attacker who can sniff the packets gains access to the passwords and, in fact, the whole network.
It is recommended that Secure Shell (SSH) is used for remote administration of Cisco Routers and Switches.
NOTE: Cisco IOS on the Catalyst switches is by default supplied with the SSH feature built in. However, the basic Cisco IOS for the routers does not have the SSH facility built in. To use the SSH feature on Cisco routers, you need to have the Cisco IOS version with the IPSec (DES or 3DES) encryption software.
To see if SSH is already enabled
Router# show ip ssh
%SSH has not been enabled
To enable SSH on your Cisco Switch or Router, do the following from the global configuration mode:
Configure the Hostname on the Switch or Router
Router(config)# hostname MyRouter
Configure the Domain name for the Cisco Switch or Router
MyRouter(config)# ip domain-name MyDomain
Generate an RSA Key Pair
MyRouter(config)# crypto key generate rsa
This enables SSH on the Cisco switch or the router.
The following optional commands are recommended but are not mandatory:
Set the SSH Negotiation phase timeout interval (in seconds)
MyRouter(config)# ip ssh time-out 120
This makes the Cisco router or switch wait 120 seconds before timing out the client during the SSH negotiation phase.
Set the Maximum retry attempts
MyRouter(config)# ip ssh authentication-retries 3
This sets the maximum number of authentication retries to 3 before the interface (vty) is reset.
To change the port for SSH connections (default is 22)
MyRouter(config)# ip ssh port 3536
This sets the port on which the device listens for SSH connections to 3536.
Try to log on to and log off from the Cisco IOS router or switch over SSH to ensure it works, and then disable Telnet access to the device. This can be done by making SSH the only allowed transport on the vty lines.
MyRouter(config)# line vty 0 4
MyRouter(config-line)# transport input ssh
This makes SSH the only way to connect to the Cisco router or switch remotely.
Write the config changes to the startup-config:
MyRouter# wr mem
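One way to check a saved running-config for vty lines that still accept Telnet after the steps above (an added example, not part of the original article; the sample config is constructed and the function name audit_vty_transport is hypothetical). A vty block with no transport input line is flagged for review rather than passed, on the assumption that the default may differ between IOS releases.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname MyRouter
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
line vty 16 31
!
end
"""

def audit_vty_transport(config_text):
    """Return (vty_range, transport_setting, status) for every vty block."""
    findings = []
    current = None      # range of the vty block being read, e.g. "0 4"
    transport = None    # argument of its "transport input" line, if any

    def close_block():
        if current is None:
            return
        if transport is None:
            status = "REVIEW"   # no explicit setting: the IOS default applies
        elif set(transport.split()) <= {"ssh", "none"}:
            status = "OK"       # SSH only, or inbound logins disabled
        else:
            status = "FAIL"     # telnet, all, or another non-SSH transport
        findings.append((current, transport, status))

    for raw in config_text.splitlines():
        header = re.match(r"^line vty (\d+(?: \d+)?)\s*$", raw)
        setting = re.match(r"^\s+transport input (.+?)\s*$", raw)
        if header:
            close_block()
            current, transport = header.group(1), None
        elif raw[:1] not in (" ", "\t"):
            close_block()       # any other unindented line ends the block
            current = None
        elif current is not None and setting:
            transport = setting.group(1)
    close_block()
    return findings

if __name__ == "__main__":
    for vty, setting, status in audit_vty_transport(SAMPLE_CONFIG):
        print(f"line vty {vty}: transport input {setting} -> {status}")
```

Every vty range on the device has to come back OK before Telnet can be considered disabled; a range the configuration never touched shows up as REVIEW.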
To see the status of the SSH on the Cisco switch or the router
MyRouter# show ip ssh
SSH Enabled – version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
To view the status of SSH connections
MyRouter# show ssh
Connection Version Encryption State Username
0 1.5 3DES Session Started guest
If at any time you want to disable SSH on the Cisco router or switch, run the following from global configuration mode:
MyRouter(config)# crypto key zeroize rsa
This deletes the RSA key pair. Once the RSA key pair is deleted, the SSH server is disabled.
In this case, if you had SSH as the only transport mode, then this needs to be changed back to the default:
MyRouter(config)# line vty 0 4
MyRouter(config-line)# transport input telnet
How can I disable support for the DES SSH cipher in Cisco routers?
For setting transport input you may want to go into “line vty 0 15” because there are more than 5 terminal lines that telnet can connect to 🙂
Thank you for the explanation and config details!
Actually, there are more vty lines than the 16 mentioned “vty 0 15,” I believe. It depends on the IOS capabilities. Right?
I tried to connect from one router to another using SSH after basic configuration on both the routers. I got the below error:
Connection to 10.1.1.1 closed by foreign host
Can anyone tell me why this error occurs, and how to solve the issue?
Connection to 10.1.1.1 closed by foreign host
means that, in all likelihood, you forgot to “activate” your vty lines.
Meaning:
Did you do the normal Sw1#(config): “Line vty 0 15”, “password yourpass”, “login” and “exit”? If not, then the foreign host won’t allow connections of any type (telnet, ssh etc).
Does anyone know the command for entering into ssh on a router?
Is it
router#ssh -c 3des -l username.password.com 192.168.1.1
I could do with some help, guess anyone with any information I would appreciate.
ip ssh port xxx does not work using more current IOS versions.
In response to the last comment about ip ssh port xxx not working, there are additional commands needed to make it listen for ssh on a port other than 22.
Try:
ip ssh port xxxx rotary 1
or
ip ssh port xxxx rotary 1 127
Basically, rotary 1 is the rotary group number, and the second number (127 in this example) is the high number that it will look for.
I have only used the first example so I can’t comment much on what the rotary is all about, but a simple ? or tab key will show those commands in newer IOS.
Hey, great article. Exactly what I needed. Although I don’t support changing the default port from 22. 22 is the SSH port and it is an SSH server. Obscurity offers such a tiny amount of additional security when compared to the SSH protocol itself, it’s not worth the hassle. Just my 2 cents. Thanks again for the info.
Cheers,
Rhys
How can I enable https access on switch 6506?
When I’m giving ip http secure-server it’s telling unrecognized command. I’m using sup720 with ipservicesk9-12.2(18).SXF5, pls help me out on this.
Hi
Is there any way I can have telnet and ssh both for tty lines using an async port adapter like NM-32 on Cisco routers, or is it either telnet or ssh at a time?
line con 0
password 7 071F76451A0E4D
line vty 0 4
password 7 105E5E10511046
transport input telnet ssh
line vty 5 15
This is what I have on my router. I would like to disable telnet but not SSH. How do I do it?
Please help!