Enabling Secure Shell (SSH) in Cisco IOS

It is recommended that Secure Shell (SSH) is used for remote administration of Cisco Routers and Switches.

To see if SSH is already enabled

CISCO877# show ip ssh
%SSH has not been enabled

To enable SSH on your Cisco Switch or Router, do the following from the global configuration mode:

Configure the Hostname on the Switch or Router

Router(config)# hostname CISCO877

Configure the Domain name for the Cisco Switch or Router

CISCO877(config)# ip domain-name my.domain.com

Generate an RSA key pair

CISCO877(config)# crypto key generate rsa

This enables SSH on the Cisco switch or the router.

The following optional commands are recommended but are not mandatory:

Set the SSH Negotiation phase timeout interval (in seconds)

CISCO877(config)# ip ssh time-out 120

This makes the router or switch wait 120 seconds for the client to complete the SSH negotiation phase before timing it out.

Set the Maximum retry attempts

CISCO877(config)# ip ssh authentication-retries 3

This sets the maximum number of authentication retries to 3 before the vty interface is reset.

To change the port SSH listens on (the default is 22)

CISCO877(config)# ip ssh port 3536

This sets the port on which the device listens for SSH connections to 3536.

Log on and off over SSH to confirm it works, then disable Telnet access to the switch by making SSH the only input transport on the vty lines (keep the working SSH session open while you make this change so a mistake cannot lock you out).

CISCO877(config)# line vty 0 4
CISCO877(config-line)# transport input ssh

This makes SSH the only way to connect to the router or switch remotely.

Write the config changes to the startup-config:

CISCO877# wr mem

To see the status of SSH on the switch or router

CISCO877# show ip ssh

SSH Enabled – version 1.5

Authentication timeout: 120 secs; Authentication retries: 3

To view the status of SSH connections

CISCO877# show ssh

Connection   Version   Encryption   State             Username
0            1.5       3DES         Session Started   guest
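The verification steps above, as an added example that is not part of the original post: a small Python script that parses `show ip ssh` output and the vty section of a running-config (both constructed samples, not captured from a real device) and reports the two things a reviewer would flag after following this procedure: a 1.x SSH version, which means protocol 1 is still accepted, and any vty line whose `transport input` still permits Telnet. The remediation command `ip ssh version 2` is the one assumption beyond the commands on the page.

```python
import re

# Constructed samples modelled on the page's output; not captured from a real device.
SHOW_IP_SSH = ("SSH Enabled - version 1.5\n"
               "Authentication timeout: 120 secs; Authentication retries: 3\n")
RUNNING_CONFIG = """line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def parse_show_ip_ssh(text):
    """Return (enabled, version) parsed from 'show ip ssh' output."""
    if "has not been enabled" in text:
        return False, None
    ver = re.search(r"SSH Enabled\s*[-\u2013]\s*version\s+(\S+)", text)
    return True, (ver.group(1) if ver else None)

def vty_transports(config):
    """Map each 'line vty X Y' block to its 'transport input' value ('' if unset)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line.rstrip()
            blocks[current] = ""
        elif current and line.startswith(" "):
            m = re.match(r"\s*transport input\s+(.*)", line)
            if m:
                blocks[current] = m.group(1).strip()
        else:
            current = None  # a non-indented line ends the vty block
    return blocks

def audit(show_ip_ssh, config):
    """Return the findings a reviewer would raise against this SSH setup."""
    enabled, version = parse_show_ip_ssh(show_ip_ssh)
    if not enabled:
        return ["SSH is not enabled; generate an RSA key pair first"]
    findings = []
    if version != "2.0":  # 1.5 = SSHv1 only; 1.99 = both v1 and v2 accepted
        findings.append(f"SSH version {version} still accepts protocol 1; set 'ip ssh version 2'")
    for line, transport in vty_transports(config).items():
        if not transport or transport == "all" or "telnet" in transport.split():
            findings.append(f"{line}: transport input '{transport or 'default'}' still permits Telnet")
    return findings

if __name__ == "__main__":
    for finding in audit(SHOW_IP_SSH, RUNNING_CONFIG):
        print("FINDING:", finding)
```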

If at any time you want to disable SSH on the router or switch, from global configuration mode:

CISCO877(config)# crypto key zeroize rsa

This deletes the RSA key pair, which disables the SSH server.

In this case, if SSH was the only input transport on the vty lines, it must be changed back (for example to Telnet), otherwise no remote login is possible at all:

CISCO877(config)# line vty 0 4
CISCO877(config-line)# transport input telnet