You can enable secure shell (SSH) on Cisco routers both with and without AAA (Authentication, Authorization, and Accounting)
If you wish to use SSH on a Cisco router without AAA in IOS release 12.4 and above, you can configure local username and password authentication and use enhanced password security.
Here are the two methods for enabling SSH.
Configuring SSH with AAA
This configuration will only allow connections from the 10.2.1.0/24 subnet via access list 99.
username nick privilege 15 secret 5 XXX
access-list 99 permit 10.2.1.0 0.0.0.255
line vty 0 4
access-class 99 in
privilege level 2
transport input ssh
transport output none
Configuring SSH without AAA
This is the minimum configuration needed to support inbound SSH sessions on a router:
ip domain-name xxx.xxx.com
crypto key generate rsa
! define local usernames, use passwords or secrets
username a password b
username x secret y
ip ssh version 2
line vty 0 4
I hope this post helps you get SSH set up on Cisco IOS for your router.
Here’s another way to do it:
It is recommended that Secure Shell (SSH) is used for remote administration of Cisco Routers and Switches.
To see if SSH is already enabled
CISCO877# show ip ssh%SSH has not been enabled
To enable SSH on your Cisco Switch or Router, do the following from the global configuration mode:
Configure the Hostname on the Switch or Router
Router(config)# hostname CISCO877
Configure the Domain name for the Cisco Switch or Router
CISCO877(config)# ip domain-name my.domain.com
Generate a RSA Key Pair
CISCO877(config)# crypto key generate rsa
This enables SSH on the Cisco switch or the router.
The following optional commands are recommended but are not mandatory:
Set the SSH Negotiation phase timeout interval (in seconds)
CISCO877(config)# ip ssh time-out 120
This sets the time period for the Cisco Router or Switch to wait for 120 seconds before timing out the client during the SSH Negotiation phase.
Set the Maximum retry attempts
CISCO877(config)# ip ssh authetication-retries 3
This sets the maximum number of the Authentication retires to be 3 times before the interface (vty) is reset.
To change the default port for SSH (default is 22) connection
CISCO877(config)# ip ssh port 3536
This sets the port number to listen for SSH connections to be 3536.
Try to logon and logoff the Cisco IOS Router or switch to ensure it works OK and then disable Telnet access to the switch. This can be done by making SSH as the only transport agent.
CISCO877(config)# line vty 0 4CISCO877(config)# transport input ssh
This makes SSH as the only way to connect to the Cisco Routers or Switches remotely.
Write the config changes to the startup-config:
CISCO877# wr mem
To see the status of the SSH on the Cisco switch or the router
CISCO877# show ip sshSSH Enabled – version 1.5Authentication timeout: 120 secs; Authentication retries: 3
To view the status of SSH connections
CISCO877# show ssh
Connection Version Encryption State Username
0 1.5 3DES Session Started guest
If at any time, you want to disable SSH on the Cisco Router or Switch, from the Global Configuration
CISCO877(config)# crypto key zeroize rsa
This deletes the RSA key-pair. Once you delete the RSA key-pair, it disables the SSH server.
In this case, if you had ssh as the only transport mode then this needs to be changed to default
CISCO877(config)# line vty 0 4CISCO877(config)# transport input telnet