NetworkJutsu

Network Security Consulting | San Francisco Bay Area

How to enable SSH on Cisco Routers and Switches

By Leave a Comment

UPDATE: Please read my updated post regarding SSH on Cisco IOS.

On my previous blog post, I talked about one of the things a Network Engineer must do to harden Cisco routers and switches. Today, I am adding another one to the list. I will try to keep adding to this list to raise the importance of security.

As the title says, I am going to show you on how to enable SSH on Cisco IOS devices. The commands are pretty much the same in pretty much all of the IOS versions. If the commands listed here didn’t work, then use the IOS help menu.

The majority, if not all, of the people, know that Telnet sends data in clear text. That said, usernames and passwords are up for grabs. Imagine an unauthorized user logging into company’s Cisco IOS devices and deleting the configuration and rebooting them. When that happens, someone would be let go pretty soon.

To enable SSH on Cisco IOS, you need to have crypto feature in the IOS. If the IOS does not support crypto, then you’re out of luck. If you have a SMARTnet contract, I suggest you upgrade the IOS. For legacy hardware, the only choice is to upgrade it to a newer version. Please check Cisco Feature Navigator to check your IOS if it supports the crypto feature.

Enabling SSH on Cisco IOS

Without further delay, below are the commands to enable SSH on Cisco IOS. With this method, Cisco IOS requires the user to specify the host name and domain name.

Router(config)#host R1
R1(config)#ip domain name domain.com
R1(config)#crypto key generate rsa general-keys modulus 2048
R1(config)#ip ssh version 2
R1(config)#line vty 0 15
R1(config-line)# transport input ssh

Alternatively, Cisco IOS user could enable SSH without specifying the domain name, as shown below. In this case, I am using 4096-bit key size for the RSA keys.

R1(config)#crypto key gen rsa modulus 4096 label SSH_KEY
The name for the keys will be: SSH_KEY
% The key modulus size is 4096 bits
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 103 seconds)
R1(config)#
*Dec 15 20:38:36.581: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#ip ssh rsa keypair-name SSH_KEY
R1(config)#
*Dec 15 20:39:38.227: %SSH-5-DISABLED: SSH 1.99 has been disabled
*Dec 15 20:39:38.228: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#ip ssh ver 2
R1(config)#line vty 0 15
R1(config-line)#transport input ssh

While you don’t need to use the transport input ssh command, it is recommended to disable Telnet altogether. By default, line vty 0 to 15 has the command transport input all configured but not showed in the running configuration or startup configuration. That said, it will allow you to use either SSH or Telnet.

Final Words

Hopefully, this will be included in your standard configuration for all Cisco routers and switches that you have. Telnet is a considered a security risk, so enabling SSH will mitigate security risk on your network.

I hope this has been helpful and thank you for reading!

You might also like to read

Securing Cisco IOS SSH server

Want to learn more about the basics of securing Cisco networks?

CCNA Security Official Cert Guide

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

About Andrew Roderos

I am a network security engineer with a passion for networking and security. Follow me on Twitter, LinkedIn, and Instagram.