How to configure SSH on Cisco IOS

This topic is to discuss the following lesson:

If I connect a router R3 to R2 (configured static route) and configure an access list to allow only R3 access to R1 SSH, it just keeps asking for the password again and again. Is this because of the presence of R2 in the middle?

Hello Balagopal!

If you are receiving the prompt for a password, then you have routing configured correctly between the two routers, regardless of what devices may be in between. If it’s asking for the password over and over, it may be that the password being entered is incorrect. Check your config again, and if you still have problems, you can share the relevant portions of your configs so we can take a look.

I hope this has been helpful!

Laz
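A complete configuration for the scenario in the question, added here as an example that is not part of the original post or lesson: R1 accepts SSH only from R3, with R2 routing in between. The addresses (R3 reaching R1 from 192.168.23.3), the ACL name SSH-MGMT and the user name are assumptions for illustration. One check worth knowing while troubleshooting: a source denied by an access-class on the VTY lines never reaches the password prompt at all (the TCP connection is refused), so a prompt that keeps reappearing means the ACL is fine and authentication is what is failing.

```cisco
! --- R1: SSH server, reachable only from R3 (added example; addresses assumed) ---
hostname R1
ip domain-name lab.local
! Host key for the SSH server; 2048 bits is the minimum worth using today.
crypto key generate rsa modulus 2048
ip ssh version 2
! Local account for 'login local'. 'secret' stores a hash; 'password 7' is
! a reversible encoding and should not be used for accounts.
username admin privilege 15 secret Str0ngPassphrase!
!
! Only R3 may reach the VTY lines. The source address R1 sees is the address
! of R3's outgoing interface toward R2 (or whatever R3's 'ip ssh
! source-interface' points at), not R3's loopback. Permit that address.
ip access-list standard SSH-MGMT
 permit host 192.168.23.3
 deny   any log
!
line vty 0 4
 access-class SSH-MGMT in
 login local
 transport input ssh
!
! Throttle and log brute-force attempts. 'login block-for' must be entered
! before the other 'login' commands are accepted; quiet-mode still admits
! the management ACL during the block period.
login block-for 120 attempts 3 within 60
login quiet-mode access-class SSH-MGMT
login on-failure log
!
! --- R3: SSH client (added example) ---
! Optional: pin the address R3 sources SSH from, then permit that one on R1.
ip ssh source-interface Loopback0
!
! Verification on R1:
!   show ip ssh                 -> SSH enabled, version 2.0
!   show ssh                    -> active sessions and their source addresses
!   show access-lists SSH-MGMT  -> hit counts; a growing 'deny' count means
!                                  the source is not the address you permitted
!   show logging                -> failed-login entries from 'login on-failure log'
!   debug ip ssh                -> authentication failures as they happen
```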

Hi Rene,

I have always done this using the command:

ip http secure-server

And then:

control-plane host
  management-interface FastEthernet0/0 allow ftp https ssh tftp snmp

And:

transport input ssh

I tried it the way you show by generating the crypto key as you have shown above and using the control-plane host lines and it seems to achieve the same results without specifying transport input ssh on the VTY lines. You can only SSH into the router. Is this achieving the same end? The only difference I can see by using your method and issuing a sh run is you don’t get the following output:

crypto pki trustpoint TP-self-signed-232639783
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-232639783
 revocation-check none
 rsakeypair TP-self-signed-232639783
!
!
crypto pki certificate chain TP-self-signed-232639783
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
.
. (14 more lines of hex)
. 
  6915529D 797D5C61 FB5EA16D 6C8996CE E3C8B88C DFBF6DE4 0FFAB54F D73B2F60 
  C60CA794 AB67E712 12516124 7A
        quit

Which is good as this clutters the screen. Is there any command to use to show the crypto key? I’ve included my full config below.

Matt.

R1843# sh run 
Building configuration...

Current configuration : 2222 bytes
!
! Last configuration change at 17:24:16 Sydney Thu Sep 8 2016 by admin
! NVRAM config last updated at 17:16:13 Sydney Thu Sep 8 2016 by admin
! NVRAM config last updated at 17:16:13 Sydney Thu Sep 8 2016 by admin
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1843
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.151-4.M10.bin
boot-end-marker
!
!
logging buffered 4096
no logging console
enable secret 5 $1$RF5I$AqJBlcOiKCsYPpJ212XM0.
!
no aaa new-model
!
clock timezone Sydney 10 0
clock summer-time sydney date Oct 2 2016 2:00 Apr 2 2017 2:00
clock calendar-valid
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
no ip domain lookup
ip domain name bde.local
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO1841 sn FHK12392C83
vtp version 2
username admin privilege 15 view root password 7 032C524B1207245E4B
!
redundancy
!
!
ip ssh version 2
! 
!
!
!
!
!
!
interface Loopback0
 ip address 1.8.4.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
!
interface Dot11Radio0/0/0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface ATM0/1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
control-plane host
 management-interface FastEthernet0/0 allow ftp https ssh tftp snmp 
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 length 512
 width 100
 history size 25
 escape-character 3
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
 terminal-type exit
 length 0
 width 250
 history size 25
 transport input all
 escape-character 3
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
 terminal-type exit
 length 0
 width 250
 history size 25
 transport input all
 escape-character 3
!
scheduler allocate 20000 1000
end

R1843#

Hello Matt!

The way that you implement your configuration achieves something similar, but not exactly the same as that which Rene has done in his example.

Rene’s example applies SSH on the VTY line. This means that you can connect to the device via SSH from any of its interfaces to the VTY connections. In your configuration, you are binding the SSH configuration only to the management interface. This of course is a legitimate configuration assuming you only apply out-of-band management, and if it works for you that’s great.

Also, in your configuration the ip http secure-server is not necessary for the ssh portion of the connectivity that you provide as this allows HTTPS, that is, port 443.

As for a command that allows you to view the crypto key, take a look at these two commands:

show crypto key mypubkey rsa
and
show crypto key pubkey-chain rsa

You can learn more about them at this Cisco CLI reference guide:
http://www.cisco.com/en/US/products/ps6017/products_command_reference_chapter09186a00808ab5a9.html#wp1010372
http://www.cisco.com/en/US/products/ps6017/products_command_reference_chapter09186a00808ab5a9.html#wp1010509

I hope this has been helpful!

Laz

1 Like
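The two mechanisms Laz contrasts, shown side by side as an added example (not the lesson's or Matt's own configuration). Interface names follow Matt's running config; everything else is assumed. The point is that they restrict different things and are worth applying together: MPP decides on which interface and for which protocols management traffic is accepted at all, while the VTY transport setting decides what the lines will speak once a packet gets through. Note also that the `crypto pki trustpoint TP-self-signed-<n>` block in Matt's `show run` is the self-signed certificate IOS creates when `ip http secure-server` is enabled; it is the HTTPS server certificate, not the SSH host key, which is why it disappears once HTTPS is off.

```cisco
! --- Added example: MPP and the VTY transport restriction together ---
!
! 1) Management Plane Protection: management protocols are accepted only on
!    the listed interface, and only the listed protocols. Management traffic
!    arriving on any other interface is dropped before it reaches a VTY.
control-plane host
 management-interface FastEthernet0/0 allow ssh
!
! 2) VTY transport restriction: whichever interface a session arrives on,
!    the lines speak SSH only. With 'transport input all' (as in the posted
!    config) Telnet would be accepted the moment someone adds 'telnet' to
!    the MPP allow list, so keep this even when MPP is in place.
line vty 0 15
 login local
 transport input ssh
!
! 3) Verification
!   show management-interface      -> MPP state per interface and protocol,
!                                     with per-protocol packet counters
!   show ip ssh                    -> SSH version, retries and timeout values
!   show crypto key mypubkey rsa   -> the RSA host key(s): name, usage and
!                                     public key data; this is the SSH key,
!                                     not the HTTPS trustpoint certificate
```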

Thanks Lazaros, that all makes sense: no need to tie up a port when you can use a virtual interface that can be accessed from any port. I’ll try this when I get a chance. Matt.

Hello,

Is it possible to add to this lesson how to configure SSH authentication based on SSH keys?

And I assume, that this procedure is the same on routers and L3 switches.

Peter

Hello Petr

That’s a great idea. I will convey it to Rene to see if that can be added.

Thanks!

Laz

@lagapidis @naf1973 Here we go:

https://networklessons.com/uncategorized/ssh-public-key-authentication-cisco-ios/

1 Like

Why we use transport output ssh command ???

Hello Muhammad

The command initiated on the VTY line configuration is transport input ssh. This indicates that only the SSH protocol will be used for incoming CLI management requests. If we use transport output ssh, then we are specifying the protocol that will be used when this VTY line is used as a client to connect to another SSH server. Such a configuration is possible, but is not often implemented.

I hope this has been helpful!

Laz

I have a question please…can you advise on a configuration to increase the ssh timeout, may be for like 10mins or more

Hello Temitope

You can use the exec-timeout command on the vty line that you are configuring. You can find out how to configure it at the following Cisco command line reference:

I hope this has been helpful!

Laz
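The timers involved, as an added example rather than part of the original answer (values are assumed). `exec-timeout` is the one that answers the question, but it is easy to confuse with `ip ssh time-out`, which governs a different phase of the connection.

```cisco
! --- Added example: the timers that govern an SSH session on IOS ---
!
! Idle timeout on the VTY lines: after 10 minutes with no input the EXEC
! session is closed. 'exec-timeout 0 0' (as in the posted config) disables
! it, leaving an unattended session open until the TCP connection dies.
line vty 0 15
 exec-timeout 10 0
 ! Hard ceiling regardless of activity: 8 hours, then the session is dropped.
 absolute-timeout 480
 transport input ssh
!
! Not the session timeout: this is how long the server waits for the client
! to complete SSH negotiation and authentication (1-120 seconds, default 120).
! Raising 'exec-timeout' does nothing for this phase, and vice versa.
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Verify:
!   show ip ssh                            -> negotiation timeout and retry count
!   show line vty 0 | include Timeouts     -> idle EXEC timer in effect
!   show users                             -> who is connected and for how long
```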

Hello,
How about the domain name? I work at an ISP: do I have to use my ISP’s domain?
Does this domain have to be the same as the LDAP domain, or is it local?
If it’s local, what happens when we add it?

Thank you,
Best regards,
Brahim

Hello Brahim

As far as SSH is concerned, you can use whatever domain name you like. If you don’t generally use domain names on your network devices to communicate with them, then you can choose to use anything. If however, you already configure your network devices with domain names, then you’re already set.

The point here is that the domain name is used as the name for the RSA keys that are generated. In other words, the domain is used as part of the algorithm for producing the keys. You could call the domain dummy.domain.com and it would work.

I hope this has been helpful!

Laz

Could you explain how to determine the IP for SSH?

The IP seems be to 192.168.12.1 in this chapter but I don’t see any configuration for that.
If I have multiple VLANs with different IP addresses, for example, Vlan 10 is 192.168.12.2 and Vlan 20 is 192.168.12.3, how can I make both 12.2 and 12.3 be the IP of the SSH connection?

Hello Po

So which IP address does a Cisco device use for you to connect to SSH? The answer is, all of them. By default, a Cisco IOS device that is configured with SSH will be able to create SSH connections with all IP addresses configured on that device. This is not best practice, however, and it’s a good idea to limit connectivity via a particular interface.

You can do this by applying Management Plane Protection (MPP) about which you can learn more here:

I hope this has been helpful!

Laz

1 Like

Hello!

Please, what exactly is the use of the ip domain-name command? I often get the reply saying that it’s necessary to generate SSH keys, but that’s all…

What exactly does assigning a domain to the device do? There have to be some other uses to it than just SSH, right?

Thank you.

David

Hello David

SSH relies on public-key cryptography for secure communication. To enable SSH on a Cisco IOS device, you must generate an RSA key pair. In the process of this RSA key pair generation, the device’s hostname and domain name are used to form the label for the key pair. A Cisco device always has a default hostname, however, there is no domain name configured by default. For this reason, the domain name must be defined before RSA key pair generation takes place. Thus it is a prerequisite to configuring SSH.

Now it is important to note here that the domain name and hostname do not directly influence the mathematical generation of the RSA key pair. Instead, they are used to uniquely identify the generated key pair on the device. The combination of the hostname and domain name creates that label, which is associated with the key pair for identification purposes within the device’s configuration.

I hope this has been helpful!

Laz

2 Likes
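To make the point about the label concrete, an added example (not from the lesson or from Laz's answer; hostname, domain and label are assumed): the domain name only names the key pair, and you can choose that name yourself and tell the SSH server which key to use. The caveat at the end is the one practitioners most often trip over when they regenerate keys on a device that clients already know.

```cisco
! --- Added example: what hostname and domain actually do for SSH ---
!
! Default: the key pair is labelled <hostname>.<domain>, here R1.lab.local.
! The domain contributes nothing to the key material; it only labels it.
hostname R1
ip domain-name lab.local
crypto key generate rsa modulus 2048
!
! You may instead give the key any label and point the SSH server at it, so
! a later hostname or domain change does not disturb the SSH host key.
crypto key generate rsa label SSH-HOSTKEY modulus 2048
ip ssh rsa keypair-name SSH-HOSTKEY
ip ssh version 2
!
! Inspect: each label is listed with its usage and public key data.
!   show crypto key mypubkey rsa
!
! Caveat: regenerating or zeroizing a key pair changes the host key. Every
! client that cached the old key (known_hosts) will refuse to connect until
! that entry is removed, so publish the new fingerprint before doing this.
!   crypto key zeroize rsa SSH-HOSTKEY
```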