Hi Rene,
I have always done this using the command:
ip http secure-server
And then:
control-plane host
 management-interface FastEthernet0/0 allow ftp https ssh tftp snmp
And:
transport input ssh
I tried it the way you show, by generating the crypto key as you have shown above and using the control-plane host lines, and it seems to achieve the same results without specifying transport input ssh on the VTY lines. You can only SSH into the router. Is this achieving the same end? The only difference I can see by using your method and issuing a sh run is that you don’t get the following output:
crypto pki trustpoint TP-self-signed-232639783
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-232639783
 revocation-check none
 rsakeypair TP-self-signed-232639783
!
!
crypto pki certificate chain TP-self-signed-232639783
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  .
  . (14 more lines of hex)
  .
  6915529D 797D5C61 FB5EA16D 6C8996CE E3C8B88C DFBF6DE4 0FFAB54F D73B2F60
  C60CA794 AB67E712 12516124 7A
  quit
Which is good as this clutters the screen. Is there any command to use to show the crypto key? I’ve included my full config below.
Matt.
R1843# sh run
Building configuration...
Current configuration : 2222 bytes
!
! Last configuration change at 17:24:16 Sydney Thu Sep 8 2016 by admin
! NVRAM config last updated at 17:16:13 Sydney Thu Sep 8 2016 by admin
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1843
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.151-4.M10.bin
boot-end-marker
!
!
logging buffered 4096
no logging console
enable secret 5 $1$RF5I$AqJBlcOiKCsYPpJ212XM0.
!
no aaa new-model
!
clock timezone Sydney 10 0
clock summer-time sydney date Oct 2 2016 2:00 Apr 2 2017 2:00
clock calendar-valid
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
no ip domain lookup
ip domain name bde.local
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO1841 sn FHK12392C83
vtp version 2
username admin privilege 15 view root password 7 032C524B1207245E4B
!
redundancy
!
!
ip ssh version 2
!
!
!
!
!
!
!
interface Loopback0
 ip address 1.8.4.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
!
interface Dot11Radio0/0/0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface ATM0/1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
control-plane host
 management-interface FastEthernet0/0 allow ftp https ssh tftp snmp
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 length 512
 width 100
 history size 25
 escape-character 3
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
 terminal-type exit
 length 0
 width 250
 history size 25
 transport input all
 escape-character 3
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
 terminal-type exit
 length 0
 width 250
 history size 25
 transport input all
 escape-character 3
!
scheduler allocate 20000 1000
end
R1843#
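
The following is an added example, not part of the original post: a Python check that reads a running-config and reports which remote-login protocols pass both the VTY `transport input` setting and the `management-interface ... allow` list under `control-plane host`. With Management Plane Protection configured, a protocol has to be accepted by both, which is why `transport input all` can still leave SSH as the only way in. The sample config is constructed and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the management-plane lines of the config above.
SAMPLE_CONFIG = """\
control-plane host
 management-interface FastEthernet0/0 allow ftp https ssh tftp snmp
!
line vty 0 4
 transport input all
line vty 5 15
 transport input telnet ssh
!
"""

def parse_mpp(config):
    """Map each management interface to the set of protocols MPP allows on it."""
    pattern = re.compile(r"^\s*management-interface\s+(\S+)\s+allow\s+(.+)$", re.M)
    return {m.group(1): set(m.group(2).split()) for m in pattern.finditer(config)}

def parse_vty_transports(config):
    """Map each 'line vty' range to its 'transport input' set (None if not set)."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line ") or line == "!":   # works with or without indentation
            m = re.match(r"line vty \d+(?: \d+)?$", line)
            current = m.group(0) if m else None
            if current:
                result[current] = None
        elif current and line.startswith("transport input "):
            result[current] = set(line.split()[2:])
    return result

def effective_access(config, protocols=("telnet", "ssh")):
    """For each VTY range, list the protocols accepted by both the line and MPP."""
    mpp = parse_mpp(config)
    mpp_allowed = set().union(*mpp.values()) if mpp else None   # None: MPP not configured
    report = {}
    for vty, transports in parse_vty_transports(config).items():
        if transports is None:
            report[vty] = None        # platform default applies; not guessed here
            continue
        on_line = {p for p in protocols if "all" in transports or p in transports}
        report[vty] = sorted(on_line if mpp_allowed is None else on_line & mpp_allowed)
    return report

if __name__ == "__main__":
    for vty, protos in effective_access(SAMPLE_CONFIG).items():
        print(f"{vty}: {protos}")
```

A result of `None` for a VTY range means the config has no explicit `transport input` line there, so the answer depends on the platform default and should be checked on the device.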