How to configure SSH on Cisco IOS

This topic is to discuss the following lesson:

https://networklessons.com/cisco/ccna-routing-switching-icnd1-100-105/configure-ssh-cisco-ios/

If I connect a router R3 to R2 (configured static route) and configure an access list to allow only R3 access to R1 SSH, it just keeps asking for the password again and again. Is this because of the presence of R2 in the middle?

Hello Balagopal!

If you are receiving the prompt for a password, then you have routing configured correctly between the two routers, regardless of what devices may be in between. If it’s asking for the password over and over, it may be that the password being entered is incorrect. Check your config again, and if you still have problems, you can share the relevant portions of your configs so we can take a look.

I hope this has been helpful!

Laz

Hi Rene,

I have always done this using the command:

ip http secure-server

And then:

control-plane host
  management-interface FastEthernet0/0 allow ftp https ssh tftp snmp

And:

transport input ssh

I tried it the way you show by generating the crypto key as you have shown above and using the control-plane host lines and it seems to achieve the same results without specifying transport input ssh on the VTY lines. You can only SSH into the router. Is this achieving the same end? The only difference I can see by using your method and issuing a sh run is you don’t get the following output:

crypto pki trustpoint TP-self-signed-232639783
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-232639783
 revocation-check none
 rsakeypair TP-self-signed-232639783
!
!
crypto pki certificate chain TP-self-signed-232639783
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
.
. (14 more lines of hex)
. 
  6915529D 797D5C61 FB5EA16D 6C8996CE E3C8B88C DFBF6DE4 0FFAB54F D73B2F60 
  C60CA794 AB67E712 12516124 7A
        quit

Which is good as this clutters the screen. Is there any command to use to show the crypto key? I’ve included my full config below.

Matt.

R1843# sh run 
Building configuration...

Current configuration : 2222 bytes
!
! Last configuration change at 17:24:16 Sydney Thu Sep 8 2016 by admin
! NVRAM config last updated at 17:16:13 Sydney Thu Sep 8 2016 by admin
! NVRAM config last updated at 17:16:13 Sydney Thu Sep 8 2016 by admin
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1843
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.151-4.M10.bin
boot-end-marker
!
!
logging buffered 4096
no logging console
enable secret 5 $1$RF5I$AqJBlcOiKCsYPpJ212XM0.
!
no aaa new-model
!
clock timezone Sydney 10 0
clock summer-time sydney date Oct 2 2016 2:00 Apr 2 2017 2:00
clock calendar-valid
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
no ip domain lookup
ip domain name bde.local
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO1841 sn FHK12392C83
vtp version 2
username admin privilege 15 view root password 7 032C524B1207245E4B
!
redundancy
!
!
ip ssh version 2
! 
!
!
!
!
!
!
interface Loopback0
 ip address 1.8.4.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
!
interface Dot11Radio0/0/0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface ATM0/1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
control-plane host
 management-interface FastEthernet0/0 allow ftp https ssh tftp snmp 
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 length 512
 width 100
 history size 25
 escape-character 3
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
 terminal-type exit
 length 0
 width 250
 history size 25
 transport input all
 escape-character 3
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
 terminal-type exit
 length 0
 width 250
 history size 25
 transport input all
 escape-character 3
!
scheduler allocate 20000 1000
end

R1843#

Hello Matt!

The way that you implement your configuration achieves something similar, but not exactly the same as that which Rene has done in his example.

Rene’s example applies SSH on the VTY line. This means that you can connect to the device via SSH from any of its interfaces to the VTY connections. In your configuration, you are binding the ssh configuration only to the management interface. This of course is a legitamite configuration assuming you only apply out of band management, and if it works for you that’s great.

Also, in your configuration the ip http secure-server is not necessary for the ssh portion of the connectivity that you provide as this allows HTTPS, that is, port 443.

As for a command that allows you to view the crypto key, take a look at these two commands:

show crypto key mypubkey rsa
and
show crypto key pubkey-chain rsa

You can learn more about them at this Cisco CLI reference guide:
http://www.cisco.com/en/US/products/ps6017/products_command_reference_chapter09186a00808ab5a9.html#wp1010372
http://www.cisco.com/en/US/products/ps6017/products_command_reference_chapter09186a00808ab5a9.html#wp1010509

I hope this has been helpful!

Laz

Thanks Lazaros, that all makes sense, no need to tie up a port when you can use a virtual interface that can be access from any port. I’ll try this when I gat a chance. Matt.

Hello,

is it possible to add to this lesson how to configures ssh authentication based on ssh keys ?

And I assume, that this procedure is the same on routers and L3 switches.

Peter

Hello Petr

That’s a great idea. I will convey it to Rene to see if that can be added.

Thanks!

Laz

@lagapides @naf1973 Here we go:

https://networklessons.com/uncategorized/ssh-public-key-authentication-cisco-ios/

Why we use transport output ssh command ???

Hello Muhammad

The command initiated on the VTY line configuration is transport input ssh. This indicates that only the SSH protocol will be used for incoming CLI management requests. If we use transport output ssh, then we are specifying the protocol that will be used when this VTY line is used as a client to connect to another SSH server. Such a configuration is possible, cut is not often implemented.

I hope this has been helpful!

Laz

I have a question please…can you advise on a configuration to increase the ssh timeout, may be for like 10mins or more

Hello Temitope

You can use the exec-timeout command on the vty line that you are configuring. You can find out how to configure it at the following Cisco command line reference:

I hope this has been helpful!

Laz