SSH server configuration

Configuring a network device to use SSH requires that an administrator perform the following basic steps for each network device that is to be SSH enabled:
  • Enable the SSH transport support for the virtual-terminal connections.
  • Generate a public/private key pair.
    The public key of the generated public/private key pair is referred to as the “public host key” or just “host key.”
    To configure the SSH server on a Cisco device:
    1. Ensure that the device has a session password and a privileged-mode enable password.
      For example:
      Router> enable
      Router# configure terminal
      Router(config)# passwd secret
      Router(config)# enable password secret
      Router(config)# exit
      Router#
    2. Verify that the device supports the SSH server feature.
      Run the following command to display the loaded IOS software image:
      Router# show flash
      (OR)
      Router# show flash:    (Cisco IOS 12.3)
      The SSH server feature for SSH1 support is available in the following Cisco IOS release trains: 12.0S, 12.0ST, 12.1T, 12.1E, 12.2, 12.2T, and 12.2S. The SSH server feature for SSH2 support is available in the following Cisco IOS release trains: 12.3(4)T, 12.3(2)XE, 12.2(25)S, and 12.3(7)JA.
      The Cisco IOS Configuration Fundamentals and Network Management Configuration Guide provides information about downloading an IOS software image.
    3. Ensure that the device has a hostname and a properly configured host domain.
      For example:
      Router# configure terminal
      Router(config)# hostname ciscosystem
      ciscosystem(config)# ip domain-name cisco.com
      The hostname is the name of the device, and the domain name is the host domain that the device services. The IOS software uses the domain name to complete unqualified hostnames.
    4. For Cisco IOS release train 12.0S, 12.0ST, 12.1T, 12.1E, 12.2, 12.2T, or 12.2S, enable the SSH server by generating an RSA key pair.
      For example:
      ciscosystem(config)# crypto key generate rsa
      Generating an RSA key pair automatically enables the SSH server. Deleting the RSA key pair, by entering the crypto key zeroize rsa command, automatically disables the SSH server.
    5. For Cisco IOS release train 12.3(4)T, 12.3(2)XE, 12.2(25)S, or 12.3(7)JA, enable the SSH server by generating a DSA key pair.
      For example:
      ciscosystem(config)# crypto key generate dsa
      Generating a DSA key pair automatically enables the SSH server. Deleting the DSA key pair, by entering the crypto key zeroize dsa command, automatically disables the SSH server.
    6. Configure Authentication, Authorization, and Accounting (AAA) for SSH client access control.
      When configuring AAA, the administrator specifies usernames and passwords, the session timeout, and the number of retries allowed during an SSH connection attempt. For example:
      ciscosystem(config)# aaa new-model
      ciscosystem(config)# username ServerUser password 0 cisco
      ciscosystem(config)# ip ssh timeout 60
      ciscosystem(config)# ip ssh authentication-retries 3
      ciscosystem(config)# exit
      ciscosystem#
      Authentication timeout is the interval, measured in seconds, that the SSH server waits for the SSH client to respond. Authentication retries is the number of SSH client connection attempts after which the interface is reset.
      The Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference provide more information about AAA.
    7. Verify that the SSH server is enabled and view its configuration.
      To view the status, version, and configuration of the SSH server, execute the show ip ssh command. For example:
      ciscosystem# show ip ssh
      SSH Enabled - version 2.0
      Authentication timeout: 60 secs; Authentication retries: 3
    8. Force the users that were added during the AAA configuration to use SSH instead of Telnet.
      Complete this step by specifying SSH as the virtual-terminal (vty) connection of choice. For example:
      ciscosystem# configure terminal
      ciscosystem(config)# line vty 0 4
      ciscosystem(config-line)# transport input SSH
      ciscosystem(config-line)# exit
      ciscosystem(config)#
      The number of allowable SSH connections is limited to the maximum number of vtys that is configured for the device. Five vtys (0-4) are configured by default. Each SSH connection uses a vty resource.
    9. Optional: For Cisco IOS release train 12.3(4)T, 12.3(2)XE, 12.2(25)S, or 12.3(7)JA, specify the version of SSH to be run on the device.
      For example:
      ciscosystem(config)# ip ssh version 2
      ciscosystem(config)# exit
      ciscosystem# exit
      ciscosystem>
      By default, SSH for Cisco 12.3(4)T, 12.3(2)XE, 12.2(25)S, and 12.3(7)JA allows both SSH1 and SSH2 connections to the device. The ip ssh version 2 command restricts the connections to SSH2 only.
    10. Open the SSH server configuration file and check that password authentication is enabled:
      • For a device that is running an OpenSSH server, ensure that PasswordAuthentication is set to yes in the sshd_config file.
      • For a device that is running an SSH Secure Shell server, ensure that AllowedAuthentications is set to password in the sshd2_config file.
    11. Log out.
      ciscosystem> logout
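Once the procedure above has been applied, an administrator usually wants a repeatable way to confirm that a device still matches it (domain name present, AAA enabled, SSH restricted to version 2, retries and timeout within the chosen limits, and the vty lines accepting SSH only). The following script is an added example, not part of the original procedure or of any Cisco tool: it audits a saved running-config together with the text of show ip ssh and returns a list of findings. The sample configurations, the show ip ssh output and the hashed secret in them are constructed for the example, and the regular expressions assume the command layout shown in steps 1 through 9.

```python
import re

# Constructed sample running-config and "show ip ssh" output, modelled on the
# commands in the procedure above. Neither was captured from a real device;
# the secret hash is an obvious placeholder.
GOOD_CONFIG = """\
hostname ciscosystem
ip domain-name cisco.com
aaa new-model
username ServerUser secret 5 $1$PLACEHOLDER$notarealhash
ip ssh timeout 60
ip ssh authentication-retries 3
ip ssh version 2
line vty 0 4
 transport input ssh
"""
GOOD_SHOW = ("SSH Enabled - version 2.0\n"
             "Authentication timeout: 60 secs; Authentication retries: 3\n")

# Constructed weak counterpart: no domain name, clear-text (type 0) password,
# Telnet still allowed on the vtys, and SSH1 fallback (version 1.99) left enabled.
WEAK_CONFIG = """\
hostname ciscosystem
aaa new-model
username ServerUser password 0 cisco
line vty 0 4
 transport input telnet ssh
"""
WEAK_SHOW = ("SSH Enabled - version 1.99\n"
             "Authentication timeout: 120 secs; Authentication retries: 5\n")


def parse_show_ip_ssh(output):
    """Extract enabled flag, version string, timeout and retries from 'show ip ssh' text."""
    status = {"enabled": False, "version": None, "timeout": None, "retries": None}
    m = re.search(r"SSH (Enabled|Disabled)(?: - version (\S+))?", output)
    if m:
        status["enabled"] = m.group(1) == "Enabled"
        status["version"] = m.group(2)
    m = re.search(r"Authentication timeout: (\d+) secs; Authentication retries: (\d+)", output)
    if m:
        status["timeout"] = int(m.group(1))
        status["retries"] = int(m.group(2))
    return status


def vty_transports(config):
    """Map each 'line vty A B' block to the set of transports in its 'transport input' line.

    A block without a 'transport input' line maps to None (the IOS default applies)."""
    transports = {}
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):            # a top-level command ends any line block
            current = None
            m = re.match(r"line vty (\d+) (\d+)\s*$", line)
            if m:
                current = (int(m.group(1)), int(m.group(2)))
                transports[current] = None
        elif current is not None:
            m = re.match(r"\s+transport input (.+?)\s*$", line)
            if m:
                transports[current] = set(m.group(1).lower().split())
    return transports


def audit_ssh_config(config, show_ip_ssh, max_timeout=60, max_retries=3):
    """Return a list of findings; an empty list means every check passes."""
    findings = []
    if not re.search(r"^hostname \S+", config, re.M):
        findings.append("no hostname configured")
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("no ip domain-name configured")
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        findings.append("aaa new-model not enabled")
    # 'password 0' stores the password in clear text in the configuration
    for m in re.finditer(r"^username (\S+) password 0 ", config, re.M):
        findings.append(f"username {m.group(1)} uses a clear-text (type 0) password")

    status = parse_show_ip_ssh(show_ip_ssh)
    if not status["enabled"]:
        findings.append("SSH server not enabled (no RSA/DSA host key pair?)")
    if status["version"] != "2.0":
        findings.append(f"SSH version is {status['version']}, not restricted to SSH2")
    if status["timeout"] is None or status["timeout"] > max_timeout:
        findings.append(f"authentication timeout {status['timeout']} exceeds {max_timeout} secs")
    if status["retries"] is None or status["retries"] > max_retries:
        findings.append(f"authentication retries {status['retries']} exceeds {max_retries}")

    for (first, last), allowed in vty_transports(config).items():
        if allowed != {"ssh"}:
            shown = "default" if allowed is None else " ".join(sorted(allowed))
            findings.append(f"line vty {first} {last}: transport input is '{shown}', not ssh only")
    return findings


if __name__ == "__main__":
    for name, cfg, show in (("good", GOOD_CONFIG, GOOD_SHOW), ("weak", WEAK_CONFIG, WEAK_SHOW)):
        print(name, audit_ssh_config(cfg, show) or ["no findings"])
```

Feed the script the output of show running-config and show ip ssh collected from the device (for example over the SSH session itself, after step 8 is in place). The version check deliberately treats anything other than 2.0 as a finding, because on the release trains named in step 9 the value 1.99 reported by show ip ssh means SSH1 connections are still accepted.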