SSH server configuration
Configuring a network device to use SSH requires that an administrator perform the following basic steps for each network device that is to be SSH enabled:
- Enable the SSH transport support for the virtual-terminal (vty) connections.
- Generate a public/private key pair. The public key of the generated public/private key pair is referred to as the "public host key" or just "host key."

To configure the SSH server on a Cisco device:
- Ensure that the device has a session password and a privileged-mode enable password. For example:

    Router>enable
    Router#configure terminal
    Router(config)#passwd secret
    Router(config)#enable password secret
    Router(config)#exit
    Router#
- Verify that the device supports the SSH server feature. Run the following command to display the loaded IOS software image:

    Router#show flash

  or, on Cisco IOS 12.3:

    Router#show flash:

  The SSH server feature for SSH1 support is available in the following Cisco IOS release trains: 12.0S, 12.0ST, 12.1T, 12.1E, 12.2, 12.2T, and 12.2S. The SSH server feature for SSH2 support is available in the following Cisco IOS release trains: 12.3(4)T, 12.3(2)XE, 12.2(25)S, and 12.3(7)JA. The Cisco IOS Configuration Fundamentals and Network Management Configuration Guide provides information about downloading an IOS software image.
- Ensure that the device has a hostname and a properly configured host domain. For example:

    Router#configure terminal
    Router(config)#hostname ciscosystem
    ciscosystem(config)#ip domain-name cisco.com

  The hostname is the name of the device, and the domain name is the host domain that the device services. The IOS software uses the domain name to complete unqualified hostnames.
- For Cisco IOS release train 12.0S, 12.0ST, 12.1T, 12.1E, 12.2, 12.2T, or 12.2S, enable the SSH server by generating an RSA key pair. For example:

    ciscosystem(config)#crypto key generate rsa

  Generating an RSA key pair automatically enables the SSH server. Deleting the RSA key pair, by entering the crypto key zeroize rsa command, automatically disables the SSH server.
- For Cisco IOS release train 12.3(4)T, 12.3(2)XE, 12.2(25)S, or 12.3(7)JA, enable the SSH server by generating a DSA key pair. For example:

    ciscosystem(config)#crypto key generate dsa

  Generating a DSA key pair automatically enables the SSH server. Deleting the DSA key pair, by entering the crypto key zeroize dsa command, automatically disables the SSH server.
- Configure Authentication, Authorization, and Accounting (AAA) for SSH client access control. When configuring AAA, the administrator specifies usernames and passwords, the session timeout, and the number of retries allowed during an SSH connection attempt. For example:

    ciscosystem(config)#aaa new-model
    ciscosystem(config)#username ServerUser password 0 cisco
    ciscosystem(config)#ip ssh timeout 60
    ciscosystem(config)#ip ssh authentication-retries 3
    ciscosystem(config)#exit
    ciscosystem#

  Authentication timeout is the interval, measured in seconds, that the SSH server waits for the SSH client to respond. Authentication retries is the number of SSH client connection attempts after which the interface is reset. The Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference provide more information about AAA.
- Verify that the SSH server is enabled and view its configuration. To view the status, version, and configuration of the SSH server, execute the show ip ssh command. For example:

    ciscosystem#show ip ssh
    SSH Enabled - version 2.0
    Authentication timeout: 60 secs; Authentication retries: 3
- Force the users that were added during the AAA configuration to use SSH instead of Telnet. Complete this step by specifying SSH as the virtual-terminal (vty) connection of choice. For example:

    ciscosystem#configure terminal
    ciscosystem(config)#line vty 0 4
    ciscosystem(config-line)#transport input SSH
    ciscosystem(config-line)#exit
    ciscosystem(config)#

  The number of allowable SSH connections is limited to the maximum number of vtys that is configured for the device. Five vtys (0-4) are configured by default. Each SSH connection uses a vty resource.
- Optional: For Cisco IOS release train 12.3(4)T, 12.3(2)XE, 12.2(25)S, or 12.3(7)JA, specify the version of SSH to be run on the device. For example:

    ciscosystem(config)#ip ssh version 2
    ciscosystem(config)#exit
    ciscosystem#exit
    ciscosystem>

  By default, SSH for Cisco 12.3(4)T, 12.3(2)XE, 12.2(25)S, and 12.3(7)JA allows both SSH1 and SSH2 connections to the device. The ip ssh version 2 command restricts the connections to SSH2 only.
- Open the SSH server configuration file and check that password authentication is enabled:
  - For a device that is running an OpenSSH server, ensure that PasswordAuthentication is set to yes in the sshd_config file.
  - For a device that is running an SSH Secure Shell server, ensure that AllowedAuthentications is set to password in the sshd2_config file.
- Log out.

    ciscosystem>logout
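The steps above leave a running-config that an administrator usually verifies by eye. The following script is an added example, not part of this documentation or of any Cisco tooling: it parses a constructed running-config modelled on the commands in the procedure and reports whether each setting the procedure configures is present (hostname, domain name, aaa new-model, ip ssh timeout and authentication-retries, ip ssh version 2, and transport input ssh on every vty line). It also goes slightly beyond the procedure by flagging usernames stored with password type 0, which IOS keeps in cleartext. The sample config, the check names and the parsing rules are assumptions made for the example.

```python
import re

# Constructed sample running-config, modelled on the commands shown in the
# procedure above. It deliberately contains two weaknesses: a cleartext
# "password 0" username and a second vty range that still accepts Telnet.
SAMPLE_RUNNING_CONFIG = """\
hostname ciscosystem
ip domain-name cisco.com
aaa new-model
username ServerUser password 0 cisco
ip ssh timeout 60
ip ssh authentication-retries 3
ip ssh version 2
!
line vty 0 4
 transport input SSH
line vty 5 15
 transport input telnet ssh
"""


def parse_running_config(text):
    """Split a running-config into global commands and per-'line' sub-commands.

    Sub-commands are the indented lines that follow a 'line ...' header;
    comment lines beginning with '!' and blank lines are ignored.
    """
    global_cmds = []
    line_blocks = {}          # e.g. "vty 0 4" -> ["transport input SSH"]
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":   # indented: belongs to the current 'line' block
            if current is not None:
                line_blocks[current].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        m = re.match(r"line\s+(.+)$", cmd)
        if m:
            current = m.group(1)
            line_blocks.setdefault(current, [])
        else:
            global_cmds.append(cmd)
    return global_cmds, line_blocks


def vty_ssh_only(line_blocks):
    """True only if every vty line has 'transport input ssh' as its last
    transport statement. A vty with no transport statement fails the check,
    because the IOS default is to accept every transport."""
    for name, subs in line_blocks.items():
        if not name.startswith("vty"):
            continue
        transports = [s.lower().split() for s in subs
                      if s.lower().startswith("transport input")]
        if not transports or transports[-1][2:] != ["ssh"]:
            return False
    return True


def audit_ssh_config(text):
    """Return {check_name: passed} for the settings the procedure above configures."""
    global_cmds, line_blocks = parse_running_config(text)
    g = set(global_cmds)
    return {
        "hostname_set": any(c.startswith("hostname ") for c in g),
        "domain_name_set": any(c.startswith("ip domain-name ") for c in g),
        "aaa_new_model": "aaa new-model" in g,
        "ssh_timeout_set": any(c.startswith("ip ssh timeout ") for c in g),
        "ssh_retries_set": any(c.startswith("ip ssh authentication-retries ") for c in g),
        "ssh_version_2_only": "ip ssh version 2" in g,
        # 'username X password 0 ...' stores the credential in cleartext
        "no_cleartext_usernames": not any(
            re.match(r"username \S+ password 0 ", c) for c in g),
        "vty_ssh_only": vty_ssh_only(line_blocks),
    }


if __name__ == "__main__":
    for check, ok in audit_ssh_config(SAMPLE_RUNNING_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Run against the sample, every check passes except the two planted weaknesses; feed it the output of show running-config from a real device instead of the constructed string to audit that device. The vty check looks at the last transport input statement per line because a later statement replaces an earlier one in the configuration.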
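For the sshd_config and sshd2_config check in the second-to-last step, reading the file by eye is error-prone because OpenSSH uses the first value it finds for a keyword, treats keywords case-insensitively, accepts either whitespace or "=" between keyword and value, and applies everything after a Match line only conditionally. The example below is added here and is not part of this documentation; it parses the global section of two constructed files and reports the effective setting. The OpenSSH rules follow sshd_config(5); the assumption that sshd2_config gives AllowedAuthentications as a comma-separated list of methods is made for the example.

```python
import re

# Constructed OpenSSH sshd_config. The second PasswordAuthentication line is
# ignored by sshd because the first value wins, so password auth is enabled
# globally even though the file looks as if it disables it.
SAMPLE_SSHD_CONFIG = """\
# OpenSSH sshd_config (constructed)
Port 22
passwordauthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
"""

# Constructed SSH Secure Shell sshd2_config; methods are assumed to be a
# comma-separated list.
SAMPLE_SSHD2_CONFIG = """\
# sshd2_config (constructed)
AllowedAuthentications    publickey,password
"""


def global_keywords(text):
    """Map lowercase keyword -> first value seen in the global section."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # 'Keyword value', 'Keyword=value' and 'Keyword = value' are all accepted
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                      # conditional section starts; stop here
        result.setdefault(key, value)  # first occurrence wins
    return result


def openssh_password_auth_enabled(text):
    """Effective PasswordAuthentication in the global section (sshd default is yes)."""
    value = global_keywords(text).get("passwordauthentication", "yes")
    return value.lower() == "yes"


def sshd2_password_auth_enabled(text):
    """True if 'password' is among the AllowedAuthentications methods."""
    value = global_keywords(text).get("allowedauthentications", "")
    methods = [m.strip().lower() for m in value.split(",")]
    return "password" in methods


if __name__ == "__main__":
    print("OpenSSH password auth:", openssh_password_auth_enabled(SAMPLE_SSHD_CONFIG))
    print("sshd2 password auth:", sshd2_password_auth_enabled(SAMPLE_SSHD2_CONFIG))
```

Read the real file with open("/etc/ssh/sshd_config").read() in place of the constructed string. The parser stops at the first Match line on purpose: settings inside Match blocks apply only to matching users or hosts, so the global value is what the check in the procedure refers to.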