Configure SSH Access

Cisco Documents:
Security>AAA>Secure Shell Configuration Guide
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-4t/sec-cfg-secure-shell.html

First step would be to make sure that all the devices within your network SUPPORT the Secure Shell. The you need to make sure HOW you want to implement it, as there are 2 options:
1. Configuring a Router for SSH Version 2 Using a Hostname and Domain Name
2. Configuring a Router for SSH Version 2 Using RSA Key Pairs

In the first configuration type, these are the steps to follow:

Step 1: Be sure to have the Hostname and the IP Domain Name configured:
(config)#ip domain name SNArchs

Step 2: Decide the key pair (in bits, by defaut its 512 bits) and generate the RSA key. This ENABLES SSHv2:
(config)#crypto key generate rsa usage-keys
The name for the keys will be: ES-MAT-AES-SR04.SNArchs
Choose the size of the key modulus in the range of 360 to 2048 for your
  Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]:
Choose the size of the key modulus in the range of 360 to 2048 for your
  Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 512
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
*Dec  5 12:58:48.123: %SSH-5-ENABLED: SSH 2.0 has been enabled

Then configure the VTY port for the user database to use (TACACS or LOCAL), and to use SSH:
(config)#line vty 0 4
(config-line)#login local <-WONT BE AVAILABLE AFTER SSH IS ENABLED
(config-line)#transport input ssh
*When testing the access via SSH don't forget to use the "-l" to define the username:
#ssh -l mat 10.1.12.2

You can also use AAA to define the AUTHENTICATION PROFILE (AAA_AUTH), that can later be applied to ALL VTY ports:
(config)#aaa new-model
(config)#aaa authentication login AAA_AUTH local

Now apply it to the VTY port:
(config)#line vty 0 4
(config-line)#transport input ssh
(config-line)#login authentication AAA_AUTH
*"rotary" command under the VTY changes the telnet port to that line. "rotary 5" sets the port on that line to 3005

No comments:

Post a Comment

Most Popular Posts