
Establishing VTY Access via SSH

Telnet is a popular but insecure method of accessing IOS devices.

Telnet sessions are sent in plain text and can make it easy to sniff and capture confidential session information.

SSH provides encryption and strong authentication as an alternative. It is available in two versions:

SSH Version 1

SSHv1 is an improvement over Telnet in how it protects the information exchanged between two devices, but its implementation has known flaws.

SSH Version 2

The stronger version of SSH that is not compatible with SSHv1. SSHv2 has many benefits and is certified under the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 140-1 and 140-2.

Configuring SSH

Configure a hostname on the device with the global configuration command hostname <hostname>

Configure a domain name using the global configuration command ip domain-name <domain-name>

Generate cryptographic keys using the command crypto key generate rsa

The command prompts for a key modulus length. A longer modulus gives stronger security but takes longer to generate.

The modulus length needs to be at least 768 bits for SSHv2

Finally, force the router to use only Version 2 SSH with the global command ip ssh version 2
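To make the steps above checkable after the fact, here is an added Python audit (not code from the original article) that scans IOS configuration text for what the procedure should leave behind: a hostname, a domain name, and ip ssh version 2. The two configuration snapshots inside it are constructed for the example; Router1, example.com and the username are placeholders, and the line vty transport input ssh restriction is an assumed extra step the article does not list. The RSA modulus length is chosen interactively by crypto key generate rsa and never appears in the running-config, so the audit does not cover it.

```python
"""Audit Cisco IOS configuration text for SSH-only VTY access.

Added example, not from the original article.  Both configuration
snapshots are constructed; they are not taken from a real device.
"""
from __future__ import annotations

import re

# Constructed "before" snapshot: no domain name, SSH version not pinned,
# Telnet still permitted on the VTY lines.
WEAK_CONFIG = """\
hostname Router1
!
username admin secret PLACEHOLDER-CHANGE-ME
!
line vty 0 4
 login local
 transport input telnet ssh
"""

# Constructed "after" snapshot following the steps in the text, plus the
# (assumed) VTY restriction so that only SSH is accepted.
HARDENED_CONFIG = """\
hostname Router1
!
ip domain-name example.com
!
ip ssh version 2
!
username admin secret PLACEHOLDER-CHANGE-ME
!
line vty 0 4
 login local
 transport input ssh
"""


def parse_vty_transports(config: str) -> list[str]:
    """Return every 'transport input' value found under a 'line vty' stanza."""
    transports: list[str] = []
    in_vty = False
    for line in config.splitlines():
        if line.startswith("line "):
            # A new line stanza begins; only 'line vty ...' stanzas interest us.
            in_vty = line.startswith("line vty")
            continue
        if in_vty:
            m = re.match(r"\s+transport input (.+)", line)
            if m:
                transports.append(m.group(1).strip())
    return transports


def audit_ssh_config(config: str) -> list[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings: list[str] = []
    lines = [l.strip() for l in config.splitlines()]

    # Prerequisites for crypto key generate rsa.
    if not any(l.startswith("hostname ") for l in lines):
        findings.append("no hostname configured (required before RSA key generation)")
    if not any(l.startswith("ip domain-name ") for l in lines):
        findings.append("no ip domain-name configured (required before RSA key generation)")

    # Without this line the device may still negotiate SSHv1.
    if "ip ssh version 2" not in lines:
        findings.append("ip ssh version 2 missing: device may still accept SSHv1")

    # VTY lines should accept SSH and nothing else.
    transports = parse_vty_transports(config)
    if not transports:
        findings.append("no 'transport input' under line vty: platform default may allow Telnet")
    for t in transports:
        if set(t.split()) != {"ssh"}:
            findings.append(f"line vty 'transport input {t}' permits more than SSH")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_ssh_config(cfg)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print(f"  - {finding}")
```

Run it as-is to see the constructed weak snapshot fail on three counts and the hardened one pass, or paste in the output of show running-config from a lab device. Because the modulus length is not in the running-config, confirm it separately with show crypto key mypubkey rsa and compare against the 768-bit minimum the text gives for SSHv2.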
