Configuring SSH Security


To enable SSH on the router, the following parameters must be configured:

Hostname
Domain name
Asymmetrical keys
Local authentication

Optional configuration parameters include:
Timeouts
Retries

The following steps configure SSH on a router.

Step 1: Set router parameters
Configure the router hostname with the hostname <hostname> command from global configuration mode.

Step 2: Set the domain name
A domain name must exist to enable SSH. In this example, enter the ip domain-name cisco.com command from global configuration mode.

Step 3: Generate asymmetric keys
You need to create a key pair that the router uses to protect its SSH management traffic. Use the crypto key generate rsa command from global configuration mode. The router responds with a message showing the naming convention for the keys (hostname.domain-name). Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. As a best practice, Cisco recommends using a minimum modulus length of 1024. Be aware that a longer modulus takes longer to generate and to use, but it offers stronger security.

You can learn more about the crypto key command in the Network Security course.

Step 4: Configure local authentication and vty
You must define a local user and assign SSH communication to the vty lines as shown in the figure.

Step 5: Configure SSH timeouts (optional)
Timeouts provide additional security for the connection by terminating lingering, inactive connections. Use the command ip ssh time-out <seconds> authentication-retries <integer> to enable timeouts and authentication retries. Set the SSH timeout to 15 seconds and the number of retries to 2.
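The five steps above collected into one configuration session, as an added example that is not from the original post. It assumes the router is named R2 and that the local user is "admin" with a constructed password; the username and line vty commands are assumed to be what the figure referenced in Step 4 shows.

```cisco
! Added example, not from the original post. Assumes router name R2, a
! local user "admin" and a constructed password. The username and line vty
! commands stand in for the figure referenced in Step 4.
Router> enable
Router# configure terminal
! Step 1: hostname
Router(config)# hostname R2
! Step 2: domain name (gives the key its name, R2.cisco.com)
R2(config)# ip domain-name cisco.com
! Step 3: RSA key pair; 1024 bits is the minimum the text recommends
R2(config)# crypto key generate rsa
The name for the keys will be: R2.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
! Step 4: local user (constructed password) and SSH-only vty lines
R2(config)# username admin secret Str0ng-Example-Pw
R2(config)# line vty 0 4
R2(config-line)# login local
R2(config-line)# transport input ssh
R2(config-line)# exit
! Step 5 (optional): 15-second timeout, 2 authentication retries
R2(config)# ip ssh time-out 15
R2(config)# ip ssh authentication-retries 2
! Not among the steps above: restrict the router to SSH version 2
R2(config)# ip ssh version 2
R2(config)# end
! Check: confirm SSH is enabled and the timeout/retry values took effect
R2# show ip ssh
```

The final show ip ssh should report SSH as enabled with the 15-second authentication timeout and 2 retries; if it reports SSH disabled, the key pair from Step 3 was not generated.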

To connect to a router configured with SSH, you have to use an SSH client application such as PuTTY or TeraTerm. Be sure to choose the SSH option and that the client uses TCP port 22.
When TeraTerm is used to connect securely to router R2 with SSH, R2 displays a username prompt once the connection is initiated, followed by a password prompt. If the correct credentials are provided, TeraTerm displays the router R2 user EXEC prompt.
