Sabtu, 05 Maret 2005

Using SSH version 2 on Cisco Routers

My CCNA class did not cover this, but I think it is important to enable SSH version 2 on Cisco gear that supports it. You can use the Cisco Software Advisor to find IOS images that support the Secure Shell Server version 2 feature. Once you have an appropriate image loaded, follow these instructions to get your SSH v2 server running. Here's what I did:


gill(config)#hostname gill
gill(config)#ip domain-name taosecurity.com
gill(config)#crypto key generate rsa
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
gill(config)#ip ssh time-out 60
gill(config)#ip ssh authentication-retries 3
gill(config)#ip ssh version 2
gill(config-line)#login local
gill(config-line)#transport input ssh
gill(config-line)#exit
gill(config)#username me privilege 15 password mypassword
gill(config)#end

Here are a few notes. First, choose a key bigger than 512 bits. When I tried this the first time and accepted the default, I got this error message from my FreeBSD OpenSSH client:

ssh_rsa_verify: RSA modulus too small: 512 < minimum 768 bits
key_verify failed for server_host_key

Second, you'll see I specified 'login local'. This means I have to create a user (here, 'me') to allow connection to the SSH daemon. If I just said 'login', I'd have to enter the console password.

Third, I did not really need to specify a hostname in this example, since it was already set. I did so to show how to do it.

Last, Cisco's documentation recommends 'ip ssh timeout 60' when the real syntax is 'ip ssh time-out 60'.

I recommend running SSH v2 as SSH v1 is susceptible to various attacks.

When you connect to the server, your client will see this:

debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0

On the router, try the 'show ssh' command to see active sessions:

gill#sh ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes128-cbc hmac-md5 Session started me
0 2.0 OUT aes128-cbc hmac-md5 Session started me
%No SSHv1 server connections running.

0 komentar:

Posting Komentar