Friday, September 23, 2005

SSH On Cisco Router

Last week we had and very peculiar requirement and requirement is like that in our Indian datacenter some engineers are trying to enable HDV (High density voice module) for voice call routing with our existing EPBAX. I am helping them too from different continent itself. But unfortunately I am not able to access that router on our dedicated MPLS circuit. But from my hotel room I am able to access that router because one of its interface is also connected to internet. And its my requirement to access router till time its not get configured properly because I am also doing lots or R&D on that . Suddenly after one day some one raised an security concern because I am accessing that router through telnet session (Means clear text password transfer on internet) Very dangerous man. And then research started to enable the SSH on router too ASAP. Although with small effort its started working . Enclosed steps evolved.

Configure Host Name

Router(config)# hostname Keekar-Router

Configure a domain name on your router using the ip domain-name command.

Keekar-Router(config)# ip domain-name

Then, create an RSA encryption key pair for the router to use for authentication and encryption of the SSH data.

Keekar-Router(config)# crypto key generate rsa
The name for the keys will be:

Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 768
% Generating 768 bit RSA keys ...[OK]

*Mar 1 00:17:13.337: %SSH-5-ENABLED: SSH 1.5 has been enabled

As you can see from this example, after the system generates the key, you'll receive a message that it has automatically enabled SSH 1.5 on the router.
What is this SSH 1.5 ? (We are wondering)
Then got to know CISCO call SSH1 --> SSH 1.5. Its quite funny Yes I know . :) Imagine 1.5 Man, In palce of Willian-2 , William-1.5 . OK thats enough concentrate.
If the system has enabled support for both SSH1 and SSH2, this message would say SSH 1.99. :)) (Sorry buddy I am not able to control my self.
If the system has only enabled support for SSH2, the message would say SSH 2.0.

You can also configure SSH settings if you choose. To do so, use the ip ssh command with which ever parameters you choose to set. (Different IOS versions have different
options because they support different versions of SSH.) Here's an example:

Keekar-Router(config)# ip ssh ?
authentication-retries Specify number of authentication retries
Port Starting (or only) port number to listen
Rsa Configure RSA keypair name for SSH
source-interface Specify interface for source address in SSH
time-out Specify SSH time-out interval

Keekar-Router(config)# ip ssh

Configuring optional SSH settings completes the process of configuring SSH on the router. Now, let's take a look at showing the SSH status.
To view the status of SSH, you can use the following commands:

* Use show ip ssh to view SSH settings.
* Use show ssh to view SSH connections.

Here's an example:

Keekar-Router# show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
Keekar-Router# show ssh
%No SSH server connections running.

SSH debug commands are also available by using the debug ip ssh command.

You can use a device's built-in SSH client to connect to other SSH servers. The Privileged Mode command is ssh. Here's an example:

Keekar-Router# ssh ?
-c Select encryption algorithm
-l Log in using this username
-o Specify options
-p Connect to this port
WORD IP address or hostname of a remote system

Keekar-Router# ssh


Anonymous said...

Hey, you have a great blog here! I'm definitely going to bookmark you!
I have a selling structured settlement site/blog. It pretty much covers selling structured settlement related stuff.

Come and check it out if you get time :-)

Anonymous said...

Photo from my Best weekend in this year ! ! ! ( phentermine )
Look it here :

I and my Girl or My friends girl

Anonymous said...

You may probably be very interested to know how one can make real money on investments.
There is no need to invest much at first.
You may begin to get income with a sum that usually goes
for daily food, that's 20-100 dollars.
I have been participating in one company's work for several years,
and I'll be glad to let you know my secrets at my blog.

Please visit my pages and send me private message to get the info.

P.S. I make 1000-2000 per day now. [url=]Online Investment Blog[/url]

Anonymous said...

Your blog keeps getting better and better! Your older articles are not as good as newer ones you have a lot more creativity and originality now. Keep it up!
And according to this article, I totally agree with your opinion, but only this time! :)

Anonymous said...

You have to express more your opinion to attract more readers, because just a video or plain text without any personal approach is not that valuable. But it is just form my point of view

Anonymous said...

Good brief and this enter helped me alot in my college assignement. Gratefulness you for your information.

Anonymous said...

Making money on the internet is easy in the undercover world of [URL=]blackhat forums[/URL], It's not a big surprise if you don't know what blackhat is. Blackhat marketing uses little-known or not-so-known avenues to build an income online.

Anonymous said...

Hello. And Bye.

Anonymous said...

Just want to say what a great blog you got here!
I've been around for quite a lot of time, but finally decided to show my appreciation of your work!

Thumbs up, and keep it going!