Using SSH for Secure Access

Problem

You want to use SSH for secure encrypted remote access to your router.

Solution

You can configure your router to run an SSH Version 1 server for VTY access:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#hostname Router1
Router1(config)#ip domain-name oreilly.com
Router1(config)#crypto key generate rsa
The name for the keys will be: Router1.oreilly.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]

Router1(config)#
Jun 27 15:04:15: %SSH-5-ENABLED: SSH 1.5 has been enabled
Router1(config)#ip ssh time-out 120
Router1(config)#ip ssh authentication-retries 4
Router1(config)#end
Router1#

SSH became available in Cisco's IOS, starting with release 12.1(1)T. However, only versions of IOS that support IPSec (DES or 3DES) encryption include SSH support. Note that there are severe restrictions on exporting any software that includes 3DES outside of United States and Canada.

Beginning with IOS Version 12.3(4)T, Cisco introduced support for SSH Version 2. The key-generation configuration is identical; the ip ssh version command, described in the Discussion, selects which protocol versions the router accepts. As with Version 1, only IOS versions that support 3DES encryption will support SSH Version 2, and the RSA key pair must be at least 768 bits.

Discussion

SSH provides a secure method of communication between network entities by means of transparent encryption. It is a protocol that encrypts all traffic, including passwords, between a client and a server. This makes it an excellent replacement for the Telnet and Rlogin protocols.

The main reason to consider replacing Telnet with SSH is security. The entire Telnet session, including passwords, is transmitted in clear-text. If anybody has a protocol analyzer in between the Telnet client and server, they can easily discover the username and password, as well as see all of the data sent by both ends of the conversation. SSH, on the other hand, uses strong encryption algorithms to ensure the entire session is unintelligible to anybody except for the intended party. This allows for secure communication, even through a public network such as the Internet.

The transparent encryption scheme used by SSH ensures that, except for initial configuration, SSH behaves much the same way as Telnet does. The SSH protocol hides the security functionality from the end user, leaving a session that operates like a native Telnet session would. The actual encryption algorithm used in a given SSH session is negotiated between the client and the host: the client's most preferred algorithm that the server also supports is selected, so a weak algorithm list on either end weakens the whole session.

Configuring SSH Version 1 requires the following steps, all shown in the Solution section:

1. Set the router's hostname (hostname).
2. Set the router's domain name (ip domain-name); together with the hostname this names the key pair, Router1.oreilly.com in the example.
3. Generate an RSA key pair (crypto key generate rsa), choosing the modulus size when prompted.
4. Optionally tune the server's authentication timeout and retry limit (ip ssh time-out and ip ssh authentication-retries).

Generating a set of SSH keys automatically enables the SSH protocol. As soon as you have created the keys, the router is able to accept SSH sessions. The first time you connect to an SSH-enabled device, your SSH client software will prompt you to store the device's host key. This prevents other devices from masquerading as the legitimate device, but only if you compare the fingerprint shown with one obtained out-of-band before answering yes; a fingerprint accepted blindly protects only later sessions. As a general rule, you do not need to generate keys on the client device to use SSH:

Freebsd% ssh -l ijbrown Router1
The authenticity of host 'Router1 (172.25.1.5)' can't be established.
RSA1 key fingerprint is 7a:97:99:2a:ef:08:40:fb:c3:dd:c4:8c:29:fc:2f:4d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'Router1' (RSA1) to the list of known hosts.
ijbrown@Router1's password: xxxxxxxxxx
Router1>exit
Connection to Router1 closed.

The SSH client passes the current username to the SSH server, which in turn prompts for that user's password. With the Unix version of SSH, you can override this behavior by specifying the -l option followed by an alternate username. In the example above, we explicitly specified the username ijbrown. The default behavior looks like this:

Freebsd% ssh Router1
ijbrown@Router1's password: xxxxxxxxx
Router1>

No username was defined, yet the router prompted for the password for the username ijbrown, the current Unix username.
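The host-key prompt shown above is only a defense against masquerading if the fingerprint is checked against a value recorded out-of-band before you answer yes. The following Python script is an added example and is not part of the original recipe or of Cisco's software. It takes a public-key line in the format ssh-keyscan prints for an SSH Version 2 server (assumed to be the router), recomputes both the MD5 colon-hex fingerprint (the style shown above) and the newer SHA256 form, rejects a modulus shorter than the 768-bit minimum this recipe gives for SSH Version 2, and compares the result with the expected fingerprint. The host name, key and fingerprints are constructed for the demonstration; an SSH Version 1 (RSA1) host key is fingerprinted over a different encoding and is not handled here.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH 'string' encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' encoding of a non-negative integer (big-endian, sign bit clear)."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Wire form of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n.
    This byte string is exactly what clients hash to produce the fingerprint."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_rsa_blob(blob: bytes):
    """Decode an ssh-rsa blob into (algorithm, e, n); raise ValueError if malformed."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return "ssh-rsa", int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def fingerprints(blob: bytes):
    """Return (MD5 colon-hex, 'SHA256:' base64) fingerprints of a key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return md5_fp, "SHA256:" + sha


def key_line(host: str, blob: bytes) -> str:
    """Build a line in the form ssh-keyscan prints: 'host ssh-rsa <base64 blob>'."""
    return f"{host} ssh-rsa " + base64.b64encode(blob).decode()


def check_host_key(pubkey_line: str, expected_fp: str, min_bits: int = 768):
    """Compare a key line ("host ssh-rsa AAAA..." or a bare "ssh-rsa AAAA...")
    with a fingerprint recorded out of band. Returns (ok, reason).
    min_bits defaults to the 768-bit floor given above for SSH Version 2."""
    parts = pubkey_line.split()
    if "ssh-rsa" not in parts:
        return False, "no ssh-rsa key on line"
    try:
        blob = base64.b64decode(parts[parts.index("ssh-rsa") + 1])
        _, _, n = parse_rsa_blob(blob)
    except (IndexError, ValueError) as exc:
        return False, f"malformed key: {exc}"
    bits = n.bit_length()
    if bits < min_bits:
        return False, f"modulus is {bits} bits, below the {min_bits}-bit minimum"
    md5_fp, sha_fp = fingerprints(blob)
    if expected_fp not in (md5_fp, sha_fp):
        return False, "fingerprint mismatch: do not answer yes; the host may be an impostor"
    return True, f"fingerprint matches a {bits}-bit key"


# Constructed demonstration key: a made-up 1024-bit modulus, not a real RSA key.
SAMPLE_N = (1 << 1023) | 0x10001
SAMPLE_BLOB = build_rsa_blob(65537, SAMPLE_N)
SAMPLE_LINE = key_line("Router1", SAMPLE_BLOB)

if __name__ == "__main__":
    md5_fp, sha_fp = fingerprints(SAMPLE_BLOB)
    print("computed:", md5_fp, sha_fp)
    print(check_host_key(SAMPLE_LINE, md5_fp))      # matches the recorded value
    print(check_host_key(SAMPLE_LINE, "7a:97:99:2a:ef:08:40:fb:c3:dd:c4:8c:29:fc:2f:4d"))
```

In practice the key line comes from ssh-keyscan -t rsa Router1 run from the management host, and the expected fingerprint from a record made when the key pair was generated; only when check_host_key returns True should the key be appended to known_hosts.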

If you decide to use SSH as your transport protocol for administrative access to your routers, we recommend that you disable all other forms of VTY access using the transport input configuration command. Running insecure protocols alongside SSH defeats the purpose of implementing SSH in the first place. Apply the command to every VTY line the router has, not only vty 0 4; a line left at its default transport setting may still accept Telnet. For more information on disabling transport protocols on virtual terminals, see Recipe 3.10. The following example illustrates how to disable all inbound protocols except SSH:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#line vty 0 4
Router1(config-line)#transport input ssh
Router1(config-line)#exit
Router1(config)#end
Router1#

Starting with Version 12.1(3)T, Cisco's IOS also supports SSH client functionality. The SSH client lets you connect from the router to other SSH servers, including SSH-enabled routers. In the following example, we initiate an SSH session from our router to an SSH-enabled Unix server:

Router1#ssh -l ijbrown server
Trying server.oreilly.com (172.25.1.3)... Open

Password: xxxxxxxxxxx
FreeBSD 4.6-STABLE (IJB)

Welcome to FreeBSD!

You have new mail.
Freebsd%

Many SSH clients and servers are readily available for most popular operating systems. There are also several free SSH packages available on the Internet, including OpenSSH and PuTTY (see Appendix A for more details).

The show ssh EXEC command displays the active SSH sessions and their attributes, such as VTY number, SSH version, encryption type, session state, and username:

Router1#show ssh
Connection   Version   Encryption   State             Username
0            1.5       3DES         Session started   ijbrown
3            1.5       3DES         Session started   morewood

The command show ip ssh displays the SSH server configuration status, including the SSH version, authentication timeout, and number of retries:

Router1#show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 4
Router1#

Configuring SSH Version 2 requires the same steps as Version 1 (hostname, ip domain-name, and crypto key generate rsa with a modulus of at least 768 bits) plus one more: restricting the server to Version 2 with ip ssh version 2.

By default, the router runs in compatibility mode, meaning it accepts both versions of SSH. Since SSH Version 2 has significant security advantages over SSH Version 1, we highly recommend disabling Version 1 whenever possible. To accept only SSH Version 2, use the ip ssh version command; this requires the RSA key pair generated above to be at least 768 bits, and afterward show ip ssh reports version 2.0 rather than 1.99, the compatibility-mode value:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip ssh version 2
Router1(config)#end
Router1#
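Two of the recommendations in this recipe (SSH as the only inbound VTY transport, and SSH Version 2 only) are easy to leave half-applied, typically by restricting vty 0 4 and forgetting a second VTY range. The following Python script is an added audit example, not part of the original recipe or of Cisco's software. It parses a saved running-config into global commands and line blocks, flags any VTY range whose transport input permits anything besides ssh, and flags a missing ip ssh version 2 or ip domain-name. The two config excerpts are constructed for the demonstration (a "before" with a Telnet-capable range and the default SSH version, and an "after" with the recipe applied); the wording of the findings is this example's own.

```python
# Constructed running-config excerpt (not captured from a real router). The
# second VTY range still allows Telnet and the SSH version is left at its default.
SAMPLE_CONFIG = """\
hostname Router1
ip domain-name oreilly.com
ip ssh time-out 120
ip ssh authentication-retries 4
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
end
"""

# The same excerpt after applying this recipe's advice (also constructed).
FIXED_CONFIG = """\
hostname Router1
ip domain-name oreilly.com
ip ssh time-out 120
ip ssh authentication-retries 4
ip ssh version 2
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""


def parse_config(config: str):
    """Split a running-config into global commands and per-'line' sub-command blocks.
    Returns (global_cmds, blocks) with blocks keyed like 'vty 0 4'."""
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped.startswith("!"):        # section separator ends any open block
            current = None
            continue
        if raw.startswith(" "):             # indented: sub-command of the open block
            if current is not None:
                blocks[current].append(stripped)
            continue
        if stripped.startswith("line "):
            current = stripped[len("line "):]
            blocks.setdefault(current, [])
        else:
            current = None
            global_cmds.append(stripped)
    return global_cmds, blocks


def audit_ssh(config: str):
    """Return findings against this recipe's recommendations; [] means clean."""
    global_cmds, blocks = parse_config(config)
    findings = []
    if not any(c.startswith("ip domain-name ") for c in global_cmds):
        findings.append("no 'ip domain-name': the RSA key name (hostname.domain) cannot be formed")
    if "ip ssh version 2" not in global_cmds:
        findings.append("'ip ssh version 2' missing: compatibility mode also accepts SSH Version 1")
    vty = {name: cmds for name, cmds in blocks.items() if name.startswith("vty")}
    if not vty:
        findings.append("no 'line vty' block found")
    for name, cmds in vty.items():
        transports = [c for c in cmds if c.startswith("transport input")]
        if not transports:
            findings.append(f"line {name}: no 'transport input'; the default is version dependent and may permit Telnet")
            continue
        allowed = set(transports[-1].split()[2:])   # the last statement wins
        if allowed != {"ssh"}:
            findings.append(f"line {name}: transport input allows {' '.join(sorted(allowed))}, expected ssh only")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(label, audit_ssh(cfg) or ["ok"])
```

Feed it the output of show running-config saved from the router; an empty findings list for every router is the check to run after a change window, since a VTY range that still lists telnet undoes the benefit of the SSH configuration on the others.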


See Also

Recipe 3.1; Chapter 4
