At the CCNA level we only learn two ways to connect to a Cisco device: the console connection and a telnet connection.
Nobody can tap the console connection without being physically attached to the device, but it is a different story for telnet: anyone on the path can capture the session.
Telnet sends every message, including the username and password, in clear text, so it is dangerous to leave telnet as the only way to manage your Cisco devices.
We can use SSH for a secure connection to the Cisco device instead. SSH encrypts everything going between your computer and the Cisco device.

First you need a Cisco IOS image with crypto support (the "k9" feature set, which includes SSH, IPsec, DES and 3DES). How do you know whether you have one? Just issue the following command:

router# show ip ssh
% Invalid input detected at '^' marker.

If the command is rejected with "% Invalid input detected at '^' marker.", the IOS does not support SSH and you have to upgrade the image before going any further.

Now start with the configuration. You have to define a hostname for the Cisco device and also a domain name for it, because the RSA key pair is named after both. In this example I use the hostname "netrouter" and the domain name "ciscolab.home".

router(config)# hostname netrouter
netrouter(config)# ip domain-name ciscolab.home

Next, generate the RSA key pair used for the encryption. The name of the key is your device name plus the domain name:

netrouter(config)# crypto key generate rsa
The name for the keys will be: netrouter.ciscolab.home
Choose the size of the key modulus in the range of 360 to 2048
for your General Purpose Keys. Choosing a key modulus greater than
512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]

The modulus is the length of the key. The default is 512 bits and Cisco recommends at least 1024 bits. A 512-bit RSA key is far too weak today: SSH version 2 will not run on a modulus under 768 bits, and current SSH clients refuse RSA host keys shorter than 1024 bits, so pick 2048 if your image offers it (this one allows up to 2048).

You can also configure some additional parameters for the SSH connection:

netrouter(config)# ip ssh authentication-retries 3
netrouter(config)# ip ssh time-out 120
netrouter(config)# ip ssh version 2

The first command sets how many times a user may fail or mistype the username and password before the connection is dropped. The second command sets the timeout, the time in seconds the user has to enter the username and password. The last command sets the SSH version you want to use; set it to 2, otherwise the device will also accept the weaker SSH version 1.

Now that we have generated a key pair for the encryption, how will the Cisco device authenticate the users coming in over SSH? You can either use a AAA server like RADIUS or TACACS+, or you can just use the Cisco device's local username and password. For now I'll use local authentication: first set the username and password, then configure the vty lines to accept local authentication.

netrouter(config)# username Cisco secret <password>
netrouter(config)# line vty 0 4
netrouter(config-line)# login local

Use "secret" rather than "password" when you create the user: "password" stores the credential in the running-config in a reversible (type 7) encoding, while "secret" stores a hash. Also check how many vty lines your image has (many have line vty 0 15) and apply the same line configuration to all of them, otherwise the extra lines keep their old settings.

By now you have successfully configured SSH on the Cisco device, so let's try it. You can use PuTTY for the SSH connection; the default SSH port is 22. You can use another port if you want by issuing ip ssh port 2000 from global configuration mode, replacing 2000 with any port from 2000 to 10,000. Here I'm using the default terminal on a Macintosh:

$ ssh Cisco@192.168.1.1
Cisco@192.168.1.1's password:
netrouter>

There, SSH is working. But the telnet session is also still working, and now I want to restrict the Cisco device to accept only SSH connections and deny telnet. Do not disconnect from your current connection, especially if it is a telnet session: if you mess up the configuration you can still undo the changes from the session you already have.

netrouter(config)# line vty 0 4
netrouter(config-line)# transport input ssh

Now if I try to connect using telnet, the router denies it:

$ telnet 192.168.1.1
Trying 192.168.1.1...
telnet: connect to address 192.168.1.1: Connection refused
telnet: Unable to connect to remote host

As a final check, issue show ip ssh again: it should now report SSH as enabled with version 2.0 and show the timeout and retry values you configured.

Hope this is useful for you.

One more note for Macintosh (and any OpenSSH client) users: if you change the RSA key by issuing crypto key generate rsa again on the same device, your Mac will refuse the SSH connection and warn you about a possible man-in-the-middle attack because the host key has changed. That warning is the client doing its job: the fingerprint it saved for 192.168.1.1 no longer matches the one the device now presents. If you are sure the change is your own doing, remove only the stale entry for the device from /Users/yourname/.ssh/known_hosts (ssh-keygen -R 192.168.1.1 does exactly that) rather than wiping the whole file, which would also throw away the saved keys of every other host you connect to. Then connect again and accept the new fingerprint. That should do the trick.
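The recipe above is easy to get half right: vty 0 4 ends up SSH-only while vty 5 15 keeps accepting telnet, or the user is created with "password" instead of "secret". The following script is an added example, not part of the original post, that audits a saved "show running-config" for each step of the procedure (hostname, domain name, SSH version 2, hashed credentials, and a login method plus "transport input ssh" on every vty stanza). The hostnames, usernames, password hashes and the three sample configs are constructed for illustration; the parser only understands the "line ..." stanza layout of IOS and ignores everything else.

```python
# Added example (not from the original post): audit a saved Cisco IOS
# running-config for the SSH-only hardening steps described above.
# All device names, usernames, hashes and configs below are constructed.

HARDENED_CONFIG = """\
hostname netrouter
ip domain-name ciscolab.home
username Cisco secret 5 $1$abcd$constructedhashvalue
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
"""

# Same device, but only vty 0 4 was hardened: vty 5 15 still takes telnet
# and authenticates with the line password instead of a username.
PARTIAL_CONFIG = """\
hostname netrouter
ip domain-name ciscolab.home
username Cisco secret 5 $1$abcd$constructedhashvalue
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 password cisco
 login
 transport input telnet ssh
"""

# A factory-fresh box: reversible type 7 password, no SSH settings at all.
WEAK_CONFIG = """\
hostname Router
username Cisco password 7 0822455D0A16
line vty 0 4
 login local
 transport input all
"""


def parse_line_blocks(config):
    """Split a running-config into top-level commands and 'line ...' stanzas.

    Returns (top_level, stanzas); stanzas maps e.g. 'line vty 0 4' to the
    list of indented sub-commands beneath it.
    """
    top_level, stanzas, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank lines and IOS comments
        if raw[0] == " ":
            if current is not None:       # indented line belongs to the open stanza
                stanzas[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            stanzas.setdefault(current, [])
        else:
            current = None                # any other top-level command closes the stanza
            top_level.append(cmd)
    return top_level, stanzas


def audit_ssh_config(config):
    """Return a list of findings; an empty list means the SSH-only recipe is complete."""
    top_level, stanzas = parse_line_blocks(config)
    findings = []

    hostnames = [c.split(None, 1)[1] for c in top_level if c.startswith("hostname ")]
    if not hostnames or hostnames[-1] in ("Router", "Switch"):
        findings.append("hostname: still the factory default; the RSA key name is built from it")
    if not any(c.startswith("ip domain-name ") for c in top_level):
        findings.append("ip domain-name: missing; 'crypto key generate rsa' needs it")
    if "ip ssh version 2" not in top_level:
        findings.append("ip ssh version 2: not set; the device may still accept SSHv1")
    for c in top_level:
        if c.startswith("username ") and " password " in c:
            findings.append(f"username {c.split()[1]}: stored with 'password' (reversible type 7); use 'secret'")

    vty = {name: cmds for name, cmds in stanzas.items() if name.startswith("line vty")}
    if not vty:
        findings.append("line vty: no vty stanza found; remote login is unconfigured")
    for name, cmds in vty.items():
        login = [c for c in cmds if c == "login" or c.startswith("login ")]
        if not login:
            findings.append(f"{name}: no login method configured")
        elif login[-1] == "login":      # bare 'login' = shared line password, no usernames
            findings.append(f"{name}: plain 'login' uses the line password; use 'login local' or an AAA list")
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append(f"{name}: no explicit 'transport input'; the image default applies, set 'transport input ssh'")
        else:
            allowed = set(transport[-1].split()[2:])   # last one wins, as in IOS
            if allowed & {"telnet", "all"}:
                allowed_str = " ".join(sorted(allowed))
                findings.append(f"{name}: 'transport input {allowed_str}' still permits telnet")
    return findings


def is_ssh_only(config):
    """True when the config passes every check."""
    return not audit_ssh_config(config)


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("partial", PARTIAL_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_ssh_config(cfg) or ["OK"])
```

Feed it the output of "show running-config" captured over your existing session before you type "transport input ssh"; every finding it prints is a line you would otherwise have to eyeball, and the vty 5 15 case in PARTIAL_CONFIG is exactly the gap that leaves telnet open on a device whose owner believes it is SSH-only.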