Configure SSH v2 in Cisco IOS

Set the device’s hostname
hostname hercules

Set the device's domain name. Generating an RSA key requires one, because the key pair is named after the hostname and domain.
ip domain-name

Check whether SSH is already running
show ip ssh

Generate an RSA key
crypto key generate rsa

You will get something like the following:

hercules(config)#crypto key generate rsa
The name for the keys will be
Choose the size of key modulus in the range of 360 to 4096 for your
General Purpose Keys.  Choosing a key modulus greater than 512 may take a few minutes

How many bits in the modulus [512]: 2048
%Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)


If you skipped the ip domain-name, you will get the following:
% Please define a domain-name first.

Or you can use a more specific form of the command that sets the key type and modulus size directly, so you are not prompted for them:
crypto key generate rsa general-keys modulus 2048

hercules(config)#crypto key generate rsa general-keys modulus 2048
The name for the keys will be:

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

*Apr 12 05:12:36.775: %SSH-5-ENABLED: SSH 2.0 has been enabled

At this point, if show ip ssh reports version 1.99, the device supports and runs both SSH versions 1 and 2. Note that 1.99 is not an actual version but a marker that identifies backwards compatibility. SSH version 1 has known protocol weaknesses, which is why the next step restricts the device to version 2.

To run only version 2
ip ssh version 2

Set up a local user. Use secret rather than password so the credential is stored as a hash instead of a reversible string.
username elton privilege 15 secret cisco

A few more commands. These go under the VTY lines; login local makes remote logins authenticate against the local user database, and transport input controls which protocols may connect:

line vty 0 4
  login local

Allow only SSH
transport input ssh

Allow both SSH and telnet
transport input ssh telnet
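To check that the steps above actually landed on a device, the following added example (not part of the original article) audits the text of show running-config for the settings this article configures: a domain name, ip ssh version 2, local users defined with secret rather than password, and VTY lines with login local and transport input ssh. The two sample configurations are constructed for the example; the hostname and username are taken from the article, the domain and secret hash are placeholders.

```python
"""Audit a Cisco IOS running-config for the SSH v2 hardening steps in this article.

Added example, not code from the original page. Parses the text of
`show running-config` and reports which hardening settings are missing.
"""
import re

# Constructed sample: a device that still allows Telnet and SSH v1,
# with a user whose credential is stored as a reversible 'password'.
WEAK_CONFIG = """\
hostname hercules
ip domain-name example.test
username elton privilege 15 password 0 cisco
line vty 0 4
 login
 transport input ssh telnet
"""

# Constructed sample: the same device after the steps in this article
# (the secret hash is a placeholder, not a real IOS hash).
HARDENED_CONFIG = """\
hostname hercules
ip domain-name example.test
ip ssh version 2
username elton privilege 15 secret 5 $1$placeholder
line vty 0 4
 login local
 transport input ssh
"""


def parse_vty_lines(config):
    """Return a list of (line-range, [sub-commands]) for each 'line vty' block."""
    blocks = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())  # indented line belongs to the block
        else:
            current = None  # any other top-level command ends the block
    return blocks


def audit_ssh_config(config):
    """Return a list of findings (strings); an empty list means all checks passed."""
    findings = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("no ip domain-name: RSA key generation will fail")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set: SSH v1 (version 1.99) still accepted")
    for m in re.finditer(r"^username (\S+) .*\bpassword\b", config, re.M):
        findings.append(f"user {m.group(1)} uses 'password' instead of 'secret'")
    vty_blocks = parse_vty_lines(config)
    if not vty_blocks:
        findings.append("no line vty block found")
    for name, cmds in vty_blocks:
        if "login local" not in cmds:
            findings.append(f"{name}: login local missing (local users not enforced)")
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append(f"{name}: transport input not explicitly restricted to ssh")
        elif any("telnet" in c or c.endswith(" all") for c in transport):
            findings.append(f"{name}: '{transport[0]}' still allows Telnet")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_ssh_config(cfg) or ["OK: all SSH hardening checks passed"]:
            print("  " + finding)
```

Run it against the output of show running-config saved to a file and it prints one line per missing setting; the weak sample produces four findings and the hardened sample none. The parser treats any indented line after line vty as part of that block, which matches how IOS prints sub-commands.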

A few ways to verify

Check if the SSH service is running on the device
show ip ssh

Check who is logged in

Check the SSH port
show control-plane host open-ports

hercules#show control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
 tcp                        *:23                         *:0                   Telnet   LISTEN

Check active TCP sessions. These are not TCP flows transiting the router but connections terminated at the router itself, such as the SSH session shown below.
show tcp

hercules#show tcp

tty194, virtual tty from host Achilles
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host:, Local port: 22
Foreign host:, Foreign port: 2326
Connection tableid (VRF): 0

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x1838E4):
Timer          Starts    Wakeups            Next
Retrans            13          0             0x0
TimeWait            0          0             0x0
AckHold             9          0             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss: 1184651233  snduna: 1184653125  sndnxt: 1184653125     sndwnd:  17104
irs: 3330383746  rcvnxt: 3330385707  rcvwnd:       3800  delrcvwnd:    328

SRTT: 247 ms, RTTO: 663 ms, RTV: 416 ms, KRTT: 0 ms
minRTT: 4 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: passive open, active open
Option Flags: 0x1000000
IP Precedence value : 6

TCB is waiting for TCP Process (55)

Datagrams (max data segment is 1460 bytes):
Rcvd: 20 (out of order: 0), with data: 12, total data bytes: 1960
Sent: 17 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 14, total data bytes: 1891
 Packets received in fast path: 0, fast processed: 0, slow path: 0
 fast lock acquisition failures: 0, slow path: 0
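The verification commands above are easy to read by hand on one device but tedious across many. The following added example (not part of the original article) parses constructed samples of show ip ssh and show control-plane host open-ports output, modelled on the listings above, and flags the two conditions a defender cares about: SSH still reporting version 1.99 (SSH v1 accepted) and Telnet still listening on tcp/23. The sample outputs are constructed for the example.

```python
"""Flag SSH-v1 compatibility and Telnet exposure from Cisco IOS show output.

Added example, not code from the original page. The show outputs below are
constructed samples in the format the article's listings use.
"""
import re

# Constructed `show ip ssh` sample from a device that still accepts SSH v1.
SHOW_IP_SSH_COMPAT = """\
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
"""

# Constructed `show ip ssh` sample after `ip ssh version 2`.
SHOW_IP_SSH_V2 = """\
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
"""

# Constructed `show control-plane host open-ports` samples.
OPEN_PORTS_SSH_AND_TELNET = """\
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
 tcp                        *:23                         *:0                   Telnet   LISTEN
"""

OPEN_PORTS_SSH_ONLY = """\
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
"""


def ssh_version(show_ip_ssh):
    """Return the version string from `show ip ssh` ('1.99', '2.0', ...), or None if SSH is not enabled."""
    m = re.search(r"SSH Enabled - version (\S+)", show_ip_ssh)
    return m.group(1) if m else None


def listening_services(open_ports):
    """Return {(proto, port): service} for every row in LISTEN state."""
    listening = {}
    for line in open_ports.splitlines():
        parts = line.split()
        # Data rows have exactly five columns: proto, local, foreign, service, state.
        if len(parts) == 5 and parts[4] == "LISTEN":
            proto, local, service = parts[0], parts[1], parts[3]
            port = int(local.rsplit(":", 1)[1])  # '*:22' -> 22
            listening[(proto, port)] = service
    return listening


def check_remote_access(show_ip_ssh, open_ports):
    """Return findings (strings) for the two show outputs; empty means the device looks right."""
    findings = []
    version = ssh_version(show_ip_ssh)
    if version is None:
        findings.append("SSH not enabled: generate RSA keys first")
    elif version == "1.99":
        findings.append("SSH version 1.99: SSH v1 still accepted, set 'ip ssh version 2'")
    services = listening_services(open_ports)
    if ("tcp", 23) in services:
        findings.append("Telnet listening on tcp/23: cleartext management, restrict 'transport input ssh'")
    if ("tcp", 22) not in services:
        findings.append("nothing listening on tcp/22")
    return findings


if __name__ == "__main__":
    print(check_remote_access(SHOW_IP_SSH_COMPAT, OPEN_PORTS_SSH_AND_TELNET))
    print(check_remote_access(SHOW_IP_SSH_V2, OPEN_PORTS_SSH_ONLY))
```

Feed it the captured output of the two show commands from each device; a device configured as described in this article returns no findings, while one that skipped ip ssh version 2 and still allows Telnet returns both.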
