Set the device’s hostname
hostname hercules
Set the device’s domain name. Generating an RSA key requires one, because the key is labelled hostname.domain-name.
ip domain-name routers.eltonoverip.com
Check to see if SSH is already running
show ip ssh
Generate an RSA key. Do not accept the 512-bit default; use at least 2048 bits.
crypto key generate rsa
You will get something like the following:
hercules(config)#crypto key generate rsa
The name for the keys will be hercules.routers.eltonoverip.com
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 2048
%Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
hercules(config)#
If you skipped ip domain-name whateverdomain.com, you will get the following instead:
% Please define a domain-name first.
Or, in a single command, give the key type and modulus size and skip the prompt:
crypto key generate rsa general-keys modulus 2048
hercules(config)#crypto key generate rsa general-keys modulus 2048
The name for the keys will be: hercules.eltonoverip.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
*Apr 12 05:12:36.775: %SSH-5-ENABLED: SSH 2.0 has been enabled
At this point show ip ssh reports version 1.99. That is not a real protocol version; it is the compatibility marker meaning the server accepts both version 1 and version 2 clients.
http://en.wikipedia.org/wiki/Secure_Shell#Version_1.99
To run only version 2, which you should, because SSH version 1 has known protocol weaknesses (show ip ssh will then report version 2.0)
ip ssh version 2
Set up a local user. Use secret rather than password so the credential is stored as a hash instead of a reversible type 7 string; elton and cisco are placeholders here, and privilege 15 puts the user straight into privileged EXEC on login.
username elton privilege 15 secret cisco
A few more commands, applied to the vty lines. login local authenticates against the local user database just created.
line vty 0 4
login local
Allow only SSH
transport input ssh
Allow both SSH and telnet (telnet is cleartext, so use this only while migrating clients off it)
transport input ssh telnet
A few ways to verify
Check if the SSH service is running on the device
show ip ssh
Check who is logged in
who
Check the listening management ports. SSH-Server on 22 is what you want to see; Telnet on 23 is the cleartext service you are replacing.
show control-plane host open-ports
hercules#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
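An added example, not part of the original post: a small POSIX sh audit over the kind of output shown above (show ip ssh, show control-plane host open-ports) and over the SSH identification string a client sees when it connects. The sample text is constructed here to match the output format in this post, and the function names are mine. The banner can be captured with ssh -v against the router; OpenSSH logs a "Remote protocol version ..." debug line, and the software part of the string (Cisco-1.25 below) is an assumption that varies by IOS release.

```shell
#!/bin/sh
# Added example: offline checks over captured IOS output and an SSH
# identification string. Nothing here talks to a router.

# Classify an SSH server identification string ("SSH-protoversion-software").
# 1.99 is the compatibility marker: the server still speaks v1 as well as v2.
classify_ssh_banner() {
  case "$1" in
    SSH-1.99-*)   echo "v1+v2" ;;
    SSH-2.0-*)    echo "v2-only" ;;
    SSH-1.[0-9]*) echo "v1-only" ;;
    *)            echo "unknown" ;;
  esac
}

# Pull the protocol version out of `show ip ssh` output.
# Expected first line: "SSH Enabled - version 1.99" (or "version 2.0").
# Prints nothing if SSH is not enabled.
ssh_version_from_show() {
  printf '%s\n' "$1" | awk '/^SSH Enabled/ { print $5; exit }'
}

# From `show control-plane host open-ports` output, print the service name of
# any Telnet (tcp/23) listener. Returns 0 when none is found, 1 when one is.
cleartext_listeners() {
  printf '%s\n' "$1" | awk '
    $1 == "tcp" && $5 == "LISTEN" && $2 ~ /:23$/ { print $4; found = 1 }
    END { exit (found ? 1 : 0) }'
}

# PASS only if the server is v2-only and no Telnet listener remains.
ssh_hardening_verdict() {
  banner_class=$(classify_ssh_banner "$1")
  if [ "$banner_class" = "v2-only" ] && cleartext_listeners "$2" >/dev/null; then
    echo PASS
  else
    echo FAIL
  fi
}

# Constructed sample output, shaped like the output shown in this post.
SAMPLE_SHOW_IP_SSH='SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3'

SAMPLE_OPEN_PORTS='Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN'

SAMPLE_OPEN_PORTS_CLEAN='Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN'

# Assumed banner; the Cisco-1.25 software string varies by IOS release.
SAMPLE_BANNER='SSH-1.99-Cisco-1.25'

echo "banner $SAMPLE_BANNER -> $(classify_ssh_banner "$SAMPLE_BANNER")"
echo "show ip ssh reports version $(ssh_version_from_show "$SAMPLE_SHOW_IP_SSH")"
if cleartext_listeners "$SAMPLE_OPEN_PORTS"; then
  echo "no Telnet listener"
else
  echo "Telnet listener above is still accepting cleartext logins"
fi
echo "verdict: $(ssh_hardening_verdict "$SAMPLE_BANNER" "$SAMPLE_OPEN_PORTS")"
```

Feed it the real output after applying ip ssh version 2 and transport input ssh, then check again: the banner should classify as v2-only, and the verdict only passes once no Telnet listener is reported.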
Check active TCP sessions. These are sessions terminated on the router itself (here a client at 10.42.21.81 connected to port 22), not traffic passing through it.
show tcp
hercules#show tcp
tty194, virtual tty from host Achilles
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host: 10.42.21.109, Local port: 22
Foreign host: 10.42.21.81, Foreign port: 2326
Connection tableid (VRF): 0
Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)
Event Timers (current time is 0x1838E4):
Timer          Starts    Wakeups            Next
Retrans            13          0             0x0
TimeWait            0          0             0x0
AckHold             9          0             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0
iss: 1184651233 snduna: 1184653125 sndnxt: 1184653125 sndwnd: 17104
irs: 3330383746 rcvnxt: 3330385707 rcvwnd: 3800 delrcvwnd: 328
SRTT: 247 ms, RTTO: 663 ms, RTV: 416 ms, KRTT: 0 ms
minRTT: 4 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: passive open, active open
Option Flags: 0x1000000
IP Precedence value : 6
TCB is waiting for TCP Process (55)
Datagrams (max data segment is 1460 bytes):
Rcvd: 20 (out of order: 0), with data: 12, total data bytes: 1960
Sent: 17 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 14, total data bytes: 1891
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
hercules#