{"id":211,"date":"2015-01-15T16:24:32","date_gmt":"2015-01-15T16:24:32","guid":{"rendered":"http:\/\/eltonoverip.com\/blog\/?p=211"},"modified":"2015-01-17T19:17:07","modified_gmt":"2015-01-17T19:17:07","slug":"configure-ssh-v2-in-cisco-ios","status":"publish","type":"post","link":"https:\/\/eltonoverip.com\/blog\/2015\/01\/configure-ssh-v2-in-cisco-ios\/","title":{"rendered":"Configure SSH v2 in Cisco IOS"},"content":{"rendered":"<p>Set the device&#8217;s hostname<br \/>\n<code>hostname hercules<\/code><\/p>\n<p>Set the device&#8217;s membership to a domain.  Generating an RSA key requires a domain name.<br \/>\n<code>ip domain-name routers.eltonoverip.com<\/code><\/p>\n<p>Check to see if SSH is already running<br \/>\n<code>show ip ssh<\/code><\/p>\n<p>Generate an RSA key<br \/>\n<code>crypto key generate rsa<\/code><\/p>\n<p>You will get something like the following:<\/p>\n<pre>\r\n<code>\r\nhercules(config)#crypto key generate rsa\r\nThe name for the keys will be hercules.routers.eltonoverip.com\r\nChoose the size of key modules in the range of 360 to 4096 for your\r\nGeneral Purpose Keys.  
Choosing a key modulus greater than 512 may take a few minutes\r\n\r\nHow many bits in the modulus [512]: 2048\r\n%Generating 2048 bit RSA keys, keys will be non-exportable...\r\n[OK] (elapsed time was 0 seconds)\r\n\r\nhercules(config)#\r\n<\/code>\r\n<\/pre>\n<p>If you skipped the <code>ip domain-name whateverdomain.com<\/code> step, you will get the following:<br \/>\n<code>% Please define a domain-name first.<\/code><\/p>\n<p>Or you can use a more specific command that sets the modulus size up front<br \/>\n<code>crypto key generate rsa general-keys modulus 2048<\/code><\/p>\n<pre>\r\n<code>\r\nhercules(config)#crypto key generate rsa general-keys modulus 2048\r\nThe name for the keys will be: hercules.eltonoverip.com\r\n\r\n% The key modulus size is 2048 bits\r\n% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]\r\n\r\n*Apr 12 05:12:36.775: %SSH-5-ENABLED: SSH 2.0 has been enabled\r\n<\/code>\r\n<\/pre>\n<p>At this point, if the output of <code>show ip ssh<\/code> shows version 1.99, the device supports and runs both versions 1 and 2.  
Note that 1.99 is not an actual protocol version but a marker the server advertises to signal backward compatibility with both.<\/p>\n<p><a href=\"http:\/\/en.wikipedia.org\/wiki\/Secure_Shell#Version_1.99\" title=\"SSH version 1.99\">http:\/\/en.wikipedia.org\/wiki\/Secure_Shell#Version_1.99<\/a><\/p>\n<p>To run only version 2<br \/>\n<code>ip ssh version 2<\/code><\/p>\n<p>Set up a local user<br \/>\n<code>username elton privilege 15 secret cisco<\/code><\/p>\n<p>A few more commands, applied to the VTY lines<\/p>\n<pre>\r\n<code>\r\nline vty 0 4\r\n  login local\r\n<\/code>\r\n<\/pre>\n<p>Allow only SSH on those lines<br \/>\n<code>transport input ssh<\/code><\/p>\n<p>Allow both SSH and telnet<br \/>\n<code>transport input ssh telnet<\/code><\/p>\n<p>A few ways to verify<\/p>\n<p>Check if the SSH service is running on the device<br \/>\n<code>show ip ssh<\/code><\/p>\n<p>Check who is logged in<br \/>\n<code>who<\/code><\/p>\n<p>Check the SSH port<br \/>\n<code>show control-plane host open-ports<\/code><\/p>\n<pre>\r\n<code>\r\nhercules#show control-plane host open-ports\r\nActive internet connections (servers and established)\r\nProt               Local Address             Foreign Address                  Service    State\r\n tcp                        *:22                         *:0               SSH-Server   LISTEN\r\n tcp                        *:23                         *:0                   Telnet   LISTEN\r\n<\/code>\r\n<\/pre>\n<p>Check active TCP sessions.  
These are not TCP flows transiting the router but sessions terminated on the router itself.<br \/>\n<code>show tcp<\/code><\/p>\n<pre>\r\n<code>\r\nhercules#show tcp\r\n\r\ntty194, virtual tty from host Achilles\r\nConnection state is ESTAB, I\/O status: 1, unread input bytes: 0\r\nConnection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255\r\nLocal host: 10.42.21.109, Local port: 22\r\nForeign host: 10.42.21.81, Foreign port: 2326\r\nConnection tableid (VRF): 0\r\n\r\nEnqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)\r\n\r\nEvent Timers (current time is 0x1838E4):\r\nTimer          Starts    Wakeups            Next\r\nRetrans            13          0             0x0\r\nTimeWait            0          0             0x0\r\nAckHold             9          0             0x0\r\nSendWnd             0          0             0x0\r\nKeepAlive           0          0             0x0\r\nGiveUp              0          0             0x0\r\nPmtuAger            0          0             0x0\r\nDeadWait            0          0             0x0\r\nLinger              0          0             0x0\r\nProcessQ            0          0             0x0\r\n\r\niss: 1184651233  snduna: 1184653125  sndnxt: 1184653125     sndwnd:  17104\r\nirs: 3330383746  rcvnxt: 3330385707  rcvwnd:       3800  delrcvwnd:    328\r\n\r\nSRTT: 247 ms, RTTO: 663 ms, RTV: 416 ms, KRTT: 0 ms\r\nminRTT: 4 ms, maxRTT: 300 ms, ACK hold: 200 ms\r\nStatus Flags: passive open, active open\r\nOption Flags: 0x1000000\r\nIP Precedence value : 6\r\n\r\nTCB is waiting for TCP Process (55)\r\n\r\nDatagrams (max data segment is 1460 bytes):\r\nRcvd: 20 (out of order: 0), with data: 12, total data bytes: 1960\r\nSent: 17 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 14, total data bytes: 1891\r\n Packets received in fast path: 0, fast processed: 0, slow path: 0\r\n fast lock acquisition failures: 0, slow path: 
0\r\nhercules#<\/code>\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Set the device&#8217;s hostname hostname hercules Set the device&#8217;s membership to a domain. Generating an RSA key requires a domain name. ip domain-name routers.eltonoverip.com Check to see if SSH is already running show ip ssh Generate an RSA key crypto key generate rsa You will get something like the following: hercules(config)#crypto key generate rsa The [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,12],"tags":[],"class_list":["post-211","post","type-post","status-publish","format-standard","hentry","category-cisco","category-ios"],"_links":{"self":[{"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/posts\/211","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/comments?post=211"}],"version-history":[{"count":17,"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/posts\/211\/revisions"}],"predecessor-version":[{"id":479,"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/posts\/211\/revisions\/479"}],"wp:attachment":[{"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/media?parent=211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/categories?post=211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/tags?post=211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}