Enabling Secure access with SSH

From Peter Pap's Technowiki

To enable SSH access to a switch, you first need to make sure an IOS crypto image is installed on the switch. I usually do not configure SSH or telnet on my switches. Being a paranoid Sys Admin, I prefer my switches to only be accessible from a console switch on a secure management network. That being said, it's sometimes handy to have SSH enabled on a switch. Here's how you do it.

1. Set a hostname and default domain

  conf t
  hostname somehostname
  ip domain-name somedomain.com

2. Generate the crypto keys

  cry key generate rsa

Choose a modulus of at least 1024 bits!

3. Set SSH parameters

  ip ssh time-out 60
  ip ssh authentication-retries 2

4. Create a username and password to log on with

  aaa new-model
  aaa authentication login local_auth local
  username someuser secret somepassword

5. Enable SSH and disable telnet

  line vty 0 4
  login authentication local_auth
  transport input ssh
  line vty 5 15
  transport input ssh
  login authentication local_auth
  end

6. Write your changes to flash

  wr mem
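As an added check that is not part of the original page, the following Python audits a saved `show running-config` against the steps above: hostname and domain name, the `ip ssh` parameters, AAA with a local login list, a `secret` (hashed) user, and every vty line restricted to `transport input ssh`. The config text is constructed, not captured from a real switch, and the RSA key itself does not appear in a running-config, so step 2 is not checked here.

```python
import re

# Constructed sample of `show running-config` output (not from a real device).
# "line vty 5 15" deliberately still accepts telnet so the audit flags it.
SAMPLE_CONFIG = """\
hostname somehostname
ip domain-name somedomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
aaa new-model
aaa authentication login local_auth local
username someuser secret 5 $1$abcd$PLACEHOLDERHASH
line con 0
line vty 0 4
 login authentication local_auth
 transport input ssh
line vty 5 15
 transport input telnet ssh
 login authentication local_auth
"""

def parse_vty_sections(config):
    """Map each 'line vty A B' block to its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            name = raw[5:].strip()
            current = sections.setdefault(name, []) if name.startswith("vty") else None
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
    return sections

def audit_ssh_config(config):
    """Return {check_name: passed} for each step of the procedure above."""
    lines = [l.strip() for l in config.splitlines()]

    def has(pattern):
        return any(re.fullmatch(pattern, l) for l in lines)

    results = {
        "hostname": has(r"hostname \S+"),
        "domain_name": has(r"ip domain-name \S+"),
        "ssh_timeout": has(r"ip ssh time-out \d+"),
        "ssh_retries": has(r"ip ssh authentication-retries [0-5]"),
        "aaa_new_model": "aaa new-model" in lines,
        "aaa_login_list": has(r"aaa authentication login \S+ local"),
        # `username ... secret` stores a hash; `username ... password` is reversible.
        "user_secret": has(r"username \S+ secret .*"),
    }
    vty = parse_vty_sections(config)
    results["vty_present"] = bool(vty)
    for name, cmds in vty.items():
        # Exactly "transport input ssh": any extra protocol (telnet) fails the check.
        results[f"{name} ssh_only"] = "transport input ssh" in cmds
        results[f"{name} uses_aaa_list"] = any(c.startswith("login authentication ") for c in cmds)
    return results

def ssh_hardened(config):
    """True only when every check in audit_ssh_config passes."""
    return all(audit_ssh_config(config).values())
```

Feed it the output of `show running-config` saved to a file; any check that comes back `False` names the step that still needs attention.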