11-7. SSH Telnet Configuration

Telnet connections to the switch take place over TCP port 23 and are transmitted in plain text. If someone with a network analyzer captures packets going to a server, they can see the data transmitted in plain text, including the passwords. Secure Shell (SSH) is a method of communicating through Telnet that encrypts packets before they are transmitted between devices. SSH runs on TCP port 22 between an SSH-compatible client and a device configured to accept SSH connections. Cisco switches support SSH version 1 only. To implement SSH on your switch, the switch must be running a crypto-capable (encryption-enabled) software image. By default, SSH is disabled on the switch and must be enabled before clients can connect.

Configuration

To provide secure Telnet communications between the switch and an SSH Telnet client, you must configure the switch to allow SSH connectivity. The following commands outline the configuration steps to activate SSH.

1. Set the crypto key:
   COS: set crypto key rsa number
   IOS: (global) crypto key generate rsa

   Before you can configure SSH, you must allow the switch to generate a key for encoding the data. The crypto key rsa command generates that key. For COS switches, the number option specifies the modulus length; for IOS, you are prompted for a value. The greater the length, the stronger the encryption. The recommended modulus is 1024 or greater.
2. Specify the devices allowed to SSH:

   COS: set ip permit address mask ssh
   IOS: N/A
   For the COS switches, SSH access is controlled with IP permit lists. To enable the process, you must first specify who will be allowed to Telnet to the switch using SSH. If you don't want to restrict access to any particular address or range of addresses with this command, enter any address with a mask of 0.0.0.0 to allow anyone to use the SSH process.
3. Enable the SSH permit list:

   COS: set ip permit enable ssh
   IOS: (global) ip ssh
   To actually enable the SSH process, use the command set ip permit enable ssh on a COS switch. This command allows the IP addresses specified in Step 2 to attach to the SSH Telnet process. For an IOS switch, turn on SSH with the global command ip ssh.
Verification

To verify the configuration of SSH, use the following commands:

   COS: show ip permit
   IOS: show ip ssh
Feature Example

This example shows the configuration that allows any device to access the switch using SSH. The RSA modulus for the switch is set to 1024.

An example of the Catalyst OS configuration follows:

   Catalyst (enable)>set crypto key rsa 1024
   Catalyst (enable)>set ip permit 0.0.0.0 0.0.0.0 ssh
   Catalyst (enable)>set ip permit enable ssh

An example of the Supervisor IOS configuration follows:

   Switch(config)#crypto key generate rsa
   Enter modulus:1024
   Switch(config)#ip ssh
   Switch(config)#end
   Switch#copy running-config startup-config
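As an added example (not code from the book or from Cisco), the following Python script audits configuration transcripts like the ones above against the three requirements this section sets out: an RSA key with a modulus of at least 1024, SSH enabled, and a permit list that is not wide open (the 0.0.0.0 mask used in the feature example lets any source reach the SSH process, which is worth flagging on a production switch). The line patterns it matches and the sample transcripts are constructed for this example from the command syntax shown on the page; real `show config` output may differ.

```python
"""
Audit Catalyst SSH configuration transcripts (COS and IOS) for the
requirements in section 11-7. Added example; the patterns and samples
below are assumptions modelled on the commands shown in the section.
"""
import re
from typing import List

MIN_MODULUS = 1024  # recommended minimum RSA modulus from the section

# Constructed sample transcripts, copied from the feature example.
COS_CONFIG = """\
set crypto key rsa 1024
set ip permit 0.0.0.0 0.0.0.0 ssh
set ip permit enable ssh
"""

IOS_CONFIG = """\
crypto key generate rsa
Enter modulus:1024
ip ssh
end
"""


def audit_cos(config: str) -> List[str]:
    """Return a list of findings for a Catalyst OS configuration transcript."""
    findings: List[str] = []

    # Step 1: an RSA key must exist and be long enough.
    key = re.search(r"^set crypto key rsa (\d+)", config, re.M)
    if key is None:
        findings.append("no RSA key generated (set crypto key rsa)")
    elif int(key.group(1)) < MIN_MODULUS:
        findings.append(f"RSA modulus {key.group(1)} below {MIN_MODULUS}")

    # Step 3: the permit list must actually be enabled for SSH.
    if re.search(r"^set ip permit enable ssh\s*$", config, re.M) is None:
        findings.append("SSH permit list not enabled (set ip permit enable ssh)")

    # Step 2: permit entries define who may connect; a 0.0.0.0 mask
    # means anyone (as the section explains).
    permits = re.findall(r"^set ip permit (\S+) (\S+) ssh\s*$", config, re.M)
    if not permits:
        findings.append("no SSH permit entries; no client can connect")
    for addr, mask in permits:
        if mask == "0.0.0.0":
            findings.append(f"permit entry {addr} {mask} allows any source to use SSH")
    return findings


def audit_ios(config: str) -> List[str]:
    """Return a list of findings for a Supervisor IOS configuration transcript."""
    findings: List[str] = []

    # Step 1: key generation, with the modulus answered at the prompt.
    if re.search(r"^crypto key generate rsa", config, re.M) is None:
        findings.append("no RSA key generated (crypto key generate rsa)")
    else:
        mod = re.search(r"Enter modulus:\s*(\d+)", config)
        if mod is not None and int(mod.group(1)) < MIN_MODULUS:
            findings.append(f"RSA modulus {mod.group(1)} below {MIN_MODULUS}")

    # Step 3: SSH must be switched on globally.
    if re.search(r"^ip ssh\b", config, re.M) is None:
        findings.append("SSH not enabled (ip ssh)")
    return findings


if __name__ == "__main__":
    for name, result in (("COS", audit_cos(COS_CONFIG)), ("IOS", audit_ios(IOS_CONFIG))):
        print(f"{name}: {'OK' if not result else ''}")
        for item in result:
            print(f"  - {item}")
```

Run against the feature example, the COS audit reports only the open permit entry and the IOS audit reports nothing, which matches the section's intent of allowing any device to connect; tightening the permit address and mask in the COS transcript clears that finding.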