Configuring a network device to use SSH requires that an administrator perform the following basic steps for each network device that is to be SSH enabled:

  • Enable the SSH transport support for the virtual-terminal connections.

  • Generate a public/private key pair.

    The public key of the generated public/private key pair is referred to as the “public host key” or just “host key.”

    To configure the SSH server on a Cisco device:

    1. Ensure that the device has a session password and a privileged-mode enable password.

      For example:

      Router> enable

      Router# configure terminal

      Router(config)# line vty 0 4

      Router(config-line)# password secret

      Router(config-line)# login

      Router(config-line)# exit

      Router(config)# enable password secret

      Router(config)# exit

      Router#

    2. Verify that the device supports the SSH server feature.

      Run the following command to display the loaded IOS software image:

      Router# show flash

      or, on Cisco IOS 12.3:

      Router# show flash:

      The SSH server feature for SSH1 support is available in the following Cisco IOS release trains: 12.0S, 12.0ST, 12.1T, 12.1E, 12.2, 12.2T, and 12.2S. The SSH server feature for SSH2 support is available in the following Cisco IOS release trains: 12.3(4)T, 12.3(2)XE, 12.2(25)S, and 12.3(7)JA.

      The Cisco IOS Configuration Fundamentals and Network Management Configuration Guide provides information about downloading an IOS software image.

    3. Ensure that the device has a hostname and a properly configured host domain.

      For example:

      Router# configure terminal

      Router(config)# hostname ciscosystem

      ciscosystem(config)# ip domain-name cisco.com

      The hostname is the name of the device, and the domain name is the host domain that the device services. The IOS software uses the domain name to complete unqualified hostnames.

    4. For Cisco IOS release train 12.0S, 12.0ST, 12.1T, 12.1E, 12.2, 12.2T, or 12.2S, enable the SSH server by generating an RSA key pair.

      For example:

      ciscosystem(config)# crypto key generate rsa

      Generating an RSA key pair automatically enables the SSH server. Deleting the RSA key pair, by entering the crypto key zeroize rsa command, automatically disables the SSH server.

    5. For Cisco IOS release train 12.3(4)T, 12.3(2)XE, 12.2(25)S, or 12.3(7)JA, enable the SSH server by generating a DSA key pair.

      For example:

      ciscosystem(config)# crypto key generate dsa

      Generating a DSA key pair automatically enables the SSH server. Deleting the DSA key pair, by entering the crypto key zeroize dsa command, automatically disables the SSH server.

    6. Configure Authentication, Authorization, and Accounting (AAA) for SSH client access control.

      When configuring AAA, the administrator specifies usernames and passwords, the session timeout, and the number of retries allowed during an SSH connection attempt. For example:

      ciscosystem(config)# aaa new-model

      ciscosystem(config)# username ServerUser password 0 cisco

      ciscosystem(config)# ip ssh timeout 60

      ciscosystem(config)# ip ssh authentication-retries 3

      ciscosystem(config)# exit

      ciscosystem#

      Authentication timeout is the interval, measured in seconds, that the SSH server waits for the SSH client to respond. Authentication retries is the number of SSH client connection attempts after which the interface is reset.

      The Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference provide more information about AAA.

    7. Verify that the SSH server is enabled and view its configuration.

      To view the status, version, and configuration of the SSH server, execute the show ip ssh command. For example:

      ciscosystem# show ip ssh

      SSH Enabled - version 2.0

      Authentication timeout: 60 secs; Authentication retries: 3

    8. Force the users that were added during the AAA configuration to use SSH instead of Telnet.

      Complete this step by configuring SSH as the only input transport accepted on the virtual-terminal (vty) lines. For example:

      ciscosystem# configure terminal

      ciscosystem(config)# line vty 0 4

      ciscosystem(config-line)# transport input ssh

      ciscosystem(config-line)# exit

      ciscosystem(config)#

      The number of allowable SSH connections is limited to the maximum number of vtys that is configured for the device. Five vtys (0-4) are configured by default. Each SSH connection uses a vty resource.

    9. Optional: For Cisco IOS release train 12.3(4)T, 12.3(2)XE, 12.2(25)S, or 12.3(7)JA, specify the version of SSH to be run on the device.

      For example:

      ciscosystem(config)# ip ssh version 2

      ciscosystem(config)# exit

      ciscosystem# exit

      ciscosystem>

      By default, SSH for Cisco 12.3(4)T, 12.3(2)XE, 12.2(25)S, and 12.3(7)JA allows both SSH1 and SSH2 connections to the device. The ip ssh version 2 command restricts the connections to SSH2 only.

    10. Open the SSH server configuration file and check that password authentication is enabled:

      • For a device that is running an OpenSSH server, ensure that PasswordAuthentication is set to yes in the sshd_config file.

      • For a device that is running an SSH Secure Shell server, ensure that AllowedAuthentications is set to password in the sshd2_config file.

    11. Log out.

      ciscosystem> logout
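As an added example (not part of the original document), the following Python audit reads the text of a device's show running-config and checks the settings that steps 3, 6, 8 and 9 above put in place. The sample configuration is constructed and assumes a device set up by this procedure but with a second vty range that still accepts Telnet.

```python
import re

# Constructed sample `show running-config` excerpt (assumption: a device set up
# by steps 1-9 above, but with a second vty range that still accepts Telnet).
SAMPLE_CONFIG = """\
hostname ciscosystem
aaa new-model
username ServerUser password 0 cisco
ip domain-name cisco.com
ip ssh timeout 60
ip ssh authentication-retries 3
ip ssh version 2
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
end
"""

# Global settings the procedure requires, with the step that configures each.
REQUIRED = [
    (r"^hostname \S+$", "no hostname configured (step 3)"),
    (r"^ip domain-name \S+$", "no ip domain-name configured (step 3)"),
    (r"^aaa new-model$", "aaa new-model missing (step 6)"),
    (r"^ip ssh version 2$", "ip ssh version 2 not set; SSH1 still accepted (step 9)"),
]

def parse_vty_transports(config):
    """Map each `line vty A B` block to the set of input transports it allows."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
        if m:
            current = f"{m.group(1)}-{m.group(2) or m.group(1)}"
            result[current] = set()  # empty = no transport line, IOS default applies
        elif current and line.startswith(" transport input "):
            result[current] = set(line.split()[2:])
        elif not line.startswith(" "):
            current = None  # an unindented line ends the vty block
    return result

def audit_ssh_config(config):
    """Return findings for a running-config; an empty list means it matches the procedure."""
    findings = [msg for pat, msg in REQUIRED if not re.search(pat, config, re.M)]
    for vty, transports in parse_vty_transports(config).items():
        if transports != {"ssh"}:
            allowed = " ".join(sorted(transports)) or "default (all)"
            findings.append(f"line vty {vty}: transport input {allowed}, not ssh only (step 8)")
    return findings
```

Run audit_ssh_config against a saved show running-config to confirm that every vty range, not only vty 0 4, is restricted to SSH and that SSH1 fallback is disabled.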