Remote access via SSH

The legacy protocol for managing devices remotely is Telnet. Telnet is not secure: the data in a Telnet packet is transmitted unencrypted, so anyone who can capture the traffic with a tool such as Wireshark can "sniff" the session and recover the password. For this reason, it is highly recommended to enable SSH on devices for secure remote access. A Cisco device can be configured to support SSH in four steps, as shown in the figure.

Step 1. Ensure that the router has a unique host name, and then configure the IP domain name of the network using the ip domain-name domain-name command in global configuration mode.

Step 2. An RSA key pair must be generated before the router can encrypt SSH traffic; this key is what is actually used to encrypt and decrypt the data. To create the key, use the crypto key generate rsa general-keys modulus modulus-size command in global configuration mode. The specific meaning of the various parts of this command is complex and out of scope for this course; for now, just note that the modulus determines the size of the key and can be configured from 360 bits to 2048 bits. The larger the modulus, the more secure the key, but the longer it takes to encrypt and decrypt information. The minimum recommended modulus length is 1024 bits.

Router(config)# crypto key generate rsa general-keys modulus 1024

Step 3. Create a local database username entry using the username name secret secret global configuration command.

Step 4. Enable vty inbound SSH sessions using the line vty commands login local and transport input ssh.

The router SSH service can now be accessed using SSH client software.
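To check that a router actually meets the four steps above, the following added example (not part of the course material) audits a saved copy of "show running-config" for a host name that is not the default, an ip domain-name, a local user with a secret, and vty lines that use login local with transport input ssh only. The sample configuration is constructed for illustration; the RSA key pair from Step 2 is not visible in the running-config and is not checked here.

```python
"""Audit a Cisco IOS running-config for the SSH prerequisites (added example)."""
import re

# Constructed sample of "show running-config" output; not taken from a real device.
# The second vty range deliberately still allows Telnet so the audit has something to flag.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name example.com
username admin secret 5 $1$placeholder$hash
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
"""

def parse_vty_lines(config):
    """Return {vty range: {'login_local': bool, 'transport': [...]}} per 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw[len("line vty"):].strip()
            blocks[current] = {"login_local": False, "transport": []}
        elif raw.startswith(" ") and current is not None:   # indented line inside the block
            stmt = raw.strip()
            if stmt == "login local":
                blocks[current]["login_local"] = True
            elif stmt.startswith("transport input"):
                blocks[current]["transport"] = stmt.split()[2:]
        else:                                                # any other top-level line ends the block
            current = None
    return blocks

def audit_ssh_config(config):
    """Return a list of findings; an empty list means all checked steps are satisfied."""
    findings = []
    m = re.search(r"^hostname (\S+)$", config, re.M)
    if not m or m.group(1).lower() == "router":
        findings.append("step 1: host name missing or still the default 'Router'")
    if not re.search(r"^ip domain-name \S+$", config, re.M):
        findings.append("step 1: ip domain-name not set (needed before generating RSA keys)")
    if not re.search(r"^username \S+ secret ", config, re.M):
        findings.append("step 3: no local user configured with a 'secret'")
    vty = parse_vty_lines(config)
    if not vty:
        findings.append("step 4: no 'line vty' configuration found")
    for rng, b in vty.items():
        if not b["login_local"]:
            findings.append(f"step 4: line vty {rng} lacks 'login local'")
        if b["transport"] != ["ssh"]:
            shown = " ".join(b["transport"]) or "unset"
            findings.append(f"step 4: line vty {rng} transport input is '{shown}', expected 'ssh'")
    return findings
```

Running audit_ssh_config(SAMPLE_CONFIG) reports only the vty 5 15 range, because it still accepts Telnet alongside SSH.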