Client Switch SSH Instructions V3a
Commands used: show version (to confirm the K9 image); verify with sh ip ssh, sh ssh and sh crypto key mypubkey rsa.
This section removes telnet access from the switch, and allows only SSH.
Steps:
1. Ensure the appropriate IOS K9 (crypto) image is loaded. If not, do not proceed until it has been successfully loaded and the switch rebooted into the K9 image. To confirm that the switch has the K9 version, the administrator should log into the switch and issue the command "show version." The System image file name should contain "K9" (see Figure 1).
2. Schedule a pending reload as a safety net, so that a mistake in the VTY configuration cannot lock you out of the switch (the usual IOS command is reload in <minutes>), then apply the initial configuration script: domain name, RSA key pair, SSH version 2, and VTY lines that still accept both telnet and SSH. The exact commands are in the Configuration Log below.
3. Verify SSH functionality by using an SSH client such as PuTTY on a workstation to open an SSH session to the switch management IP.
4. If successful, apply the remaining configuration script (transport input ssh and transport output ssh on the VTY lines) to finalize the SSH configuration. If unsuccessful, determine the reason, and do not forget about the pending reload.
5. After saving the config, verify SSH by opening a new SSH session to the client switch.
6. NOTE: DO NOT FORGET TO CANCEL THE PENDING RELOAD (reload cancel) WHEN DONE.
PuTTY Alert
If using PuTTY as your SSH client, the first time you SSH into the switch after configuring it for SSH you will get a "PuTTY Security Alert" stating that the server's host key is not cached. This is expected: PuTTY has not yet cached the RSA host key of the switch. It is also the only point at which you can catch a wrong host, so before accepting, compare the fingerprint shown in the dialog with the key the switch reports in "show crypto key mypubkey rsa". The alert should appear only the first time you open an SSH session to a given switch. If PuTTY later warns that the cached key does not match, that is expected only if the switch's RSA keys were regenerated; otherwise treat it as a possible man-in-the-middle and do not accept the new key until the mismatch is explained.
Verify:
sh ip ssh
sh ssh
sh crypto key mypubkey rsa
SSH:
You can use the privileged mode commands to view the SSH configuration and connections (if any). In the following example, the SSHv2 configuration of a Cisco 3550 switch is verified using "show ip ssh" and a single SSHv2 connection is displayed using "show ssh". The version line should read 2.0; a value of 1.99 would mean the server still accepts SSHv1 clients and "ip ssh version 2" has not taken effect. The Encryption and Hmac columns show what the client negotiated (aes256-cbc with hmac-sha1 here). Recent OpenSSH clients no longer offer CBC ciphers or the diffie-hellman-group1-sha1 key exchange by default, so if a current client is refused by an older IOS image it may need to be told to accept them explicitly (for example -o Ciphers=+aes256-cbc -o KexAlgorithms=+diffie-hellman-group1-sha1); treat that as a client-side workaround for old switch code, not a setting to leave in place.
Switch#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Switch#
Switch#sh ssh
Connection Version Mode Encryption  Hmac       State            Username
0          2.0     IN   aes256-cbc  hmac-sha1  Session started  test
0          2.0     OUT  aes256-cbc  hmac-sha1  Session started  test
%No SSHv1 server connections running.
Switch#
RSA Keys:
You can use the privileged mode command "show crypto key mypubkey rsa" to view the RSA key pair generated by the configuration script (see the Configuration Log). On a Cisco 3550 the output should list the key name given in the script, IRM2048SSH, its usage, and the public key data. This is the key whose fingerprint an SSH client asks you to confirm on first connection.
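The PuTTY alert above is a trust-on-first-use prompt, and accepting it only means something if the fingerprint in the dialog is compared with one derived from the key the switch itself reports. The script below is an added example for this page, not part of the original instructions or any Cisco tool: it parses the hex that IOS prints under "Key Data:" in "show crypto key mypubkey rsa" (a DER-encoded SubjectPublicKeyInfo), rebuilds the RFC 4253 ssh-rsa key blob, and prints the MD5 colon-hex fingerprint that older PuTTY displays and the SHA-256 base64 fingerprint that OpenSSH and current PuTTY display. The embedded sample output is constructed: the key name IRM2048SSH is taken from the configuration log, while the key data is a hand-built DER key with a 256-bit modulus standing in for a real 2048-bit key, which would be too long to embed.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, which every 2048-bit key uses
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_from_spki(der):
    """Extract (n, e) from the SubjectPublicKeyInfo that IOS prints as hex under 'Key Data:'."""
    tag, spki, _ = _tlv(der, 0)
    alg_tag, alg, pos = _tlv(spki, 0)
    oid_tag, oid, _ = _tlv(alg, 0)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06) or oid != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    bs_tag, bitstr, _ = _tlv(spki, pos)
    if bs_tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    pub_tag, rsa_pub, _ = _tlv(bitstr, 1)  # byte 0 of a BIT STRING is the unused-bits count
    n_tag, n_bytes, pos = _tlv(rsa_pub, 0)
    e_tag, e_bytes, _ = _tlv(rsa_pub, pos)
    if (pub_tag, n_tag, e_tag) != (0x30, 0x02, 0x02):
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def _mpint(v):
    """SSH mpint (RFC 4251): length-prefixed big-endian two's complement."""
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    b = b"\x00" + b if b[0] & 0x80 else b
    return len(b).to_bytes(4, "big") + b

@dataclass
class SwitchKey:
    name: str
    usage: str
    n: int
    e: int

    def ssh_blob(self):
        """RFC 4253 'ssh-rsa' public-key encoding: the bytes every SSH fingerprint hashes."""
        return b"\x00\x00\x00\x07ssh-rsa" + _mpint(self.e) + _mpint(self.n)

    def fingerprints(self):
        """(MD5 colon-hex as older PuTTY shows it, SHA256 base64 as OpenSSH and current PuTTY show it)."""
        blob = self.ssh_blob()
        md5 = hashlib.md5(blob).hexdigest()
        sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

_KEY_NAME = re.compile(r"^\s*Key name:\s*(\S+)")
_USAGE = re.compile(r"^\s*Usage:\s*(.*?)\s*$")
_HEX_LINE = re.compile(r"^\s*(?:[0-9A-Fa-f]{2,8}\s*)+$")

def parse_show_crypto_key(output):
    """Return one SwitchKey per 'Key Data:' block in the pasted command output."""
    keys, name, usage, words = [], None, None, None
    for line in output.splitlines():
        if words is not None and _HEX_LINE.match(line):
            words.append(re.sub(r"\s", "", line))
            continue
        if words:  # first non-hex line closes the current Key Data block
            n, e = rsa_from_spki(bytes.fromhex("".join(words)))
            keys.append(SwitchKey(name, usage, n, e))
            words = None
        if m := _KEY_NAME.match(line):
            name, usage = m.group(1), None
        elif m := _USAGE.match(line):
            usage = m.group(1)
        elif "Key Data:" in line:
            words = []
    if words:
        n, e = rsa_from_spki(bytes.fromhex("".join(words)))
        keys.append(SwitchKey(name, usage, n, e))
    return keys

# Constructed sample in the layout IOS prints. The Key Data is a hand-built DER key whose
# 256-bit modulus (C0FFEE11 repeated) stands in for a real 2048-bit key; paste real output here.
SAMPLE_OUTPUT = """\
Switch#show crypto key mypubkey rsa
Key name: IRM2048SSH
 Usage: General Purpose Key
 Key Data:
  303C300D 06092A86 4886F70D 01010105 00032B00 30280221 00C0FFEE 11C0FFEE
  11C0FFEE 11C0FFEE 11C0FFEE 11C0FFEE 11C0FFEE 11C0FFEE 11020301 0001
Switch#
"""

if __name__ == "__main__":
    for key in parse_show_crypto_key(SAMPLE_OUTPUT):
        md5_fp, sha_fp = key.fingerprints()
        print(f"{key.name} ({key.usage}, {key.n.bit_length()}-bit RSA)\n  MD5 {md5_fp}\n  {sha_fp}")
```

Paste the real command output into SAMPLE_OUTPUT (or read it from a file) and compare the printed fingerprints with the alert before clicking Accept. With usage-keys, as in the configuration log, the command lists two key pairs under the same name (a signature key and an encryption key); the script prints both, so match whichever one the client shows. A fingerprint that matches neither, or a later "host key does not match" warning with no key regeneration to explain it, is exactly the case the alert exists to catch.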
Configuration Log:
The following log was captured while applying the configuration script on a Cisco 3550. It should be representative of most client switches. Two things in the log are worth knowing when reading it: lines beginning with "$" are IOS scrolling a long command line, so only the tail of that command is visible, and the "% Invalid input" response to "ip ssh rsa keypair-name" means this IOS release does not support that command. As the comment preceding it says, SSH still works without it because the switch uses the key pair it has just generated.
Switch#
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#!
Switch(config)#ip domain name state.sbu
Switch(config)#!
Switch(config)#$generate rsa usage-keys label IRM2048SSH modulus 2048
The name for the keys will be: IRM2048SSH
Switch(config)#!
Switch(config)#$depending on IOS versions. SSH will still work if it isnt.
Switch(config)#ip ssh rsa keypair-name IRM2048SSH
^
% Invalid input detected at '^' marker.
Switch(config)#!
Switch(config)#end
Switch#
Switch#
Switch#
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#!
Switch(config)#! V== Not needed if already configured.
Switch(config)#enable secret 0 ******
Switch(config)#!
Switch(config)#username ****** secret ******
Switch(config)#!
Switch(config)#ip ssh version 2
Switch(config)#ip ssh time-out 120
Switch(config)#ip ssh authentication-retries 3
Switch(config)#!
Switch(config)#line con 0
Switch(config-line)# transport preferred none
Switch(config-line)# transport output ssh
Switch(config-line)#!
Switch(config-line)#line vty 0 15
Switch(config-line)# login local
Switch(config-line)# transport preferred none
Switch(config-line)# transport input telnet ssh
Switch(config-line)# transport output telnet ssh
Switch(config-line)#end
Switch#
Switch#
Switch#
Switch#! Verify SSH at this point
Switch#
Switch#!If works, remove telnet from VTY lines
Switch#
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#!
Switch(config)#line vty 0 15
Switch(config-line)# login local
Switch(config-line)# transport preferred none
Switch(config-line)# transport input ssh
Switch(config-line)# transport output ssh
Switch(config-line)#end
Switch#
Switch#
Switch#! Verify SSH again, if works write config to NVRAM.
Switch#
Switch#wr mem
Building configuration...
[OK]
Switch#