Client Switch SSH Instructions V3a

Uploaded by Kevin Bahamondes

Figure 1: K9 IOS Verification (output of "show version"; the "k9" in the image file name confirms the K9 image)

show version

System image file is "flash:c2960-lanbasek9-mz.122-40.SE.bin"


Client Switch SSH Instructions


Assumptions
- The approved image loaded onto the client switch is the K9 version. This is needed in order for the IOS image to support SSH and encryption.
- Each client switch is currently reachable via Telnet, i.e. it is configured with a default gateway and a management VLAN.
- Telnet will be used to configure each client switch to support SSH.
- AAA/TACACS is not configured on the client switch.

NOTE that ONLY SSHv2 is allowed or supported on OpenNet.

Steps:
1. Ensure the appropriate IOS K9 image is loaded. If not, do not proceed until it has been
successfully loaded and the switch rebooted to load in the K9 image.

To confirm that the switch has the K9 version, the administrator should log into the switch and
issue the command "show version". The System image file line should contain "K9" (see Figure 1).

Figure 1: K9 IOS Verification


2. Enter the following commands from the switch enable prompt. The configuration script is
broken into 3 sections, for ease of deployment.
This section generates the RSA crypto keys used by SSH.

IOS Command / Description

relo in 15
      -> Use with caution. Reloads the switch when the timer expires (15 minutes as entered), in case the configuration causes loss of network connectivity to the switch.
conf t
!
ip domain name state.sbu
      -> Required for SSH. This is probably already configured; if not, it should be added.
!
crypto key generate rsa usage-keys label IRM2048SSH modulus 2048
      -> Generates the RSA crypto keys for SSH. This will take several minutes. BE PATIENT.
!
ip ssh rsa keypair-name IRM2048SSH
      -> Command may not be accepted, depending on the IOS version. SSH will still work if it isn't accepted.
!
end

This section configures IP SSH.

IOS Command / Description

conf t
!
enable secret 0 ncgn3eutWqmA
      -> This is probably already configured; if not, it should be added.
!
username SNTAdmin secret 96Qgt7s6
      -> Creates the local admin username/password used to SSH to the switch.
!
ip ssh version 2
      -> Only SSH version 2 is supported.
ip ssh time-out 120
ip ssh authentication-retries 3
!
line con 0
 transport preferred none
 transport output ssh
!
line vty 0 15
 login local
 transport preferred none
 transport input telnet ssh
      -> Both Telnet and SSH are supported at this stage to assist in the configuration.
 transport output telnet ssh
      -> Both Telnet and SSH are supported at this stage to assist in the configuration.
end

3. Verify SSH functionality by using an SSH client like Putty on a workstation to open an SSH session
to the switch management IP.
4. If successful, apply the remaining configuration script to finalize the SSH configuration. If
unsuccessful, determine the reason, and do not forget about the pending reload.
This section removes telnet access from the switch, and allows only SSH.

IOS Command / Description

conf t
!
line vty 0 15
 login local
 transport preferred none
 transport input ssh
      -> Configures ONLY SSH support.
 transport output ssh
      -> Configures ONLY SSH support.
end
wr mem
      -> Saves the configuration to NVRAM.
relo cancel
      -> *VERY IMPORTANT* Cancels the pending reload.

5. After saving the config, verify SSH by opening a new SSH session to the client switch.
6. NOTE: DO NOT FORGET TO CANCEL THE PENDING RELOAD WHEN DONE.
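As an added example (not part of the original instructions), the following Python check reads the SSH-relevant part of a switch running-config and reports whether each setting applied in steps 2 and 4 is present. The two configs are constructed samples, not captured device output.

```python
import re

# Constructed sample of the SSH-relevant part of a running-config after
# step 2 of the procedure (Telnet still allowed on the VTY lines).
STEP2_CONFIG = """\
ip domain name state.sbu
ip ssh version 2
ip ssh time-out 120
ip ssh authentication-retries 3
line con 0
 transport preferred none
 transport output ssh
line vty 0 15
 login local
 transport preferred none
 transport input telnet ssh
 transport output telnet ssh
"""
# The same config after step 4 (Telnet removed from the VTY lines).
FINAL_CONFIG = STEP2_CONFIG.replace("input telnet ssh", "input ssh").replace("output telnet ssh", "output ssh")

def vty_commands(config):
    """Return the indented commands under every 'line vty ...' stanza."""
    cmds, in_vty = [], False
    for raw in config.splitlines():
        if raw.startswith("line "):           # a new line stanza begins
            in_vty = raw.startswith("line vty")
        elif in_vty and raw.startswith(" "):  # sub-command of the current VTY stanza
            cmds.append(raw.strip())
    return cmds

def check_ssh_hardening(config):
    """Map each check from the procedure to True (present) or False (missing)."""
    vty = vty_commands(config)
    # protocols listed on each 'transport input' line, e.g. ['telnet', 'ssh']
    inputs = [c.split()[2:] for c in vty if c.startswith("transport input")]
    retries = re.findall(r"^ip ssh authentication-retries (\d+)", config, re.M)
    return {
        "domain_name_set": re.search(r"^ip domain[ -]name \S+", config, re.M) is not None,
        "ssh_version_2": re.search(r"^ip ssh version 2$", config, re.M) is not None,
        "auth_timeout_set": re.search(r"^ip ssh time-out \d+$", config, re.M) is not None,
        "auth_retries_le_3": bool(retries) and all(int(r) <= 3 for r in retries),
        "vty_login_local": "login local" in vty,
        "vty_ssh_only": bool(inputs) and all(protos == ["ssh"] for protos in inputs),
    }

def is_compliant(config):
    """True only when every hardening check passes (the state reached at step 4)."""
    return all(check_ssh_hardening(config).values())
```

The same functions can be run over the output of "show running-config" copied from a real switch; a False entry names the command that is still missing.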

Putty Alert
If using Putty as your SSH client, the first time you SSH into the switch after configuring it for SSH, you
will get the following error. This is ok, as Putty just has not cached the RSA key fingerprint of the switch
yet. This alert will only appear the first time you attempt an SSH session.
Verify:
sh ip ssh
sh ssh
sh crypto key mypubkey rsa

SSH:
You can use the privileged mode commands to view SSH configurations and connections (if any). In the
following example, the SSHv2 configuration from a Cisco 3550 switch is verified using “show ip ssh” and
a single SSHv2 connection is displayed using the command “show ssh”.

Switch#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Switch#
Switch#sh ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-cbc hmac-sha1 Session started test
0 2.0 OUT aes256-cbc hmac-sha1 Session started test
%No SSHv1 server connections running.
Switch#

RSA Keys:
You can use the privileged mode command to view the RSA crypto keys generated by the above
configuration. In the following example, the RSA crypto public keys from a Cisco 3550 switch are
verified using “show crypto key mypubkey rsa”. The output should be similar to the output below.

Switch#sh crypto key mypubkey rsa


% Key pair was generated at: 10:05:43 UTC Mar 31 2016
Key name: IRM2048SSH
Storage Device: not specified
Usage: Signature Key
Key is not exportable.
Key Data:
(hex-encoded key data omitted)
% Key pair was generated at: 10:06:04 UTC Mar 31 2016
Key name: IRM2048SSH
Storage Device: not specified
Usage: Encryption Key
Key is not exportable.
Key Data:
(hex-encoded key data omitted)
% Key pair was generated at: 10:06:05 UTC Mar 31 2016
Key name: IRM2048SSH.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
(hex-encoded key data omitted)
Switch#

Configuration Log:

The following log was captured using the above configuration script on a Cisco 3550. It should be
representative of most client switches.

Switch#
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#!
Switch(config)#ip domain name state.sbu
Switch(config)#!
Switch(config)#$generate rsa usage-keys label IRM2048SSH modulus 2048
The name for the keys will be: IRM2048SSH

% The key modulus size is 2048 bits


% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

Switch(config)#!
Switch(config)#$depending on IOS versions. SSH will still work if it isnt.
Switch(config)#ip ssh rsa keypair-name IRM2048SSH
^
% Invalid input detected at '^' marker.

Switch(config)#!
Switch(config)#end
Switch#
Switch#
Switch#
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#!
Switch(config)#! V== Not needed if already configured.
Switch(config)#enable secret 0 ******
Switch(config)#!
Switch(config)#username ****** secret ******
Switch(config)#!
Switch(config)#ip ssh version 2
Switch(config)#ip ssh time-out 120
Switch(config)#ip ssh authentication-retries 3
Switch(config)#!
Switch(config)#line con 0
Switch(config-line)# transport preferred none
Switch(config-line)# transport output ssh
Switch(config-line)#!
Switch(config-line)#line vty 0 15
Switch(config-line)# login local
Switch(config-line)# transport preferred none
Switch(config-line)# transport input telnet ssh
Switch(config-line)# transport output telnet ssh
Switch(config-line)#end
Switch#
Switch#
Switch#
Switch#! Verify SSH at this point
Switch#
Switch#!If works, remove telnet from VTY lines
Switch#
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#!
Switch(config)#line vty 0 15
Switch(config-line)# login local
Switch(config-line)# transport preferred none
Switch(config-line)# transport input ssh
Switch(config-line)# transport output ssh
Switch(config-line)#end
Switch#
Switch#
Switch#! Verify SSH again, if works write config to NVRAM.
Switch#
Switch#wr mem
Building configuration...
[OK]
Switch#
