gill(config)#ip domain-name taosecurity.com
gill(config)#crypto key generate rsa
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus : 1024
% Generating 1024 bit RSA keys ...[OK]
gill(config)#ip ssh time-out 60
gill(config)#ip ssh authentication-retries 3
gill(config)#ip ssh version 2
gill(config-line)#transport input ssh
gill(config)#username me privilege 15 password mypassword
Here are a few notes. First, choose a key bigger than 512 bits. When I tried this the first time and accepted the default, I got this error message from my FreeBSD OpenSSH client:
ssh_rsa_verify: RSA modulus too small: 512 < minimum 768 bits
key_verify failed for server_host_key
Second, you'll see I specified 'login local'. This means I have to create a user (here, 'me') to allow connection to the SSH daemon. If I just said 'login', I'd have to enter the console password.
Third, I did not really need to specify a hostname in this example, since it was already set. I did so to show how to do it.
Last, Cisco's documentation recommends 'ip ssh timeout 60' when the real syntax is 'ip ssh time-out 60'.
I recommend running SSH v2 as SSH v1 is susceptible to various attacks.
When you connect to the server, your client will see this:
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0
On the router, try the 'show ssh' command to see active sessions:
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes128-cbc hmac-md5 Session started me
0 2.0 OUT aes128-cbc hmac-md5 Session started me
%No SSHv1 server connections running.
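To confirm from the client side that the router is offering only SSH v2, the protocol version in the server's identification string can be checked, as in this added example (not part of the original post). It parses either the raw banner or the OpenSSH debug line shown above; under RFC 4253 section 5.1, a server that still accepts version 1 clients should identify itself as 1.99. The function names and the two extra banners are assumptions made for illustration.

```python
import re

# RFC 4253 identification string: SSH-<protoversion>-<softwareversion>[ comments]
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")
# OpenSSH client debug line, in the form shown in the post
DEBUG_RE = re.compile(
    r"Remote protocol version (\d+\.\d+), remote software version (\S+)")

def parse_version(line):
    """Return (protoversion, software) from a banner or an OpenSSH debug line."""
    m = BANNER_RE.match(line.strip()) or DEBUG_RE.search(line)
    if not m:
        raise ValueError("not an SSH identification line: %r" % line)
    return m.group(1), m.group(2)

def classify(line):
    """Decide whether the server side still accepts SSH v1 clients."""
    proto, software = parse_version(line)
    if proto == "2.0":
        verdict = "v2-only"
    elif proto == "1.99":
        # Compatibility mode: the server speaks v2 but also accepts v1.
        verdict = "v1-and-v2"
    elif proto.startswith("1."):
        verdict = "v1-only"
    else:
        verdict = "unknown"
    return {"proto": proto, "software": software,
            "verdict": verdict, "ok": verdict == "v2-only"}

SAMPLES = [
    # Taken from the client output in the post
    "debug1: Remote protocol version 2.0, remote software version Cisco-1.25",
    # Constructed: what a server with v1 compatibility left on would send
    "SSH-1.99-Cisco-1.25",
    # Constructed: a v1-only server
    "SSH-1.5-Cisco-1.25",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = classify(s)
        print("%-10s %-12s %s" % (r["verdict"], r["software"],
                                  "OK" if r["ok"] else "REVIEW"))
```
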