Saturday, March 05, 2005

Using SSH version 2 on Cisco Routers

My CCNA class did not cover this, but I think it is important to enable SSH version 2 on Cisco gear that supports it. You can use the Cisco Software Advisor to find IOS images that support the Secure Shell Server version 2 feature. Once you have an appropriate image loaded, follow these instructions to get your SSH v2 server running. Here's what I did:

gill(config)#hostname gill
gill(config)#ip domain-name taosecurity.com
gill(config)#crypto key generate rsa
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
gill(config)#ip ssh time-out 60
gill(config)#ip ssh authentication-retries 3
gill(config)#ip ssh version 2
gill(config-line)#login local
gill(config-line)#transport input ssh
gill(config-line)#exit
gill(config)#username me privilege 15 password mypassword
gill(config)#end

Here are a few notes. First, choose a key bigger than 512 bits. When I tried this the first time and accepted the default, I got this error message from my FreeBSD OpenSSH client:

ssh_rsa_verify: RSA modulus too small: 512 < minimum 768 bits
key_verify failed for server_host_key

Second, you'll see I specified 'login local'. This means I have to create a user (here, 'me') to allow connection to the SSH daemon. If I just said 'login', I'd have to enter the console password.

Third, I did not really need to specify a hostname in this example, since it was already set. I did so to show how to do it.

Last, Cisco's documentation shows 'ip ssh timeout 60', but the syntax the router actually accepts is 'ip ssh time-out 60'.

I recommend running SSH v2 as SSH v1 is susceptible to various attacks.

When you connect to the server, your client will see this:

debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0

On the router, try the 'show ssh' command to see active sessions:

gill#sh ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes128-cbc hmac-md5 Session started me
0 2.0 OUT aes128-cbc hmac-md5 Session started me
%No SSHv1 server connections running.
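The following Python script is an added example and not part of the original post. It turns the points above into a check a defender can run against a saved running-config and a captured 'show ssh' table: is 'ip ssh version 2' set, is the RSA modulus at least the 768 bits the OpenSSH client insisted on, do the vty lines accept only SSH, and is every live session really protocol 2.0. The config excerpt and session table are constructed samples modelled on the transcripts in the post; the finding wording, the 768-bit threshold and the legacy-algorithm list are assumptions of this example.

```python
"""Audit a Cisco IOS running-config excerpt and 'show ssh' output for the
SSHv2 points made in the post.  All sample data below is constructed."""
import re

# Assumption: the 768-bit floor the FreeBSD OpenSSH client enforced in the post.
MIN_RSA_BITS = 768
# Assumption: algorithms a current review would flag as legacy if seen in 'show ssh'.
LEGACY_ALGOS = {"3des-cbc", "hmac-md5", "hmac-md5-96"}

# Constructed running-config excerpt: vty 0-4 follow the post, vty 5-15 are
# left with telnet and a line password so the audit has something to report.
SAMPLE_CONFIG = """\
hostname gill
ip domain-name taosecurity.com
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
username me privilege 15 password mypassword
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
"""

# Constructed 'show ssh' table in the column layout shown in the post.
SAMPLE_SHOW_SSH = """\
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes128-cbc hmac-md5 Session started me
0 2.0 OUT aes128-cbc hmac-md5 Session started me
%No SSHv1 server connections running.
"""


def audit_config(config: str, rsa_bits: int) -> list:
    """Return a list of finding strings for the config excerpt.

    rsa_bits is the modulus chosen at 'crypto key generate rsa'; the running
    config does not record it, so the caller supplies it."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    if "ip ssh version 2" not in lines:
        findings.append("ip ssh version 2 not set: server advertises 1.99 and "
                        "still accepts SSHv1 clients")
    if rsa_bits < MIN_RSA_BITS:
        findings.append(f"RSA modulus {rsa_bits} < {MIN_RSA_BITS}: OpenSSH "
                        "clients reject the host key")
    section = None                 # current 'line vty ...' block, if any
    login_local = {}               # vty block -> saw 'login local'
    for line in lines:
        if line.startswith("line vty"):
            section = line
            login_local[section] = False
            continue
        if not line.startswith(" "):
            section = None         # a top-level command ends the vty block
            continue
        if section is None:
            continue
        cmd = line.strip()
        if cmd.startswith("transport input"):
            protocols = cmd.split()[2:]
            if "telnet" in protocols or "all" in protocols:
                findings.append(f"{section}: transport input allows cleartext "
                                f"telnet ({' '.join(protocols)})")
        elif cmd == "login local":
            login_local[section] = True
    for section, ok in login_local.items():
        if not ok and "aaa new-model" not in lines:
            findings.append(f"{section}: no 'login local' and no aaa new-model; "
                            "SSH logins fall back to the line password")
    return findings


def parse_show_ssh(output: str) -> list:
    """Parse the session rows of 'show ssh' into dicts; header and
    status lines such as '%No SSHv1 ...' are skipped."""
    row = re.compile(r"^(\d+)\s+(\S+)\s+(IN|OUT)\s+(\S+)\s+(\S+)\s+(.*?)\s+(\S+)$")
    sessions = []
    for line in output.splitlines():
        m = row.match(line)
        if m:
            conn, version, mode, enc, mac, state, user = m.groups()
            sessions.append({"connection": int(conn), "version": version,
                             "mode": mode, "encryption": enc, "hmac": mac,
                             "state": state, "username": user})
    return sessions


def sessions_not_v2(sessions: list) -> list:
    """Sessions whose negotiated protocol version is anything but 2.0."""
    return [s for s in sessions if s["version"] != "2.0"]


def legacy_algorithm_sessions(sessions: list) -> list:
    """Sessions using a cipher or MAC from LEGACY_ALGOS."""
    return [s for s in sessions
            if s["encryption"] in LEGACY_ALGOS or s["hmac"] in LEGACY_ALGOS]


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG, 1024):
        print("FINDING:", f)
    live = parse_show_ssh(SAMPLE_SHOW_SSH)
    print(f"{len(live)} sessions, {len(sessions_not_v2(live))} not SSHv2, "
          f"{len(legacy_algorithm_sessions(live))} using legacy algorithms")
```

Run against a real device, feed it 'show running-config' and 'show ssh' saved to files, and pass the modulus you chose when generating the key. The 'login local' check is deliberately skipped when 'aaa new-model' is present, since under AAA the username database is consulted without it, as the updated procedure in the comments shows.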

4 comments:

Anonymous said...

This helped mucho, thanks!

Richard Bejtlich said...

Updated procedure:

C2950T-24#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C2950T-24(config)#aaa new-model
C2950T-24(config)#username myuser password 0 mypass
C2950T-24(config)#line vty 0 4
C2950T-24(config-line)#transport input telnet
C2950T-24(config-line)#transport input ssh
C2950T-24(config-line)#exit
C2950T-24(config)#ip domain-name taosecurity.com
C2950T-24(config)#cry key generate rsa
The name for the keys will be: C2950T-24.taosecurity.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]

01:12:54: %SSH-5-ENABLED: SSH 1.99 has been enabled
C2950T-24(config)#ip ssh time-out 60
C2950T-24(config)#ip ssh authentication-retries 2
C2950T-24(config-line)#end

Works!

richard@neely:~$ ssh -v myuser@10.7.1.50
OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.7.1.50 [10.7.1.50] port 22.
debug1: Connection established.
debug1: identity file /home/richard/.ssh/identity type -1
debug1: identity file /home/richard/.ssh/id_rsa type -1
debug1: identity file /home/richard/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
The authenticity of host '10.7.1.50 (10.7.1.50)' can't be established.
RSA key fingerprint is 60:7e:47:92:b3:8a:6b:fa:e0:45:3c:d9:13:93:8f:5a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.7.1.50' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password
debug1: Next authentication method: password
myuser@10.7.1.50's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8

C2950T-24>

Anonymous said...

I was following a video tutorial on security on a switch and everything was fine and dandy until we got to configuring SSH. I was able to configure the switch, but I was unable to log in using SSH. I found your blog post and I was able to correctly set up SSH on my switch and successfully log in. Thanks for your post.