What is telnet and SSH and why to use them?

SSH is a network protocol used to remotely access and manage Cisco devices. The key difference between Telnet and SSH is that SSH uses encryption, which means that all data transmitted over a network is secure from eavesdropping. The opposite is true of telnet, all data is transmitted in clear text including passwords. If there is one take away from this post it is this, there is absolutely no good reason to use telnet, ever. Telnet is a legacy protocol by today's standards and was superseded by SSH long ago.

In the network below there is one router and two end-user computers. In real world deployments a network could have dozens or hundreds of routers or devices depending on the scale of the network. It is important to have the ability to remotely manage devices and is equally important to do so securely. In the below example we will configure NTP to ensure reliable time stamps, configure authentication and RSA keys for SSH, and create access list to ensure only approved hosts or networks can access the Cisco router.

Steps to configure SSH

Step 1: Configure the appropriate timezone and daylight savings time on the router.

R1(config)#clock timezone est -5
R1(config)#clock summer-time est recurring

Step 2: If you have an NTP server on your network, recommended, you can use NTP in place of the local clock. Additionally you can set the router as an authoritative time source using the ntp mater command so other devices can sync from this router.

R1(config)#ntp server
R1(config)#ntp update-calendar
R1(config)#ntp master 1

Step 3: OPTIONAL If you do not have a valid NTP server you should configure the local clock. In this example we do not have a NTP server available so we will set the clock manually.

R1#clock set 21:20:00 1 Jan 2010

Step 4: Configure a local login, set the enable password and encrypt the passwords.

R1(config)#username admin privilege 15 secret supersecretpassword
R1(config)#enable secret supersecretpassword
R1(config)#service password-encryption

Step 5: Configure the router to use the local user database as well as authentication, authorization and accounting.

R1(config)#aaa new-model
R1(config)#aaa session-id common

Step 6: Configure a access list that will be used to permit connection to the router from the LAN only.

R1(config)#access-list 1 permit log
R1(config)#access-list 1 deny any log

Step 7: Generate a RSA key with a label of sshkey that will be used for SSH connections. Set both modulus to 768.

R1(config)#crypto key generate rsa usage-keys label sshkey

Step 8: Configure SSH to use the new RSA key we generated in step 7, set the SSH version to version 2, and audit both successful and failed login attempts.

R1(config)#ip ssh rsa keypair-name sshkey
R1(config)#ip ssh version 2
R1(config)#login on-success log
R1(config)#login on-failure log

Step 9: Configure the router console and vty interfaces. The below configuration will enforce SSH connections in place of telnet, enforce session timeouts and prevent console messages from being injected when typing.

R1(config)#line con 0
R1(config-line)#session-timeout 15
R1(config-line)#logging synchronous
R1(config-line)#transport preferred none
R1(config)#line vty 0 15
R1(config-line)#session-timeout 15
R1(config-line)#access-class 1 in
R1(config-line)#logging synchronous
R1(config-line)#transport preferred none
R1(config-line)#transport input ssh

Verify the configuration

Now that the configuration is finished lets verify our SSH deployment. Using the ssh command on PC1 to verify remote connectivity to R1. You will find ssh to R1 is successful from PC1. Repeat the same steps but try to connect this time from PC2. Your connection will fail.

Using the show log command on R1 to display time of logins, if they were successful, the source, port, and when the sessions were terminated.

Jan 2 03:28:45.763: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source:] [localport: 22] at 22:28:45 est Fri Jan 1 2010
Jan 2 03:28:48.051: %SYS-6-LOGOUT: User admin has exited tty session 2(

Related Posts

Cisco Networking

BGP Load Sharing

Load balancing with BGP is not possible in a multihomed environment with two ISPs. BGP selects only the single best path to a destination among the BGP paths that are learned from different ASs, which Read more…

Cisco Firewall

Configuring Dynamic Multipoint VPN and Zone Based Firewall

DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers, including IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management Protocol) peers. Read more…

Cisco Networking

Configuring Layer 2 MPLS VPN

Layer 2 VPNs are a type of Virtual Private Network (VPN) that uses MPLS labels to transport data. The communication occurs between routers that are known as Provider Edge routers (PEs), as they sit on Read more…