What are Telnet and SSH, and why use them?
Telnet and SSH are network protocols used to remotely access and manage Cisco devices. The key difference between them is that SSH uses encryption, so all data transmitted over the network is protected from eavesdropping. The opposite is true of Telnet: all data is transmitted in clear text, including passwords. If there is one takeaway from this post it is this: there is absolutely no good reason to use Telnet, ever. Telnet is a legacy protocol by today's standards and was superseded by SSH long ago.
In the network below there is one router and two end-user computers. In real-world deployments a network could have dozens or hundreds of routers or other devices, depending on its scale. It is important to be able to manage devices remotely, and equally important to do so securely. In the example below we will configure NTP to ensure reliable timestamps, configure authentication and RSA keys for SSH, and create an access list to ensure only approved hosts or networks can reach the Cisco router.
Steps to configure SSH
Step 1: Configure the appropriate timezone and daylight savings time on the router.
R1(config)#clock timezone est -5
R1(config)#clock summer-time est recurring
Step 2: If you have an NTP server on your network (recommended), you can use NTP in place of the local clock. Additionally, you can set the router as an authoritative time source using the ntp master command so other devices can sync from this router.
R1(config)#ntp server 10.1.0.3
R1(config)#ntp update-calendar
R1(config)#ntp master 1
Step 3: OPTIONAL. If you do not have a valid NTP server, configure the local clock instead. In this example no NTP server is available, so we set the clock manually.
R1#clock set 21:20:00 1 Jan 2010
Step 4: Configure a local login, set the enable password and encrypt the passwords.
R1(config)#username admin privilege 15 secret supersecretpassword
R1(config)#enable secret supersecretpassword
R1(config)#service password-encryption
Step 5: Enable AAA so the router uses the local user database for authentication, authorization and accounting.
R1(config)#aaa new-model
R1(config)#aaa session-id common
Step 6: Configure an access list that will be used to permit connections to the router from the LAN only.
R1(config)#access-list 1 permit 10.10.0.0 0.0.0.255 log
R1(config)#access-list 1 deny any log
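Before applying an access list to the vty lines it is worth checking which sources it actually admits, since a mistake here locks you out of remote management. The script below is an added example, not code from the original post or from Cisco: it parses standard numbered access-list lines of the kind shown in Step 6 and evaluates a source address the way IOS does (first match wins, implicit deny at the end). It goes slightly beyond the page by also accepting the host keyword and a bare address with no wildcard; the sample source addresses are constructed for the demonstration.

```python
# Added example, not part of the original post: evaluate a Cisco standard
# numbered access list the way IOS does when it is applied with
# "access-class 1 in" on the vty lines. Entries are tested top to bottom,
# the first match decides, and an unmatched source hits the implicit deny.
import ipaddress


def _wildcard_to_mask(wildcard):
    """IOS wildcard bits set to 1 are 'don't care'; the match mask is the complement."""
    return (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF


def parse_standard_acl(config_lines, number):
    """Return [(action, network_int, mask_int), ...] for 'access-list <number> ...' lines."""
    entries = []
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected action in: {line}")
        if parts[3] == "any":
            entries.append((action, 0, 0))
        elif parts[3] == "host":
            entries.append((action, int(ipaddress.IPv4Address(parts[4])), 0xFFFFFFFF))
        else:
            # "<address> [<wildcard>]"; a missing wildcard means a single host,
            # same as the "host" keyword. A trailing "log" keyword is ignored here.
            wildcard = parts[4] if len(parts) > 4 and parts[4] != "log" else "0.0.0.0"
            mask = _wildcard_to_mask(wildcard)
            entries.append((action, int(ipaddress.IPv4Address(parts[3])) & mask, mask))
    return entries


def evaluate(entries, source_ip):
    """Return (action, index) of the first matching entry; index -1 is the implicit deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for index, (action, network, mask) in enumerate(entries):
        if (src & mask) == network:
            return action, index
    return "deny", -1


# The two entries from Step 6 above, as they appear in the running config.
ACL_1 = [
    "access-list 1 permit 10.10.0.0 0.0.0.255 log",
    "access-list 1 deny any log",
]

if __name__ == "__main__":
    entries = parse_standard_acl(ACL_1, 1)
    # Constructed sample sources: one inside the permitted /24, two outside.
    for src in ("10.10.0.25", "10.10.1.25", "192.168.1.10"):
        print(src, evaluate(entries, src))
```

The returned index tells you which entry produced the decision, which is the same entry whose log keyword will generate the syslog message on the router; an index of -1 means the source fell through to the implicit deny, which is never logged.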
Step 7: Generate an RSA key pair with the label sshkey that will be used for SSH connections. Set both moduli to 768.
R1(config)#crypto key generate rsa usage-keys label sshkey modulus 768
Step 8: Configure SSH to use the RSA key pair generated in Step 7, set the SSH version to 2, and log both successful and failed login attempts.
R1(config)#ip ssh rsa keypair-name sshkey
R1(config)#ip ssh version 2
R1(config)#login on-success log
R1(config)#login on-failure log
Step 9: Configure the console and vty lines. The configuration below enforces SSH in place of Telnet on the vty lines, applies the access list from Step 6, enforces session timeouts, and prevents console messages from interrupting what you are typing.
R1(config)#line con 0
R1(config-line)#session-timeout 15
R1(config-line)#logging synchronous
R1(config-line)#transport preferred none
!
R1(config)#line vty 0 15
R1(config-line)#session-timeout 15
R1(config-line)#access-class 1 in
R1(config-line)#logging synchronous
R1(config-line)#transport preferred none
R1(config-line)#transport input ssh
Verify the configuration
Now that the configuration is finished, let's verify the SSH deployment. Use the ssh command on PC1 to verify remote connectivity to R1; the connection from PC1 succeeds. Repeat the same steps from PC2; that connection fails.
Use the show log command on R1 to display the time of each login, whether it succeeded, the source address and port, and when the session was terminated.
Jan 2 03:28:45.763: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.0.2] [localport: 22] at 22:28:45 est Fri Jan 1 2010
Jan 2 03:28:48.051: %SYS-6-LOGOUT: User admin has exited tty session 2(10.1.0.2)
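The login audit messages enabled in Step 8 are only useful if someone reads them, and on a router with many users that means parsing rather than eyeballing. The following is an added example, not code from the original post or from Cisco: it parses the %SEC_LOGIN and %SYS-6-LOGOUT messages of the form shown above and counts failed logins per source so that repeated failures against the vty lines stand out. The first two sample lines are the show log output quoted from this post; the LOGIN_FAILED lines and the unrelated CONFIG_I line are constructed for the example and follow the IOS message shape, but any real deployment should be checked against its own log output.

```python
# Added example, not part of the original post: parse the %SEC_LOGIN and
# %SYS-6-LOGOUT messages that "show log" prints once "login on-success log"
# and "login on-failure log" are configured, then count failed logins per
# source so repeated failures against the vty lines stand out.
import re
from collections import Counter

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<kind>LOGIN_SUCCESS|LOGIN_FAILED): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[\d.]+)\] \[localport: (?P<port>\d+)\]"
)
LOGOUT_RE = re.compile(
    r"%SYS-6-LOGOUT: User (?P<user>\S+) has exited tty session (?P<tty>\d+)\((?P<src>[\d.]+)\)"
)


def parse_events(lines):
    """Return one dict per recognised login/logout message; other messages are skipped."""
    events = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            events.append({"event": m["kind"], "user": m["user"],
                           "src": m["src"], "port": int(m["port"])})
            continue
        m = LOGOUT_RE.search(line)
        if m:
            events.append({"event": "LOGOUT", "user": m["user"],
                           "src": m["src"], "tty": int(m["tty"])})
    return events


def failed_logins_by_source(events, threshold=3):
    """Sources with at least `threshold` LOGIN_FAILED messages, highest count first."""
    counts = Counter(e["src"] for e in events if e["event"] == "LOGIN_FAILED")
    return {src: n for src, n in counts.most_common() if n >= threshold}


def users_seen(events):
    """Set of (user, source) pairs that logged in successfully."""
    return {(e["user"], e["src"]) for e in events if e["event"] == "LOGIN_SUCCESS"}


SAMPLE_LOG = [
    # First two lines are the show log output quoted from the post above.
    "Jan 2 03:28:45.763: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.0.2] [localport: 22] at 22:28:45 est Fri Jan 1 2010",
    "Jan 2 03:28:48.051: %SYS-6-LOGOUT: User admin has exited tty session 2(10.1.0.2)",
    # The rest are constructed for this example: three failures from one host
    # (following the IOS LOGIN_FAILED message shape) and an unrelated message
    # that the parser must ignore.
    "Jan 2 03:30:01.100: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.0.9] [localport: 22] [Reason: Login Authentication Failed] at 22:30:01 est Fri Jan 1 2010",
    "Jan 2 03:30:07.412: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.1.0.9] [localport: 22] [Reason: Login Authentication Failed] at 22:30:07 est Fri Jan 1 2010",
    "Jan 2 03:30:12.900: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.0.9] [localport: 22] [Reason: Login Authentication Failed] at 22:30:12 est Fri Jan 1 2010",
    "Jan 2 03:31:00.000: %SYS-5-CONFIG_I: Configured from console by admin on console",
]

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for e in events:
        print(e)
    print("repeated failures:", failed_logins_by_source(events))
```

In practice you would feed this the output of show log, or better the same messages exported to a syslog server, since the router's own log buffer is small and is lost on reload; the threshold is deliberately a parameter because the right value depends on how many legitimate typos your administrators produce.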