Configure Secure Remote Access On A Cisco Device Using SSH
Aug 26, 2022
In the video below, we show you how to configure SSH on a Cisco IOS device such as a router or switch.
By default, Cisco IOS devices provide Telnet for remote sessions, which is insecure because everything, including the username and password, is exchanged in plain text.
Although SSH is supported, the device needs an RSA key pair generated and the SSH server configured before it will allow encrypted remote access.
That access should also be restricted, by limiting which IP addresses can connect and which encryption algorithms are allowed.
Example Cisco Configuration:
enable
configure terminal
!
! Host and domain
!
hostname uklon01wan01
ip domain-name ciscolab.lan
!
! Generate key
!
crypto key generate rsa modulus 4096
!
! Create username
!
username cisco privilege 15 algorithm-type sha256 secret cisco
!
! Configure IP address
!
interface GigabitEthernet0/0
ip address 172.16.22.50 255.255.255.0
no shutdown
!
! Enable local authentication
! Only allow SSH access
!
line vty 0 15
login local
transport input ssh
!
! Restrict to SSH v2 only
! Tighten SSH algorithms
!
ip ssh version 2
ip ssh server algorithm mac hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm kex diffie-hellman-group14-sha1
ip ssh dh min size 4096
!
! Restrict device access by network range
! Timeout idle sessions after 10 minutes
!
ip access-list standard SSH_ACL
permit 172.16.22.0 0.0.0.255
!
line vty 0 15
access-class SSH_ACL in
exec-timeout 10 0
!
! Disconnect session after 3 failed login retries
! Remove half-open or orphaned sessions
!
ip ssh authentication-retries 3
service tcp-keepalives-in
service tcp-keepalives-out
!
! Enable SCP for file transfers
! SCP requires AAA login authentication and exec authorization
! (here against the local user database) or transfers are refused
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
ip scp server enable
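A quick way to check that a device's running configuration actually carries the controls above is to audit the text rather than trust the change was saved. The following is an added example, not part of the original post: it parses a constructed, abbreviated copy of the configuration above and reports each control (SSH v2 only, SSH-only vty transport, local login, access-class applied with a matching ACL, idle timeout, retry limit, SHA-2 MAC and AES cipher); the function and control names are my own.

```python
# Constructed sample: an abbreviated copy of the post's example configuration.
SAMPLE_CONFIG = """\
hostname uklon01wan01
ip domain-name ciscolab.lan
ip ssh version 2
ip ssh server algorithm mac hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr
ip ssh authentication-retries 3
ip access-list standard SSH_ACL
 permit 172.16.22.0 0.0.0.255
line vty 0 15
 login local
 transport input ssh
line vty 0 15
 access-class SSH_ACL in
 exec-timeout 10 0
"""


def vty_lines(config: str) -> list[str]:
    """Collect the indented child commands of every 'line vty' section
    (IOS lets the section be re-entered, as the post's config does)."""
    children, in_vty = [], False
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            in_vty = True
        elif raw and not raw[0].isspace():  # any other top-level command ends the section
            in_vty = False
        elif in_vty and raw.strip():
            children.append(raw.strip())
    return children


def audit_ssh(config: str) -> dict[str, bool]:
    """Return, per hardening control from the post, whether the config satisfies it."""
    top = [ln.strip() for ln in config.splitlines() if ln and not ln[0].isspace()]
    vty = vty_lines(config)
    acl = next((ln.split()[1] for ln in vty if ln.startswith("access-class ") and ln.endswith(" in")), None)
    retries = next((int(ln.split()[-1]) for ln in top if ln.startswith("ip ssh authentication-retries ")), None)
    return {
        "ssh_v2_only": "ip ssh version 2" in top,
        "vty_ssh_only": "transport input ssh" in vty,  # exact match, so 'telnet ssh' fails
        "vty_local_login": "login local" in vty,
        "vty_acl_applied": acl is not None and f"ip access-list standard {acl}" in top,
        "idle_timeout": any(ln.startswith("exec-timeout ") and ln != "exec-timeout 0 0" for ln in vty),
        "retries_limited": retries is not None and retries <= 3,
        "sha2_mac": any(ln.startswith("ip ssh server algorithm mac ") and "sha2" in ln for ln in top),
        "aes_cipher": any(ln.startswith("ip ssh server algorithm encryption ") and "aes" in ln for ln in top),
    }


if __name__ == "__main__":
    for control, ok in audit_ssh(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {control}")
```

Feed it the output of `show running-config` saved to a file and the same function flags a vty that still accepts Telnet or has no access-class.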
Example Linux Configuration:
nano .ssh/config
Host uklon01wan01
    HostName 172.16.22.50
    # Match the key exchange the device was configured to offer
    KexAlgorithms diffie-hellman-group14-sha1
    # ssh-rsa is the SHA-1 RSA signature, disabled by default in OpenSSH 8.8+;
    # only re-enable it if the device does not offer rsa-sha2-256/512
    HostKeyAlgorithms ssh-rsa