2651XM & SSH

Discussion in 'Cisco' started by Scott O'Connell, Jul 8, 2003.

  1. I have two 2651XM's with 12.2(8)T5.

    I would like to enable SSH for secure remote configuration.

    Is there a document somewhere with the steps required to achieve this?

    Thanks in advance,
    scotto
     
    Scott O'Connell, Jul 8, 2003
    #1

  2. kcrumz (joined Aug 8, 2008; 2 messages; 0 likes received)

    Ssh

    I don't know if your IOS has the crypto features to generate RSA keys. The best way to find out is to do a show version, and if you see this:

    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.


    Then you can; if not, you will need to upgrade your IOS. If you have crypto, use this:


    HOSTNAME(config)#crypto key generate rsa
    Choose the size of the key modulus in the range of 360 to 2048 for your
    General Purpose Keys. Choosing a key modulus greater than 512 may take
    a few minutes.

    How many bits in the modulus [512]: 1024
    % Generating 1024 bit RSA keys ...[OK]
     
    kcrumz, Aug 8, 2008
    #2

  3. macdaddy (joined Aug 9, 2008; 3 messages; 0 likes received)

    Or you can simply reference the filename of the IOS image you're running and look for the "k9".

    7613-1.clr# sh ver | i k9
    System image file is "bootdisk:c7600s72033-advipservicesk9-mz.122-33.SRB1.bin"

    Note that kcrumz also recommended you use a 1024 bit key pair instead of the default 512. That's a very good idea. If your device is fast enough and is publicly-accessible you might even want to generate 2048 bit key pairs.

    Also, do not enable SSH without disabling SSH v1 support. Configuring explicit support for SSHv2 will disable SSHv1.

    ip ssh version 2

    By default v1 and v2 will be supported. 'sh ip ssh' will report that the version is 1.99 if both v1 and v2 support is enabled, 1.5 if only v1 is enabled per the command above, and 2.0 if only v2 is enabled. You don't want your equipment to allow support for SSHv1, nor do you want your SSH clients to use it. Explicitly limit support to v2 only.

    In case you explicitly permitted telnet on the VTYs prior to loading a k9 image to disable support for rlogin, PAD, LAT, and UDPTN (or whatever your platform happens to support), you'll also have to modify your VTY transport statements to allow SSH.

    sh run | b ^line vty

    line vty 0 4 ! where 4 is whatever VTY # up to 15 you have configured
    transport input telnet ssh

    This is also the easiest way to restrict telnet access short of iACLs or CoPP.

    J
     
    macdaddy, Aug 9, 2008
    #3
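The three checks the replies above describe (k9 in the image name, the version reported by 'sh ip ssh', and the transport input on each VTY line) can be run as a script over captured show output. The following is an added example, not code from this thread or from Cisco; the show output it parses is constructed sample text, the image filename is a made-up placeholder that only carries the "k9" marker, and the remediation lines it emits are the commands the replies recommend (plus "crypto key generate rsa modulus 2048", an assumption about the key size a modern deployment would choose).

```python
import re

# Constructed sample output; not captured from the routers in the thread.
SHOW_VERSION = '''Cisco IOS Software, C2600 Software
System image file is "flash:c2600-example-k9-mz.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use.
'''

SHOW_IP_SSH = '''SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
'''

SHOW_RUN_VTY = '''line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet
'''


def image_has_crypto(show_version: str) -> bool:
    """True when the running image name carries the 'k9' crypto marker."""
    m = re.search(r'System image file is "([^"]+)"', show_version)
    return bool(m) and "k9" in m.group(1).lower()


def ssh_status(show_ip_ssh: str) -> dict:
    """Parse 'show ip ssh'.

    Version 1.99 means v1 and v2 are both offered, 1.5 means v1 only,
    2.0 means v2 only (the mapping macdaddy describes above).
    """
    m = re.search(r"SSH (Enabled|Disabled)(?:\s*-\s*version\s*([\d.]+))?", show_ip_ssh)
    enabled = bool(m) and m.group(1) == "Enabled"
    version = m.group(2) if m and m.group(2) else None
    return {"enabled": enabled, "version": version,
            "v1_allowed": version in ("1.5", "1.99")}


def vty_transports(show_run_vty: str) -> dict:
    """Map each 'line vty A B' block to its explicit 'transport input' list."""
    result, current = {}, None
    for line in show_run_vty.splitlines():
        if line.startswith("line vty"):
            current = line.strip()
            result[current] = []          # nothing explicit yet
        elif current and line.strip().startswith("transport input"):
            result[current] = line.split()[2:]
    return result


def audit(show_version: str, show_ip_ssh: str, show_run_vty: str):
    """Return (findings, remediation_commands) for one device's show output."""
    findings, remediation = [], []
    if not image_has_crypto(show_version):
        findings.append("image has no k9 crypto feature set; SSH cannot be enabled")
        return findings, remediation
    st = ssh_status(show_ip_ssh)
    if not st["enabled"]:
        findings.append("SSH disabled: no RSA key pair present")
        remediation.append("crypto key generate rsa modulus 2048")  # assumed key size
    elif st["v1_allowed"]:
        findings.append(f"SSH version {st['version']}: SSHv1 still offered")
        remediation.append("ip ssh version 2")
    for block, transports in vty_transports(show_run_vty).items():
        if "telnet" in transports or "all" in transports:
            findings.append(f"{block}: plaintext telnet allowed ({' '.join(transports)})")
            remediation += [block, " transport input ssh"]
        elif not transports:
            findings.append(f"{block}: no explicit transport input; platform default applies")
            remediation += [block, " transport input ssh"]
        elif "ssh" not in transports:
            findings.append(f"{block}: ssh not in transport input")
            remediation += [block, " transport input ssh"]
    return findings, remediation


if __name__ == "__main__":
    found, fix = audit(SHOW_VERSION, SHOW_IP_SSH, SHOW_RUN_VTY)
    for f in found:
        print("FINDING:", f)
    print("\n".join(["conf t"] + fix + ["end"]))
```

Feed it the real output of sh ver, sh ip ssh and sh run | b ^line vty from a device and it prints the findings followed by a ready-to-paste config block; on the sample above it flags the 1.99 version and both VTY ranges, and the emitted fix drops telnet entirely rather than keeping "transport input telnet ssh", which is the stricter choice the last reply hints at.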