Cisco Configuring Secure Shell (SSH) on Cisco IOS Router



Similar documents
Configuring Secure Shell on Routers and Switches Running Cisco IOS

Lab Configure Basic AP Security through IOS CLI

Lab 2.5.2a Configure SSH

Secure Shell (SSH) FAQ

Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

Configuring the Cisco Secure PIX Firewall with a Single Intern

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Configuring CSS Remote Access Methods

CISCO IOS NETWORK SECURITY (IINS)

Implementing Secure Shell

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

CCNA Security. Chapter Two Securing Network Devices Cisco Learning Institute.

Table of Contents. Cisco Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Network Security and AAA

Configuring TACACS+, RADIUS, and Kerberos on Cisco Catalyst Switches

Configuring Access Service Security

How To Monitor Cisco Secure Pix Firewall Using Ipsec And Snmp Through A Pix Tunnel

BRI to PRI Connection Using Data Over Voice

Encrypted Preshared Key

P and FTP Proxy caching Using a Cisco Cache Engine 550 an

8 steps to protect your Cisco router

Scenario: Remote-Access VPN Configuration

Firewall Authentication Proxy for FTP and Telnet Sessions

Lab a Configure Remote Access Using Cisco Easy VPN

Encrypted Preshared Key

Table of Contents. Cisco Configuring IPSec Cisco Secure VPN Client to Central Router Controlling Access

Cisco QuickVPN Installation Tips for Windows Operating Systems

Cisco Certified Security Professional (CCSP)

Using LiveAction with Cisco Secure ACS (TACACS+ Server)

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

Configuring SSH and Telnet

athenahealth Interface Connectivity SSH Implementation Guide

Phone: Fax: Box: 230

OBM (Out of Band Management) Overview

Viking VPN Guide Linux/UNIX

7750 SR OS System Management Guide

Table of Contents. Configuring IP Access Lists

Campus VPN. Version 1.0 September 22, 2008

Transition Networks White Paper. Network Security. Why Authentication Matters YOUR NETWORK. OUR CONNECTION.

Brazosport College VPN Connection Installation and Setup Instructions. Draft 2 March 24, 2005

Tera Term Telnet. Introduction

Configuring RADIUS Authentication for Device Administration

ASA 8.x: VPN Access with the AnyConnect VPN Client Using Self Signed Certificate Configuration Example

Configuring RADIUS Dial Up with Livingston Server Authentication

HTTP 1.1 Web Server and Client

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Borderware Firewall Server Version 7.1. VPN Authentication Configuration Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

SSL SSL VPN

VPN Lesson 2: VPN Implementation. Summary

Scenario: IPsec Remote-Access VPN Configuration

Computer Networks. Secure Systems

Executive Summary and Purpose

RemotelyAnywhere. Security Considerations

General Network Security

Network Management Card Security Implementation

Lab 8.3.3b Configuring a Remote Router Using SSH

Case Study for Layer 3 Authentication and Encryption

Lab Developing ACLs to Implement Firewall Rule Sets

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client

iguring an IPSec Tunnel Cisco Secure PIX Firewall to Checkp

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook

Table of Contents. Cisco Cisco VPN Client FAQ

Secure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt,

TABLE OF CONTENTS NETWORK SECURITY 2...1

Chapter 5 Virtual Private Networking Using IPsec

Understanding the Cisco VPN Client

Configuring Timeout, Retransmission, and Key Values Per RADIUS Server

NAT TCP SIP ALG Support

Lab Configure Remote Access Using Cisco Easy VPN

For the protocol access paths listed in the following table, the Sentry firmware actively listens on server ports to provide security for the CDU.

Objectives. Background. Required Resources. CCNA Security

Supported Platforms. Supported Standards, MIBs, and RFCs. Prerequisites. Related Features and Technologies. Related Documents. Improved Server Access

Network Security 2. Module 6 Configure Remote Access VPN

Firewalls, Tunnels, and Network Intrusion Detection

Module 6 Configure Remote Access VPN

L2F Case Study Overview

This topic discusses Cisco Easy VPN, its two components, and its modes of operation. Cisco VPN Client > 3.x

ISE TACACS+ Configuration Guide for Cisco NX-OS Based Network Devices. Secure Access How-to User Series

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

Catapult PCI Compliance

Cisco Secure PIX Firewall with Two Routers Configuration Example

Enabling Remote Access to the ACE

RADIUS Authentication and Accounting

ASA 8.X: Routing SSL VPN Traffic through Tunneled Default Gateway Configuration Example

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Using Two-Factor Authentication Configuration to Combat Cybersecurity Threats

CTS2134 Introduction to Networking. Module Network Security

Compliance and Industry Regulations

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example

External authentication with Fortinet Fortigate UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

Table of Contents. Cisco Blocking Peer to Peer File Sharing Programs with the PIX Firewall

VPN L2TP Application. Installation Guide

TELE 301 Network Management. Lecture 16: Remote Terminal Services

Cisco CCNP Implementing Secure Converged Wide Area Networks (ISCW)

Web Authentication Application Note

Configuring the Firewall Management Interface

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

Securing Cisco Network Devices (SND)

Transcription:

Cisco Configuring Secure Shell (SSH) on Cisco IOS Router

Table of Contents Configuring Secure Shell (SSH) on Cisco IOS Routers...1 Contents...1 Introduction...1 Hardware and Software Versions...1 SSHv1 vs. SSHv2...2 Network Diagram...2 Testing Authentication...3 Testing Authentication Without SSH...3 Testing Authentication With SSH...3 Optional Configuration Settings...4 Preventing Non SSH Connections...4 Setting Up an IOS Router as SSH Client...4 Adding SSH Terminal Line Access...4 debug and show Commands...5 Sample Debug Output...5 Router Debug...5 Server Debug...6 What Can Go Wrong...6 SSH from an SSH client not compiled with Data Encryption Standard (DES)...6 Bad Password...7 SSH client sends unsupported (blowfish) cipher...7 Tools Information...8 Related Information...8 i

Configuring Secure Shell (SSH) on Cisco IOS Routers Contents Introduction Hardware and Software Versions SSHv1 vs. SSHv2 Network Diagram Testing Authentication Testing Authentication Without SSH Testing Authentication With SSH Optional Configuration Settings Preventing Non SSH Connections Setting Up an IOS Router as an SSH Client Adding SSH Terminal Line Access debug and show Commands Sample Debug Output What Can Go Wrong Tools Information Related Information Introduction This document discusses configuring and debugging Secure Shell (SSH) on a Cisco router running a version of Cisco IOS Software that supports SSH. See below for more information on specific versions and software images. Hardware and Software Versions The information in this document is based on the software version below. Cisco IOS 3600 Software (C3640 IK9S M), Version 12.2(2)T1 SSH was introduced into IOS platforms/images as shown below. SSH Version 1.0 (SSHv1) server was introduced in some IOS platforms/images starting in 12.0.5.S. SSH client was introduced in some IOS platforms/images starting in 12.1.3.T. SSH terminal line access (also known as reverse telnet) was introduced in some IOS platforms/images starting in 12.2.2.T. For a complete list of feature sets supported in different Cisco IOS versions and on different platforms, refer

to the Feature Navigator tool described in the Tools Information section. SSHv1 vs. SSHv2 At this time, IOS only supports SSHv1; Cisco has no plans to implement SSHv2. There are several reasons for this, as explained below. Primarily, Cisco wishes to keep its engineering talent working on core features within devices rather than developing and maintaining other features that provide infrastructure security through encryption. Cisco implemented SSH in Cisco IOS when IP Security (IPSec) was being developed through the Internet Engineering Task Force (IETF). IPSec is a core feature, while the implementation of SSH in IOS was more of a tactical move to provide a secure method of accessing routers during the IPSec development process. Cisco dedicates staff to maintaining the SSH feature for fixes, but requests for enhancements will be given low priority. Cisco is committed to deploying IPSec for securing all traffic, including management traffic to and from Cisco network devices. If vulnerabilities are found in the protocol or implementation of SSHv1, their review will be given top priority, as will all potential security vulnerabilities. Note that Cisco IOS code is not the same as the code found in UNIX, Windows, or any other devices. As such, a coding problem in one of those implementations most likely will not be found in Cisco IOS. Additionally, not all SSHv1 features can be found in the Cisco implementations. Notably, SSH in Cisco IOS does not provide "session forwarding", nor does it provide tunnelling of X11. Defects in these parts of the common code will not be a problem in Cisco IOS. If a review of any claimed protocol defects shows that SSHv1 protocol in Cisco IOS is fundamentally broken, then Cisco will determine if it is appropriate to migrate to SSHv2 at that time. Network Diagram

Testing Authentication Testing Authentication Without SSH We will test authentication without SSH first to make sure that authentication works with the router Carter prior to adding SSH. Authentication can be with a local username/password or with an authentication, authorization, and accounting (AAA) server running TACACS+ or RADIUS. (Authentication via the line password is not possible with SSH.) The example below shows local authentication, which lets us Telnet into the router with username "cisco" and password "cisco".! aaa new model causes the local username/password on the router! to be used in the absence of other aaa statements. aaa new model username cisco password 0 cisco line vty 0 4! Instead of aaa new model, the login local command may be used. Testing Authentication With SSH To test authentication with SSH, we add to the previous statements, enabling SSH on Carter and testing SSH from the PC and UNIX stations. ip domain name rtp.cisco.com cry key generate rsa ip ssh time out 60

ip ssh authentication retries 2 At this point, the show cry key mypubkey rsa command should show the generated key. After adding the SSH configuration, we test accessing the router from the PC and Unix station; if this does not work, refer to the debug section. Optional Configuration Settings Preventing Non SSH Connections If we want to prevent non SSH connections, we add transport input ssh under the lines to limit the router to SSH connections only. Straight (non SSH) Telnets will be refused. line vty 0 4! Prevent non SSH telnets. transport input ssh We test to be sure non SSH users cannot Telnet to the router Carter. Setting Up an IOS Router as SSH Client If we want to have one router act as an SSH client to the other, we can add SSH to a second router, Reed. The routers will then be in a client server arrangement, with Carter acting as the server and Reed acting as the client. The IOS SSH client configuration on Reed is the same as required for the SSH server configuration on Carter.! aaa new model causes the local username/password on the router! to be used in the absence of other aaa statements. aaa new model username cisco password 0 cisco ip domain name rtp.cisco.com cry key generate rsa ip ssh time out 60 ip ssh authentication retries 2 line vty 0 4! Instead of aaa new model, the login local command may be used. To test this, issue the following command to SSH from the IOS SSH client (Reed) to the IOS SSH server (Carter): ssh l cisco c 3des 10.13.1.99 Adding SSH Terminal Line Access If we need outbound SSH terminal line authentication, we can configure and test SSH for outbound reverse Telnets through Carter, which is acting as a comm server to Philly. ip ssh port 2001 rotary 1 line 1 16

no exec rotary 1 transport input ssh exec timeout 0 0 modem In Out Stopbits 1 If Philly is attached to Carter's port 2, we would SSH to Philly through Carter from Reed with the following command: ssh c 3des p 2002 10.13.1.99 From Solaris, we would use the following command: ssh c 3des p 2002 x v 10.13.1.99 debug and show Commands Before issuing the debug commands described and illustrated below, please see Important Information on Debug Commands. debug ip ssh Displays debug messages for SSH. show ssh Displays the status of SSH server connections. carter#show ssh Connection Version Encryption State Username 0 1.5 DES Session started cisco show ip ssh Displays the version and configuration data for SSH. carter#sho ip ssh SSH Enabled version 1.5 Authentication timeout: 60 secs; Authentication retries: 2 Sample Debug Output Note that some of this "good" debug output has been wrapped to multiple lines because of spacing considerations. Router Debug 00:23:20: SSH0: starting SSH control process 00:23:20: SSH0: sent protocol version id SSH 1.5 Cisco 1.25 00:23:20: SSH0: protocol version id is SSH 1.5 1.2.26 00:23:20: SSH0: SSH_SMSG_PUBLIC_KEY msg 00:23:21: SSH0: SSH_CMSG_SESSION_KEY msg length 112, type 0x03 00:23:21: SSH: RSA decrypt started 00:23:21: SSH: RSA decrypt finished 00:23:21: SSH: RSA decrypt started 00:23:21: SSH: RSA decrypt finished

00:23:21: SSH0: sending encryption confirmation 00:23:21: SSH0: keys exchanged and encryption on 00:23:21: SSH0: SSH_CMSG_USER message received 00:23:21: SSH0: authentication request for userid cisco 00:23:21: SSH0: SSH_SMSG_FAILURE message sent 00:23:23: SSH0: SSH_CMSG_AUTH_PASSWORD message received 00:23:23: SSH0: authentication successful for cisco 00:23:23: SSH0: requesting TTY 00:23:23: SSH0: setting TTY requested: length 24, width 80; set: length 24, width 80 00:23:23: SSH0: invalid request 0x22 00:23:23: SSH0: SSH_CMSG_EXEC_SHELL message received 00:23:23: SSH0: starting shell for vty Server Debug Note: This output was captured on a Solaris machine. rtp evergreen.rtp.cisco.com# ssh c 3des l cisco v 10.31.1.99 rtp evergreen# /opt/cisssh/bin/ssh c 3des l cisco v 10.13.1.99 SSH Version 1.2.26 [sparc sun solaris2.5.1], protocol version 1.5. Compiled with RSAREF. rtp evergreen: Reading configuration data /opt/cisssh/etc/ssh_config rtp evergreen: ssh_connect: getuid 0 geteuid 0 anon 0 rtp evergreen: Allocated local port 1023. rtp evergreen: Connecting to 10.13.1.99 port 22. rtp evergreen: Connection established. rtp evergreen: Remote protocol version 1.5, remote software version Cisco 1.25 rtp evergreen: Waiting for server public key. rtp evergreen: Received server public key (768 bits) and host key (512 bits). rtp evergreen: Host '10.13.1.99' is known and matches the host key. rtp evergreen: Initializing random; seed file //.ssh/random_seed rtp evergreen: Encryption type: 3des rtp evergreen: Sent encrypted session key. rtp evergreen: Installing crc compensation attack detector. rtp evergreen: Received encrypted confirmation. rtp evergreen: Doing password authentication. cisco@10.13.1.99's password: rtp evergreen: Requesting pty. rtp evergreen: Failed to get local xauth data. rtp evergreen: Requesting X11 forwarding with authentication spoofing. Warning: Remote host denied X11 forwarding, perhaps xauth program could not be run on the server side. rtp evergreen: Requesting shell. rtp evergreen: Entering interactive session. What Can Go Wrong Below is sample debug output from several incorrect configurations. SSH from an SSH client not compiled with Data Encryption Standard (DES) Solaris Debug rtp evergreen# /opt/cisssh/bin/ssh c des l cisco v 10.13.1.99

SSH Version 1.2.26 [sparc sun solaris2.5.1], protocol version 1.5. Compiled with RSAREF. rtp evergreen: Reading configuration data /opt/cisssh/etc/ssh_config rtp evergreen: ssh_connect: getuid 0 geteuid 0 anon 0 rtp evergreen: Allocated local port 1023. rtp evergreen: Connecting to 10.13.1.99 port 22. rtp evergreen: Connection established. rtp evergreen: Remote protocol version 1.5, remote software version Cisco 1.25 rtp evergreen: Waiting for server public key. rtp evergreen: Received server public key (768 bits) and host key (512 bits). rtp evergreen: Host '10.13.1.99' is known and matches the host key. rtp evergreen: Initializing random; seed file //.ssh/random_seed rtp evergreen: Encryption type: des rtp evergreen: Sent encrypted session key. cipher_set_key: unknown cipher: 2 Router Debug 00:24:41: SSH0: Session terminated normally 00:24:55: SSH0: starting SSH control process 00:24:55: SSH0: sent protocol version id SSH 1.5 Cisco 1.25 00:24:55: SSH0: protocol version id is SSH 1.5 1.2.26 00:24:55: SSH0: SSH_SMSG_PUBLIC_KEY msg 00:24:55: SSH0: SSH_CMSG_SESSION_KEY msg length 112, type 0x03 00:24:55: SSH: RSA decrypt started 00:24:56: SSH: RSA decrypt finished 00:24:56: SSH: RSA decrypt started 00:24:56: SSH: RSA decrypt finished 00:24:56: SSH0: sending encryption confirmation 00:24:56: SSH0: Session disconnected error 0x07 Bad Password Router Debug 00:26:51: SSH0: starting SSH control process 00:26:51: SSH0: sent protocol version id SSH 1.5 Cisco 1.25 00:26:52: SSH0: protocol version id is SSH 1.5 1.2.26 00:26:52: SSH0: SSH_SMSG_PUBLIC_KEY msg 00:26:52: SSH0: SSH_CMSG_SESSION_KEY msg length 112, type 0x03 00:26:52: SSH: RSA decrypt started 00:26:52: SSH: RSA decrypt finished 00:26:52: SSH: RSA decrypt started 00:26:52: SSH: RSA decrypt finished 00:26:52: SSH0: sending encryption confirmation 00:26:52: SSH0: keys exchanged and encryption on 00:26:52: SSH0: SSH_CMSG_USER message received 00:26:52: SSH0: authentication request for userid cisco 00:26:52: SSH0: SSH_SMSG_FAILURE message sent 00:26:54: SSH0: SSH_CMSG_AUTH_PASSWORD message received 00:26:54: SSH0: password authentication failed for cisco 00:26:54: SSH0: SSH_SMSG_FAILURE message sent 00:26:54: SSH0: authentication failed for cisco (code=7) 00:26:54: SSH0: Session disconnected error 0x07 SSH client sends unsupported (blowfish) cipher Router Debug

00:39:26: SSH0: starting SSH control process 00:39:26: SSH0: sent protocol version id SSH 1.5 Cisco 1.25 00:39:26: SSH0: protocol version id is SSH 1.5 W1.0 00:39:26: SSH0: SSH_SMSG_PUBLIC_KEY msg 00:39:26: SSH0: SSH_CMSG_SESSION_KEY msg length 112, type 0x03 00:39:26: SSH0: Session disconnected error 0x20 Tools Information To use the tool provided below, you must be a registered user and you must be logged in. Related Information More SSH Technical Tips SSH Product Support Page More Security Technical Tips All contents are Copyright 1992 2001 Cisco Systems Inc. All rights reserved. Important Notices and Privacy Statement.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information