How to Enable SSH on a Cisco Catalyst Switch or Router
In this tutorial, we’ll cover the steps to enable SSH access on a Cisco switch or router running IOS, IOS-XE, or IOS-XR. Secure Shell (SSH) is an encrypted protocol that allows secure remote login and other network services over an unsecured network. SSH provides stronger encryption than Telnet and allows secure system administration and file transfers over a network.
Enabling SSH is simple and only takes a few configuration commands on the Cisco device. The benefits of SSH include strong encryption of transmitted data, secure remote access, and the ability to tunnel or port forward other protocols through an SSH connection.
For our scenario we will configure SSH on a Catalyst 9k series running IOS-XE 17.03.05.
These steps will be applicable for Cisco Switches and Routers running IOS, IOS-XE, and IOS-XR.
Configuring SSH on a Catalyst 9k switch step-by-step
Prerequisites
For this scenario we assume the following is already in place:
- Your computer has connectivity to the switch via Telnet or Console
- You have a terminal program or connection manager
- Your switch is running an image that supports IPsec (Data Encryption Standard [DES] or 3DES) encryption. In this example the switch is running IOS-XE 17.03.05
Topology
- The topology and IP addressing below are used for this scenario.
- In this scenario the PC and switch are on the same network, but this is not mandatory; different networks can be used as long as routing and access rules are in place.
Step 1: Connect to the Switch
First, you need to connect to the switch console. You can do this using a console cable or via telnet with a terminal program such as PuTTY.
Step 2: Enter enable mode
Once you’re connected to the switch console CLI, you’ll likely be in user EXEC mode. Enter the following command to move into privileged EXEC mode (you may need to enter a password if one has already been set):
Switch>enable
Switch#
Step 3: Enter global configuration mode
Now that you’re in privileged EXEC mode, enter the following command to move into global configuration mode:
Switch# configure terminal
Switch(config)#
Step 4: Set the host name and domain name
SSH requires a host name and domain name to generate and name the RSA key pair used for encryption. Use the following commands to set these:
Switch(config)# hostname Switch9k
Switch9k(config)#
Switch9k(config)# ip domain name npg.com
Step 5: Generate the RSA key that is required for the encryption process
The RSA key length can be chosen from the range 512 to 4096 bits. The longer the key, the longer it takes to generate, but the more secure it is.
According to the National Institute of Standards and Technology (NIST), the minimum key length to use is 2048 bits. This is the length we will use in our scenario.
Switch9K(config)# crypto key generate rsa
Choose the size of the key modulus in the range of 512 to 4096 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [1024]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)
Check the key length
Switch9k(config)# do show ip ssh | i size
Minimum expected Diffie Hellman key size : 2048 bits
Step 6: Enable SSH
With the RSA key pair generated, you can now enable SSH. Most Cisco switch software images will still allow SSH version 1 by default. If you run the "show ip ssh" command and it reports version 1.99, SSHv1 is still allowed.
Switch9k(config)# do show ip ssh | i SSH
SSH Enabled - version 1.99
We want to change this to allow only SSH version 2, as it is more secure.
Switch9k(config)# ip ssh version 2
Step 7: Verify that the SSH server is enabled and display the version and configuration data
Switch9k(config)# do show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-1692485518
Modulus Size : 2048 bits
ssh-rsa ****************
Step 8: Configure user credentials
SSH requires user credentials for authentication. Use the following commands to create a user account with a secure password:
Switch9k(config)# service password-encryption
Switch9k(config)# username rsanchez privilege 15 secret $up3r$ecr3tP@$$
Step 9: Enable local login and SSH on the VTY lines
We need to allow authentication using the local credentials we set above (or that you already have set) and limit connections to the switch to SSH, thereby disabling Telnet, which is less secure. To do this we configure the VTY lines as follows:
Switch9k(config)# line vty 0 15
Switch9k(config-line)# login local
Switch9k(config-line)# transport input ssh
Switch9k(config-line)# exit
Switch9k(config)#
Step 10: Test the connection
After these configuration steps you should be able to connect to the switch using the same IP and terminal program, but this time using TCP port 22 and choosing SSH as the protocol. We will use PuTTY for this example.
The first time we connect we will get a security alert about the RSA key fingerprint. This is normal and expected. Click yes to proceed.
Now you just need to enter the username and password you set and you should be dropped to the command line of your switch.
Basic SSH hardening configurations (optional but recommended)
Using the above configurations, we are now able to connect and configure the switch. However, the switch is now accessible via SSH from any computer that is on the same subnet or that has network connectivity to that switch’s IP.
In order to control and limit access to the switch, we can use access lists that filter the source IP addresses.
Step 1: Configure an access list (ACL)
After restricting the VTY lines to SSH, it is also recommended to filter SSH requests using access lists. We aren't going to go into too much detail here, as that really deserves its own topic. For now we'll keep it short and simple.
There are two types of ACL we can configure: standard and extended.
- Standard ACLs are used when we need to filter only on the source IP, regardless of the destination IP or service port.
- Extended ACLs are used when we need to filter on both source and destination IP. In this case we can also define which port the filter applies to.
In our scenario, to filter SSH access to the switch, we can use a standard ACL, as only the source IP needs to be limited. The configuration is as follows.
Switch9k(config)# ip access-list standard SSH-IN
Switch9k(config-std-nacl)# permit host 192.168.1.10
Switch9k(config-std-nacl)# end
Switch9k# show access-lists SSH-IN
Standard IP access list SSH-IN
    10 permit 192.168.1.10
In the example above we use the name SSH-IN to define the ACL. When naming an ACL you can use your preferred convention; if you decide to use numbering instead, only the numbers 1-99 are available for standard ACLs. I prefer naming, as it provides an opportunity to convey more information to anyone who may work on the switch later.
We are permitting IP 192.168.1.10. This could be the IP of your computer, a secure jump host, a server, etc.
There is an implicit deny rule at the end of every ACL, therefore we do not need to add one.
Step 2: Apply the ACL to the VTY lines
Once the ACL is configured, we need to apply it to the VTY lines in order to filter incoming SSH requests. The ACL will allow SSH requests only from IP 192.168.1.10 and will drop requests from all other sources.
Switch9k(config)# line vty 0 15
Switch9k(config-line)# access-class SSH-IN in
Step 3: Prevent outbound connections on the VTY lines
To prevent your switch from providing a means for someone to move laterally through your network, I recommend disabling outbound interactive connections on any protocol. We do this with the following command:
Switch9k(config)# line vty 0 15
Switch9k(config-line)# transport output none
Step 4: Set a session timeout on the VTY lines
This sets how long an SSH session can remain idle before it is automatically disconnected, preventing someone from commandeering your session should you walk away from your console. In this example we're setting it to 3 minutes and 0 seconds.
Switch9k(config)# line vty 0 15
Switch9k(config-line)# exec-timeout 3 0
Step 5: Disable weak SSH ciphers and MAC algorithms
Finally, to take it to the next level, I suggest following our guide on disabling weak SSH ciphers and MAC algorithms. This will ensure your devices pass any pen test.
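As an added example that is not part of this guide, the Python script below parses the "show ip ssh" output from Step 7 and flags the settings this guide tells you to change: a version other than 2.0, a minimum Diffie-Hellman size below 2048 bits, and SHA-1 or MD5 based MAC and KEX algorithms or CBC ciphers. The weak-algorithm lists are my own assumption of a reasonable policy, not a Cisco default, and the sample output is an abridged, constructed copy of the Step 7 output.

```python
import re

# Constructed sample: the "show ip ssh" output from Step 7, key-material lines omitted
SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
"""
# Algorithms a hardening review would remove (assumed policy, not a Cisco default)
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}

def parse_show_ip_ssh(text):
    """Extract the version, per-type algorithm lists and minimum DH size."""
    info = {"version": None, "algorithms": {}, "min_dh_bits": None}
    for line in text.splitlines():
        m = re.match(r"SSH Enabled - version (\S+)", line)
        if m:
            info["version"] = m.group(1)
        m = re.match(r"(Encryption|MAC|KEX|Hostkey) Algorithms:(.*)", line)
        if m:
            info["algorithms"][m.group(1)] = m.group(2).split(",")
        m = re.search(r"Diffie Hellman key size : (\d+) bits", line)
        if m:
            info["min_dh_bits"] = int(m.group(1))
    return info

def audit(info):
    """Return findings; an empty list means the output meets this guide's recommendations."""
    findings = []
    if info["version"] != "2.0":
        findings.append(f"version {info['version']}: SSHv1 still negotiable, set 'ip ssh version 2'")
    if info["min_dh_bits"] is None or info["min_dh_bits"] < 2048:
        findings.append("minimum Diffie-Hellman key size below 2048 bits")
    for name, weak in (("Encryption", WEAK_CIPHERS), ("MAC", WEAK_MACS), ("KEX", WEAK_KEX)):
        bad = sorted(set(info["algorithms"].get(name, [])) & weak)
        if bad:
            findings.append(f"weak {name} algorithms offered: {', '.join(bad)}")
    return findings

if __name__ == "__main__":
    print(*audit(parse_show_ip_ssh(SHOW_IP_SSH)), sep="\n")
```

Paste the output of "show ip ssh" from your own switch into SHOW_IP_SSH to audit it; the Step 7 sample yields two findings (SHA-1 MACs and SHA-1 key exchange), which is exactly what the next step addresses.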
Save your work
Once you’ve configured SSH to your liking and tested that it works, remember to save your configuration.
Switch9k(config)# end
Switch9k# copy running-config startup-config
Cisco switch SSH troubleshooting tips
Verify configuration and status of SSH
The first place to start is to check the SSH configuration, verify that it is enabled, and check the version.
Switch9k# show ip ssh
Then we want to verify the status of any existing SSH connections.
Switch9k# show ssh
Debugging SSH
If the configuration doesn’t reveal anything obvious, you can display debugging messages for SSH on the console.
Switch9k# debug ip ssh [detail|packet]
On the client attempting to authenticate, increase the verbosity. For PuTTY, enable logging by navigating to Logging and selecting the radio button next to SSH Packets before connecting. If using OpenSSH, run it with the -v flag.
If the failure is in the negotiation of ciphers, key exchange, etc., you should see it on the client.
Regenerate crypto keys
A great many issues with SSH can be resolved by simply regenerating the RSA key. Common symptoms include CLI errors and the connection closing suddenly after presenting the username and password prompt. To regenerate the key, simply run the original configuration command again.
Switch9K(config)# crypto key generate rsa