SSH archives - Network technologies and trends


Nov 17 2009   6:38AM GMT

How to disable SSH in Cisco Devices?



Posted by: Yasir Irfan

We all know the importance of SSH; it is one of the most used methods of remote access to Cisco devices, whether a Cisco router or a Cisco switch. Most of the network engineers I come across say it is complicated to either enable or disable SSH on Cisco devices.

If you simply prefix the commands used to enable SSH with “no”, it will not work. Here is the tip to disable SSH on either a Cisco router or a Cisco switch.

Commands used to enable SSH in a Cisco Device

ITKE-AS1(config)#ip domain-name itke.com
ITKE-AS1(config)#crypto key generate rsa general-keys modulus 512
The name for the keys will be: ITKE-AS1.itke.com

% The key modulus size is 512 bits
% Generating 512 bit RSA keys, keys will be non-exportable…[OK]

ITKE-AS1(config)#
ITKE-AS1(config)#aaa new-model
ITKE-AS1(config)#aaa authentication login default local
ITKE-AS1(config)#aaa authorization exec default local

Commands used to disable SSH in a Cisco Device

Notice that the command “no crypto key generate rsa” does not work; instead, the device tells you to use the “crypto key zeroize rsa” command. Amazing, isn’t it?

ITKE-AS1(config)#no crypto key generate rsa
% Use ‘crypto key zeroize rsa’ to delete signature keys.

ITKE-AS1(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
ITKE-AS1(config)#

Nov 14 2009   7:13AM GMT

How to configure Secure Copy (SCP) in Cisco Devices?



Posted by: Yasir Irfan

In my previous post I talked about what Secure Copy (SCP) is; now let’s see how to configure Secure Copy (SCP) on a Cisco router or switch.

Before configuring Secure Copy (SCP) on a Cisco router, make sure that SSH is enabled and working.

Step 1) Let’s enable the SSH and AAA features on the Cisco device

 

ITKE-AS1(config)#ip domain-name itke.com
ITKE-AS1(config)#crypto key generate rsa general-keys modulus 512
The name for the keys will be: ITKE-AS1.itke.com

% The key modulus size is 512 bits
% Generating 512 bit RSA keys, keys will be non-exportable…[OK]

ITKE-AS1(config)#
ITKE-AS1(config)#aaa new-model
ITKE-AS1(config)#aaa authentication login default local
ITKE-AS1(config)#aaa authorization exec default local

Step 2) In order to use the SCP feature to manage the configuration, we must have at least one user account with enough privilege to access it

ITKE-AS1(config)#
ITKE-AS1(config)#username itke privilege 15 secret itkeleads

 

Step 3) Now you are ready to enable the SCP server:

ITKE-AS1(config)#ip scp server enable

Just by following these 3 simple steps we can enable Secure Copy (SCP) on a Cisco router or switch. For any further clarification you can always have a close look at Cisco’s document on Secure Copy (SCP).


Nov 9 2009   6:47AM GMT

What is Secure Copy (SCP)?



Posted by: Yasir Irfan

 

We are all aware of the traditional ways of transferring IOS files to and from Cisco Catalyst switches, Cisco routers and Cisco PIX/ASA firewall devices using TFTP, FTP and, more recently, HTTPS. However, there is one more way to copy IOS files, known as Secure Copy (SCP). Secure Copy (SCP) is a secure and authenticated method of copying a configuration file or transferring image files to Cisco Catalyst switches, Cisco routers and Cisco PIX/ASA firewall devices.

 

Cisco Systems introduced the Secure Copy (SCP) feature in the following IOS releases:

Release      Modification
12.2(2)T     This feature was introduced.
12.0(21)S    This feature was integrated into Cisco IOS 12.0(21)S.
12.2(25)S    This feature was integrated into Cisco IOS 12.2(25)S.

PIX/ASA firewalls 7.1 and above and FWSM 3.1 and above also support SCP.

  

Secure Copy (SCP) runs over the SSH protocol on port 22, which acts as an encrypted tunnel. This tool is very useful for transferring files for upgrades and for performing safe backups.

 

In my next post you will find the commands to configure SCP in a Cisco Router and Switch.


Sep 12 2009   7:34AM GMT

How to capture a text using PuTTY client?



Posted by: Yasir Irfan

 

PuTTY needs no introduction, as it is one of the most widely used remote console utilities. PuTTY is an SSH and Telnet client.

In day-to-day operations we Telnet or SSH to our Cisco routers and switches; at times we need to back up the running or startup config of a Cisco router or switch, or capture the terminal session log for technical information. This can easily be done with the PuTTY client.

I will show you how to capture text using the PuTTY client.

Once you have established a remote session with a Cisco router or switch, follow these steps:

 

Step 1: Right-click on the menu bar and select “Change Settings”.

Step 2: Click “Logging” under the “Session” category.

Step 3: Then select “All session output”.

Step 4: Select the location using the “Browse” button, enter the desired file name and click “Apply”.

 

These steps will create the log file in the specified location, and it will log everything you did in that particular Telnet or SSH session.


Sep 8 2009   9:45AM GMT

Remote Telnet useful tips!



Posted by: Yasir Irfan

 

We all work remotely with Cisco routers and switches, and we often log in to make configuration changes. What if we make a wrong change on live Cisco routers and switches located at remote sites? We don’t enjoy the liberty of resetting the devices unless we have control over the power distribution.

 

In this scenario the “reload” command proves very handy and useful. Just before making any changes to the configuration we can use the “reload” command as demonstrated below:

 

ITKE-Cisco#reload in ?
  Delay before reload (mmm or hhh:mm)

ITKE-Cisco#reload in 10

System configuration has been modified. Save? [yes/no]: no
Building configuration…
[OK]
Reload scheduled in 10 minutes by yasir on vty0 (10.0.0.5)
Proceed with reload? [confirm]
ITKE-Cisco#
ITKE-Cisco#

***
*** — SHUTDOWN in 0:05:00 —
***

 

The above command will reload the device in 10 minutes. After issuing the “reload” command we can proceed with the configuration changes. If things go wrong and we lose connectivity to the device, try again after 10 minutes: the device will have reloaded with the original startup configuration, which helps us restore connectivity to the device.

 

Once we are sure the new configuration is working properly without any hassles, the “reload cancel” command is there to cancel the reload.

 

ITKE-Cisco#reload cancel

 

I find this command very handy and useful, especially when we have to Telnet or SSH to a remote Cisco router or switch.


Jun 21 2008   5:42AM GMT

What is SSH? And how can it be configured on a Cisco switch?



Posted by: Yasir Irfan

Secure Shell (SSH) - TCP Port 22

SSH stands for “Secure Shell”. SSH commonly uses port 22 to connect your computer to another computer on the Internet. It is most often used by network administrators as a remote login / remote control way to manage their business servers. Examples would be: your email administrator needs to reboot the company email server from his home, or your network administrator needs to reset your office password while she is away at a conference.

If remote access to a switch is necessary, then consider using SSH instead of telnet. SSH provides encrypted connections remotely. However, only IOS versions that include encryption support SSH. Also, to include SSH capability the switch may need to have its IOS updated.

Before using SSH on the switch, the administrator must configure the switch with the following commands: hostname, ip domain-name, and crypto key generate rsa. The following example sets the hostname to Switch.

Switch(config)# hostname Switch
Refer to the previous subsection on DNS for an example using the ip domain-name command.
The crypto key generate rsa command depends on the hostname and ip domain-name commands. This crypto command generates a Rivest, Shamir, Adleman (RSA) key pair, which includes one public RSA key and one private RSA key.
The following example shows this crypto command, including the two parameters that are prompted for: the name for the keys (e.g., switch.test.lab) and the size of the key modulus (e.g., 1024).

Switch(config)# crypto key generate rsa
The name for the keys will be: switch.test.lab
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may
take a few minutes.
How many bits in the modulus[512]? 1024
Generating RSA keys…. [OK].

To restrict SSH access to the switch, configure an extended access-list (e.g., 101) that allows only the administrators’ systems to make these connections and apply this access-list to the virtual terminal lines. Allow only SSH connections to these lines by using the transport input ssh command. Set the privilege level to 0, and set the exec-timeout period to 9 minutes and 0 seconds to disconnect idle connections to these lines. Finally, use the login local command to enable local account checking at login that will prompt for a username and a password.

The following commands show the example configuration for SSH on the virtual terminal lines.

Switch(config)# no access-list 101
Switch(config)# access-list 101 remark Permit SSH access from administrators’ systems
Switch(config)# access-list 101 permit tcp host 10.0.0.2 any eq 22 log
Switch(config)# access-list 101 permit tcp host 10.0.0.4 any eq 22 log
Switch(config)# access-list 101 deny ip any any log
Switch(config)# line vty 0 4
Switch(config-line)# access-class 101 in
Switch(config-line)# transport input ssh
Switch(config-line)# privilege level 0
Switch(config-line)# exec-timeout 9 0
Switch(config-line)# login local

The login local command cannot be used with AAA. Instead, use the login authentication command. Refer to the AAA section of this guide for more details.
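As an added example (not part of these posts), the Python script below audits a saved running-config for the points covered here: the vty lines restricted to SSH with an inbound access-class, an exec-timeout and either login local or an AAA login method, login local not combined with aaa new-model, and the SCP server only enabled together with AAA exec authorization. The sample config and the function names (audit_ssh_config, parse_vty_lines) are constructed for this example.

```python
import re

# Constructed sample running-config with two deliberate weaknesses: Telnet is still
# allowed on the vty lines, and SCP is enabled without 'aaa authorization exec'.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
ip scp server enable
access-list 101 permit tcp host 10.0.0.2 any eq 22 log
line vty 0 4
 access-class 101 in
 transport input ssh telnet
 exec-timeout 9 0
 login authentication default
"""
# The same config with both weaknesses corrected.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "transport input ssh telnet", "transport input ssh").replace(
    "aaa new-model\n", "aaa new-model\naaa authorization exec default local\n")

def parse_vty_lines(config):
    """Map each 'line vty ...' header to the indented commands beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = blocks.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit_ssh_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if "ip scp server enable" in config and not re.search(r"^aaa authorization exec ", config, re.M):
        findings.append("SCP server enabled without aaa authorization exec")
    for name, cmds in parse_vty_lines(config).items():
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound access-class")
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            findings.append(f"{name}: transport input is not ssh-only")
        if not any(c.startswith("exec-timeout") and c != "exec-timeout 0 0" for c in cmds):
            findings.append(f"{name}: no exec-timeout")
        if "login local" in cmds and re.search(r"^aaa new-model$", config, re.M):
            findings.append(f"{name}: login local cannot be used with AAA")
        elif not any(c == "login local" or c.startswith("login authentication") for c in cmds):
            findings.append(f"{name}: no login local / login authentication")
    return findings
```

Run it against the output of “show running-config” saved from a PuTTY session log; the sample config reports two findings and the hardened copy reports none.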

Free SSH Clients
List of free SSH servers and Clients

Yasir

Personal Website: www.yasirirfan.com
