Cisco Router as SSH Server

For security reasons, connect only over SSH.
Telnet is insecure by default (passwords travel in clear text).
Make sure you have a hostname and a domain name configured (both are needed before the RSA key pair can be generated):
	hostname evil-router
	ip domain-name evil.net
Now create the key pair (RSA in this example):
	crypto key gen rsa

	How many bits in the modulus [512]: 1024
	% Generating 1024 bit RSA keys ...[OK] 
Next you need a simple authentication and authorization setup; for this example a local user and AAA login against the local user database:
	username chw secret 5 $1$9e4A$QIP5UAWxtz1vVh6L7Dx1I1
	aaa new-model
	aaa authentication login USERS_LOCAL local
Set the SSH negotiation-phase timeout (in seconds):
	ip ssh time-out 120
This makes the Cisco router or switch wait 120 seconds for the client during the SSH negotiation phase before timing it out.
 
Set the maximum number of authentication attempts:
	ip ssh authentication-retries 3
This sets the maximum number of authentication retries to 3 before the vty line is reset.
 
To change the default SSH port (22):
	ip ssh port 4567
This sets the port the SSH server listens on to 4567 (sometimes a reload is required).
 
Log on and off the Cisco IOS router or switch over SSH to make sure it works, then disable Telnet access by making SSH the only permitted transport on the vty lines:
	line vty 0 4
	transport input ssh
This makes SSH the only way to connect to the Cisco router or switch remotely.

Show SSH server status
Show commands for SSH:
	sh ip ssh
	SSH Enabled - version 1.99
	Authentication timeout: 120 secs; Authentication retries: 3
	Minimum expected Diffie Hellman key size : 1024 bits
	show ssh
	Connection Version Mode Encryption  Hmac         State                 Username
	0          2.0     IN   aes128-cbc  hmac-md5     Session started       haxor
	0          2.0     OUT  aes128-cbc  hmac-md5     Session started       haxor
	%No SSHv1 server connections running.

SSH RSA authentication
Since IOS version 15.0 you can import RSA SSH public keys.
Importing your public RSA key into the Cisco device makes login easier (public-key authentication instead of typing the password).
c871#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
c871(config)#ip ssh pubkey-chain
c871(conf-ssh-pubkey)#username ciscoworker
c871(conf-ssh-pubkey-user)#key string
% Incomplete command.

c871(conf-ssh-pubkey-user)#key-string
c871(conf-ssh-pubkey-data)#$On9sp93F6bA0wSw7K03QzuOoUbrvLDbcNqZpTi/pbSQES7fWX1atSH8g4tmu5JhPtvlBAwQyA1+UY6iQVLcILE= ciscoworker@mydomain.org
c871(conf-ssh-pubkey-data)#exit
c871(conf-ssh-pubkey-user)#exit
c871(conf-ssh-pubkey)#exit
c871(config)#exit
Show command output (running-config excerpt):
ip ssh version 2
ip ssh pubkey-chain
 username ciscoworker
  key-hash ssh-rsa 642AB4C1DB720CF8BFEB34BA821132EE ciscoworker@mydomain.org
 transport input telnet ssh
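As an added example (not part of the original page), a small Python audit that reads a running-config excerpt and checks the settings configured above: ip ssh version 2, the negotiation timeout, the authentication retry limit, and that every vty line accepts ssh only. The sample config is constructed and, like the show output above, still allows telnet on the vty lines so that the audit has something to report.

```python
import re

# Constructed sample running-config excerpt (not taken from the page's device).
# It mirrors the settings this page configures but still lets telnet in on the vty lines.
SAMPLE_CONFIG = """\
hostname evil-router
ip domain-name evil.net
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh version 2
line vty 0 4
 transport input telnet ssh
"""


def audit_ssh_config(config: str) -> list:
    """Return findings (strings) for the SSH settings this page configures."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines()]
    text = "\n".join(lines)
    # Global SSH settings: protocol version, negotiation timeout, retry limit.
    if not re.search(r"^ip ssh version 2$", text, re.M):
        findings.append("ip ssh version 2 not set: SSHv1 can still be negotiated")
    m = re.search(r"^ip ssh time-out (\d+)$", text, re.M)
    if m is None or int(m.group(1)) > 120:
        findings.append("ip ssh time-out missing or above 120 seconds")
    m = re.search(r"^ip ssh authentication-retries (\d+)$", text, re.M)
    if m is None or int(m.group(1)) > 3:
        findings.append("ip ssh authentication-retries missing or above 3")
    # Group the indented children of each 'line vty ...' block.
    blocks, current = {}, None
    for ln in lines:
        if ln.startswith("line vty"):
            current = ln
            blocks[current] = []
        elif current is not None and ln.startswith(" "):
            blocks[current].append(ln.strip())
        else:
            current = None
    # Only an exact 'transport input ssh' restricts that line range to SSH.
    for name, children in blocks.items():
        inputs = [c.split()[2:] for c in children if c.startswith("transport input ")]
        if not inputs or inputs[-1] != ["ssh"]:
            findings.append(f"{name}: transport input is not restricted to ssh")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```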

Disable the SSH server
Delete the RSA key pair and the SSH service stops running:
	crypto key zeroize rsa

(c) 2009 by packetlevel.ch / last update: 20.06.2010