
Configuring SSH

Objectives
View the default internetwork configuration.
Enable SSH.
Interconnect using SSH.

Background/Scenario
Traditionally, remote administrative access on routers was configured using Telnet on TCP port 23. However, Telnet was developed in the days when security was not an issue. For this reason, all Telnet traffic is forwarded in plain text. SSH has replaced Telnet as the best practice for providing remote router administration with connections that support strong privacy and session integrity. SSH uses port TCP 22. It provides functionality that is similar to that of an outbound Telnet connection, except that the connection is encrypted. With authentication and encryption, SSH allows for secure communications over an insecure network. In this configuration, four routers are interconnected in a hub-and-spoke Frame Relay configuration. Router R1 is the hub, and routers R2, R3, and R4 are the spokes. Dynamic routing has been configured using multiarea OSPF.

Task 1: View the Default Configuration


Step 1. Verify the Frame Relay configuration on the routers.
a. On all four routers, enter user EXEC mode with the password cisco.
b. Enter privileged EXEC mode with the password cisco.
c. From privileged EXEC mode on all four routers, issue the show frame-relay map command to verify Frame Relay connectivity.

Step 2. Verify the routing tables.
From privileged EXEC mode on all four routers, issue the show ip route command to verify that all network segments are being advertised.

Step 3. Verify connectivity between routers.
a. From R1, ping all LAN interfaces to verify connectivity.
b. Again from router R1, Telnet to R2 using its LAN interface IP address. Exit and repeat the step for routers R3 and R4. Ping other PCs on the same network.

Task 2: Configure SSH on the Hub Router (R1)


Step 1. Enable and configure SSH on R1.
To enable SSH on the router, the following parameters must be configured:
- Hostname
- Domain name
- Asymmetrical keys
- Local authentication
a. The hostname on R1 is pre-configured. Therefore configure the domain name cisco.com using the ip domain-name domain-name command.
b. The asymmetrical RSA keys must be generated on R1 using the crypto key generate rsa command. When prompted for a modulus size, specify a modulus of 1024 bits.
c. SSH will prompt for a username and password combination when enabled. Therefore, a local username database entry must be configured using the username name password password command. Create a local account for the user admin and password cisco.
d. Configure the SSH version using the ip ssh version command. In this lab, we will be configuring to use version 2.
e. Next, we need to disable Telnet and enable SSH communication to the VTY lines. To do so, enter the following commands on R1.
R1(config)# line vty 0 4
R1(config-line)# no transport input all
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# end
f. Save the configuration.

Step 2. Check results.
Your completion percentage should be 25%. If not, click Check Results to see which required components are not yet completed.
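The Task 2 settings can also be checked offline against a saved running-config. The script below is an added example, not part of the original lab; the function name audit_ssh, the check names and both sample configurations are constructed for illustration.

```python
import re

# Constructed sample: the Task 2 settings as they appear in a saved running-config.
SAMPLE_GOOD = """\
hostname R1
ip domain-name cisco.com
username admin password 0 cisco
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
"""

# Constructed sample: no domain name or SSH version, Telnet still allowed on the VTYs.
SAMPLE_BAD = """\
hostname R1
username admin password 0 cisco
line vty 0 4
 password cisco
 login
 transport input all
"""

# Task 2 global commands that are visible in the config (RSA keys are not stored there).
REQUIRED = [
    ("hostname", r"^hostname \S+"),
    ("domain name", r"^ip domain[- ]name \S+"),
    ("local user", r"^username \S+ (password|secret) "),
    ("SSH version 2", r"^ip ssh version 2\s*$"),
]
# A 'line vty' header followed by its indented sub-commands.
VTY_SECTION = re.compile(r"^(line vty[^\n]*)\n?((?: [^\n]*\n?)*)", re.M)

def audit_ssh(config):
    """Return a list of findings; an empty list means every Task 2 item is present."""
    findings = [f"missing {name}" for name, pattern in REQUIRED
                if not re.search(pattern, config, re.M)]
    sections = VTY_SECTION.findall(config)
    if not sections:
        findings.append("no line vty section found")
    for header, body in sections:
        cmds = [c.strip() for c in body.splitlines()]
        transport = [c for c in cmds if c.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append(f"{header}: transport input is not ssh-only")
        if "login local" not in cmds:
            findings.append(f"{header}: login local not set")
    return findings
```

Pass the text of each router's saved configuration to audit_ssh; any VTY section that still accepts Telnet or lacks login local is reported by its header line.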

Task 3: Configure SSH on the Spoke Routers R2, R3 and R4
Step 1. Configure SSH on routers R2, R3, and R4.
Repeat the Steps from Task 2 on routers R2, R3 and R4.

Step 2. Check results.
Your completion percentage should be 100%. If not, click Check Results to see which required components are not yet completed.

Task 4: Verify SSH


Step 1. Verify the SSH configuration.
After configuring SSH on all routers, verify the SSH configuration on R1.
a. Issue the show ip ssh command to verify which version of SSH is configured, and what the default settings are.
R1# sho ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
b. Next, issue the show ip ssh command to verify if SSH is currently running.
R1#show ssh
%No SSHv2 server connections running.
%No SSHv1 server connections running.

Step 2. Connect to R2.ext.


a. Now Telnet to router R2.ext, to issue the show ip ssh command to verify if SSH is currently running.
R1# telnet 10.20.20.1
Trying 10.20.20.1 ...
[Connection to 10.20.20.1 closed by foreign host]
Recall that Telnet was deactivated using the no transport input all command. Only SSH can be used to establish a remote connection.
b. Using R1 as the SSH client, SSH to router R2 using the ssh -l username ip-address command.

R1#ssh -l admin 10.20.20.1
Password:
c. When prompted for a password, enter cisco. You should now be connected to router R2.
