15.3 Secure shell access
Secure Shell (SSH) is a protocol, similar to Telnet, for remote access to computers and other devices. Unlike Telnet, SSH is secure because all traffic is encrypted, and it is essential to use it for remote access over the internet. SSH uses the same type of encryption as secure websites.
Watch the video below, which is about 3 minutes long. You will see how to generate SSH keys and to configure the router only to accept connections from particular users.
Activity 5 Try it out
Open in a new tab or window so you can read these instructions.
In this activity you will configure the router in the network to only accept SSH connections from the PC.
Open the router console and enter global configuration mode using the password ‘opennetlab’.
Set the hostname and domain name as ‘ONLRouter1’ and ‘example.com’.
Generate the SSH keys with a size of 2048.
Create a username, either ‘jason’ or your own name, with a secret password such as ‘onlssh’.
Make sure that SSH is used rather than Telnet for connections.
Now open the PC command line and start an SSH session to the router, giving the appropriate password.
Confirm that you are connected to the router.
Finish the SSH session by entering exit.
Confirm that you can no longer connect to the router using Telnet.
Some configuration is required before SSH can be used. A set of keys must be generated on the router, and this will use information such as the router name and a domain name to generate unique keys.
Open the router console window and enter global configuration mode. Set the hostname with the command hostname ONLRouter1 and the domain name with command ip domain-name example.com. (You would replace these by appropriate names in a real installation.)
Use the command crypto key generate rsa, giving an appropriate key size such as 2048, to create the keys.
To create a user account with a secret password, enter a command such as username jason secret onlssh.
To ensure that only SSH is accepted for connection, the vty lines must be configured with a sequence of commands. First, use line vty 0 15 to enter line configuration mode. Then login local will require a username and password that are checked against the local user accounts, and transport input ssh will mean that only SSH connections are accepted (Telnet is refused).
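As an added example (not part of the course material or the router simulator), the following Python script audits an IOS-style running configuration for the settings the steps above put in place: a non-default hostname and a domain name (needed before the RSA keys can be generated), a local user with a secret, and every vty block carrying login local and transport input ssh. Both sample configurations are constructed; the hashed secret in the hardened one is a placeholder, not a real hash.

```python
# Constructed sample: the router's configuration after the steps above
# (non-default hostname, domain name, local user, vty lines SSH-only).
HARDENED_CONFIG = """\
hostname ONLRouter1
ip domain-name example.com
username jason secret 5 $1$constructed$placeholder-hash-not-real
line vty 0 15
 login local
 transport input ssh
"""

# Constructed sample: a router that still accepts Telnet with a shared line password.
WEAK_CONFIG = """\
hostname Router
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

def parse_sections(config):
    """Split IOS-style text into (top-level command, [indented sub-commands])."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and comment banners
        if raw[0] in " \t" and sections:
            sections[-1][1].append(raw.strip())  # belongs to the previous block
        else:
            sections.append((raw.strip(), []))
    return sections

def audit_remote_access(config):
    """Return findings; an empty list means SSH-only, user-authenticated access."""
    sections = parse_sections(config)
    top = [cmd for cmd, _ in sections]
    findings = []
    if not any(c.startswith("hostname ") and c != "hostname Router" for c in top):
        findings.append("hostname left at default; set one before generating keys")
    if not any(c.startswith("ip domain-name ") for c in top):
        findings.append("no ip domain-name; crypto key generate rsa needs one")
    if not any(c.startswith("username ") and " secret " in c for c in top):
        findings.append("no local user with a secret; login local cannot work")
    vty_blocks = [(c, sub) for c, sub in sections if c.startswith("line vty")]
    for cmd, sub in vty_blocks:
        if "transport input ssh" not in sub:
            findings.append(f"{cmd}: transport input not restricted to ssh")
        if "login local" not in sub:
            findings.append(f"{cmd}: login local missing (line password or no check)")
    return findings
```

Running audit_remote_access on a copy of show running-config taken after the activity should return an empty list; each finding on the weak sample names the vty block or global setting that still needs the step from the text.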
This completes the setup for the router. To test the connection, you will need to turn to the command line on the PC.
To open an SSH session, you should enter the command ssh -l jason 192.168.0.1, giving the password ‘onlvty’ which you previously set on the router. You will see the message of the day and the prompt will change to ‘Router>’ showing that you are now giving commands to the router.
You can now work with the router’s command line, for example entering global configuration mode (you will need the password ‘opennetlab’) and showing the running configuration.
You should exit from the SSH session using exit and confirm that you are back on the PC command line.