15.3 Secure shell access
Secure Shell (SSH) is a protocol, similar to Telnet, for remote access to computers and other devices. Unlike Telnet, SSH is secure because all traffic is encrypted, and it is essential to use it for remote access over the internet. SSH uses the same type of encryption as secure websites.
Watch the video below, which is about 3 minutes long. You will see how to generate SSH keys and to configure the router only to accept connections from particular users.
Box: Secure shell access (transcript)
Telnet is an insecure protocol for connecting to terminals – SSH, or Secure Shell, should be used instead wherever you need to make a connection over the internet because all the data that travels over the network is encrypted. It is a bit more trouble to configure, but an essential stage in making your router properly secure.
I am going to get the router to generate some cryptographic keys that will be used to set up encrypted connections. Before I do that, I need to make sure that the router has been given a host name. To do this, we go to global configuration and use the command hostname ONLRouter1. I also need to add a domain name – this would be the domain name of whatever organisation owns the router, but I am going to use example.com. From global configuration, I will use the command ip domain-name example.com.
Now I can go ahead and create the keys that SSH will use. I will use the command crypto key generate rsa, then I will choose a key size – the bigger the number, the more complex and secure the key becomes – I will use 2048, although it will take a while to be generated by the router. The key generation uses the host and domain name, which is why I had to set that up first. The new key is unique to that router, so the bad guys can’t set up another router and pretend to be me.
I need to do several more things to make the security as tight as I can.
First I am going to set up an individual user for the router with their own password, rather than have a shared password for all users. From global configuration mode, type user then the username, so jason, followed by secret and the user’s password, onlssh.
Secondly, I’m going to set the vty line to use the new configuration, so use line vty 0 15. To make this use the username I created, I will enter login local.
Finally, to force SSH to be used, I’ll use the command transport input ssh – this will disable Telnet and force the users to use SSH.
Let’s test our configuration. I’ll try first to Telnet from the PC to the router – as you can see I get ‘denied access’ with the network error ‘connection refused’.
Now I’ll try SSH. The command for that is ssh -l followed by the username, so jason, and then followed by the IP address of the router, which is 192.168.1.1. I’m now prompted for my password, which if I remember correctly was onlssh. You can see the banner I made earlier.
If you’re using PuTTY to connect to a real router, you’ll get a key caching message like this one. If you’re sure you have the correct IP for the router then you can answer ‘Yes’ and you won’t receive this message again.
Now I’ve made my router as secure as possible. Only specified individuals can log in, they must know their password, and they must use SSH. If we look at a packet capture of the SSH session, you will see the data is encrypted and we can no longer see the passwords; SSH encryption is very strong and effectively unbreakable.
Activity 5: Try it out
Open PT Anywhere in a new tab or window so you can read these instructions. (Tip: hold Ctrl and click a link to open it in a new tab.)
In this activity you will configure the router in the network to only accept SSH connections from the PC.
Open the router console and enter global configuration mode using the password ‘opennetlab’.
Set the hostname and domain name as ‘ONLRouter1’ and ‘example.com’.
Generate the SSH keys with a size of 2048.
Create a username, either ‘jason’ or your own name, with a secret password such as ‘onlssh’.
Make sure that SSH is used rather than Telnet for connections.
Now open the PC command line and start an SSH session to the router, giving the appropriate password.
Confirm that you are connected to the router.
Finish the SSH session by entering exit.
Confirm that you can no longer connect to the router using Telnet.
Some configuration is required before SSH can be used. A set of keys must be generated on the router, and this will use information such as the router name and a domain name to generate unique keys.
Open the router console window and enter global configuration mode. Set the hostname with the command hostname ONLRouter1 and the domain name with command ip domain-name example.com. (You would replace these by appropriate names in a real installation.)
Use the command crypto key generate rsa, giving an appropriate key size such as 2048, to create the keys.
To create a user account with a secret password, enter a command such as username jason secret onlssh.
To ensure that only SSH is accepted for connection, the vty lines must be configured with a sequence of commands. First, use line vty 0 15 to enter line configuration mode. Then login local will require a username to be given, and transport input ssh will mean that only SSH connections are accepted.
This completes the setup for the router. To test the connection, you will need to turn to the command line on the PC.
To open an SSH session, you should enter the command ssh -l jason 192.168.0.1, giving the password ‘onlvty’ that you previously set on the router. You will see the message of the day, and the prompt will change to ‘Router>’, showing that you are now giving commands to the router.
You can now work with the router’s command line, for example entering global configuration mode (you will need the password ‘opennetlab’) and showing the running configuration.
You should exit from the SSH session using exit and confirm that you are back on the PC command line.
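As an added example (not part of the course materials or of Packet Tracer), the following Python audit reads a constructed `show running-config` excerpt and checks for the settings that both the video transcript and the activity answer configure: a non-default hostname, a domain name, a local user with a secret, and vty lines with login local and transport input ssh. The sample config, the user's password hash and the second vty block that still permits Telnet are all constructed for illustration.

```python
"""Audit a Cisco IOS running-config for the SSH-only vty setup from this activity."""
import re

# Constructed sample (not from a real device); the second vty block still
# permits Telnet so that the audit has something to report.
SAMPLE_CONFIG = """\
hostname ONLRouter1
ip domain-name example.com
username jason secret 5 $1$PLACEHOLDER$notarealhash
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
"""

def parse_sections(config):
    """Return (top-level lines, {block header: [indented lines]})."""
    top, blocks, current = [], {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
            top.append(current)
    return top, blocks

def audit_ssh_access(config):
    """Return a list of findings; an empty list means the router matches the activity."""
    top, blocks = parse_sections(config)
    findings = []
    # IOS refuses to generate RSA keys while the hostname is the default 'Router'
    if not any(l.startswith("hostname ") and l.split()[1] != "Router" for l in top):
        findings.append("hostname is missing or still the IOS default 'Router'")
    if not any(l.startswith("ip domain-name ") for l in top):
        findings.append("ip domain-name not set (needed for key generation)")
    if not any(re.match(r"username \S+ secret ", l) for l in top):
        findings.append("no local user with a secret password")
    for header, body in blocks.items():
        if not header.startswith("line vty"):
            continue
        if "login local" not in body:
            findings.append(f"{header}: login local missing")
        if [b for b in body if b.startswith("transport input")] != ["transport input ssh"]:
            findings.append(f"{header}: transport input is not 'ssh' only")
    return findings
```

Run `audit_ssh_access(SAMPLE_CONFIG)` to see the Telnet-permitting vty range reported; a config that follows the activity exactly returns an empty list.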