Configure SSH in IOS


Use the following commands in IOS to configure SSH. They should apply to all IOx devices such as the ISR819 (C819), CGR1120/1240, and IR829/809.

Command / Explanation

enable
    Enter privileged exec mode

conf term
    Enter global configuration mode

enable password cisco123
    Create the enable password

username admin password cisco123
    Create the "admin" user and password

ip domain name lab.cisco.com
    Add a domain name

crypto key generate rsa modulus 1024 label SSH
    Create RSA keys for SSH

ip ssh rsa keypair-name SSH
    Associate the RSA keys with SSH

ip ssh version 2
    Enable SSH version 2

line vty 0 4
    Enter the VTY lines to enable remote login

transport input ssh telnet
    Allow SSH (and Telnet) on the VTY lines

exec-timeout 0
    Disable the remote login idle timeout

login local
    Needed in the case of "no aaa new-model". Not needed with "aaa new-model"; for details, see the note at the end of this post.

interface GigabitEthernet2/1
    Begin configuring the interface used for the connection to the ISP. If you connected a different Ethernet interface, substitute its name in this command.

no switchport
    Convert the interface to Layer 3

ip address 172.27.170.127 255.255.255.0
    Set the interface IPv4 address. Substitute your own IPv4 address and mask here (global static or private).

no shutdown
    Enable the interface

exit
    Exit interface configuration

ip route 0.0.0.0 0.0.0.0 172.27.170.1
    Set the default route. Substitute your gateway address.

exit
    Exit configuration mode

copy running startup
    Save the config to flash memory. This may be deferred until all the configs have been tested.

Please note, regarding authentication: the aaa new-model command causes the router's local username and password to be used in the absence of other AAA statements. Alternatively, with no aaa new-model, you can use the login local command on the VTY lines.
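As an added example (not part of the original post), a small Python audit that reads a transcript of the SSH-related commands above and flags the settings a reviewer would question: the 1024-bit RSA modulus, Telnet left in "transport input", "exec-timeout 0", a missing "ip ssh version 2", and the absence of both "login local" and "aaa new-model". The 2048-bit threshold and the hardened command set are assumptions for this example, not from the post.

```python
import re

# Constructed sample transcript: the SSH-related commands from the post, as typed.
# Note: 'crypto key generate rsa' is an exec-mode command and does not appear in
# 'show running-config', so this audits the typed command set, not a saved config.
SAMPLE_COMMANDS = """\
ip domain name lab.cisco.com
crypto key generate rsa modulus 1024 label SSH
ip ssh rsa keypair-name SSH
ip ssh version 2
line vty 0 4
 transport input ssh telnet
 exec-timeout 0
 login local
"""

# Constructed hardened variant (assumed values): larger key, SSH only, idle timeout set.
HARDENED_COMMANDS = """\
ip domain name lab.cisco.com
crypto key generate rsa modulus 2048 label SSH
ip ssh rsa keypair-name SSH
ip ssh version 2
aaa new-model
line vty 0 4
 transport input ssh
 exec-timeout 10
"""

MIN_RSA_BITS = 2048  # assumed policy threshold, not from the post


def audit_ssh_commands(text: str, min_rsa_bits: int = MIN_RSA_BITS) -> list:
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []
    if "ip ssh version 2" not in lines:
        findings.append("SSH version 2 is not pinned ('ip ssh version 2' missing)")
    for ln in lines:
        m = re.match(r"crypto key generate rsa .*modulus (\d+)", ln)
        if m and int(m.group(1)) < min_rsa_bits:
            findings.append(f"RSA modulus {m.group(1)} is below {min_rsa_bits} bits")
        m = re.match(r"transport input (.+)", ln)
        if m and "telnet" in m.group(1).split():
            findings.append("Telnet is still allowed on the vty lines (transport input)")
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?", ln)
        if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
            findings.append("exec-timeout 0 disables the idle timeout on the vty lines")
    if "login local" not in lines and "aaa new-model" not in lines:
        findings.append("No local login configured (no 'login local' or 'aaa new-model')")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_commands(SAMPLE_COMMANDS):
        print("-", finding)
```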

Comments
brylevin (Beginner) wrote:

Note: for many versions of IOS, SSHv2 has a 'behavior' that stops Linux ssh/ssl from connecting. I believe this was due to changes in ssl after the Heartbleed bug.

The workaround is to edit your ssh config as follows:

----------snip------------

Host *
    KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    StrictHostKeyChecking no

----------snip------------

This reorders the key exchange algs and allows a Linux user to ssh (ssh -2) to a Cisco router.

SSH v1 does not seem to have this issue, but if you want to use something that needs SSHv2 (like NETCONF, for example), this fix will allow you to get SSHv2 working again.
