
Help needed on SSH config

spremkumar
Level 9

Hi all,

I'm a beginner on SSH. I have configured SSH on one of our routers (3640). As explained on the Cisco site, I created the domain name, hostname, crypto key generate, authentication timeouts, retries. After doing all these I bound the same to the line vty. I also got the key generated by RSA by issuing the command show key mypubkey rsa.

I'm using PuTTY as the SSH client. Can anyone tell me how I will have to use the key generated by RSA to establish the connection with the router?

Regards,

prem

9 Replies

gfullage
Cisco Employee

Putty and the router will swap their public keys automatically, you won't have to do anything. The first time you connect to the router using Putty it will tell you that you haven't connected here before and do you want to swap the keys, just answer yes and you should get a username prompt.

Keep in mind that SSH requires both a username and a password, so on the router you'll have to have configured:

> aaa new-model

> aaa authentication login default local

> username password

Then use that username/password to log in from then on (even with Telnet connections).
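An added example, not part of the post above and not Cisco's own tooling: a small Python check that a saved running-config contains the pieces this thread says SSH logins depend on (hostname, domain name, `aaa new-model`, local login authentication, a local username). The sample config, its names and the extra check that vty lines accept SSH only are assumptions constructed for illustration.

```python
import re

# Constructed sample running-config (not from the thread). Hostname, domain,
# user name and the password placeholder are assumptions for illustration.
SAMPLE_CONFIG = """\
hostname R3640
ip domain-name example.com
aaa new-model
aaa authentication login default local
username admin password <PLACEHOLDER>
line vty 0 4
 transport input telnet ssh
"""

# Global commands the thread names as prerequisites for SSH logins.
REQUIRED = {
    "hostname": r"^hostname \S+",
    "domain name": r"^ip domain[- ]name \S+",
    "aaa new-model": r"^aaa new-model$",
    "local login authentication": r"^aaa authentication login default local\b",
    "local username": r"^username \S+ (password|secret) ",
}

def vty_transports(config):
    """Map each 'line vty ...' header to its set of 'transport input' values."""
    result, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a new top-level command starts
            current = line.strip() if line.startswith("line vty") else None
            if current:
                result[current] = set()
        elif current:
            m = re.match(r"\s+transport input (.+)", line)
            if m:
                result[current] = set(m.group(1).split())
    return result

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"missing: {name}" for name, pattern in REQUIRED.items()
                if not re.search(pattern, config, re.MULTILINE)]
    # Assumption added here: vty lines should accept SSH only, so that the
    # username/password is never sent over Telnet.
    for vty, transports in vty_transports(config).items():
        if transports != {"ssh"}:
            allowed = " ".join(sorted(transports)) or "unset"
            findings.append(f"{vty}: transport input is {allowed}, not ssh only")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports the vty line that still allows Telnet; a config that passes every check returns an empty list.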

scottmac
Level 10

Remember: Cisco only uses SSH version 1. Most packages (including PuTTY) default to version 2. Version 1 is far less secure than version 2 but way more secure than Telnet ...

Also make sure that Putty is configured for DES or 3DES (whichever your router is rigged for).

Which version of IOS are you running on the 3640?

Good Luck

Scott

Hi,

I'm using IOS version 12.2(3):

Cisco Internetwork Operating System Software

IOS (tm) 3600 Software (C3660-IK8S-M), Version 12.2(3), RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2001 by cisco Systems, Inc.

Compiled Wed 18-Jul-01 22:27 by pwade

That's the output.

I'm selecting SSH ver 1 only for establishing the connection. It asks things like connect as username, password, since the AAA model is already configured and in use.

But some of my colleagues who are in server-side security are saying that once you use the key which is generated by the router to establish the connection, the router should not ask for the username and password, since it works in the same fashion on the servers also (which do not ask for any username and password).

Is this right? Can anyone clear this up for me?

Regards,

prem

The keys are swapped the first time and are then used for the encryption, but the router is always going to ask for a username and password. Otherwise anyone could sit at your laptop, SSH to this router and get in, very insecure.

Hi,

Thanks for the inputs. I'm clear about the authentication part now.

Regards,

prem

Could you send me an SSH config (from Telnet client)?

Hi Mynul

Can you revert back about Cisco's plan on releasing SSH ver2 supported IOS?

Regards,

prem

SSH version 2 allows you to define on the server side a client's key that can authenticate without a password. Cisco only supports SSH v1, so using public key authentication w/o a password will not work. This is a very nice feature that I use on Linux boxes all the time.