
How to set up SSH in Cat Os and Disable telnet

madhu_g1985
Level 1

Hi All,

I am trying to Disable Telnet and enable SSH in Cat Os for 6500 .

Can some one help with a step by step instruction ? I have been searching for a while but did not get a convincing answer yet. Please help.

Thanks,

12 Replies

Sandeep Sharma
Cisco Employee

Hi

- To enable SSH on CATOS first you need to have the k9 or security image having the SSH feature available.

- Commands to enable SSH

      sec-cat6000> (enable) set crypto key rsa 1024

- Command to verify crypto key enabled or not

      sec-cat6000> (enable) show crypto key

- If you want to restrict IPs to access the device via SSH use the below command

      sec-cat6000> set ip permit 172.18.124.0 255.255.255.0

      sec-cat6000> (enable) set ip permit enable ssh >>>> Command to turn SSH permit list.

- Command to verify the ssh permit list

      sec-cat6000> (enable) show ip permit

Hope this will help you.

Thanks & Regards

Sandeep

Hi Sandeep,

Once you enable SSH, don't we have to apply ssh as input under line vty?

Or is this different in Cat OS ?

Hi Madhu,

There is no need to put the input ssh on cat os.

Please find the configuration of SSH:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a0080094314.shtml

Regards

Inayath

Hi Inayathulla,

Thanks for the quick reply.

Do we need a permit list to restrict access to a certain subnet? Is that mandatory?

Example :

sec-cat6000>

set ip permit 172.18.124.0 255.255.255.0 .. Because I don't want to put any filter on any subnet for SSH.

Also, for disabling Telnet access, if I don't have any subnets filtered for it, will just the below command be necessary?

set ip permit disable telnet

Hi Madhu,

I don't think the permit list is mandatory as per the link. I don't have the box as of now to test, but give it a try, it should work.

  • CatOS Configuration

      set crypto key rsa 1024

      set ip permit enable ssh

    • Clear all Telnet and replace with ssh

      clear ip permit {10.1.1.1} telnet

      set ip permit {10.1.1.1} ssh

      set snmp trap enable ippermi

    • First set up SSH access

2-

Yes you are correct. Just running this command

set ip permit disable telnet

HTH

Regards

Inayath

I will try it out and let you know..Thank you

Hi Inayath,

It worked. But I needed to put a filter for a subnet.

Here I am required to allow everyone.

I tried

set ip permit 0.0.0.0 0.0.0.0 ssh -> but it did not take that command.

Do you know how to permit everyone?

Could you try this:

sec-cat6000> set ip permit 0.0.0.0 0.0.0.0
!--- Turn on SSH.

sec-cat6000> (enable) set ip permit enable ssh
SSH permit list enabled. 

!--- Verify SSH permit list.

sec-cat6000> (enable) show ip permit
Telnet permit list disabled.
Ssh permit list enabled.
Snmp permit list disabled.
Permit List Mask Access-Type 
---------------- ---------------- -------------
0.0.0.0 0.0.0.0  ssh snmp 

HTH

Regards

Inayath

Hi Inayath,

Sure. I will give it a try today. But when I tried this yesterday

set ip permit 0.0.0.0 0.0.0.0 ssh  -> It gave me a bad mask error.

So not sure it will help. Also it gives a potential vulnerability for snmp since it opens it for everyone other than our monitoring servers.

Do you agree ?

Thanks,

Madhu.

InayathUlla Sharieff
Cisco Employee

Hi Madhu,


Please find link below on configuring the SSH on Catos:-

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a0080094314.shtml

To disable telnet:

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/ip_perm.html

Here is the command to disable telnet on switches running CATOS:

set ip permit disable ?

  telnet                     Disable/Enable telnet permit

  snmp                       Disable/Enable snmp permit

  ssh                        Disable/Enable ssh permit

You may need to issue the command "show ip permit" first. The following steps will work, if telnet permit is disabled.

example:

Console> (enable) show ip permit

Telnet permit list disabled.

If no hosts are defined in the telnet permit lists then there is nothing to allow telnet from therefore disabling telnet.

However, if you need to limit telnet access on the CAT OS you need to define who is permitted to telnet to the device. To do this use the command:

set ip permit telnet

set ip permit telnet

set ip permit telnet

set ip permit telnet

This creates a permit list, once you do this you can enable the list to be processed by the switch

set ip permit enable telnet

This tells the switch to only allow telnet for IP addresses defined in the permit list.

HTH

Regards

Inayath

********Please rate and mark the post as answered so others can benefit from it.

madhu_g1985
Level 1

Hi All,

Finally it worked.

Below is the config I applied.

To Enable SSH

=======

set ip permit enable ssh

set ip permit 10.0.0.0 255.0.0.0 ssh

To Disable Telnet

===========

Set ip permit enable telnet

Thanks Inayath and all for all your help.
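
Added example, not part of any post in this thread: a small Python check that reads `show ip permit` output in the format quoted above and reports, per protocol, whether the permit list blocks it, restricts it, or leaves it open. The sample text is constructed, the function names are hypothetical, and the script assumes a row applies only to the protocols named in its Access-Type column.

```python
import ipaddress
import re

# Constructed sample, laid out like the `show ip permit` output quoted in the thread.
SAMPLE = """\
Telnet permit list enabled.
Ssh permit list enabled.
Snmp permit list disabled.
Permit List      Mask             Access-Type
---------------- ---------------- -------------
10.0.0.0         255.0.0.0        ssh
172.18.124.0     255.255.255.0    ssh snmp
"""

STATE_RE = re.compile(r"^(telnet|ssh|snmp) permit list (enabled|disabled)\.", re.I)
ROW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*(.*)$")
PROTOCOLS = ("telnet", "ssh", "snmp")


def parse_ip_permit(text):
    """Return ({proto: list_enabled}, {proto: [networks]}) from the CLI output."""
    enabled = {}
    entries = {p: [] for p in PROTOCOLS}
    for raw in text.splitlines():
        line = raw.strip()
        state = STATE_RE.match(line)
        if state:
            enabled[state.group(1).lower()] = state.group(2).lower() == "enabled"
            continue
        row = ROW_RE.match(line)
        if row:
            net = ipaddress.ip_network(f"{row.group(1)}/{row.group(2)}", strict=False)
            # Assumption: the row counts only for protocols listed in Access-Type.
            for proto in row.group(3).lower().split():
                if proto in entries:
                    entries[proto].append(net)
    return enabled, entries


def audit(text):
    """Classify each protocol as unfiltered, blocked, open-to-all or restricted."""
    enabled, entries = parse_ip_permit(text)
    result = {}
    for proto in PROTOCOLS:
        if not enabled.get(proto, False):
            result[proto] = "unfiltered"    # permit list is not being enforced
        elif not entries[proto]:
            result[proto] = "blocked"       # enforced list with no entries
        elif any(n.prefixlen == 0 for n in entries[proto]):
            result[proto] = "open-to-all"   # 0.0.0.0 0.0.0.0 entry
        else:
            result[proto] = "restricted"
    return result
```

For the sample, telnet comes back as blocked (list enabled, no telnet entries), which is the end state the thread reaches; an snmp entry of 0.0.0.0 0.0.0.0 with the snmp list enabled would show up as open-to-all.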