Configure SSH Access on Routers and Switches (Cisco)


Configure SSH input on Cisco switches and routers


Enable SSH:

conf t hostname Switch32
ip domain-name
aaa new-model
crypto key generate rsa

If you have not yet set up user credentials, or want to add a new user:

conf t
username john secret cat12345

Where cat12345 is the password you wish to set for the user john.


To enable SSH on a Cisco iOS device, you need two things: specify a management interface (see this guide), and actually enable SSH. To do the latter, your router or switch needs to be configured with a hostname, and a domain name:

conf t
hostname iSwitch
ip domain-name

Then, allow users configured on the switch to login with SSH or Telnet connections:

aaa new-model

Generate your RSA key:

crypto key generate rsa

User credentials

If you have not yet configured a user, you should do so now (choose one):

user john password cat12345
user john secret 12345

Secret and password can be used to set a password for user john. However, secret stores the password as a hash, instead of showing it in plaintext. If you store your password in plaintext, it is quite easy to reveal it if you let someone at the console, or for someone reading your NVRAM:

Switch32#sh run | include password
username john password 0 cat12345

Security considerations

By default, both SSH and Telnet connections are allowed to Cisco devices. In some environments, it may not matter (such as a completely isolated lab for studying or testing your configs), but in others, it will open you up to malicious hackers since information is sent over Telnet as plain text. Therefore, someone will be able to capture packets on your network, such as the commands you send to the switch or router. The hacker can then parse them for sensitive data like passwords. To disable Telnet:

conf t
line vty 0 4
transport input ssh

This only allows SSH connections via the network to your Cisco device. If physical access to the device is restricted, it may not matter so much if you leave Telnet on over the console port, but if you wish to disable Telnet via console as well:

line con 0
transport input ssh

Default SSH authentication timeout (time you have to enter correct user credentials after making the initial connection) is set to 120 seconds. If you wish to change it:

ip ssh time-out 60

Change number of retries:

ip ssh authentication-retries 4


Don't forget to exit configuration mode and save your changes!


Was this article helpful?

mood_bad Dislike 2
mood Like 4
visibility Views: 25500