phirebird

Enabling SSH on a Cisco Router

So, you want to configure SSH on your Cisco router, eh? Well, it’s a good choice to make! So how do you do it? Well, first you’ve got to make sure that your IOS image includes IPSec (DES or 3DES) encryption and is later than 12.1(1)T – which you can easily check by entering the image filename into the Cisco Feature Navigator:

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

I’m running a Cisco 3660 with c3660-ik9o3s-mz.124-6.T.bin which has IPSec and 3DES – so we’re good to go.

SSH doesn’t like a router that doesn’t have a configured hostname or domain name. So, we’ll make sure that both of them are done now:

 Router# conf term
 Router(config)# hostname phbrouter
 phbrouter(config)# ip domain-name phirebird.net
 phbrouter(config)#

Right. Now you’re ready to create an RSA encryption key pair. Whilst generating, you’ll notice that it asks how many bits you’d like to use in the modulus. Don’t accept the default of 512. Instead, select at least 1024 bits.

 phbrouter(config)# crypto key generate rsa
 The name for the keys will be: phbrouter.phirebird.net
 Choose the size of the key modulus in the range of 360 to 2048
        for your General Purpose Keys. Choosing a key modulus greater than
        512 may take a few minutes.
 How many bits in the modulus [512]: 1024
 % Generating 1024 bit RSA keys …[OK]
 phbrouter(config)#
 * May  16 10:05:28.283: %SSH-5-ENABLED: SSH 1.99 has been enabled
 phbrouter(config)#

To make sure that everything has been configured correctly, you can issue these commands:

 show ip ssh  (Displays the version and basic configuration)
 show ssh  (Displays the status of any connections)

You may stop reading here, but it’s a good idea to familiarise yourself with the other SSH configuration options open to you:

phbrouter(config)#ip ssh ?
  authentication-retries  Specify number of authentication retries
  break-string            break-string
  logging                 Configure logging for SSH
  maxstartups             Maximum concurrent sessions allowed
  port                    Starting (or only) Port number to listen on
  rsa                     Configure RSA keypair name for SSH
  source-interface        Specify interface for source address in SSH
                          connections
  time-out                Specify SSH time-out interval
  version                 Specify protocol version to be supported

Most notable here is that running SSH on a different port is probably a good idea (but try leaving it on the default 22 and see how many connection attempts you get!). The default number of authentication-retries is 3 – which is fair enough, and the time-out default is 120 seconds (maybe a bit long?).
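As an added example (not part of the original post), this Python script audits a saved running-config for the prerequisites and `ip ssh` options covered above, including the `version` option, since the `SSH 1.99` log line means SSHv1 clients are still accepted. The function names and the sample config are constructed for illustration, and it assumes the config has been saved to text.

```python
import re

# Constructed sample: a saved running-config excerpt (not from the original page).
SAMPLE_CONFIG = """\
hostname phbrouter
ip domain-name phirebird.net
ip ssh time-out 60
ip ssh authentication-retries 3
"""

def _value(config, pattern):
    """Return the first capture group of a config line matching pattern, or None."""
    m = re.search(pattern, config, re.MULTILINE)
    return m.group(1) if m else None

def audit_ssh_config(config):
    """Return findings for the SSH prerequisites and options discussed above."""
    findings = []
    hostname = _value(config, r"^hostname[ \t]+(\S+)[ \t]*$")
    # IOS refuses to generate RSA keys while the hostname is still "Router".
    if hostname is None or hostname == "Router":
        findings.append("hostname not set: key generation needs a non-default hostname")
    # Some IOS releases store this line as "ip domain name", so accept both spellings.
    if _value(config, r"^ip domain[- ]name[ \t]+(\S+)[ \t]*$") is None:
        findings.append("ip domain-name not set: needed to name the RSA key pair")
    if _value(config, r"^ip ssh version[ \t]+(\d)[ \t]*$") != "2":
        findings.append("ip ssh version 2 not set: SSH 1.99 also accepts SSHv1 clients")
    # A missing line means the default is in effect (120 seconds, 3 retries).
    timeout = _value(config, r"^ip ssh time-out[ \t]+(\d+)[ \t]*$")
    if int(timeout or 120) >= 120:
        findings.append("ip ssh time-out at the 120 second default")
    retries = _value(config, r"^ip ssh authentication-retries[ \t]+(\d+)[ \t]*$")
    if int(retries or 3) > 3:
        findings.append("ip ssh authentication-retries above the default of 3")
    return findings

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```
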

 

Did you find this hint useful? Are you looking to learn more? Well, here’s a few books that I’ve found useful – have a goosie!


Cisco: A Beginner’s Guide
 
CCNA – Cisco Certified Network Associate Study Guide
 
Cisco Networking for Dummies
 
Cisco IOS in a Nutshell – O’Reilly

 

 

Enabling SSH under FreeBSD

Anyone that’s diddled around with SSH under FreeBSD will be all too familiar with this error message when trying to start the SSH daemon directly:

fbsd1# /usr/sbin/sshd
Could not load host key: /etc/ssh/ssh_host_dsa_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
fbsd1#

To keep it happy, you could generate /etc/ssh/ssh_host_dsa_key manually by using ssh-keygen (as you used to in previous FreeBSD releases) - but a much more straightforward way of enabling it now exists. All you have to do is to edit /etc/rc.conf and tag on this line:

sshd_enable="YES"

Next time the system starts, it’ll automatically generate any
necessary keys for you and start accepting SSH requests. If you’re
of the impatient type and want SSH to start right now, use this:

killall sshd
/etc/rc.d/sshd start

And that’s it!

 

Did you find this hint useful? Are you looking to learn more? Well, here’s a few books that I’ve found useful – have a goosie!


Absolute FreeBSD: The Complete Guide
 
FreeBSD unleashed
 
Design and Implementation of FreeBSD
 
The Best of FreeBSD Basics

 

 
