http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

I’m running a Cisco 3660 with c3660-ik9o3s-mz.124-6.T.bin which has IPSec and 3DES – so we’re good to go.

SSH doesn’t like a router that doesn’t have a configured hostname or domain name. So, we’ll make sure that both of them are done now:

 Router# conf term
 Router(config)# hostname phbrouter
 phbrouter(config)# ip domain-name phirebird.net
 phbrouter(config)#

Right. Now you’re ready to create an RSA encryption key pair. Whilst generating, you’ll notice that it asks how many bits you’d like to use in the modulus. Don’t accept the default of 512. Instead, select at least 1024 bits.

 phbrouter(config)# crypto key generate rsa
 The name for the keys will be: phbrouter.phirebird.net
 Choose the size of the key modulus in the range of 360 to 2048
        for your General Purpose Keys. Choosing a key modulus greater than
        512 may take a few minutes.
 How many bits in the modulus [512]: 1024
 % Generating 1024 bit RSA keys …[OK]
 phbrouter(config)#
 * May  16 10:05:28.283: %SSH-5-ENABLED: SSH 1.99 has been enabled
 phbrouter(config)#

To make sure that everything has been configured correctly, you can issue these commands:

 show ip ssh  (Displays the version and basic configuration)
 show ssh  (Displays the status of any connections)

You may stop reading here, but it’s a good idea to familiarise yourself with the other SSH configuration options open to you:

phbrouter(config)#ip ssh ?
  authentication-retries  Specify number of authentication retries
  break-string            break-string
  logging                 Configure logging for SSH
  maxstartups             Maximum concurrent sessions allowed
  port                    Starting (or only) Port number to listen on
  rsa                     Configure RSA keypair name for SSH
  source-interface        Specify interface for source address in SSH
                          connections
  time-out                Specify SSH time-out interval
  version                 Specify protocol version to be supported

Most notable here is thatrunning SSH on a differnt port is probably a good idea (but try leaving it on the default 22 and see how many connection attempts you get!). The number of authentication-retries default is 3 – which is fair enough, and the timeout default is 120 seconds (maybe a bit long?).

Did you find this hint useful? Are you looking to learn more? Well, here’s a few books that I’ve found useful – have a goosie!

Cisco: A Beginner’s Guide

CCNA – Cisco Certified Network Associate Study Guide

Cisco Networking for Dummies

Cisco IOS in a Nutshell – O’Reilly

fbsd1# /usr/sbin/sshd
Could not load host key: /etc/ssh/ssh_host_dsa_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available — exiting.
fbsd1#

To keep it happy, you could generate /etc/ssh/ssh_host_dsa_key
manually by using ssh_keygen (as you used to in previous FreeBSD releases) - but a much more straight forward way of
enabling it now exists. All you have to do is to edit /etc/rc.conf and tag on this line:

sshd_enable=”YES”

Next time the system starts, it’ll automatically generate any
necessary keys for you and start accepting SSH requests. If you’re
of the impatient type and want SSH to start right now, use this:

killall sshd
/etc/rc.d/sshd start

And that’s it!

Did you find this hint useful? Are you looking to learn more? Well, here’s a few books that I’ve found useful – have a goosie!

Absolute FreeBSD: The Complete Guide

FreeBSD unleashed

Design and Implementation of FreeBSD

The Best of FreeBSD Basics