Having remote access to network devices is critical for effectively managing
a network. Traditionally, Cisco IOS supports Telnet, which allows users to
connect to a remote router using TCP port 23. However, this method provides no
security because all Telnet traffic goes over the network in clear text. Secure
Shell (SSH) replaces Telnet to provide remote router administration with
connections that support strong privacy and session integrity. This connection
provides functionality that is similar to that of an outbound Telnet connection
except that the connection is encrypted. With authentication and encryption,
SSH allows for secure communications over an insecure network. The components
that make up SSH are shown in Figure.
There are currently two versions of SSH available, SSH Version 1 (SSHv1) and
SSH Version 2 (SSHv2). SSH was introduced into IOS platforms/images in the
following sequence:
- SSHv1 server was introduced in some IOS platforms/images starting in
  12.1(1)T.
- SSHv1 client was introduced in some IOS platforms/images starting in
  12.1(3)T.
- SSHv1 terminal-line access, also known as reverse-Telnet, was introduced in
  some IOS platforms/images starting in 12.2(2)T.
- SSHv2 was introduced in 12.3(4)T.
The SSH terminal-line access feature enables users to configure their
router with secure access and perform the following tasks:
- Connect to a router that has multiple terminal lines connected to consoles
  or serial ports of other routers, switches, or devices
- Simplify connectivity to a router from anywhere by securely connecting to
  the terminal server on a specific line
- Allow modems attached to routers to be used for dial-out securely
- Require authentication to each of the lines through a locally defined
  username and password, TACACS+, or RADIUS
Cisco routers are capable of acting as the SSH client and server. By
default, both of these functions are enabled on the router when SSH is enabled.
These two functions are detailed in the following sections.
SSH Client
The SSHv1 Integrated Client feature is an application running over the SSH
protocol to provide device authentication and encryption. The SSH client
enables a Cisco router or other SSH client to make a secure, encrypted
connection to another Cisco router or to any other device running the SSHv1
server.
The SSH client in Cisco IOS software works with publicly and commercially
available SSH servers. The SSH client supports the Data Encryption Standard
(DES) and Triple DES (3DES) ciphers and password authentication. User
authentication is performed in the same way as for a Telnet session to the
router. The user authentication mechanisms supported for SSH are RADIUS,
TACACS+, and the use of locally stored usernames and passwords.
SSH Server
When the SSH server function is enabled on a Cisco router or other device, an
SSH client is able to make a secure, encrypted connection to that router or
device. The SSH server in Cisco IOS will work with publicly and commercially
available SSH clients as well as other Cisco routers that have SSH enabled.
When SSH is enabled on a Cisco router, it acts as both a client
and a server by default. The Secure Copy Protocol (SCP) feature that is
provided with SSH also allows for the secure transfer of configuration and
image files.
In this lab, students will configure a router as
a Secure Shell (SSH) Version 1 server. Students will install and configure an
SSH client on a student PC. Students will then use show and debug commands to
troubleshoot SSH. Finally, the students will strengthen SSH by configuring SSH
Version 2.
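To check the result of the hardening steps described above, the following added example (not part of the lab) audits a saved running-config for the settings this lab changes: whether SSH version 2 is enforced, whether the vty lines still accept clear-text Telnet, and whether login relies on a shared line password instead of per-user credentials. The two config fragments are constructed samples with an assumed hostname, domain name and placeholder secret.

```python
import re

# Constructed "show running-config" excerpt BEFORE hardening (assumed values):
# no "ip ssh version 2", Telnet still allowed, shared line password.
WEAK_CONFIG = """\
hostname Router
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
"""

# Constructed excerpt AFTER the lab's hardening steps (assumed values):
# SSHv2 only, SSH-only transport, per-user local login.
HARDENED_CONFIG = """\
hostname Router
ip domain-name example.com
ip ssh version 2
!
username admin secret PLACEHOLDER_SECRET
!
line vty 0 4
 login local
 transport input ssh
!
"""

def audit_ssh_config(config: str) -> list:
    """Return a list of findings for remote-access settings that weaken SSH."""
    findings = []
    # Without "ip ssh version 2" IOS negotiates SSHv1 as well (compatibility mode).
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("ip ssh version 2 not configured; SSHv1 negotiation still allowed")
    # Walk each "line vty ..." block and inspect its indented sub-commands.
    for m in re.finditer(r"^(?P<name>line vty [^\n]*)\n(?P<body>(?: [^\n]*\n)*)", config, re.M):
        name, body = m.group("name"), m.group("body")
        t = re.search(r"^ transport input (.*)$", body, re.M)
        methods = t.group(1).split() if t else []
        if methods != ["ssh"]:
            findings.append(f"{name}: transport input '{' '.join(methods)}' is not restricted to ssh")
        if "login local" not in body and "login authentication" not in body:
            findings.append(f"{name}: login uses the line password, not a local username or AAA")
    return findings
```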
In this lab, students will begin the process of implementing a secure
perimeter router. Students will explicitly deny common TCP/IP services, and
then verify that these services have been disabled.