Secure Shell (SSH)
Secure Shell (SSH) is a protocol which provides a secure remote access connection to network devices. Communication between the client and server is encrypted in both SSH version 1 and SSH version 2. Implement SSH version 2 when possible because it uses a more enhanced security encryption algorithm.
This document discusses how to configure and debug SSH on Cisco routers or switches that run a version of Cisco IOS Software that supports SSH. This document contains more information on specific versions and software images.
Requirements
The Cisco IOS image used must be a k9(crypto) image in order to support SSH. For example c3750e-universalk9-tar.122-35.SE5.tar is a k9 (crypto) image.
The information in this document is based on Cisco IOS 3600 Software (C3640-IK9S-M), Release 12.2(2)T1.
SSH was introduced into these Cisco IOS platforms and images:
SSH Version 1.0 (SSH v1) server was introduced in some Cisco IOS platforms and images that start in Cisco IOS Software Release 12.0.5.S.
SSH client was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.1.3.T.
SSH terminal-line access (also known as reverse-Telnet) was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.2.2.T.
SSH Version 2.0 (SSH v2) support was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.1(19)E.
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are in a live network, make sure that you understand the potential impact of any command before you use it.
SSH v1 vs. SSH v2
Use the Cisco Software Advisor in order to help you find the version of code with appropriate support for either SSH v1 or SSH v2.
Network Diagram
Test Authentication
Authentication Test without SSH
First test the authentication without SSH to make sure that authentication works with the router Carter before you add SSH. Authentication can be with a local username and password or with an authentication, authorization, and accounting (AAA) server that runs TACACS+ or RADIUS. (Authentication through the line password is not possible with SSH.) This example shows local authentication, which lets you Telnet into the router with username "cisco" and password "cisco."
!--- The aaa new-model command causes the local username and password on the router !--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
line vty 0 4
transport input telnet
!--- Instead of aaa new-model, you can use the login local command.
Authentication Test with SSH
In order to test authentication with SSH, you have to add to the previous statements in order to enable SSH on Carter and test SSH from the PC and UNIX stations.
ip domain-name rtp.cisco.com
!--- Generate an SSH key to be used with SSH.
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2At this point, the show crypto key mypubkey rsa command must show the generated key. After you add the SSH configuration, test your ability to access the router from the PC and UNIX station.
Optional Configuration Settings
Prevent Non-SSH Connections
If you want to prevent non-SSH connections, add the transport input ssh command under the lines to limit the router to SSH connections only. Straight (non-SSH) Telnets are refused.
line vty 0 4
!--- Prevent non-SSH Telnets.
transport input ssh
Test to make sure that non-SSH users cannot Telnet to the router Carter.
Set Up an IOS Router or Switch as SSH Client
There are four steps required to enable SSH support on a Cisco IOS router:
Configure the hostname command.
Configure the DNS domain.
Generate the SSH key to be used.
Enable SSH transport support for the virtual type terminal (vtys).
If you want to have one device act as an SSH client to the other, you can add SSH to a second device called Reed. These devices are then in a client-server arrangement, where Carter acts as the server, and Reed acts as the client. The Cisco IOS SSH client configuration on Reed is the same as required for the SSH server configuration on Carter.
!--- Step 1: Configure the hostname if you have not previously done so.
hostname carter
!--- The aaa new-model command causes the local username and password on the router !--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
!--- Step 2: Configure the DNS domain of the router.
ip domain-name rtp.cisco.com
!--- Step 3: Generate an SSH key to be used with SSH.
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
!--- Step 4: By default the vtys' transport is Telnet. In this case, !--- Telnet is disabled and only SSH is supported.
line vty 0 4
transport input SSH
!--- Instead of aaa new-model, you can use the login local command.
Issue this command to SSH from the Cisco IOS SSH client (Reed) to the Cisco IOS SSH server (Carter) in order to test this:
SSH v1:
ssh -l cisco -c 3des 10.13.1.99SSH v2:
ssh -v 2 -c aes256-cbc -m hmac-sha1-160 -l cisco 10.31.1.99
Setup an IOS Router as an SSH server that performs RSA based User Authentication
Complete these steps in order to configure the SSH server to perform RSA based authentication.
Specify the Host name.
Router(config)#hostname <host name>Define a default domain name.
Router(config)#ip domain-name <Domain Name>Generate RSA key pairs.
Router(config)#crypto key generate rsaConfigure SSH-RSA keys for user and server authentication.
Router(config)#ip ssh pubkey-chainConfigure the SSH username.
Router(conf-ssh-pubkey)#username <user name>Specify the RSA public key of the remote peer.
Router(conf-ssh-pubkey-user)#key-stringSpecify the SSH key type and version. (optional)
Router(conf-ssh-pubkey-data)#key-hash ssh-rsa <key ID>Exit the current mode and return to privileged EXEC mode.
Router(conf-ssh-pubkey-data)#endNote: Refer to Secure Shell Version 2 Support for more information.
Add SSH Terminal-Line Access
If you need outbound SSH terminal-line authentication, you can configure and test SSH for outbound reverse Telnets through Carter, which acts as a comm server to Philly.
ip ssh port 2001 rotary 1
line 1 16
no exec
rotary 1
transport input ssh
exec-timeout 0 0
modem In Out
Stopbits 1If Philly is attached to Carter's port 2, then you can configure SSH to Philly through Carter from Reed with the help of this command:
SSH v1:
ssh -c 3des -p 2002 10.13.1.99SSH v2:
ssh -v 2 -c aes256-cbc -m hmac-sha1-160 -p 2002 10.31.1.99
You can use this command from Solaris:
ssh -c 3des -p 2002 -x -v 10.13.1.99
Restrict SSH access to a subnet
You need to limit SSH connectivity to a specific subnetwork where all other SSH attempts from IPs outside the subnetwork should be dropped.
You can use these steps to accomplish the same:
Define an access-list that permits the traffic from that specific subnetwork.
Restrict access to the VTY line interface with an access-class.
This is an example configuration. In this example only SSH access to the 10.10.10.0 255.255.255.0 subnet is permitted, any other is denied access.
Router(config)#access-list 23 permit 10.10.10.0 0.0.0.255
Router(config)#line vty 5 15
Router(config-line)#transport input ssh
Router(config-line)#access-class 23 in
Router(config-line)#exit
Note: The same procedure to lock down the SSH access is also applicable on switch platforms.
Configure the SSH Version
Configure SSH v1:
carter(config)#ip ssh version 1
Configure SSH v2:
carter(config)#ip ssh version 2
Configure SSH v1 and v2:
carter(config)#no ip ssh version
Note: You receive this error message when you use SSHv1:
%SCHED-3-THRASHING: Process thrashing on watched message event.Variations on banner Command Output
The banner command output varies between the Telnet and different versions of SSH connections. This table illustrates how different banner command options work with various types of connections.
| Banner Command Option | Telnet | SSH v1 only | SSH v1 and v2 | SSH v2 only |
|---|---|---|---|---|
| banner login | Displayed before logging into the device. | Not displayed. | Displayed before logging into the device. | Displayed before logging into the device. |
| banner motd | Displayed before logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. |
| banner exec | Displayed after logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. |
debug and show Commands
Before you issue the debug commands described and illustrated here, refer to Important Information on Debug Commands. Certain show commands are supported by the Output Interpreter Tool , which allows you to view an analysis of show command output.
debug ip ssh—Displays debug messages for SSH.
show ssh—Displays the status of SSH server connections.
carter#show ssh Connection Version Encryption State Username 0 1.5 DES Session started ciscoshow ip ssh—Displays the version and configuration data for SSH.
Version 1 Connection and no Version 2
carter#show ip ssh SSH Enabled - version 1.5 Authentication timeout: 60 secs; Authentication retries: 2Version 2 Connection and no Version 1
carter#show ip ssh SSH Enabled - version 2.0 Authentication timeout: 120 secs; Authentication retries: 3Version 1 and Version 2 Connections
carter#show ip ssh SSH Enabled - version 1.99 Authentication timeout: 120 secs; Authentication retries: 3
Sample Debug Output
Router Debug
Note: Some of this good debug output is wrapped to multiple lines because of spatial considerations.
00:23:20: SSH0: starting SSH control process
00:23:20: SSH0: sent protocol version id SSH-1.5-Cisco-1.25
00:23:20: SSH0: protocol version id is - SSH-1.5-1.2.26
00:23:20: SSH0: SSH_SMSG_PUBLIC_KEY msg
00:23:21: SSH0: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
00:23:21: SSH: RSA decrypt started
00:23:21: SSH: RSA decrypt finished
00:23:21: SSH: RSA decrypt started
00:23:21: SSH: RSA decrypt finished
00:23:21: SSH0: sending encryption confirmation
00:23:21: SSH0: keys exchanged and encryption on
00:23:21: SSH0: SSH_CMSG_USER message received
00:23:21: SSH0: authentication request for userid cisco
00:23:21: SSH0: SSH_SMSG_FAILURE message sent
00:23:23: SSH0: SSH_CMSG_AUTH_PASSWORD message received
00:23:23: SSH0: authentication successful for cisco
00:23:23: SSH0: requesting TTY
00:23:23: SSH0: setting TTY - requested: length 24, width 80; set:
length 24, width 80
00:23:23: SSH0: invalid request - 0x22
00:23:23: SSH0: SSH_CMSG_EXEC_SHELL message received
00:23:23: SSH0: starting shell for vtyServer Debug
Note: This output was captured on a Solaris machine.
rtp-evergreen.rtp.cisco.com#ssh -c 3des -l cisco -v 10.31.1.99
rtp-evergreen#/opt/CISssh/bin/ssh -c 3des -l cisco -v 10.13.1.99
SSH Version 1.2.26 [sparc-sun-solaris2.5.1], protocol version 1.5.
Compiled with RSAREF.
rtp-evergreen: Reading configuration data /opt/CISssh/etc/ssh_config
rtp-evergreen: ssh_connect: getuid 0 geteuid 0 anon 0
rtp-evergreen: Allocated local port 1023.
rtp-evergreen: Connecting to 10.13.1.99 port 22.
rtp-evergreen: Connection established.
rtp-evergreen: Remote protocol version 1.5,
remote software version Cisco-1.25
rtp-evergreen: Waiting for server public key.
rtp-evergreen: Received server public key (768 bits)
and host key (512 bits).
rtp-evergreen: Host '10.13.1.99' is known and matches the host key.
rtp-evergreen: Initializing random; seed file //.ssh/random_seed
rtp-evergreen: Encryption type: 3des
rtp-evergreen: Sent encrypted session key.
rtp-evergreen: Installing crc compensation attack detector.
rtp-evergreen: Received encrypted confirmation.
rtp-evergreen: Doing password authentication.
cisco@10.13.1.99's password:
rtp-evergreen: Requesting pty.
rtp-evergreen: Failed to get local xauth data.
rtp-evergreen: Requesting X11 forwarding with authentication spoofing.
Warning: Remote host denied X11 forwarding, perhaps xauth program
could not be run on the server side.
rtp-evergreen: Requesting shell.
rtp-evergreen: Entering interactive session.What can go Wrong
These sections have sample debug output from several incorrect configurations.
SSH From an SSH Client Not Compiled with Data Encryption Standard (DES)
Solaris Debug
rtp-evergreen#/opt/CISssh/bin/ssh -c des -l cisco -v 10.13.1.99
SSH Version 1.2.26 [sparc-sun-solaris2.5.1], protocol version 1.5.
Compiled with RSAREF.
rtp-evergreen: Reading configuration data /opt/CISssh/etc/ssh_config
rtp-evergreen: ssh_connect: getuid 0 geteuid 0 anon 0
rtp-evergreen: Allocated local port 1023.
rtp-evergreen: Connecting to 10.13.1.99 port 22.
rtp-evergreen: Connection established.
rtp-evergreen: Remote protocol version 1.5,
remote software version Cisco-1.25
rtp-evergreen: Waiting for server public key.
rtp-evergreen: Received server public key (768 bits)
and host key (512 bits).
rtp-evergreen: Host '10.13.1.99' is known and matches the host key.
rtp-evergreen: Initializing random; seed file //.ssh/random_seed
rtp-evergreen: Encryption type: des
rtp-evergreen: Sent encrypted session key.
cipher_set_key: unknown cipher: 2Router Debug
00:24:41: SSH0: Session terminated normally
00:24:55: SSH0: starting SSH control process
00:24:55: SSH0: sent protocol version id SSH-1.5-Cisco-1.25
00:24:55: SSH0: protocol version id is - SSH-1.5-1.2.26
00:24:55: SSH0: SSH_SMSG_PUBLIC_KEY msg
00:24:55: SSH0: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
00:24:55: SSH: RSA decrypt started
00:24:56: SSH: RSA decrypt finished
00:24:56: SSH: RSA decrypt started
00:24:56: SSH: RSA decrypt finished
00:24:56: SSH0: sending encryption confirmation
00:24:56: SSH0: Session disconnected - error 0x07Bad Password
Router Debug
00:26:51: SSH0: starting SSH control process
00:26:51: SSH0: sent protocol version id SSH-1.5-Cisco-1.25
00:26:52: SSH0: protocol version id is - SSH-1.5-1.2.26
00:26:52: SSH0: SSH_SMSG_PUBLIC_KEY msg
00:26:52: SSH0: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
00:26:52: SSH: RSA decrypt started
00:26:52: SSH: RSA decrypt finished
00:26:52: SSH: RSA decrypt started
00:26:52: SSH: RSA decrypt finished
00:26:52: SSH0: sending encryption confirmation
00:26:52: SSH0: keys exchanged and encryption on
00:26:52: SSH0: SSH_CMSG_USER message received
00:26:52: SSH0: authentication request for userid cisco
00:26:52: SSH0: SSH_SMSG_FAILURE message sent
00:26:54: SSH0: SSH_CMSG_AUTH_PASSWORD message received
00:26:54: SSH0: password authentication failed for cisco
00:26:54: SSH0: SSH_SMSG_FAILURE message sent
00:26:54: SSH0: authentication failed for cisco (code=7)
00:26:54: SSH0: Session disconnected - error 0x07SSH Client Sends Unsupported (Blowfish) Cipher
Router Debug
00:39:26: SSH0: starting SSH control process
00:39:26: SSH0: sent protocol version id SSH-1.5-Cisco-1.25
00:39:26: SSH0: protocol version id is - SSH-1.5-W1.0
00:39:26: SSH0: SSH_SMSG_PUBLIC_KEY msg
00:39:26: SSH0: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
00:39:26: SSH0: Session disconnected - error 0x20Geting the "%SSH-3-PRIVATEKEY: Unable to retrieve RSA private key for" Error
If you receive this error message, it may be caused due to any change in the domain name or host name. In order to resolve this, try these workarounds.
Zeroize the RSA keys and re-generate the keys.
crypto key zeroize rsa label key_name crypto key generate rsa label key_name modulus key_sizeIf the previous workaround does not work, try these steps:
Zeroize all RSA keys.
Reload the device.
Create new labeled keys for SSH.
No comments:
Post a Comment