Packetwatch.net

Enable SSH and disable Telnet



Last modified: Jun. 9, 2015

Contents
1 - Summary
2 - Cisco Catalyst 3560 switches
3 - Cisco Catalyst 3850 switches
4 - Cisco PIX 506 firewalls
5 - Cisco ASA 5512 firewalls


1 - Summary

This guide will show how to enable SSH and disable Telnet in different Cisco
devices.


2 - Cisco Catalyst 3560 switches

This has been tested on switches running IOS version 12.2(55)SE9.

switch#show ip ssh
SSH Disabled - version 1.99
%Please create RSA keys to enable SSH (of atleast 768 bits size) to enable SSH v2.
Authentication timeout: 120 secs; Authentication retries: 3
switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)#username testuser password testpassword
switch(config)#crypto key zeroize rsa
% No Signature RSA Keys found in configuration.;

switch(config)#hostname switch
switch(config)#ip domain-name test.com
switch(config)#crypto key generate rsa
The name for the keys will be: switch.test.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 4096
% A decimal number between 360 and 2048.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

switch(config)#end
switch#show crypto key mypubkey rsa
% Key pair was generated at: 08:21:46 CST Dec 11 2014
Key name: switch.test.com
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
  00C59AAC C2CEA0CB AB4F7A64 DAD5A6E6 3BF02E18 8A2F7911 F12424B6 72BA2715
  21BFE289 508CB125 9C8916E8 8B1A6C7E 61932B3C 478C63DC 594FCB64 01EAD4CA
  A87832CA 0666FF61 2E5E68E7 EB328BDE 8CC6750C AD67ED78 A2B4CA8A 9752A113
  E74D44B3 E759D8F6 F1E58855 07BE1B41 8A50A3D9 D04EB372 F190C867 DA03E8FB
  AA9540AA D24EA58D A6595D55 C942564A 31AD6299 114100DC DA674BA4 9D323D2F
  3237DE00 03CEB9A3 A5C9BC01 332C4341 67F95B72 3B52F336 A147EB45 2B877D23
  C29D253A 9FCE9D7A 0A18DC9E A2FC9EBF 6ACA7F96 060FF6FE 0F3A2052 AFD09419
  59BF1469 DAC9C338 D5DF42D2 568890BA 978CAD61 A0E6A3A2 3145C127 839A731D
  33020301 0001
% Key pair was generated at: 08:21:48 CST Dec 11 2014
Key name: switch.test.com.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C22D67 B5A6F72C
  547611B6 9892614F 3E0F444E 057498C5 1E90E4DF D39821B1 03578800 A3630CE0
  26C34AD7 72279E61 516614E0 D22ED519 343BEE83 0D57B5CB 1D16D073 26B8542C
  F694B7C8 F4056489 466849AE 2CECDE18 E0580A01 C85B8D70 0D020301 0001
switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)#ip ssh authentication-retries ?
  <0-5>  Number of authentication retries

switch(config)#ip ssh authentication-retries 3
switch(config)#ip ssh time-out ?
  <1-120>  SSH time-out interval (secs)

switch(config)#ip ssh time-out 120
switch(config)#ip ssh version ?
  <1-2>  Protocol version

switch(config)#ip ssh version 2
switch(config)#line vty 0 4
switch(config-line)#transport input ssh
switch(config-line)#end
switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)#line vty 5 15
switch(config-line)#transport input none
switch(config-line)#end
switch#write mem
Building configuration...
[OK]
switch#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
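One way to verify that a switch really ended up in the state shown above is to audit its saved `show running-config` text rather than trust the session transcript. The following is an added example, not code from Packetwatch or Cisco: it parses the `line vty` blocks and the `ip ssh version` line from a constructed IOS config sample (the sample is invented to match the commands used in this section) and reports vty ranges that still accept Telnet. A vty block with no `transport input` line is reported as "unrestricted by this config" because the default transport depends on the IOS release.

```python
"""Audit an IOS running-config for the SSH/Telnet settings used above.

Added example (not from the original page). The sample configs below are
constructed; the command syntax follows the 3560/3850 sessions.
"""
import re

# Constructed: vty 0-4 still allows Telnet, vty 5-15 is left at default,
# and 'ip ssh version 2' was never set.
WEAK_CONFIG = """\
hostname switch
ip domain-name test.com
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
line con 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
!
"""

# Constructed: the end state of the session in this section.
HARDENED_CONFIG = """\
hostname switch
ip domain-name test.com
!
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh version 2
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input none
!
"""

VTY_RE = re.compile(r"^line vty (\d+) (\d+)$")
TRANSPORT_RE = re.compile(r"^\s+transport input (.+)$")


def parse_vty_lines(config: str) -> dict:
    """Map each 'line vty A B' block to its 'transport input' value (None if absent)."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Top-level command: start a new vty block or leave the current one.
            m = VTY_RE.match(line)
            current = f"{m.group(1)}-{m.group(2)}" if m else None
            if current is not None:
                blocks[current] = None
            continue
        if current is None:
            continue
        m = TRANSPORT_RE.match(line)
        if m:
            blocks[current] = m.group(1).strip()
    return blocks


def audit_ios_config(config: str) -> list:
    """Return human-readable findings; an empty list means the config matches the page's end state."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set; the device reports 1.99 and will still negotiate SSHv1")
    for rng, transport in parse_vty_lines(config).items():
        if transport is None:
            findings.append(f"line vty {rng}: no 'transport input' line; default transport depends on IOS release")
            continue
        tokens = set(transport.split())
        if tokens != {"none"} and tokens - {"ssh"}:
            findings.append(f"line vty {rng}: 'transport input {transport}' still allows Telnet")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ios_config(cfg) or "OK")
```

Run it against the output of `show running-config` saved to a file; a hardened switch should produce no findings.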


3 - Cisco Catalyst 3850 switches

This has been tested on switches running IOS version 03.03.00SE.

switch#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDI5PNCgrBsMiUnOvfA+1f+01e4MyF3bKlejCBXkfIk
hbqe23oG70PIe7iNrU9HZJvZ+jAF3vPRKQgTMOU/oE+5X6idXd7+OllQR6qG+t5x8Yx95OfwJJ53ee/n
ARmAa4JaimCn5+zCgOIeByPL/0wxArw5PIDHmLjttvFSVMux9w==
switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)#username testuser password testpassword
switch(config)#crypto key zeroize rsa
switch(config)#hostname switch
switch(config)#ip domain-name test.com
switch(config)#crypto key generate rsa
The name for the keys will be: switch.test.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 4096
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 62 seconds)

switch(config)#end
switch#show crypto key mypubkey rsa
% Key pair was generated at: 14:51:15 CDT Mar 14 2014
Key name: switch.test.com
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable. Redundancy enabled.
 Key Data:
  30820222 300D0609 2A864886 F70D0101 01050003 82020F00 3082020A 02820201 
  00CBFA7A 1BDA5470 172B5582 33050B27 C8E15F7B AFE01E07 18A6F8A7 7053DF58 
  BE9883E5 B94DEB7B 95DADD20 ABC59B04 2A880B95 B6E2938C 16C3732F 9E2486C8 
  3A33481C 67A6C364 48B18E53 1073714A F30BED24 B9DF5337 C773115D 6D7FFCB8 
  FA55261E D905ADD2 11EFC79D DF779340 F1B30905 87322A8C CB95D63F CDB9F5F2 
  716EC3AE F89D7B56 5A9669BD 6D6DDBDD 35970274 241E1864 C7D8F231 929D4960 
  AFB1AFE1 2533F7D9 9183BEFF 36800021 AAED7567 2AB68030 EADF839C 1ABCF3DF 
  59AE9A4F D00E0BD4 CF5AC8F1 A154726F DEE00AFF B1815602 3D8AA169 20A7E024 
  1600D1EE 5E89999D EF3F500E 46393936 27B20898 A4484AB6 3022379A A1B76F0A 
  39246488 6A7FB88E CA7C0B63 A3FB0B07 D0E2B4A1 67844D04 1F099B0B 350C21B7 
  2519D5D4 7C614731 5E108DCF CC31DB0D 1F0E33EF 2F8BE67A 1D3AB2B2 85802EA5 
  ED145101 834C60E4 2E26B00A B24698C8 B420B7C5 7B0D2646 A99ECA82 FF5EF5B5 
  4A318A78 48724F83 CC68EF59 9FBE5D81 14823E24 C2F9847C 843BCFBC 5C0446AC 
  0B63EE2B A27F5BC8 AE9C4A71 EF904F84 F4EF83CE 9D41EBC6 42C04371 E9A4D443 
  2E6F1776 C9F8531B 21C82098 BAF034F3 095D9DD2 ED9B96A1 260A5E37 A6A2DE77 
  6B30D09C 23B4483E 6F34F035 3BB96ED0 CBB88E95 531D2F75 5F398FE7 FCCD4929 
  3B1FE4B0 9A5B8845 DDDA90B6 C96831E8 A1ECBAF0 F75CE36A BED2FF81 68A8397D 
  85020301 0001
switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)#ip ssh authentication-retries ?
  <0-5>  Number of authentication retries

switch(config)#ip ssh authentication-retries 3
switch(config)#ip ssh time-out ?
  <1-120>  SSH time-out interval (secs)

switch(config)#ip ssh time-out 120
switch(config)#ip ssh version ?
  <1-2>  Protocol version

switch(config)#ip ssh version 2
switch(config)#line vty 0 4
switch(config-line)#transport input ssh
switch(config-line)#end
switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)#line vty 5 15
switch(config-line)#transport input none
switch(config-line)#end
switch#write mem
Building configuration...
Compressed configuration from 6329 bytes to 3308 bytes[OK]
switch#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDI5PNCgrBsMiUnOvfA+1f+01e4MyF3bKlejCBXkfIk
hbqe23oG70PIe7iNrU9HZJvZ+jAF3vPRKQgTMOU/oE+5X6idXd7+OllQR6qG+t5x8Yx95OfwJJ53ee/n
ARmAa4JaimCn5+zCgOIeByPL/0wxArw5PIDHmLjttvFSVMux9w==
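The `show ip ssh` output on the 3850 prints the host key in SECSH (`ssh-rsa` base64) format, which can be decoded offline to check what a client will actually see. The following is an added example, not code from the original page: it parses the RFC 4251 wire format (three length-prefixed strings: the algorithm name, the public exponent e and the modulus n), reports the modulus size and an OpenSSH-style SHA256 fingerprint, and flags a key smaller than a chosen minimum. The key embedded below is the one printed by the switch above, with its line breaks joined; decoding it gives a 1024-bit modulus, so it is worth confirming from a client which key the SSH server actually offers after `crypto key generate rsa`, since the page does not say which key pair `show ip ssh` displays. The policy threshold of 2048 bits is an assumption.

```python
"""Decode an ssh-rsa public key line and check its modulus size.

Added example (not from the original page). SWITCH_KEY is the key printed
by 'show ip ssh' in the 3850 section above, line breaks removed.
"""
import base64
import hashlib
import struct

SWITCH_KEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDI5PNCgrBsMiUnOvfA+1f+01e4MyF3bKlejCBXkfIk"
    "hbqe23oG70PIe7iNrU9HZJvZ+jAF3vPRKQgTMOU/oE+5X6idXd7+OllQR6qG+t5x8Yx95OfwJJ53ee/n"
    "ARmAa4JaimCn5+zCgOIeByPL/0wxArw5PIDHmLjttvFSVMux9w=="
)


def _read_string(blob: bytes, offset: int):
    """Read one RFC 4251 'string' (uint32 big-endian length, then bytes) at offset."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_ssh_rsa(key_line: str) -> dict:
    """Return modulus size, exponent and SHA256 fingerprint of an 'ssh-rsa <base64>' line."""
    parts = key_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(parts[1], validate=True)
    algo, off = _read_string(blob, 0)
    if algo != b"ssh-rsa":
        raise ValueError(f"unexpected key type {algo!r}")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    n = int.from_bytes(n_bytes, "big")   # mpint; leading 0x00 keeps it positive
    e = int.from_bytes(e_bytes, "big")
    # OpenSSH prints SHA256 of the raw blob, base64 without padding.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"modulus_bits": n.bit_length(), "exponent": e, "fingerprint": fingerprint}


def check_key_policy(key_line: str, minimum_bits: int = 2048) -> list:
    """Findings for a key that is weaker than the assumed minimum modulus size."""
    info = parse_ssh_rsa(key_line)
    findings = []
    if info["modulus_bits"] < minimum_bits:
        findings.append(f"modulus is {info['modulus_bits']} bits, below the {minimum_bits}-bit minimum")
    if info["exponent"] < 65537:
        findings.append(f"public exponent {info['exponent']} is smaller than 65537")
    return findings


if __name__ == "__main__":
    print(parse_ssh_rsa(SWITCH_KEY))
    print(check_key_policy(SWITCH_KEY) or "key meets policy")
```

The same parser works on a line copied from `ssh-keyscan` or from a client's `known_hosts`, which is the simplest way to compare the key a client receives with the one the device prints.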


4 - Cisco PIX 506 firewalls

This has been tested on firewalls running PIX 6.3(5).

pix# config t
pix(config)# username testuser password testpassword
pix(config)# ca zeroize rsa
pix(config)# hostname pix
pix(config)# domain-name test.com
pix(config)# ca generate rsa key 4096
 should be between 512 to 2048.
pix(config)# ca generate rsa key 2048
For  >= 1024, key generation could
  take up to several minutes. Please wait.
Keypair generation process begin.
.........Success.

pix(config)# show ca mypubkey rsa
% Key pair was generated at: 09:01:55 CST Dec 10 2014
Key name: pix.test.com
 Usage: General Purpose Key
 Key Data:
  30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
  009d5d0a 882cd5e4 6d240241 241dd5bd 969920f1 ce593736 3025d582 b5681127
  80ec0a36 4c8bd385 47a1b4d9 90a8cd80 4651309d 898e80e0 96ca1528 2ec306b3
  327a800d 060ff326 de0881bf 774c9ecc ac89c56b 31676ea0 c01db3e0 131d6fef
  d6b6fbbc 994a4c18 dd0e0acc a3841c62 30190e4f f5a860a7 c431980d a422aac3
  6183c6dc 45ed0477 1b395997 20fe6d3a 3495613c a37b9005 3fc054ce 31580f80
  3d125b0f 785c9afb 57c876dd bb3d65e0 33897e67 329c96fe f228c760 eb86c609
  28763bc1 2a8ad426 c025ae2b f58b71f5 a1c25a3f e5d55f9b f8f32408 76afbbe2
  7eacc890 123ec0cb fa33ee41 b502a72f a3d02731 be6d6fd4 1fe90d18 ab261e6f
  33020301 0001
pix(config)# ca save all
pix(config)# ssh timeout ?
SSH timeout value must be in the range of 1 to 60 minutes.
Usage:  [no] ssh  [] []
        ssh timeout 
        show ssh sessions []
        ssh disconnect 
pix(config)# ssh timeout 60
pix(config)# ssh 192.168.1.0 255.255.255.0 inside
pix(config)# no telnet
pix(config)# exit
pix# write memory
Building configuration...
Cryptochecksum: db0561ed 1487e94e 625758e3 960d58f1
[OK]
# show ssh
192.168.1.0 255.255.255.0 inside


5 - Cisco ASA 5512 firewalls

This has been tested on firewalls running ASA 8.6(1)2.

asa# config t
asa(config)# username testuser password testpassword
asa(config)# crypto key zeroize rsa
asa(config)# hostname asa
asa(config)# domain-name test.com
asa(config)# crypto key generate rsa modulus ?

configure mode commands/options:
  1024  1024 bits
  2048  2048 bits
  512   512 bits
  768   768 bits
asa(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: 
Keypair generation process begin. Please wait...
asa(config)# show crypto key mypubkey rsa
Key pair was generated at: 11:10:16 CDT Jun 9 2015
Key name: 
 Usage: General Purpose Key
 Modulus Size (bits): 2048
 Key Data:

  30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
  00c2bf93 91c51efd 7b2bc799 ea29e96f c5d005a6 5babd661 2361bd5e cd81227c
  76b7c596 166f77a8 e7ab1897 57eb2386 9a3f3519 dc991cd7 5aef7f26 e10a242f
  49f0bbad 274e502e 1ab5c3bb e1aa433a 17e50be7 52d3eccf 56a38279 b0cac8ee
  e4494e04 cfc6cc5e fdb77078 0b40fc22 e24bac0a bba8183d 4a57b028 0109ebcd
  0d6e6b2b 292475dc ccd7b0ff 58edf944 bba11351 2856e1ce f11d2f26 504d32d4
  a1409fe9 977e640e d17a2d49 4420d4ff 5f452b00 8d0fa545 5d810c9b 0ecc25d6
  16083d3d 647b7d94 0f84191d 902fbf0d b86d4995 14392f8b e64b137d 1147d92a
  40d36d36 a3e5fc82 c5eb6dd1 b09be5d0 9c2e7f0d 31625a93 1bfc4cb9 7c87195e
  3f020301 0001
asa(config)# ca save all
WARNING: the 'ca' command syntax has been deprecated
CA root certificates, device certificates, and RSA key pairs are now saved by issuing a 'write mem'
asa(config)# write mem
Building configuration...
Cryptochecksum: d0fbb365 e36a174d bfc262bf 959dd229

2811 bytes copied in 0.670 secs
[OK]
asa(config)# ssh timeout ?

configure mode commands/options:
  <1-60>  Idle time in minutes after which a ssh session will be closed
asa(config)# ssh timeout 60
asa(config)# ssh version ?

configure mode commands/options:
  <1-2>  Protocol version
asa(config)# ssh version 2
asa(config)# ssh 192.168.1.0 255.255.255.0 inside
asa(config)# aaa authentication ssh console LOCAL
asa(config)# no telnet
asa(config)# end
asa# write mem
Building configuration...
Cryptochecksum: e5f69af8 b58c915b 5a761517 58956f95

2901 bytes copied in 0.670 secs
[OK]
asa# show ssh
Timeout: 60 minutes
Version allowed: 2
192.168.1.0 255.255.255.0 inside
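On the ASA and PIX the relevant state is visible in the running-config as `ssh`/`telnet` access lines, `ssh version` and `aaa authentication ssh console`. The following is an added example, not code from the original page: it audits a constructed ASA config excerpt (the samples are invented to mirror the commands in this section) and reports any `telnet` access line left in place, SSH permitted from any source, a missing `ssh version 2`, and a missing `aaa authentication ssh console` line. The `telnet`/`ssh` access-line syntax is the same as in the PIX section; the `ssh version` check reflects the ASA session above.

```python
"""Audit an ASA running-config for the SSH/Telnet settings used above.

Added example (not from the original page). Both sample configs are
constructed; WEAK_ASA represents a box where 'no telnet' was never run.
"""
import ipaddress
import re

WEAK_ASA = """\
hostname asa
domain-name test.com
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
"""

# Constructed: the end state of the ASA session in this section.
HARDENED_ASA = """\
hostname asa
domain-name test.com
aaa authentication ssh console LOCAL
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
"""

ACCESS_RE = re.compile(r"^(ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def parse_access_lines(config: str) -> list:
    """Return (protocol, IPv4Network, interface) for every ssh/telnet access line."""
    entries = []
    for line in config.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            proto, addr, mask, iface = m.groups()
            net = ipaddress.IPv4Network((addr, mask), strict=False)
            entries.append((proto, net, iface))
    return entries


def audit_asa_config(config: str) -> list:
    """Return findings; an empty list means the config matches the page's end state."""
    findings = []
    lines = {ln.strip() for ln in config.splitlines()}
    for proto, net, iface in parse_access_lines(config):
        if proto == "telnet":
            findings.append(f"telnet still permitted from {net} on {iface}; run 'no telnet'")
        elif net.prefixlen == 0:
            findings.append(f"ssh permitted from any source on {iface}; restrict it to the management network")
    if "ssh version 2" not in lines:
        findings.append("ssh version 2 not set; SSHv1 remains negotiable")
    if not any(ln.startswith("aaa authentication ssh console") for ln in lines):
        findings.append("no 'aaa authentication ssh console' line; SSH logins are not bound to the LOCAL/AAA user database")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_ASA), ("hardened", HARDENED_ASA)):
        print(name, audit_asa_config(cfg) or "OK")
```

Feed it the text of `show running-config` from the firewall; the hardened sample produces no findings.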


Packetwatch Research 2002-2017.