ICND1 break down -- Telnet and SSH


Cisco routers and switches support remote administration over Telnet and SSH.


Telnet is an application layer protocol (TCP port 23) used on the Internet or on local area networks to provide a bidirectional, interactive, text-oriented communication facility over a virtual terminal connection.

Secure Shell (SSH) is an application layer protocol (TCP port 22) that uses cryptography to let remote login and other network services operate securely over an unsecured network.

Telnet lets you open a "virtual terminal" over the network. By connecting to the vty (virtual terminal) lines of a Cisco router or switch, you can administer and manage the device remotely. By default a Cisco switch supports five simultaneous Telnet sessions, on vty lines 0 through 4.

The following is an example Telnet configuration on a Cisco 2960-24TT switch. The PC's FastEthernet port is connected to port FastEthernet0/1 on the switch with a straight-through cable.

2960-24TT


On the switch side, we first assign an IP address to the default management interface, VLAN 1, then bring VLAN 1 up with "no shutdown". We then set a password for vty lines 0 through 4 and require it with "login". Note that with "login" configured but no password set, nobody can log in over Telnet: IOS answers "Password required, but none set" and closes the connection. Also note that a line password configured this way is stored in clear text in the running configuration unless "service password-encryption" is on, and even then only as a trivially reversible type 7 string. (Of course, to enter the configuration shown below we first have to access the switch through the console port.)

Press RETURN to get started!
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Switch>enable
Switch#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.0.1 255.255.255.0
Switch(config-if)#no shutdown

%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Switch(config-if)#exit
Switch(config)#line vty 0 4
Switch(config-line)#password cisco
Switch(config-line)#login
Switch(config-line)#^Z
%SYS-5-CONFIG_I: Configured from console by console
Switch#wr
Building configuration...
[OK]
Switch#

On the PC side, set the PC's IP address and subnet mask first, then type "telnet 192.168.0.1" at the client terminal to log in to the switch remotely. The following is the login process on the user's PC.

PC>ipconfig /all

Physical Address................: 0001.C7BD.238E
IP Address......................: 192.168.0.100
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 0.0.0.0
DNS Servers.....................: 0.0.0.0

PC>telnet 192.168.0.1
Trying 192.168.0.1 ...
User Access Verification

Password:
Switch>

The problem with Telnet is that everything, passwords included, is sent in clear text. Anyone who can capture the traffic between the PC and the switch (on a hub, a mirrored port, or by ARP spoofing on the VLAN) can read the vty and enable passwords straight out of the packet capture, and several free sniffers and password-grabbing programs do exactly that. The exposure is the same for the "Username:" prompt used with "login local" as for the plain "Password:" prompt.
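To make the clear-text problem concrete, here is an added example (not from the original post) that does what a sniffer on the PC's VLAN would do with the login transcript above: it takes the captured Telnet payloads, strips the Telnet option negotiation (the IAC sequences), and reads the vty and enable passwords back out. The capture is constructed to mirror the session on this page, and the function names are this example's own.

```python
"""Recover credentials from a captured Telnet session (added example)."""

# Telnet protocol constants (RFC 854/855)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
PROMPTS = ("Password:", "Username:")  # IOS prompts whose reply is a secret


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove IAC option negotiation from a Telnet byte stream, keeping user data."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:                    # dangling IAC at end of segment
            break
        elif data[i + 1] == IAC:             # IAC IAC is an escaped literal 0xff
            out.append(IAC)
            i += 2
        elif data[i + 1] in (DO, DONT, WILL, WONT):   # 3-byte option command
            i += 3
        elif data[i + 1] == SB:              # sub-negotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                                # other 2-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out)


def recover_credentials(segments):
    """Walk (direction, payload) segments in capture order and return
    [(prompt_context, secret)] for every reply typed to a Password:/Username:
    prompt. direction is "s2c" (switch to PC) or "c2s" (PC to switch)."""
    creds = []
    server_text = ""        # everything the switch has printed so far
    typed = bytearray()     # characters typed since the prompt
    collecting = False
    context = ""
    for direction, payload in segments:
        data = strip_telnet_iac(payload)
        if direction == "s2c":
            server_text += data.decode("ascii", errors="replace")
            continue
        if not collecting:
            lines = [ln.rstrip("\r") for ln in server_text.split("\n")]
            if not lines[-1].rstrip().endswith(PROMPTS):
                continue                     # input to an ordinary prompt
            collecting = True
            typed = bytearray()
            # label the secret with the last non-empty line before the prompt
            context = next((ln for ln in reversed(lines[:-1]) if ln.strip()), "")
        for b in data:
            if b == 13:                      # CR: the user pressed Enter
                creds.append((context, typed.decode("ascii", errors="replace")))
                collecting = False
                break
            if b in (8, 127):                # BS/DEL: the user corrected a typo
                if typed:
                    typed.pop()
            elif b not in (0, 10):           # ignore CR-NUL / LF padding
                typed.append(b)
    return creds


# Constructed capture of a login like the one above: the switch's option
# negotiation, the vty password typed one character per packet, then
# "enable" and the enable password (with a typo fixed using DEL).
SAMPLE_CAPTURE = [
    ("s2c", b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18"),                  # WILL ECHO, WILL SGA, DO TTYPE
    ("c2s", b"\xff\xfd\x01\xff\xfd\x03\xff\xfa\x18\x00ANSI\xff\xf0"),  # DO ECHO, DO SGA, SB TTYPE
    ("s2c", b"\r\n\r\nUser Access Verification\r\n\r\nPassword: "),
    ("c2s", b"c"), ("c2s", b"i"), ("c2s", b"s"), ("c2s", b"c"), ("c2s", b"o"),
    ("c2s", b"\r\x00"),
    ("s2c", b"\r\nSwitch>"),
    ("c2s", b"enable\r\x00"),
    ("s2c", b"enable\r\nPassword: "),
    ("c2s", b"cl"), ("c2s", b"\x7f"), ("c2s", b"lass\r\x00"),
    ("s2c", b"\r\nSwitch#"),
]

if __name__ == "__main__":
    for context, secret in recover_credentials(SAMPLE_CAPTURE):
        print(f"after '{context}': {secret!r}")
```

Against the constructed capture the function returns the vty password "cisco" and the enable password "class"; the only work involved was skipping the negotiation bytes, which is why no amount of password complexity helps when the transport is Telnet.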

An alternative to Telnet is SSH (Secure Shell), which authenticates the device by its host key and encrypts and integrity-protects the session over insecure networks. In its most basic form, SSH is an encrypted replacement for Telnet. Communication between client and server is encrypted in both SSHv1 and SSHv2, but SSHv1 has known protocol-level weaknesses (its CRC-32 integrity check can be defeated) and should be treated as obsolete; SSHv2 is a redesigned protocol with proper message authentication codes. Use SSH instead of Telnet, and force version 2 with "ip ssh version 2" wherever the IOS image supports it.

Here is how to enable SSH on a Cisco router or switch.

Step 1, not every IOS image includes SSH (it needs a cryptographic feature set, the "k9" images), so first check whether the device supports it. (Both the PIX firewall and Cisco IOS 12.1 and later support SSH version 1.) If the output reports SSH disabled, carry on with the steps below; if the command is not recognised at all, the image lacks SSH support.

Switch#show ip ssh

Step 2, the RSA key pair is named after the device's fully qualified domain name (hostname.domain-name), so you must set a host name and a domain name on the device before generating keys.

Switch(config)#hostname SwitchA
SwitchA(config)#ip domain-name domain.com

Step 3, generate an RSA key pair, which automatically enables the SSH server. Choose the modulus size carefully: IOS needs at least 768 bits before it will run SSHv2, and 2048 bits is the sensible minimum today. The size can be given on the command line, for example "crypto key generate rsa modulus 2048", instead of answering the prompt.

SwitchA(config)#crypto key generate rsa

Step 4, make SSH the only way to connect to the router or switch remotely, i.e. disable Telnet on the vty lines. Without this line the vty lines keep accepting Telnet, so the clear-text path stays open even after SSH works.

SwitchA(config)#line vty 0 4
SwitchA(config-line)#transport input ssh

To authenticate users individually instead of with a shared line password, create local user accounts and tell the vty lines to use them with "login local". Prefer "username ... secret" over "username ... password" when you can: "secret" stores a salted hash, whereas "password" stores the string in clear text (or as a reversible type 7 string if "service password-encryption" is on).

SwitchA(config)#line vty 0 4
SwitchA(config-line)#login local
SwitchA(config-line)#exit
SwitchA(config)#username ccent password ccent1

Step 5, download and install an SSH client (PuTTY or OpenSSH, for example) on the workstation you use for remote administration and test the SSH connection. To view active SSH sessions on the router or switch, use the command

SwitchA#show ssh

Step 6, Write the config changes to the startup-config.

SwitchA#wr mem

To disable SSH and re-enable Telnet (only sensible in a lab), issue the commands below. Note that "crypto key zeroize rsa" removes every RSA key on the device, including any used by certificates, as the confirmation prompt warns:

SwitchA(config)#crypto key zeroize rsa
SwitchA(config)#line vty 0 4
SwitchA(config-line)#transport input telnet
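The six steps above, plus the Telnet setup from the first half of the page, amount to a checklist that is easy to get half right (SSH enabled but Telnet still accepted, a line password still present, "ip ssh version 2" forgotten). The following added example, not part of the original post, puts the page's Telnet configuration beside an SSH-only baseline and audits both from the text of "show running-config". The IOS commands in both configurations are real; the finding codes, the ACL name MGMT and the user names are this example's own conventions.

```python
"""Audit a Cisco IOS configuration for weak remote-access (vty) settings (added example)."""
import re

# The page's Telnet configuration, as "show running-config" prints it
WEAK_CONFIG = """\
hostname SwitchA
!
enable password cisco
!
username ccent password 0 ccent1
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
!
line vty 0 4
 password cisco
 login
!
"""

# SSH-only management: per-user hashed credentials, SSHv2 forced, an ACL on the
# vty lines and an idle timeout (secrets shown as typed; the running-config
# would show their hashes). MGMT and the user name are assumptions.
HARDENED_CONFIG = """\
hostname SwitchA
ip domain-name domain.com
!
enable secret StrongEnableSecret
username admin secret StrongLoginSecret
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
ip access-list standard MGMT
 permit 192.168.0.100
!
line vty 0 4
 access-class MGMT in
 exec-timeout 5 0
 login local
 transport input ssh
!
"""


def parse_sections(config: str):
    """Split an IOS config into (command, [subcommands]) using IOS's one-space indent."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_ios_config(config: str):
    """Return a list of (code, detail) findings; an empty list means nothing weak was found."""
    findings = []
    sections = parse_sections(config)
    commands = [cmd for cmd, _ in sections]

    if "ip ssh version 2" not in commands:
        findings.append(("NO_SSH_V2", "ip ssh version 2 not set; SSHv1 can still be negotiated"))
    if any(c.startswith("enable password") for c in commands) and \
            not any(c.startswith("enable secret") for c in commands):
        findings.append(("ENABLE_PASSWORD", "enable password is reversible; use enable secret"))
    for cmd in commands:
        m = re.match(r"username (\S+)(?: privilege \d+)? password\b", cmd)
        if m:
            findings.append(("USERNAME_PLAIN_PASSWORD",
                             f"username {m.group(1)} uses 'password' (type 0/7); use 'secret'"))

    for cmd, subs in sections:
        if not cmd.startswith("line vty"):
            continue
        transport = [s.split()[2:] for s in subs if s.startswith("transport input")]
        if not transport or any(t not in (["ssh"], ["none"]) for t in transport):
            findings.append(("VTY_NOT_SSH_ONLY", f"{cmd}: transport input not restricted to ssh"))
        if any(s.startswith("password ") for s in subs):
            findings.append(("VTY_LINE_PASSWORD", f"{cmd}: shared line password instead of user accounts"))
        if "login local" not in subs and not any(s.startswith("login authentication") for s in subs):
            findings.append(("VTY_NO_LOGIN_LOCAL", f"{cmd}: login does not use local or AAA accounts"))
        if not any(s.startswith("access-class") for s in subs):
            findings.append(("VTY_NO_ACCESS_CLASS", f"{cmd}: any source address may connect"))
        if "exec-timeout 0 0" in subs:
            findings.append(("VTY_NO_EXEC_TIMEOUT", f"{cmd}: idle sessions never time out"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_ios_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for code, detail in result:
            print(f"  {code}: {detail}")
```

Run it against your own "show running-config" output to see which of the steps above were skipped; the hardened configuration produces no findings, the page's Telnet configuration produces seven.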

-----------------------------------------------------------------------------------------------------------------------

The following is an example on a Cisco 3560-24PS multilayer switch. (We don't use the Cisco 2960-24TT here because that switch image does not support SSH.) Telnet has already been configured on the switch so that we can log in to it from a remote PC with "telnet 192.168.0.1". In the Telnet session we configured SSH on the switch and then logged out.

3560-24PS


For the next remote login from the PC we use the ssh program instead of telnet, with the command "ssh -l ccent SW1.domain.com". Our first try fails with the error "Could not open connection to the host, on port 22: Connect failed", because there is no DNS server to resolve the host name to an IP address. In the second try we use "ssh -l ccent 192.168.0.1" and log in to the switch successfully over SSH. During this SSH session we verified the status of SSH, then disabled it on the switch. We then logged out and verified that SSH is really disabled and that Telnet is accepted again.

PC>ipconfig /all

Physical Address................: 00D0.FF10.C771
IP Address......................: 192.168.0.100
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 0.0.0.0
DNS Servers.....................: 0.0.0.0

PC>telnet 192.168.0.1
Trying 192.168.0.1 ...
User Access Verification

Password:
Switch>enable
Password:
Switch#show ip ssh
SSH Disabled - version 1.5
%Please create RSA keys (of atleast 768 bits size) to enable SSH v2.
Authentication timeout: 120 secs; Authentication retries: 3
Switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname SW1
SW1(config)#username ccent password ccent
SW1(config)#ip domain-name domain.com
SW1(config)#crypto key generate rsa
The name for the keys will be: SW1.domain.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

SW1(config)#line vty 0 4
SW1(config-line)#transport input ssh
SW1(config-line)#login local
SW1(config-line)#^Z
%SYS-5-CONFIG_I: Configured from console by console
SW1#wr mem
Building configuration...
[OK]
SW1#show ssh
%No SSHv2 server connections running.
%No SSHv1 server connections running.
SW1#logout

[Connection to 192.168.0.1 closed by foreign host]
PC>ipconfig /all

Physical Address................: 00D0.FF10.C771
IP Address......................: 192.168.0.100
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 0.0.0.0
DNS Servers.....................: 0.0.0.0

PC>telnet 192.168.0.1
Trying 192.168.0.1 ...
[Connection to 192.168.0.1 closed by foreign host]

PC>ssh
Packet Tracer PC SSH

Usage: SSH -l username target

PC>ssh -l ccent SW1.domain.com
Could not open connection to the host, on port 22: Connect failed
PC>ssh -l ccent 192.168.0.1

Password:




SW1>enable
Password:
SW1#show ssh
Connection      Version Encryption      State                   Username
67              1.99    3DES            Session Started         ccent
%No SSHv1 server connections running.
%No SSHv2 server connections running.
SW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: y
SW1(config)#line vty 0 4
*Mar 1 0:22:11.181: %SSH-5-DISABLED: SSH 1.5 has been disabled
SW1(config-line)#transport input telnet
SW1(config-line)#login
SW1(config-line)#^Z
%SYS-5-CONFIG_I: Configured from console by console
SW1#show ip ssh
SSH Disabled - version 1.5
%Please create RSA keys (of atleast 768 bits size) to enable SSH v2.
Authentication timeout: 120 secs; Authentication retries: 3
SW1#logout

[Connection to 192.168.0.1 closed by foreign host]
PC>ipconfig /all

Physical Address................: 00D0.FF10.C771
IP Address......................: 192.168.0.100
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 0.0.0.0
DNS Servers.....................: 0.0.0.0

PC>ssh -l ccent 192.168.0.1
[Connection to 192.168.0.1 closed by foreign host]
PC>telnet 192.168.0.1
Trying 192.168.0.1 ...
User Access Verification

Password:
SW1>


2 comments:

  1. I already have a pub/privkey pair I use. How do I move the pubkey to the ASA?

  2. Hi, mlp, please check this post:
    http://xyznetwork.blogspot.com/2009/09/configuring-cisco-asapix-7-x-for-ssh.html
