There are four steps required to enable SSH support on a Cisco IOS router:
- Configure the hostname command.
- Configure the DNS domain.
- Generate the SSH key to be used.
- Enable SSH transport support for the virtual type terminal (vtys).
!--- Step 1: Configure the hostname if you have not previously done so.
hostname carter
!--- The aaa new-model command causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
!--- Step 2: Configure the DNS domain of the router.
ip domain-name rtp.cisco.com
!--- Step 3: Generate an SSH key to be used with SSH.
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
!--- Step 4: By default the vtys' transport is Telnet. In this case,
!--- Telnet is disabled and only SSH is supported.
line vty 0 4
transport input SSH
!--- Instead of aaa new-model, you can use the login local command.
Restricting SSH access to a subnet is good practice.
Limit SSH connectivity to one specific subnetwork, so that SSH attempts from any IP address outside that subnetwork are dropped.
Two steps accomplish this:
- Define an access-list that permits the traffic from that specific subnetwork.
- Restrict access to the VTY line interface with an access-class.
Router(config)#access-list 23 permit 10.10.10.0 0.0.0.255
Router(config)#line vty 5 15
Router(config-line)#transport input ssh
Router(config-line)#access-class 23 in
Router(config-line)#exit
A standard access-list ends with an implicit deny, so every source outside 10.10.10.0/24 is rejected. Note that the example applies the access-class only to lines 5 through 15; apply the same access-class to every vty line the device has (lines 0 through 4 here), otherwise the unrestricted lines remain reachable from anywhere.
Configure the SSH Version
Configure SSH v2:
carter(config)#ip ssh version 2
Variations on banner Command Output
Note: do not use Telnet for management. It sends the login credentials and the whole session in clear text.
The banner command output varies between the Telnet and different versions of SSH connections. This table illustrates how different banner command options work with various types of connections.
Banner Command Option | Telnet | SSH v1 only | SSH v1 and v2 | SSH v2 only |
---|---|---|---|---|
banner login | Displayed before logging into the device. | Not displayed. | Displayed before logging into the device. | Displayed before logging into the device. |
banner motd | Displayed before logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. |
banner exec | Displayed after logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. |
debug and show Commands
Before you issue the debug commands described and illustrated here, refer to Important Information on Debug Commands. Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
- debug ip ssh—Displays debug messages for SSH.
- show ssh—Displays the status of SSH server connections.
carter#show ssh
Connection Version Encryption State              Username
 0         1.5     DES        Session started    cisco
- show ip ssh—Displays the version and configuration data for SSH.
- Version 1 Connection and no Version 2:
carter#show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 60 secs; Authentication retries: 2
- Version 2 Connection and no Version 1:
carter#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
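The show ssh output is what an operator audits for sessions that still negotiate protocol version 1 or weak algorithms. The following Python is an added example and not code from the original page or from Cisco: it parses show ssh output in the five-column layout shown above and, as an assumption about newer IOS releases, in the layout that adds Mode and Hmac columns, then flags each session that uses SSHv1, DES or 3DES, a CBC-mode cipher, or a truncated or MD5-based MAC. Both sample outputs are constructed for the example, not captured from a router.

```python
import re

# One session row in either layout; the Mode and Hmac columns are optional
# because the older layout (shown on the page) does not have them.
ROW = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<ver>\d+\.\d+)\s+"
    r"(?:(?P<mode>IN|OUT)\s+)?"
    r"(?P<enc>\S+)\s+"
    r"(?:(?P<mac>hmac-\S+)\s+)?"
    r"(?P<state>.+?)\s+(?P<user>\S+)\s*$"
)

WEAK_CIPHER_FAMILIES = {"des", "3des"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

# Constructed samples, not captured from a device.
SAMPLE_V1 = """\
carter#show ssh
Connection Version Encryption State              Username
 0         1.5     DES        Session started    cisco
"""

SAMPLE_V2 = """\
carter#show ssh
Connection Version Mode Encryption  Hmac          State              Username
 0         2.0     IN   aes256-ctr  hmac-sha2-256 Session started    admin
 1         2.0     IN   3des-cbc    hmac-sha1     Session started    backup
 2         2.0     IN   aes128-cbc  hmac-md5      Session started    netops
"""


def parse_show_ssh(text: str) -> list:
    """Return one dict per session row; prompt, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            rows.append(match.groupdict())
    return rows


def session_issues(row: dict) -> list:
    """List the reasons a single session is considered weak (empty list if clean)."""
    issues = []
    if row["ver"].startswith("1."):
        issues.append("SSHv1 session: protocol 1 is insecure, enforce 'ip ssh version 2'")
    enc = row["enc"].lower()
    if enc.split("-")[0] in WEAK_CIPHER_FAMILIES:
        issues.append(f"weak cipher {row['enc']}")
    elif enc.endswith("-cbc"):
        issues.append(f"CBC-mode cipher {row['enc']}")
    mac = (row.get("mac") or "").lower()
    if mac in WEAK_MACS:
        issues.append(f"weak MAC {row['mac']}")
    return issues


def audit_show_ssh(text: str) -> list:
    """Return only the sessions that have at least one issue."""
    findings = []
    for row in parse_show_ssh(text):
        issues = session_issues(row)
        if issues:
            findings.append({"conn": row["conn"], "user": row["user"], "issues": issues})
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        for finding in audit_show_ssh(sample):
            print(f"connection {finding['conn']} ({finding['user']}): " + "; ".join(finding["issues"]))
```

Run against the two samples, the v1 session is flagged for both the protocol version and DES, the aes256-ctr/hmac-sha2-256 session is clean, and the 3des-cbc and aes128-cbc/hmac-md5 sessions are reported. The fix on the router side is `ip ssh version 2` and, on releases that offer them, the `ip ssh server algorithm encryption` and `ip ssh server algorithm mac` commands to trim the negotiated lists.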
A complete minimal configuration that allows SSH version 2 only, with local authentication:
!
ip domain-name example.cisco.com
!
! crypto key generate rsa is an exec-mode command; the key pair itself does not
! appear in the configuration. SSH version 2 requires an RSA modulus of at least
! 768 bits, so generate 2048 bits or more.
crypto key generate rsa
!
! optional: shorten the authentication window and limit retries
ip ssh time-out 60
ip ssh authentication-retries 2
!
! define local usernames; prefer secret (stored as a hash) over password
! (stored in clear text, or reversibly encoded with service password-encryption)
!
username a password b
username x secret y
!
ip ssh version 2
!
line vty 0 4
login local
transport input ssh
Password-less SSH
After configuring the SSH server on IOS, configure the ssh pubkey-chain, where you enter either the key string (from your SSH public key file) or the key's hash (the fingerprint displayed by the ssh-keygen command).
It is probably easier to copy and paste the public key from your id_rsa.pub file into the terminal window, for example:
Rexample#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Rexample(config)#ip ssh pubkey-chain
Rexample(conf-ssh-pubkey)#username pipi
Rexample(conf-ssh-pubkey-user)#key-string
Rexample(conf-ssh-pubkey-data)#$AAQEA6jYlf9MBskhkWov+ZOUDKun0ExQIRj1zfWA/YciO02VS
Rexample(conf-ssh-pubkey-data)#$XsxM7SqNkRSQOR7y7HBMoxTHV7o+R/uS6A8/mF0A3P/ScRjct
Rexample(conf-ssh-pubkey-data)#$JrNGACGaFy1njD9PrrvrU4o4hx6XDr6xVXF4sP4OCSXIn+Cp8
Rexample(conf-ssh-pubkey-data)#$bCnZLmv908AeDb1Ac4nPdsn1OhCPIg6fxZjB7DvAMB8Dbr+7Y
Rexample(conf-ssh-pubkey-data)#$apEbGE94luIqnBc61HsMd6JCWbQ== pipi@fedi.nil.si
Rexample(conf-ssh-pubkey-data)#exit
Rexample(conf-ssh-pubkey-user)#^Z
... and let the router convert it into the key hash, which is what is stored in the configuration (the leading $ on the key-string lines only shows that IOS has scrolled the long line):
Rexample#show run | section ssh
ip ssh rsa keypair-name SSH
ip ssh version 2
ip ssh pubkey-chain
  username pipi
   key-hash ssh-rsa C20B739F2645D6850C591C6A11780CB5 pipi@fedi.nil.si
After this simple step you can log into the router without typing a password. Finally we have a manageable way of doing secure remote command execution.
Note that the private key is now the credential: keep it passphrase-protected, and remove the pubkey-chain entry when the key is retired.
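Pasting a long key-string by hand is error-prone, and the router only keeps the hash anyway. The following Python is an added example, not code from the original post or from Cisco: it parses an OpenSSH ssh-rsa public-key line, rejects keys whose modulus is shorter than a local policy threshold (MIN_BITS is an assumption, not an IOS limit), and prints the key-hash form of the pubkey-chain stanza ready to paste. It assumes that the value IOS stores as key-hash ssh-rsa is the uppercase hex MD5 digest of the base64-decoded key blob, which is the same value ssh-keygen reports as the MD5 fingerprint without the colons. The sample key it builds uses a made-up modulus and is not a usable RSA key; the username pipi is taken from the page, the comment ops@example.net is invented.

```python
import base64
import hashlib
import struct

MIN_BITS = 2048  # local policy (assumption): refuse RSA keys shorter than this


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_openssh_rsa(line: str) -> dict:
    """Parse an authorized_keys-style 'ssh-rsa <base64> [comment]' line.

    Returns the decoded blob, the modulus size in bits and the comment.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("only ssh-rsa keys are accepted")
    blob = base64.b64decode(parts[1], validate=True)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("blob type does not match the ssh-rsa label")
    _exponent, off = _read_string(blob, off)  # public exponent e, not needed here
    modulus, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    return {
        "blob": blob,
        "bits": int.from_bytes(modulus, "big").bit_length(),
        "comment": parts[2].strip() if len(parts) == 3 else "",
    }


def ios_key_hash(blob: bytes) -> str:
    """MD5 of the raw key blob as uppercase hex: the value IOS shows after key-hash ssh-rsa."""
    return hashlib.md5(blob).hexdigest().upper()


def pubkey_chain_stanza(username: str, key_line: str) -> str:
    """Return the 'ip ssh pubkey-chain' configuration for one user, refusing weak keys."""
    key = parse_openssh_rsa(key_line)
    if key["bits"] < MIN_BITS:
        raise ValueError(f"RSA key is {key['bits']} bits; policy requires >= {MIN_BITS}")
    comment = f" {key['comment']}" if key["comment"] else ""
    return "\n".join([
        "ip ssh pubkey-chain",
        f"  username {username}",
        f"   key-hash ssh-rsa {ios_key_hash(key['blob'])}{comment}",
    ])


def make_test_key(bits: int, comment: str = "") -> str:
    """Build a syntactically valid ssh-rsa line around a constructed modulus.

    The modulus is just an odd number of the requested size, not a product of two
    primes, so the key is useless for SSH; it only exercises the parser.
    """
    def mpint(value: int) -> bytes:
        # one extra byte when the top bit is set, so the mpint stays positive
        raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
        return struct.pack(">I", len(raw)) + raw

    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".rstrip()


if __name__ == "__main__":
    print(pubkey_chain_stanza("pipi", make_test_key(2048, "ops@example.net")))
```

To cross-check a real key before pasting the stanza, compare the hash with `ssh-keygen -l -E md5 -f id_rsa.pub`, which prints the same digest with colons between the bytes.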