Configuring SSH on a Cisco router


!Note: make sure every router in the network has a unique hostname and that a domain name is configured.

!Note: the IOS release must be 12.1(1)T or later, and the image filename must contain K8 or K9.

!Make sure the router is configured for local authentication, or for an AAA server that performs username and password authentication.

Task :  Configure R3 to support SSH connections.


Step 1.  Configure a domain name.

Configure a domain name of ccnasecurity.com on R3.

Router(config)#hostname R3   //the default hostname Router cannot be used

R3(config)# ip domain-name ccnasecurity.com     //required for SSH

 

Step 2.  Configure users for login from the SSH client on R3.

Create a user ID of SSHadmin with the highest possible privilege level and a secret password of ciscosshpa55.

R3(config)# username SSHadmin privilege 15 secret ciscosshpa55

 

R1(config)#username d privilege 15 secret ? 

0     Specifies an UNENCRYPTED secret will follow

5     Specifies a HIDDEN secret will follow       //choosing 5 means the value that follows is already an MD5 hash

LINE  The UNENCRYPTED (cleartext) user secret

 

 

Step 3.  Configure the incoming VTY lines on R3.

Use the local user accounts for mandatory login and validation. Accept only SSH connections.

R3(config)# line vty 0 4

R3(config-line)# login local

R3(config-line)# transport input ssh

 

Step 4.  Erase existing key pairs on R3.

Any existing RSA key pairs should be erased on the router.

!SSH needs an asymmetric key pair; Cisco IOS uses RSA (Rivest/Shamir/Adleman).

 

R3(config)#crypto ?

  dynamic-map  Specify a dynamic crypto map template

  ipsec        Configure IPSEC policy

  isakmp       Configure ISAKMP policy

  key          Long term key operations

  map          Enter a crypto map

R3(config)#crypto key ?

  generate  Generate new keys

  zeroize   Remove keys

R3(config)#crypto key zeroize ?

  rsa  remove RSA keys

R3(config)#crypto key zeroize rsa

 

Note:  If no keys exist, you might receive this message: % No Signature RSA Keys found in configuration.

R3(config)#crypto key zeroize rsa

% No Signature RSA Keys found in configuration.

 

Step 5.  Generate the RSA encryption key pair for R3.

The router uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure the RSA keys with a modulus of 1024. The default is 512, and the range is from 360 to 2048.

 

R3(config)# crypto key generate rsa

The name for the keys will be: R3.ccnasecurity.com     //the key name is hostname.domain-name, taken from the hostname and ip domain-name commands

Choose the size of the key modulus in the range of 360 to 2048 for your

General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]:1024     //Cisco recommends a modulus of 1024 bits; this prompt selects the key size

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

 

Note: The command to generate RSA encryption key pairs for R3 in Packet Tracer differs from those used in the lab.

 

Step 6.  Verify the SSH configuration.

Use the show ip ssh command to see the current settings. Verify that the authentication timeout and retries are at their default values of 120 and 3.

 

R3#show ip ssh

SSH Enabled - version 1.5   //compatibility mode: both SSHv1 and SSHv2 are supported

Authentication timeout: 120 secs; Authentication retries: 3   //maximum number of failed authentication attempts

 

Cisco routers support two versions of SSH: SSH version 1 (SSHv1) and the newer, more secure SSH version 2 (SSHv2). SSHv2 provides better security using the Diffie-Hellman key exchange and the strong integrity-checking message authentication code (MAC).

Cisco IOS Release 12.1(1)T and later supports SSHv1. Cisco IOS Release 12.3(4)T and later operates in compatibility mode and supports both SSHv1 and SSHv2. To change from compatibility mode to a specific version, use the ip ssh version {1|2} global configuration command. (textbook p. 24)

 

 

Step 7.  Configure SSH timeouts and authentication parameters.

The default SSH timeouts and authentication parameters can be altered to be more restrictive. Set the timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.

R3(config)# ip ssh time-out 90

//time-out 1-120: the SSH negotiation timeout, default 120 s; once the EXEC session has started, the exec-timeout configured on the vty line takes over

R3(config)# ip ssh authentication-retries 2   //maximum number of consecutive failed login attempts allowed for an SSH user

R3(config)# ip ssh version 2

Issue the show ip ssh command again to confirm that the values have been changed.
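The following is an added example, not part of the original post or of Cisco's tooling: a small Python script that audits the text of an IOS running-config against the settings from Steps 1 through 7 and parses show ip ssh output from Step 6. The config text and command output embedded in it are constructed samples, and the password hash is a placeholder. It goes slightly beyond the lab in one respect: it checks every line vty block, because a router that also has line vty 5 15 would still accept Telnet on those lines if only vty 0 4 were restricted.

```python
import re

# Constructed sample: R3's running-config after Steps 1-7 (the hash is a placeholder).
HARDENED_CONFIG = """\
hostname R3
ip domain-name ccnasecurity.com
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
username SSHadmin privilege 15 secret 5 $1$PLACEHOLDER$notarealhash
!
line vty 0 4
 login local
 transport input ssh
!
"""

# Constructed sample: factory hostname, no domain name, and a second VTY block the lab never touches that still accepts Telnet.
WEAK_CONFIG = """\
hostname Router
!
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
"""

# Constructed sample of 'show ip ssh' output after Step 7.
SHOW_IP_SSH_AFTER = """\
SSH Enabled - version 2.0
Authentication timeout: 90 secs; Authentication retries: 2
"""


def split_config(config):
    """Split IOS config text into top-level lines and {section header: child lines}."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # a '!' separator ends the open section
        elif raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            line = raw.strip()
            global_lines.append(line)
            # 'line ...' and 'interface ...' open sub-modes whose commands are indented.
            current = line if line.startswith(("line ", "interface ")) else None
            if current is not None:
                blocks[current] = []
    return global_lines, blocks


def audit_ssh(config, max_timeout=90, max_retries=2):
    """Return {check name: passed} for the Step 1-7 checklist."""
    global_lines, blocks = split_config(config)
    text = "\n".join(global_lines)

    def first(pattern):
        match = re.search(pattern, text, re.MULTILINE)
        return match.group(1) if match else None

    timeout = first(r"^ip ssh time-out (\d+)$")
    retries = first(r"^ip ssh authentication-retries (\d+)$")
    vty = [lines for header, lines in blocks.items() if header.startswith("line vty")]
    return {
        # Steps 1 and 5: the key pair is named hostname.domain, so both must be set and the hostname must not be the default.
        "hostname_set": (first(r"^hostname (\S+)$") or "router").lower() != "router",
        "domain_name_set": first(r"^ip domain-name (\S+)$") is not None,
        # Step 2: a local account whose credential is stored as a secret, not a password.
        "local_user_with_secret": first(r"^username \S+ .*secret (\S+)") is not None,
        # Step 3: every VTY block, not only 0-4, must require login (local or an AAA
        # list) and accept SSH only; 'transport input telnet ssh' or 'all' fails.
        "vty_login_required": bool(vty) and all(
            any(l == "login local" or l.startswith("login authentication ") for l in lines)
            for lines in vty),
        "vty_ssh_only": bool(vty) and all("transport input ssh" in lines for lines in vty),
        # Step 7: SSHv2 only; a missing timeout/retries line means the 120 s / 3 defaults.
        "ssh_version_2": first(r"^ip ssh version (\d)$") == "2",
        "timeout_ok": timeout is not None and int(timeout) <= max_timeout,
        "retries_ok": retries is not None and int(retries) <= max_retries,
    }


def failed_checks(config):
    """Names of the checks a config fails, in checklist order."""
    return [name for name, ok in audit_ssh(config).items() if not ok]


def parse_show_ip_ssh(output):
    """Pull version, timeout and retries out of 'show ip ssh' output (Step 6)."""
    patterns = {"version": r"version (\S+)", "timeout": r"timeout: (\d+) secs",
                "retries": r"retries: (\d+)"}
    found = {k: re.search(p, output) for k, p in patterns.items()}
    return {k: (m.group(1) if k == "version" else int(m.group(1))) if m else None
            for k, m in found.items()}
```

failed_checks(HARDENED_CONFIG) returns an empty list, while failed_checks(WEAK_CONFIG) returns every check name; to audit a real device, save the output of show running-config to a file and pass its text to the same function. Because IOS does not print default values in the running-config, a missing ip ssh time-out or ip ssh authentication-retries line is treated as the 120-second and 3-retry defaults and fails the check.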

 

 

Step 8.  Attempt to connect to R3 via Telnet from PC-C.

Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via Telnet.

PC> telnet 192.168.3.1

This connection should fail, since R3 has been configured to accept only SSH connections on the virtual terminal lines.

 

Step 9.  Connect to R3 us ing SSH on PC-C.

Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via SSH. When prompted for the password, enter the password configured for the administrator: ciscosshpa55.

PC>ssh /?

Packet Tracer PC SSH

Usage: SSH -l username targe

PC> ssh -l SSHadmin 192.168.3.1

 

 

 

Step 10.  Connect to R 3 us ing SSH on R2.

In order to troubleshoot and maintain the R3 router, the administrator at the ISP must use SSH to access the router CLI. From the CLI of R2, enter the command to connect to R3 via SSH version 2 using the SSHadmin user account. When prompted for the password, enter the password configured for the administrator: ciscosshpa55.

R2# ssh -v 2 -l SSHadmin 10.2.2.1

 

R2#ssh ?

  -l  Log in using this user name

  -v  Specify SSH Protocol Version

R2#ssh -v ?

  1  Protocol Version 1

  2  Protocol Version 2

R2#ssh -v 2 ?

  -l  Log in using this user name

R2#ssh -v 2 -l ?

  WORD  Login name

R2#ssh -v 2 -l SSHadmin ?

  WORD  IP address or hostname of a remote system


Verification: after a client has connected, run show ssh on the router to list the active sessions.



Please keep the source when reposting:  www.zh-cjh.com (Zhuhai Chen Jianhao's blog) » Configuring SSH on a Cisco router

Author: cjh

