Configuring SSH on a Cisco Router
! Note: make sure every router in the network has a unique hostname and a domain name configured
! Note: the IOS version must be 12.1(1)T or later, and the image file name must contain K8 or K9
! Make sure the router is configured for local authentication, or for an AAA server that performs username and password authentication
Task: Configure R3 to support SSH connections.
Step 1. Configure a domain name.
Configure a domain name of ccnasecurity.com on R3.
Router(config)#hostname R3 // the default hostname Router must not be kept
R3(config)# ip domain-name ccnasecurity.com // required for SSH (the RSA key name is built from hostname and domain name)
Step 2. Configure users for login from the SSH client on R3.
Create a user ID of SSHadmin with the highest possible privilege level and a secret password of
ciscosshpa55.
R3(config)# username SSHadmin privilege 15 secret ciscosshpa55
R1(config)#username d privilege 15 secret ?
0 Specifies an UNENCRYPTED secret will follow
5 Specifies a HIDDEN secret will follow // choosing 5 means the value that follows is already an MD5 hash
LINE The UNENCRYPTED (cleartext) user secret
Step 3. Configure the incoming VTY lines on R3.
Use the local user accounts for mandatory login and validation. Accept only SSH connections.
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# transport input ssh
Step 4. Erase existing key pairs on R3.
Any existing RSA key pairs should be erased on the router.
! SSH requires an asymmetric key pair; Cisco IOS uses RSA (Rivest/Shamir/Adleman)
R3(config)#crypto ?
dynamic-map Specify a dynamic crypto map template
ipsec Configure IPSEC policy
isakmp Configure ISAKMP policy
key Long term key operations
map Enter a crypto map
R3(config)#crypto key ?
generate Generate new keys
zeroize Remove keys
R3(config)#crypto key zeroize ?
rsa remove RSA keys
R3(config)#crypto key zeroize rsa
Note: If no keys exist, you might receive this message: % No Signature RSA Keys found in
configuration.
R3(config)#crypto key zeroize rsa
% No Signature RSA Keys found in configuration.
Step 5. Generate the RSA encryption key pair for R3.
The router uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure the RSA
keys with a modulus of 1024. The default is 512, and the range is from 360 to 2048.
R3(config)# crypto key generate rsa
The name for the keys will be: R3.ccnasecurity.com // the key name is <hostname>.<ip domain-name>
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]:1024 // Cisco recommends a 1024-bit modulus; this prompt selects the key size
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Note: The command to generate RSA encryption key pairs for R3 in Packet Tracer differs from those used in
the lab.
Step 6. Verify the SSH configuration.
Use the show ip ssh command to see the current settings. Verify that the authentication timeout and retries are at their default values of 120 and 3.
R3#show ip ssh
SSH Enabled - version 1.5 // compatibility mode: both SSHv1 and SSHv2 are accepted
Authentication timeout: 120 secs; Authentication retries: 3 // maximum number of failed authentication attempts
Cisco routers support two versions of SSH: SSH version 1 (SSHv1) and the newer, more secure
SSH version 2 (SSHv2). SSHv2 provides better security using the Diffie-Hellman key exchange
and the strong integrity-checking message authentication code (MAC).
Cisco IOS Release 12.1(1)T and later supports SSHv1. Cisco IOS Release 12.3(4)T and later operates in compatibility mode and supports both SSHv1 and SSHv2. To change from compatibility
mode to a specific version, use the ip ssh version {1 | 2} global configuration command. (textbook p. 24)
Step 7. Configure SSH timeouts and authentication parameters.
The default SSH timeouts and authentication parameters can be altered to be more restrictive. Set the timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.
R3(config)# ip ssh time-out 90
// (time-out 1-120) SSH negotiation timeout, default 120 s; once the EXEC session starts, the exec-timeout configured on the vty line applies instead
R3(config)# ip ssh authentication-retries 2 // maximum number of consecutive authentication attempts for an SSH login
R3(config)# ip ssh version 2
Issue the show ip ssh command again to confirm that the values have been changed.
Step 8. Attempt to connect to R3 via Telnet from PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to
R3 via Telnet.
PC> telnet 192.168.3.1
This connection should fail, since R3 has been configured to accept only SSH connections on the virtual
terminal lines.
Step 9. Connect to R3 using SSH on PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to
R3 via SSH. When prompted for the password, enter the password configured for the administrator
ciscosshpa55.
PC>ssh /?
Packet Tracer PC SSH
Usage: SSH -l username targe
PC> ssh -l SSHadmin 192.168.3.1
Step 10. Connect to R3 using SSH on R2.
In order to troubleshoot and maintain the R3 router, the administrator at the ISP must use SSH to access the
router CLI. From the CLI of R2, enter the command to connect to R3 via SSH version 2 using the SSHadmin
user account. When prompted for the password, enter the password configured for the administrator:
ciscosshpa55.
R2# ssh -v 2 -l SSHadmin 10.2.2.1
R2#ssh ?
-l Log in using this user name
-v Specify SSH Protocol Version
R2#ssh -v ?
1 Protocol Version 1
2 Protocol Version 2
R2#ssh -v 2 ?
-l Log in using this user name
R2#ssh -v 2 -l ?
WORD Login name
R2#ssh -v 2 -l SSHadmin ?
WORD IP address or hostname of a remote system
Verification: after a client has connected, run show ssh on R3 to list the active SSH sessions.
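As an added example (not part of the original lab), the following Python script checks a router's show ip ssh output and a running-config excerpt against the target state of Steps 1 to 7: a real hostname, a domain name, a secret rather than a password, vty lines restricted to SSH with login local, SSH version 2, timeout 90 and retries 2. The sample outputs are constructed, not captured from R3, and the secret hash is a placeholder.

```python
import re

# Constructed samples modelled on the lab output (not captured from a real R3):
# the hardened state after Step 7, and a router left at defaults with Telnet open.
HARDENED_SSH = ("SSH Enabled - version 2.0\n"
                "Authentication timeout: 90 secs; Authentication retries: 2\n")
WEAK_SSH = ("SSH Enabled - version 1.5\n"
            "Authentication timeout: 120 secs; Authentication retries: 3\n")
HARDENED_CFG = """hostname R3
ip domain-name ccnasecurity.com
username SSHadmin privilege 15 secret 5 $1$EXAMPLE$placeholder-hash
line vty 0 4
 login local
 transport input ssh
"""
WEAK_CFG = """hostname Router
username SSHadmin privilege 15 password 0 ciscosshpa55
line vty 0 4
 login
 transport input telnet ssh
"""

def parse_show_ip_ssh(text):
    """Return (version, timeout_secs, retries) parsed from 'show ip ssh' output."""
    ver = re.search(r"SSH Enabled - version (\S+)", text)
    auth = re.search(r"timeout: (\d+) secs; Authentication retries: (\d+)", text)
    if not ver or not auth:
        raise ValueError("SSH is not enabled or the output format is unexpected")
    return ver.group(1), int(auth.group(1)), int(auth.group(2))

def audit(show_ssh, config):
    """Return findings against the lab's target state; [] means fully hardened."""
    version, timeout, retries = parse_show_ip_ssh(show_ssh)
    # Everything after 'line vty' belongs to the vty stanza in these excerpts.
    vty = config.split("line vty", 1)[1] if "line vty" in config else ""
    checks = [
        (version != "2.0", f"version {version} is compatibility mode; set 'ip ssh version 2'"),
        (timeout > 90, f"authentication timeout {timeout}s exceeds 90s"),
        (retries > 2, f"authentication retries {retries} exceeds 2"),
        (re.search(r"^hostname Router$", config, re.M) is not None,
         "default hostname 'Router' still set; the RSA key name needs a real hostname"),
        (re.search(r"^ip domain-name \S+", config, re.M) is None,
         "no ip domain-name; 'crypto key generate rsa' will not work"),
        (re.search(r"^username \S+ .*\bpassword\b", config, re.M) is not None,
         "username stored with 'password' instead of 'secret'"),
        ("login local" not in vty, "vty lines do not use 'login local'"),
        (re.search(r"^ transport input ssh$", vty, re.M) is None,
         "vty lines accept transports other than SSH"),
    ]
    return [msg for failed, msg in checks if failed]
```

Running audit(WEAK_SSH, WEAK_CFG) reports every check as failed, while the hardened pair returns an empty list.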
Reposts should retain the source: www.zh-cjh.com (Zhuhai Chen Jianhao's blog) » Configuring SSH on a Cisco Router
Author: cjh