In this article we will learn how to enable access by SSH (Secure Shell) to a Cisco router.

Why enable SSH? Isn't Telnet enough?


No. Telnet is a management protocol for routers and other devices that is notorious for the lack of security it offers: the communication is not encrypted, so with any packet analyzer such as Wireshark you can capture the commands that are sent to the router.

To ensure secure access and data transmission, we recommend using the SSH v2 protocol, which encrypts communications and prevents them from being intercepted.

How do we enable SSH to a Cisco Router?

  1. We connect to the Cisco router through the console port. For more info follow this link. If you already have Telnet access, you can also use that.
  2. Once in the console, we enter the following commands:

We enter router configuration mode

Router#configure terminal

Configure the router name

Router(config)#hostname R_Movingit

We configure the domain name, since without it the router will not generate the RSA keys.

R_Movingit(config)#ip domain-name moving-it.net

Next we generate the RSA key pair that SSH uses. SSH version 2 requires a modulus of at least 768 bits.

R_Movingit(config)#crypto key generate rsa modulus 1028

Once generated, we will add some SSH configuration commands.

If the user does not enter a username and password within 30 seconds, the connection is closed automatically.

R_Movingit(config)#ip ssh time-out 30

We also configure a maximum of 3 authentication attempts before the connection is dropped.

R_Movingit(config)#ip ssh authentication-retries 3

We enable version 2 of the SSH protocol, which is more secure.

R_Movingit(config)#ip ssh version 2

We now create a user with privilege 15 (the maximum level, so no enable password is needed after logging in). Note that the secret keyword, instead of password, stores the password as a hash rather than in clear text in the running configuration.

R_Movingit(config)#username admin privilege 15 password cisco

We now configure the line through which we will connect, in this case over the network, which means lines vty 0 4.

R_Movingit(config)#line vty 0 4

We restrict access on these lines to SSH only.

R_Movingit(config-line)#transport input ssh

The users who can log in on this line are the ones defined by hand on the router itself, in the "local" user database.

R_Movingit(config-line)#login local
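To check that a router really ended up with the settings above, here is an added example (not part of the original article) in Python that parses a running-config excerpt and reports which of the SSH settings from this guide are missing or weak. The configuration text is constructed for the example, using the hostname and domain from the article; the `password 0 cisco` form is how IOS displays a clear-text username password, and the audit flags it because `secret` stores a hash instead.

```python
"""Audit a Cisco IOS running-config excerpt for the SSH hardening steps above."""

# Constructed sample (not captured from a real device): roughly what
# `show running-config` prints after following the steps in this article.
SAMPLE_CONFIG = """\
hostname R_Movingit
!
ip domain-name moving-it.net
!
username admin privilege 15 password 0 cisco
!
ip ssh time-out 30
ip ssh authentication-retries 3
ip ssh version 2
!
line con 0
line vty 0 4
 login local
 transport input ssh
!
end
"""


def line_sections(config):
    """Map each 'line ...' header to the indented sub-commands beneath it.

    IOS prints sub-commands of a line (or interface) indented by one space and
    ends the section with '!' or the next top-level command.
    """
    sections = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command closes the section
    return sections


def audit_ssh(config):
    """Run the checks; return {check_name: (passed, detail)}."""
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    findings = {}

    findings["domain_name"] = (
        any(l.startswith(("ip domain-name ", "ip domain name ")) for l in top),
        "a domain name is required before 'crypto key generate rsa'",
    )
    findings["ssh_version_2"] = (
        "ip ssh version 2" in top,
        "only SSH version 2 should be accepted",
    )

    retries = next(
        (int(l.split()[-1]) for l in top if l.startswith("ip ssh authentication-retries ")),
        None,
    )
    findings["auth_retries"] = (
        retries is not None and retries <= 3,
        f"authentication-retries={retries}",
    )

    vtys = {k: v for k, v in line_sections(config).items() if k.startswith("line vty")}
    findings["vty_ssh_only"] = (
        bool(vtys) and all("transport input ssh" in body for body in vtys.values()),
        "every vty line needs 'transport input ssh' (not 'all' or 'telnet')",
    )
    findings["vty_login_local"] = (
        bool(vtys) and all("login local" in body for body in vtys.values()),
        "every vty line needs 'login local'",
    )

    # 'username X password ...' is stored in clear text (or reversible type 7);
    # 'username X secret ...' is stored as a hash.
    weak_users = [l.split()[1] for l in top if l.startswith("username ") and " password " in l]
    findings["user_secret"] = (
        not weak_users,
        f"users defined with 'password' instead of 'secret': {weak_users}",
    )
    return findings


def failed_checks(config):
    """Sorted names of the checks that did not pass."""
    return sorted(name for name, (ok, _) in audit_ssh(config).items() if not ok)


if __name__ == "__main__":
    for name, (ok, detail) in audit_ssh(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {detail}")
```

Run against the sample, the only failing check is `user_secret`; swapping the username line to use `secret` clears it, while changing the vty to `transport input all` or enabling SSH version 1 makes the corresponding checks fail.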

Voilà!! We now have SSH access enabled. Try it out, and if you have any problems, don't hesitate to add your comments.

Cheers and see you on the nets!!