Configure ssh

I want to configure SSH on my network. What SSH server is there for Windows? I have an SSH client that seems to offer what I want. I don't want to use the Windows user manager to manage accounts. I would use AAA for authentication but if I can't I will use TACACS. My network has 80 routers and about 200 switches. My goal is to be able to access my Inc. without a password being transmitted in clear text. I know it's vague, but I'm just getting started. Any advice would be appreciated.

I understand what your needs are; you need not worry about an SSH server. What I think you're asking for is the ability to use an SSH client that runs on PC(s) to access the Cisco switches and routers so that the passwords will not be transmitted in the clear.

I think the answer for you is that if you have the correct code on the Cisco devices, they will support SSH (indeed, they act as the SSH server) from the client PC. You can then do the standard AAA authentication (RADIUS or TACACS as you prefer) and manage users there.

I am currently only for a group of remote routers for a client and it works well.

You may need to set "transport input ssh" on the routers' vty ports.

Tags: Cisco Security

Similar Questions

  • Configure SSH/Telnet on a WPA2000

    Hello

    I'm trying to configure SSH/Telnet on a Wireless-G WPA2000 Access Point. I have looked for documentation but am unable to find any that says how to do that via the user interface, and I don't see any obvious place where this could be. Has anyone managed to set this up? I would prefer SSH but telnet will do.

    Hi Sarah, small business wireless products do not support a CLI configuration, so no document. In addition, the only management options would be via http/https and SNMP V1, 2, 3.

    -Tom
    Please mark replied messages useful

  • Not able to configure SSH

    Hello

    I use an 1841 router. My question is that I'm not able to configure SSH on the router. Is it a problem with the IOS?

    sh version

    Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)

    Hi knani

    You are running the IP BASE feature set IOS on your router; you need to upgrade it to the Advanced Security or SP Services feature set for SSH support in your router...

    http://www.Cisco.com/en/us/products/SW/iosswrel/ps5460/index.html

    regds

  • Configure SSH on Cisco uBR7246VXR? Help, please

    I have an empty startup-config file on my uBR7. I need to activate SSH so that I can SSH to the uBR without being physically next to it. IM tells me I should activate RADIUS? Does anyone have an idea how I can do this?

    I have never used/configured this particular type of hardware, but if it runs Cisco IOS, then you can follow this:

    http://www.TheGeekStuff.com/2013/08/enable-SSH-Cisco/

    Check it out and let me know if you have any questions

    Thank you for evaluating useful messages!

  • How to configure ssh on the new network card

    I added a new network adapter to use for replication of virtual machines outside the service console. I can't SSH in to the new IP address. I'm trying to figure out how to add the IP to the SSH config so it will allow me to connect.

    You can have several console and you can not remove the console when you are connected.

    As written in the previous post, send a screenshot of the network configuration.

    André

  • Configure ssh named the credentials of the host

    I'm trying to set up SSH named credentials for the host in 12c.
    Can someone please provide the exact document for this?

    Kind regards
    s/n

    Hello

    Please take a look at the following ADDRESS:

    http://www.YouTube.com/user/OracleLearning#p/a/u/1/l0GtM41KSDs

    It gives complete step-by-step information on how to set up the SSH key named credentials.

    Best regards
    Vincent

  • Configure 2611 by SSH

    Hello

    I have a router 2611 I want to configure SSH instead of telnet.

    Can someone point me to a Cisco guide that explains how to do this? The bit I'm mostly having problems with is finding how to generate the SSH key.

    Info much appreciated.

    Thank you

    Gareth

    Hello

    to generate the key:

    cry key generate rsa

    to check:

    show cry key mypubkey rsa

    See also the following document:

    http://www.Cisco.com/warp/public/707/SSH.shtml

    Kind regards

    Mehrdad Arshad Rad

  • Enable SSH and disable Telnet

    I am trying to activate SSH on a 3560G switch so I can disable Telnet.

    Some referred to a "sh ssh" to see if I have SSH on the switch. It does not show. I also have "transport input ssh" and ssh is not a valid input method.

    I've decided to update the IOS on the switch. I am now at 12.2 (52) SE.

    But I can not configure SSH. I get the same results as mentioned above.

    Since it is the latest version of IOS, can I not assume that it contains SSH? Or do I need to download another version of IOS that specifically has SSH in it?

    Thanks for your help

    There are two versions of the Catalyst switch images (K9/SSH and SSH). If you do a "show version" it displays the latest version of IOS running on the switch. If you run a non-SSH version, you must upgrade to an SSH (K9) image.

    Regards

    Farrukh

  • Problems with SSH Cisco 871W

    Hi, I started training for my certification and now have any possible explanation how to configure SSH on a Cisco 871W router, and there is no way I can connect. I used TeraTerm versions 3.13 and 4.69 and it keeps asking me for the password, which I entered correctly.

    It's really frustrating because everywhere I look for answers I noticed it should be something simple to do and it does still work for me.

    In any case, this is my running config; if anyone can give me a hand I would really appreciate it

    Current configuration : 1317 bytes
    !
    version 12.4
    service config
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname labrouter
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 AnLl $1$$ H5XfrfdN5L6bogmtdGW.Y1
    !
    no aaa new-model
    !
    !
    dot11 syslog
    ip cef
    !
    !
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip domain name House.com
    !
    !
    !
    username tripi22 password 0 ld30dzy7
    !
    !
    archive
     log config
      hidekeys
    !
    !
    ip ssh version 2
    !
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
     ip address dhcp
     duplex auto
     speed auto
    !
    interface Dot11Radio0
     no ip address
     shutdown
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    !
    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    !
    !
    !
    control-plane
    !
    banner motd ^C
    ******************************************************************************
    NO JODER
    ******************************************************************************^C
    !
    line con 0
     password 123
     login
     no modem enable
    line aux 0
    line vty 0 4
     password 123
     login
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    end

    Hello

    Can you try changing the "login" command to "login local" under the vty lines?

    Thank you

    Wen
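
The settings this thread turns on (line-password `login` versus `login local`, telnet left in `transport input`, a type 0 password) can be checked across many saved configs with a short script. The following is an added example, not code from any poster; both configs are constructed placeholders modelled on the one above, and it assumes the usual `show running-config` indentation for sub-commands.

```python
import re

# Constructed configs modelled on the running-config in the thread above;
# every name and credential is a placeholder, not a value from the page.
WEAK_CONFIG = """\
hostname labrouter
no aaa new-model
ip domain name example.invalid
username labuser password 0 PLACEHOLDER
ip ssh version 2
line vty 0 4
 password PLACEHOLDER
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname labrouter
no aaa new-model
ip domain name example.invalid
username labuser secret 5 PLACEHOLDER-HASH
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
"""

def parse_sections(config):
    """Return (global commands, {section header: [indented sub-commands]})."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue  # blank lines and '!' separators carry no settings
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            global_cmds.append(current)
            sections[current] = []
    return global_cmds, sections

def audit_ssh(config):
    """List settings that leave vty access weaker than SSH-only with usernames."""
    global_cmds, sections = parse_sections(config)
    findings = []
    if not any(c.startswith("hostname ") for c in global_cmds):
        findings.append("hostname not set (needed before generating the RSA key)")
    if not any(re.match(r"ip domain[- ]name \S+", c) for c in global_cmds):
        findings.append("domain name not set (needed before generating the RSA key)")
    if "ip ssh version 2" not in global_cmds:
        findings.append("SSH version 2 not enforced")
    for c in global_cmds:
        m = re.match(r"username (\S+) password 0 ", c)
        if m:
            findings.append(f"username {m.group(1)}: password stored in cleartext (type 0)")
    aaa = "aaa new-model" in global_cmds  # 'no aaa new-model' does not match
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        if not aaa and "login local" not in body:
            findings.append(f"{header}: no 'login local' and no AAA, logins skip the username database")
        transport = next((b.split()[2:] for b in body if b.startswith("transport input")), [])
        if "telnet" in transport or "all" in transport:
            findings.append(f"{header}: telnet still accepted, passwords cross the wire in cleartext")
        elif "ssh" not in transport:
            findings.append(f"{header}: 'transport input ssh' missing")
    return findings
```

Calling `audit_ssh(WEAK_CONFIG)` returns three findings (the type 0 password, the missing `login local`, and telnet on the vty lines); the hardened variant returns none.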

  • Module SSL are supported SSH version 1?

    Hi all

    I am pleased that we have this great forum to discuss Cisco products.

    We have an SSL Module installed in our Catalyst 6509. The problem is that the SSLM can only support SSH version 1; I could not find how to activate SSH version 2. Is it possible to use SSH version 2 for this device, or do I have to update the IOS?

    Thank you very much for the help!

    Details in the following way:

    SSLM_SLOT9(config)#ip ssh ?
      authentication-retries  Specify number of authentication retries
      port                    Starting (or only) Port number to listen on
      rsa                     Configure RSA keypair name for SSH
      source-interface        Specify interface for source address in SSH connections
      time-out                Specify SSH time-out interval

    SSLM_SLOT9(config)#ip ssh version 2
                              ^
    % Invalid input detected at '^' marker.

    Here is the information for the device:

    Cisco Internetwork Operating System software

    IOS (TM) SVCSSL (SVCSSL-K9Y9-M), Version 12.2 YS VERSION SOFTWARE (15)

    Copyright (c) 1986-2004 by cisco Systems, Inc.

    Last updated on Saturday, 28 May 04 17:29 by integ

    Image text-base: 0 x 00400078, database: 0x00AFE000

    ROM: System Bootstrap, Version 12.2 YS1 SOFTWARE (11)

    SSL Module WS-SVC-SSL-1

    HW Fw (1) Sw 2.1 7.2 3.2 (2).

    Hello

    Support for SSHv2 was added in SSLM software version 3.1:

    http://www.Cisco.com/en/us/partner/docs/interfaces_modules/services_modules/SSL/3.1/release/notes/ol_9138.html#wp201055

    HTH

    Herbert

  • SSH to the external interface

    How do I configure SSH on the outside interface of the ASA? I have defined and applied an access list on the outside interface, but it did not work for some reason.

    Here is the access list

    interface GigabitEthernet0/1
     nameif outside
     security-level 0
     ip address 10.254.17.9 255.255.255.248
    !
    interface GigabitEthernet0/2
     no nameif
     security-level 100
     no ip address
    !
    interface GigabitEthernet0/3
     description EIGRP 2008
     nameif eigrp
     security-level 100
     ip address 10.40.50.65 255.255.255.252
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.251.1 255.255.255.0
     management-only
    !
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    access-list 110 extended permit ip any any
    access-list NAT extended permit ip any any
    access-list allow_ping extended permit icmp any any echo-reply
    access-list allow_ping extended permit icmp any any source-quench
    access-list allow_ping extended permit icmp any any unreachable
    access-list allow_ping extended permit icmp any any time-exceeded
    access-list allow_ping extended permit udp any any eq isakmp
    access-list allow_ping extended permit esp any any
    access-list allow_ping extended permit ah any any
    access-list allow_ping extended permit gre any any
    access-list allow_ping extended permit tcp any any eq ssh
    access-list sheep extended permit ip any any
    access-list icmp_inside extended permit icmp any any
    access-list icmp_inside extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu eigrp 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    access-group allow_ping in interface outside

    Can't say I've seen this before, but SSH is easy to do on the ASA.

    I recommend you first take out the interface access list to see if that would be it.

    You have published only a partial section of the config, but make sure you have the SSH command with the address of the subnet that you connect from. Your config is no longer visible as I type this, but try "ssh 0.0.0.0 0.0.0.0 outside". This allows all subnets access to the outside interface. This command works as an access list to restrict connectivity to approved subnets, i.e. "ssh 10.0.0.0 255.0.0.0 outside" will only allow hosts on the 10.x.x.x network to connect via SSH.

    Turn on "debug ssh" to see what the errors are, too.

    And, you can always remove your keys (crypto key zeroize rsa) and regenerate them (crypto key generate rsa modulus 1024). This will make your SSH client, I use PuTTY, think that this is a new device and prompt you for the OK to connect.

    Good luck.

    Kevin

  • Setting up SSH on a 3845 router?

    Hello everyone!

    Just curious, how you set up SSH on a router cisco 3845? Specifically, how to generate RSA keys?

    It seems to be missing the subcommand "generate" under crypto. When I type "crypto key" the only sub-commands are lock and unlock. I am familiar with this and do not want to disturb too much as it is a production company.

    I'm running c3845-spservicesk9-mz.124-11.T2.bin so I should have the possibility, yes? Any guidance would be appreciated. I really prefer not to use telnet.

    you have k9 image, it should support crypto commands, are you sure you were in the configuration mode?

    try again.., here is a link to configure ssh in IOS.

    http://www.Cisco.com/en/us/Tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

    One way to do this is to open telnet sessions to the router; in one session, be in enable mode and leave the session open. In the other telnet session, work on applying the SSH configuration. When you are done, do not save the config; leave the session and open a new session using SSH to ensure that you can connect and log in to the router via SSH. If for any reason it fails, you still have the other open telnet session to cancel the SSH change or correct it.

    Also, to ensure that the telnet sessions do not time out while you work with the configs, allow yourself more time by entering exec-timeout 60 (one hour) for your vty lines:

    line vty 0 4
     exec-timeout 60

    You can also do the full SSH implementation via the console port as well.

    Regards

    Pls rate all helpful messages if this can help

  • SSH using the Public & Private Key

    Hi all

    I have the switch set up for SSH and it does not work well. I know how to configure SSH on a router using the crypto command. A new requirement has now arisen. My organization has created a key pair, a PRIVATE KEY and a PUBLIC KEY common to the company, using a mechanism. The idea is that the PUBLIC KEY will be placed on devices like Unix and Linux servers, so only the staff who hold the PRIVATE KEY are allowed to access the device. I am trying to add / install / import the PUBLIC KEY into the switch in the same way, but I have no idea how to move forward. Please guide me on how to import the PUBLIC KEY into the switch, so that anyone who has the PRIVATE KEY is allowed to connect to the device.

    R.B.KUMAR

    This feature is NOT supported on Cisco IOS or ASA. If you want to do something like this, I suggest you look at other vendors such as Nokia/Checkpoint, F5, or Juniper.

  • Deployment to connect on a router that is already running an ssh IPSec tunnel

    I have a bunch of routers that have been set up (by someone else!) with Internet IPsec tunnels to base, but with telnet vty access. They must be updated so that only SSH is available for vty use.

    It's pretty easy to deploy SSH, but part of the task is to generate an encryption key, "crypto key generate rsa" etc.; if I try to do the configuration without this command, I get an error message asking me to do it.

    And there is the problem: when I generate a key, it screws up the existing IPsec tunnel somehow. Worse still, it does not do so immediately; it waits for an indefinite period, probably (I guess) until after the IPsec tunnel has been idle for a period and has stopped/started. What I *think* is happening is that on the re-opening of the tunnel, it picks up the wrong key, and the other end kills the link. The logs have nothing relevant in them, and I am still trying to get the failure to occur on a router running debugging.

    Has anyone tried to do this update before? Should we put SSH on first, and then rebuild the IPsec tunnel config?

    Thanks for your ideas/comments

    Jim

    If the IPsec VPN uses certificate authentication, regenerating the RSA keys may be bad. Without knowing your IPsec configuration, I would say that the best approach would be to generate an SSH key that will not interfere with it. Try something like this:

     crypto key generate rsa modulus 2048 label RSA_Key_SSH
     ip ssh rsa keypair-name RSA_Key_SSH

    This will generate a new key, which is independent of any existing keys, and configure SSH to use it.

  • in PIX with SSH connection issues

    Hello

    I have a PIX 506 running OS 6.2(2) which is located in a DMZ, known as the outside PIX. It's behind another PIX 506 (the inside PIX). The two PIXes have TACACS+ configured for login authentication.

    Last week the outside PIX physically crashed and I replaced it with a spare PIX and completely reconfigured it.

    Now I can't connect to this outside PIX using SSH, even though the access list on the inside PIX is correct and permits SSH and TACACS+. However, I can telnet to it.

    I use PuTTY to connect and when I start the SSH session to the PIX, the login window appears and disappears immediately without giving me time to do anything.

    Any help would be greatly appreciated. Thanks in advance.

    A.G.

    ##################################################

    Inside PIX config:

    access-list inside permit tcp Company-Interior-Net 255.255.255.0 host outsidepix-Interior-interface eq ssh
    access-list inside permit tcp Company-Interior-Net 255.255.255.0 host outsidepix-Interior-interface eq telnet
    access-list inside permit icmp DMZNet 255.255.255.192 Company-Interior-Net 255.255.255.0 echo
    access-list inside permit icmp Company-Interior-Net 255.255.255.0 DMZNet 255.255.255.192 echo-reply
    access-list dmzacl permit icmp host outsidepix-Interior-interface company-Interior-Net 255.255.255.0 echo
    access-list dmzacl permit icmp host outsidepix-Interior-interface company-Interior-Net 255.255.255.0 echo-reply
    access-list dmzacl permit tcp host outsidepix-Interior-interface host Ganymede-server1 eq tacacs
    access-list dmzacl permit tcp host outsidepix-Interior-interface host Ganymede-server2 eq tacacs

    Outside PIX config:

    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host Ganymede-server1 1234 timeout 10
    aaa-server TACACS+ (inside) host Ganymede-server2 1234 timeout 10
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication telnet console TACACS+
    aaa authentication ssh console TACACS+
    aaa authentication enable console TACACS+
    telnet Company-Interior-Net 255.255.255.0 inside
    telnet timeout 5
    ssh Company-Interior-Net 255.255.255.0 inside
    ssh DMZNet 255.255.255.192 inside
    ssh timeout 5

    Did you follow the steps to configure SSH? Are the domain name and host name defined on it? Did you run "ca generate rsa..." to create the encryption keys?
