How to configure SSH

PART 1:

One of the most basic ways to protect your network is encryption. You don't want your neighbors watching you come out of the shower, so why would you let them sniff your unencrypted management traffic? The second is less immediately intrusive than the first, but it matters more: Telnet sends your login and every command you type in clear text, so anyone who can capture that traffic has the password to the device.

The first thing you want to do is save your current config, so that if one of the next steps locks you out or breaks something you can get back to a known-good state with a reload. Start by getting to the privileged EXEC prompt. Then type the command:

S1#copy running-config startup-config

Remember that you can abbreviate a command as long as what you type is unambiguous. This is what I usually type:

S1#copy run start

When the prompt asks you:

Destination filename [startup-config]?

just press Enter and accept the default. Now move to global configuration mode; from there you can obscure the plain-text passwords in the config with the following command:

S1(config)# service password-encryption

Be aware of what this does and does not do. It applies Cisco's Type 7 encoding to passwords that would otherwise be stored in clear text, and Type 7 is reversible with a few lines of code, so it only stops someone reading a password off your screen during show running-config. Passwords that matter (enable secret, username ... secret) should be set with the secret keyword, which stores a one-way hash, and a config backup should still be treated as sensitive.

Now that your baseline is saved, you are ready to start your tinkering.

PART 2:

Step 1: Set the IP domain name and generate RSA keys

From here, you want to configure the domain name with the following command:

S1(config)#ip domain-name netacad.pka

When that is done, generate the RSA key pair that SSH will use. This lab asks for 1024 bits, and that is what I use here, but 1024-bit RSA is considered weak today; on production gear use 2048 bits or more (current IOS accepts up to 4096):

S1(config)#crypto key generate RSA

The name for the keys will be: S1.netacad.pka
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

Here it asks for the key length; type your choice and press Enter:

How many bits in the modulus [512]: 1024

Do not accept the 512-bit default: it is far too small, and IOS will not run SSH version 2 with a modulus under 768 bits. On real hardware you can skip the prompt with crypto key generate rsa modulus 2048, and you should then force the secure protocol version with ip ssh version 2, since version 1 has known flaws and is only kept for compatibility.


Step 2: Create an SSH user and reconfigure VTY lines for SSH-only access


To create an administrator user with the password set to cisco, use the following command. The secret keyword stores a hash rather than the password itself; remember to use a stronger password and a more descriptive username in live environments:

S1(config)#username administrator secret cisco

To make the VTY lines authenticate against the local username database, accept only SSH for remote access (this disables Telnet), and remove the existing VTY line password:

S1(config)#line vty 0 15
S1(config-line)#transport input ssh
S1(config-line)#login local
S1(config-line)#no password
S1(config-line)#exit

Step 3: Verify SSH Implementation

You are almost done. If you did the configuration over Telnet, transport input ssh will have dropped your session, and Telnet will not get you back in: the switch accepts the TCP connection and then immediately closes it, so you will be greeted by this message

Trying 10.10.10.2...Open

[Connection to 10.10.10.2 closed by foreign host]

To connect to the device again, try this from the client you were using (any SSH client takes the same arguments):

ssh -l administrator 10.10.10.2

Two notes: the -l is the letter "L", not the number 1, and it is followed by the username you want to log in as and then the IP address of the device. Once you are in, double-check everything you did with this command:

S1#show running-config

show ip ssh confirms the SSH version and timeout settings and show ssh lists the open sessions. After you are done checking, save your running configuration to the startup configuration as we did in Part 1.
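As an added example (not code from the original post), here is a Python script that audits a saved running-config for each step in this post and decodes any Type 7 password it finds, which is the quickest way to see what service password-encryption in Part 1 really does. The two config samples inside it are constructed by hand and the hash string is a placeholder; it also checks for ip ssh version 2, which the lab above does not set.

```python
"""Audit an IOS running-config for the SSH hardening steps in this post.
Added example, not from the original post; both configs are constructed
(the hash string is a placeholder): BEFORE is after Part 1 only, AFTER is the goal."""
import re

# Fixed key behind Type 7; the two leading digits of a string are the offset.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

BEFORE_CONFIG = """\
service password-encryption
ip domain-name netacad.pka
line vty 0 15
 password 7 0822455D0A16
 login
"""

AFTER_CONFIG = """\
service password-encryption
username administrator secret 5 $1$placeholder$not.a.real.hash
ip domain-name netacad.pka
ip ssh version 2
line vty 0 15
 login local
 transport input ssh
"""

def decode_type7(encoded):
    """Reverse a Type 7 string: decimal seed, then hex bytes XORed with the key."""
    seed = int(encoded[:2])
    plain = []
    for n, i in enumerate(range(2, len(encoded) - 1, 2)):
        byte = int(encoded[i:i + 2], 16)
        plain.append(chr(byte ^ ord(TYPE7_KEY[(seed + n) % len(TYPE7_KEY)])))
    return "".join(plain)

def parse_config(config):
    """Return top-level lines and, per top-level line, its indented children."""
    top, children, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            children[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            children[current] = []
    return top, children

def audit(config):
    """Collect the settings the steps in this post are meant to produce."""
    top, children = parse_config(config)
    domain = [l.split()[-1] for l in top if l.startswith("ip domain-name ")]
    report = {
        "password_encryption": "service password-encryption" in top,
        "domain_name": domain[0] if domain else None,
        "ssh_version_2": "ip ssh version 2" in top,
        "local_users": [l.split()[1] for l in top if re.match(r"username \S+ secret ", l)],
        "vty": {}, "type7": [],
    }
    for section in top:
        body = children[section]
        if section.startswith("line vty"):
            transport = [l.split(None, 2)[2] for l in body if l.startswith("transport input ")]
            report["vty"][section] = {
                "transport_input": transport[0] if transport else "not set (platform default)",
                "login_local": "login local" in body,
                "has_password": any(l.startswith("password ") for l in body),
            }
        for line in [section] + body:  # Type 7 strings can sit at top level or under a line
            m = re.search(r"\bpassword 7 ([0-9A-Fa-f]{4,})", line)
            if m:
                report["type7"].append((section, decode_type7(m.group(1))))
    return report

def findings(report):
    """List what is still wrong; an empty list means the hardening is complete."""
    issues = []
    if not report["password_encryption"]:
        issues.append("global: service password-encryption not enabled")
    if report["domain_name"] is None:
        issues.append("global: ip domain-name missing, crypto key generate rsa needs it")
    if not report["ssh_version_2"]:
        issues.append("global: ip ssh version 2 not set")
    if not report["local_users"]:
        issues.append("global: no local username with a secret for login local to use")
    for name, v in report["vty"].items():
        if v["transport_input"] != "ssh":
            issues.append(f"{name}: transport input is {v['transport_input']}, not ssh")
        if not v["login_local"]:
            issues.append(f"{name}: login local missing")
        if v["has_password"]:
            issues.append(f"{name}: line password still set")
    for where, plain in report["type7"]:
        issues.append(f"{where}: Type 7 password is reversible, decodes to {plain!r}")
    return issues

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, findings(audit(cfg)) or ["clean"])
```

Run it directly and BEFORE_CONFIG (Part 1 only) reports six findings, including the VTY line password decoding straight back to cisco, while AFTER_CONFIG comes back clean. Paste the output of show running-config from a real device into audit() to check the same points there.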
