Cisco products currently only support SSH-1, not SSH-2. IOS images that support SSH carry K3 or K4 in the feature-set name (K3 is 56-bit SSH encryption, K4 is 168-bit SSH encryption); today these are K8 and K9.
1. Configure "hostname" and "ip domain-name"
Router#configure terminal
Router(config)#hostname test
test(config)#ip domain-name toerd18f        ------- required for the SSH configuration

2. Configure "username" and "password"
test(config)#username test password 0 test
Note: this adds a user: test, with password: test
test(config)#line vty 0 4
test(config-line)#login local
test(config-line)#transport input ssh        ----- only SSH logins are allowed
Note: this prohibits telnet and switching-engine sessions!

3. Configure the SSH server
test(config)#crypto key generate rsa
The name for the keys will be: TEST-GSR12008.jx.cn.net
Note: the SSH key name is hostname + "." + ip domain-name
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:        Note: select the key length; the default is 512
Generating RSA keys ...
[OK]

Use the command "show ip ssh":
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

The SSH service is now started. If you need to stop the SSH service, use the following command:
test(config)#crypto key zeroize rsa

4. Configure SSH parameters
Use the "show run" command to see the SSH default parameters: the authentication timeout is limited to 120 seconds and the number of authentication retries is 3. They can be modified with the following command:
test(config)#ip ssh {[time-out seconds] | [authentication-retries integer]}
Example: limit the timeout to 180 seconds:
test(config)# ip ssh time-out 180
Example: set the number of retries to 5:
test(config)# ip ssh authentication-retries 5

NOTE:
1. SSH logins must use SSH1
2. Do not use any compression format
SSH configuration with AAA enabled
test(config)#ip domain-name runway.cn.net                   set the domain name
test(config)#aaa new-model                                  enable the AAA service
test(config)#crypto key generate rsa                        generate the key
The name for the keys will be: Router1.runway.cn.net
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024                    specify a 1024-bit key
% Generating 1024 bit RSA keys ...[OK]
test(config)#username sshuser secret sshpassword            specify the SSH login username and password
test(config)#ip ssh time-out 30                             set the SSH timeout
test(config)#no ip ssh version                              enable SSH v1 and v2
test(config)#aaa authentication login ssh local line none   set where SSH login information is stored
test(config)#ip access-list standard forssh                 define the permitted SSH login source addresses
test(config-std-nacl)#permit any
test(config)#line vty 0 4
test(config-line)#exec-timeout 30                           set the line login timeout
test(config-line)#login authentication ssh                  specify where the user information for login authentication is stored
test(config-line)#transport input ssh                       set the line login mode to SSH
test(config-line)#access-class forssh in                    apply the access list

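The method list `aaa authentication login ssh local line none` above is worth understanding precisely, because IOS only moves to the next method when the previous one is unavailable (returns an error), not when it rejects a credential. The following added example, which is not code from the original page, models that walk in Python: `DeviceState` is a constructed stand-in for the router's local user database and vty line password, and treating "every method errored" as a denial is this model's own assumption.

```python
"""Model of how IOS walks an `aaa authentication login` method list.

Added example, not code from the original page. It models the documented
rule that the next method is consulted only when the previous one returns
ERROR (the method is unavailable), not when it returns FAIL (the credential
was rejected), and that `none` grants access with no credential check.
DeviceState is a constructed stand-in for the router's local user database
and vty line password; treating "all methods errored" as a denial is this
model's assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class DeviceState:
    usernames: Dict[str, str] = field(default_factory=dict)  # `username X secret Y` entries
    line_password: Optional[str] = None                       # `password` under `line vty`


def parse_method_list(config_line: str) -> Tuple[str, List[str]]:
    """'aaa authentication login ssh local line none' -> ('ssh', ['local', 'line', 'none'])."""
    parts = config_line.split()
    if parts[:3] != ["aaa", "authentication", "login"] or len(parts) < 5:
        raise ValueError(f"not an aaa authentication login line: {config_line!r}")
    return parts[3], parts[4:]


def run_method(method: str, state: DeviceState, user: str, password: str) -> str:
    """Evaluate one method: PASS, FAIL, or ERROR (method unavailable)."""
    if method == "local":
        if not state.usernames:
            return ERROR                     # empty local database: method cannot answer
        return PASS if state.usernames.get(user) == password else FAIL
    if method == "line":
        if state.line_password is None:
            return ERROR                     # no line password configured
        return PASS if password == state.line_password else FAIL
    if method == "none":
        return PASS                          # no authentication at all
    raise ValueError(f"unsupported method {method!r}")


def authenticate(methods: List[str], state: DeviceState,
                 user: str, password: str) -> Tuple[str, Optional[str]]:
    """Walk the list in order; return (decision, method that produced it)."""
    for method in methods:
        result = run_method(method, state, user, password)
        if result != ERROR:
            return result, method            # PASS or FAIL stops the walk
    return FAIL, None                        # every method errored: deny (model assumption)


if __name__ == "__main__":
    name, methods = parse_method_list("aaa authentication login ssh local line none")
    configured = DeviceState(usernames={"sshuser": "sshpassword"})
    print(name, methods)
    print("good password:", authenticate(methods, configured, "sshuser", "sshpassword"))
    print("bad password: ", authenticate(methods, configured, "sshuser", "guess"))
    # Same list after the last `username` line is removed: local and line both
    # error out, so `none` admits anyone without a credential.
    print("no usernames: ", authenticate(methods, DeviceState(), "anyone", ""))
```

The third case is the one to watch in the page's configuration: a wrong password is rejected by `local` and never falls through, but if the `username` entries are deleted and no line password exists, `none` becomes the deciding method and the vty lines accept any login. Ending the list without `none` (for example `aaa authentication login ssh local`) removes that fallback.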
SSH configuration without AAA enabled
test(config)#hostname Router1
test(config)#ip domain-name runway.cn.net
test(config)#crypto key generate rsa
The name for the keys will be: Router1.runway.cn.net
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
test(config)#username sshuser secret sshpassword
test(config)#ip ssh time-out 30
test(config)#no ip ssh version
test(config)#ip access-list standard forssh
test(config-std-nacl)#permit any
test(config)#line vty 0 4
test(config-line)#exec-timeout 30
test(config-line)#login local
test(config-line)#transport input ssh
test(config-line)#access-class forssh in

Reposted from: https://blog.51cto.com/icedot/318737