How to Configure Secure Shell (SSH) on a Cisco Router


Secure Shell (SSH)

Secure Shell (SSH) improves network security by providing a means of establishing secure connections to networking devices for management, thereby preventing hackers from gaining access.

Using digital certificates in public/private key cryptography, SSH is able to authenticate clients or servers, ensuring that the device or server you are about to connect to is exactly who it claims to be.

Like SSH, Telnet can also be used to connect to your router, but the main disadvantage of using Telnet is that it does not encrypt its connections. This means that if a hacker is able to capture packets from a Telnet session, he or she would be able to view information contained within those packets, such as a client’s username and password, and so gain access to your router.

1. Configure a hostname for the router using these commands.

yourname#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
yourname(config)#hostname techbuddies

2. Configure a domain name with the ip domain-name command followed by whatever you would like your domain name to be. I used

techbuddies(config)#ip domain-name

3. Generate the certificate that will be used to encrypt the SSH packets. This is done with the crypto key generate rsa command.

Now that we’ve generated the key, our next step would be to configure our vty lines for SSH access and specify which database we are going to use to provide authentication to the device. The local database on the router will do just fine for this example.

techbuddies(config)#line vty 0 4

techbuddies(config-line)#login local

techbuddies(config-line)#transport input ssh

You will need to create an account on the local router’s database to be used for authenticating to the device. This can be accomplished with these commands.

techbuddies(config)#username XXXX privilege 15 secret XXXX

I would also highly recommend enabling an exec time-out on your router to prevent anyone from gaining access to the device in case you forget to log out or get distracted by an emergency. This way, the router will automatically log you out after the session has been idle for a set time.
You must configure this command in line configuration mode, as shown below.

techbuddies(config)#line vty 0 4

techbuddies(config-line)#exec-timeout 5

This means that if the session has been idle for 5 minutes, the router will automatically disconnect the session.
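Once the steps above are applied, the result can be checked against a saved copy of the running configuration. The Python script below is an added example, not part of the original tutorial: the sample config, the example.test domain, the admin user and the function names are constructed for illustration, and it assumes local authentication without AAA, as in this walkthrough.

```python
import re

# Constructed sample running-config (not from a real device). The vty 5 15
# block is deliberately left weak to show what the audit reports.
SAMPLE_CONFIG = """\
hostname techbuddies
ip domain-name example.test
username admin privilege 15 secret 5 $1$constructed$hash
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
"""

def vty_blocks(config):
    """Yield (header, [sub-commands]) for every 'line vty' block."""
    header, body = None, []
    for line in config.splitlines():
        if line.startswith(" ") and header:
            body.append(line.strip())
            continue
        if header:
            yield header, body
        header, body = (line.strip(), []) if line.startswith("line vty") else (None, [])
    if header:
        yield header, body

def audit(config):
    """Return findings for the SSH settings this tutorial configures."""
    findings = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("global: no ip domain-name set")
    if not re.search(r"^username \S+ .*\bsecret\b", config, re.M):
        findings.append("global: no local user with a secret")
    for header, body in vty_blocks(config):
        transport = next((c for c in body if c.startswith("transport input")), "")
        if transport.split()[2:] != ["ssh"]:  # telnet allowed or not explicit
            findings.append(f"{header}: transport input is not ssh-only")
        if "login local" not in body:
            findings.append(f"{header}: login local missing")
        timeout = next((c.split()[1:] for c in body if c.startswith("exec-timeout")), None)
        if timeout is not None and all(int(n) == 0 for n in timeout):
            findings.append(f"{header}: exec-timeout disabled")  # 0 0 = never
    return findings
```

Calling audit(SAMPLE_CONFIG) flags only the vty 5 15 block, which is a common gap when lines 0 4 are hardened and the remaining vty lines are left untouched.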