How to Configure Secure Shell (SSH) on a Cisco Router

- select the contributor at the end of the page -
Security continues to dominate the IT industry and is one of the most important factors to consider when designing and deploying networks.

It is, therefore, imperative that we are able to ascertain and prevent most, if not all, vulnerabilities that may exist. One such weakness is Telnet to which SSH is the alternative.

Today we'll take a deeper look at how you can enable and configure your Cisco Router to use SSH and why we should always use SSH where possible as opposed to using Telnet.

We all know that when it comes to security within the networking universe, Cisco is one of the biggest players. However, just having a Cisco device doesn't mean that you are secured. The onus is on you to ensure that you've configured that device properly to prevent most, if not all, loopholes.


Why Use Secure Shell (SSH)?

Secure Shell (SSH) improves network security by providing a means of establishing secure connections to networking devices for management, thereby preventing hackers from gaining access.

Using Digital Certificates, in a Public/Private Key Cryptography, SSH is able to authenticate clients or servers ensuring that the device or server you are about to connect to is exactly who they claim to be.

Ok, so now that we have a very brief idea of how SSH secures network traffic, the next step is figuring out where to get this thing we call a digital certificate. Do we have to go into a store to purchase it?

Digital Certificates can be acquired in generally three different ways. The most secure (and expensive) is requesting it from a trusted company called a CA - Certificate Authorities. An example of one such company is VeriSign, which is highly popular within the CA Industry for their role in providing worldwide trusted certificates; these certificates can however cost quite a bit.

There are two other ways of requesting a certificate. One is by using an internally trusted CA (trusted within a company) also called an enterprise CA or by generating a self sign certificate on the device itself. The last one is the least secure form, but provides more than enough security to lock down your average network device. This self signed certificate can be generated using the built in commands on your Cisco router.


What About Telnet?

Like SSH, Telnet can also be used to connect to your router but, the main disadvantage of using Telnet is that it does not encrypt its connections. This means that if a hacker is able to capture packets from a Telnet session, he or she would be able to view information contained within those packets, such as a client's username and password, therefore gaining access to your router.

The diagram below will give you an idea of how this works.

How to configure Secure Shell (SSH) on a Cisco Router


SSH Router Configuration

Now that we have an understanding of how SSH works and why we should use it instead of Telnet, the next step is actually getting down to configuring the device, which is always my favorite part.

For this exercise I will be using a Cisco 871 series SOHO router with IOS ver. 12.4 software. Depending on whether your router is brand new or currently in a production environment, you're going to have to either connect via a Console session or through a Telnet session.

Take a look at my article on configuring a Cisco router to use RADIUS for authentication for the steps needed to connect via a Console session or you can check this article on Cisco's website.

Here are the steps:

1. Configure a hostname for the router using these commands.

yourname#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

yourname (config)#hostname LabRouter


2. Configure a domain name with the ip domain-name command followed by whatever you would like your domain name to be. I used

LabRouter(config)#ip domain-name

3. We generate a certificate that will be used to encrypt the SSH packets using the crypto key generate rsa command.

Take note of the message that is displayed right after we enter this command: "The name for the keys will be:" -- it combines the hostname of the router along with the domain name we configured to get the name of the encryption key generated; this is why it was important for us to, first of all, configure a hostname then a domain name before we generated the keys.

Notice also that it asks us to choose a size of modulus for the key we're about to generate. The higher the modulus, the stronger the encryption of the key. For our example, we'll use a modulus of 1024.

How to configure Secure Shell (SSH) on a Cisco Router

4. Now that we've generated the key, our next step would be to configure our vty lines for SSH access and specify which database we are going to use to provide authentication to the device. The local database on the router will do just fine for this example.

LabRouter(config)#line vty 0 4

LabRouter(config-line)#login local

LabRouter(config-line)#transport input ssh

5. You will need to create an account on the local router's database to be used for authenticating to the device. This can be accomplished with these commands.

LabRouter(config)#username XXXX privilege 15 secret XXXX


Fine Tuning Your SSH Configuration

We've pretty much completed all the steps needed to configure and use SSH on your router; however, there are some other configurations that can be made to further secure your device.

For one, I would highly recommend you enabling an exec time-out on your router to prevent anyone from gaining access to the device in cases you forgot to logout or got distracted because of an emergency. This way, the router will automatically log you out after the session has been idle for a set time.

You must configure this command on the line interface as depicted below.

LabRouter(config)#line vty 0 4

LabRouter(config-line)# exec-timeout 5

This means that if the session has been idle for 5 minutes, the router will automatically disconnect the session.

Use Access Control Lists (ACL) as an added layer of security; this will ensure that only devices with certain IP address are able to connect to the router.

So let's say the IP Subnet for your LAN is, you would create an acl to permit only traffic from that subnet and apply this acl to the vty lines.

LabRouter(config)#access-list 1 permit

LabRouter(config)#line vty 0 4

LabRouter(config-line)#access-class 1 in


Final Tip: Enable SSH2

Another crucial point to note is the use of SSH2 as opposed to using SSH1. SSH2 improves on a lot of the weaknesses that existed within SSH1 and for this reason I recommend always using SSH2 where possible.

Enable SSH version 2 with this command:

LabRouter(config)#line vty 0 4

LabRouter(config)#ip ssh versopn 2

Detailed reading on SSH can be done at RFC 4251

Get our content first. In your inbox.

Loading form...

If this message remains, it may be due to cookies being disabled or to an ad blocker.


Jason Harry

Jason Harry is a technology enthusiast and a Systems Engineer with over 3 years of experience in the IT field. He spends most of his time playing video games, reading and researching the latest technological advancements as well as studying for his next IT certification. At the moment he is preparing for his MCTS on MOSS 2007 and MCITP Server Administrator. His long term goals include obtaining CCDA, CCDP and MCITP Enterprise Administrator certifications. Jason is very passionate about becoming one of the best IT Professionals amongst his peers and he dreams of one day being able to be a successful IT consultant. (CCNA, CCNP, CCNA Voice, MCSA, MCP, Net+, A+)