SSH

Secure Shell protocol providing encrypted remote access to network devices and servers

SSH (Secure Shell)

  • Encrypted protocol that provides secure remote access to network devices and servers over insecure networks
  • Operates on TCP port 22 by default and replaces insecure protocols like Telnet (port 23) and rlogin
  • Uses public-key cryptography for authentication and symmetric encryption for data transmission
  • Essential for secure network administration - think of it as your encrypted command bunker to remote systems

SSH Versions and Security

  • SSH-1: Legacy version with known security vulnerabilities (avoid in production)
  • SSH-2: Current standard with improved security, compression, and multiple channel support
  • Always disable SSH-1 and configure devices to use SSH-2 only for security compliance
  • Uses RSA, DSA, or ECDSA key pairs for authentication (RSA 2048-bit minimum recommended)

Key Exchange and Encryption Process

  • Initial handshake: Client and server negotiate encryption algorithms and exchange public keys
  • Host verification: Client verifies server’s host key to prevent man-in-the-middle attacks
  • User authentication: Password, public key, or certificate-based authentication
  • Session encryption: All subsequent traffic encrypted using negotiated symmetric cipher (AES-256 common)
SSH Connection Process

Client          Server
  |                 |
  |--TCP Handshake->|
  |                 |
  |<-Version Info---|
  |                 |
  |--Key Exchange-> |
  |                 |
  |<-Host Key-------|
  |                 |
  |  [Verify Host]  |
  |                 |
  |--Auth Request-> |
  |                 |
  |<-Auth Success---|
  |                 |
  [Encrypted Session]
  |                 |
  |<===Commands====>|
  |                 |

SSH Configuration on Cisco Devices

Basic SSH Setup Commands

Router(config)# hostname R1
Router(config)# ip domain-name company.local
Router(config)# crypto key generate rsa modulus 2048
Router(config)# ip ssh version 2
Router(config)# line vty 0 15
Router(config-line)# transport input ssh
Router(config-line)# login local

Authentication Methods

Method        Security Level   Use Case                  Configuration
Password      Low              Basic lab environments    login local with local users
Public Key    High             Production environments   Key-based authentication
Certificate   Highest          Enterprise/government     PKI infrastructure required

SSH Client Connection

  • Syntax: ssh -l username target-ip or ssh username@target-ip
  • Port specification: ssh -p 2222 username@target-ip (for non-standard ports)
  • Key file: ssh -i /path/to/private-key username@target-ip

Security Features and Best Practices

Access Control and Hardening

  • Change the default port from 22 to cut down noise from automated scanners; this is security through obscurity, not a substitute for the controls below
  • Connection limits: Configure maximum SSH sessions to prevent resource exhaustion
  • Timeout values: Set idle timeout to automatically disconnect inactive sessions
  • ACLs: Restrict SSH access to specific source networks or management VLANs
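The basic setup commands above and this hardening list amount to a checklist that can be verified against a device's running-config. The following Python audit is an added example, not part of the original page or any Cisco tooling; it runs over a constructed sample config (hostname, domain, ACL and VTY values are made up) and flags the items the page calls out: ip domain-name present, ip ssh version 2, ssh-only transport, an access-class ACL, and an exec-timeout on every VTY range.

```python
import re

# Constructed sample running-config (not from a real device): the first VTY range
# follows the page's advice; the second still allows Telnet and lacks ACL/timeout.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name company.local
ip ssh version 2
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 exec-timeout 10 0
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login local
"""

def parse_vty_blocks(config):
    """Map each 'vty X Y' range to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line[len("line "):]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the line block
    return blocks

def audit_ssh(config):
    """Findings against the page's checklist (RSA key size is not stored in running-config; use 'show ip ssh')."""
    findings = []
    if not re.search(r"^ip domain-name \S+$", config, re.M):
        findings.append("global: ip domain-name missing (needed before RSA key generation)")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("global: ip ssh version 2 not set (SSH-1 may still be accepted)")
    for name, cmds in parse_vty_blocks(config).items():
        transport = [c for c in cmds if c.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append(f"{name}: transport input is not ssh-only")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{name}: no access-class ACL restricting source networks")
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{name}: no exec-timeout for idle sessions")
    return findings
```

Calling audit_ssh(SAMPLE_CONFIG) reports only the "vty 5 15" range, which is exactly the Telnet-still-allowed situation the Notes section warns about.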

Monitoring and Logging

  • Enable logging for SSH connection attempts and failures
  • Monitor for brute-force attacks (multiple failed login attempts)
  • Use show ssh to view active SSH sessions and connection details
  • Configure SNMP or syslog for centralized security monitoring

Vocabulary

Host Key: Server’s public key used to verify server identity during initial connection
Key Exchange: Process where client and server negotiate encryption parameters
Public Key Authentication: Authentication method using cryptographic key pairs instead of passwords
Transport Layer: SSH layer responsible for encryption, compression, and integrity protection


Notes

  • SSH requires both a hostname and domain name configured before generating RSA keys (prerequisite often forgotten)
  • Default VTY lines may still allow Telnet - use transport input ssh to enforce SSH-only access
  • An RSA key modulus below 1024 bits is considered weak - use 2048 bits minimum for security compliance
  • SSH sessions consume more CPU and memory than Telnet due to encryption overhead
  • For high-security environments, disable password authentication entirely and use key-based auth only
  • Remember: SSH protects data in transit but doesn’t secure the endpoints - ensure device physical security
  • Critical: Always test SSH connectivity before removing Telnet access to avoid lockout situations