How To: Enable SSH On A Cisco 2950

First, make sure you are running an IOS image that includes encryption support; see my previous article for instructions on how to upgrade the code. Once your code is upgraded, here are the steps to enable SSH on a Cisco 2950.

Generate An SSH Key

switch-2950-1.tuxlabs.com#config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch-2950-1.tuxlabs(config)#crypto key generate rsa modulus 1024
The name for the keys will be: switch-2950-1.tuxlabs.com.tuxlabs.com

% The key modulus size is 1024 bits
Generating RSA keys ...
[OK]

switch-2950-1.tuxlabs(config)#exit
switch-2950-1.tuxlabs.com#

Verify your key like so

switch-2950-1.tuxlabs.com#show crypto key mypubkey rsa 
% Key pair was generated at: 00:10:35 UTC Mar 1 1993
Key name: switch-2950-1.tuxlabs.com.tuxlabs.com
 Usage: General Purpose Key
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E6AA25 
  8DB58145 F882CD0B C62F5123 AB0064A6 A09BD636 FA854D82 B1510A31 3A00606E 
  00F601F1 ECF64FCC 0F516E73 E80E0961 9CCCE91B 5C3D5919 4803B805 04AC2633 
  9D0A32E8 0196F572 5CE9FFF4 A5C27FC4 698DE75B F0573804 22D0CCFE 58936F4E 
  5BE394F4 3BDED1AC DC1BF1C9 5E71ABD5 34F1C21E CDA47B7E 72D40C34 6B020301 0001
% Key pair was generated at: 00:10:41 UTC Mar 1 1993
Key name: switch-2950-1.tuxlabs.com.tuxlabs.com.server
 Usage: Encryption Key
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 009F3354 2ECB6FB6 
  7A19D04D 929FEB38 05145D39 C9DB6CAB 5AC1A262 14FEFFBC DE6E5FA9 8565BEA6 
  1A888A92 C7D1ED2E DB8D3894 D972C9AE 853DFB98 8261D518 0F8A994C 9293C49C 
  0E946A95 0F89EA08 45E4DCB7 74F5A23C CDC5938C CD01C6C1 4D020301 0001
switch-2950-1.tuxlabs.com#

Wow 1993, feels good to be a time machine 🙂

Configure the allowed number of retries

switch-2950-1.tuxlabs.com#config t                     
Enter configuration commands, one per line.  End with CNTL/Z.
switch-2950-1.tuxlabs(config)#ip ssh authentication-retries 5
switch-2950-1.tuxlabs(config)#exit
switch-2950-1.tuxlabs.com#

Enabling SSH on the VTYs

switch-2950-1.tuxlabs.com#config t           
Enter configuration commands, one per line.  End with CNTL/Z.
switch-2950-1.tuxlabs(config)#line vty 0 4
switch-2950-1.tu(config-line)#login local
switch-2950-1.tu(config-line)#transport input ssh
switch-2950-1.tu(config-line)#line vty 5 15
switch-2950-1.tu(config-line)#login local
switch-2950-1.tu(config-line)#transport input ssh
switch-2950-1.tu(config-line)#exit
switch-2950-1.tuxlabs(config)#exit
switch-2950-1.tuxlabs.com#wr mem
Building configuration...
[OK]
switch-2950-1.tuxlabs.com#

Configuring A Username

When you're running telnet you don't need a username, but when you're using SSH you do, so add a local user.

switch-2950-1.tuxlabs.com#config t 
Enter configuration commands, one per line.  End with CNTL/Z.
switch-2950-1.tuxlabs(config)#username tuxninja privilege 15 password sup3rs3cr3t
switch-2950-1.tuxlabs(config)#exit
switch-2950-1.tuxlabs.com#wr mem
Building configuration...
[OK]
switch-2950-1.tuxlabs.com#

Now we're golden, let's test.

➜  ~  ssh tuxninja@switch-2950-1.tuxlabs.com
The authenticity of host 'switch-2950-1.tuxlabs.com (192.168.1.2)' can't be established.
RSA key fingerprint is 21:6b:44:bb:24:ff:ef:14:9d:f2:00:44:64:3d:3b:f8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'switch-2950-1.tuxlabs.com,192.168.1.2' (RSA) to the list of known hosts.
tuxninja@switch-2950-1.tuxlabs.com's password: 

switch-2950-1.tuxlabs.com#show privil
switch-2950-1.tuxlabs.com#show privilege 
Current privilege level is 15
switch-2950-1.tuxlabs.com#exit
Connection to switch-2950-1.tuxlabs.com closed.
➜  ~
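The "Are you sure you want to continue connecting" prompt above is the one moment to catch a wrong host key, and the switch has already printed everything needed to check it: the hex under "Key Data" in "show crypto key mypubkey rsa" is the DER-encoded public key. The Python script below is an added example, not code from the original post; it parses that DER with the standard library only, builds the RFC 4253 ssh-rsa blob and prints the MD5 fingerprint (colon-hex, the format older OpenSSH clients print in the "RSA key fingerprint is" line) and the SHA256 fingerprint newer clients print, so the value can be compared before answering yes. The key data embedded is the General Purpose key from the output above; that IOS uses that key, rather than the .server encryption key, as the SSH host key is an assumption, so compare the client's prompt against this script's output.

```python
"""Recompute a Cisco IOS SSH host-key fingerprint from 'show crypto key mypubkey rsa'.

Added example, not from the original post. Pure standard library.
"""
import base64
import hashlib
import re
import struct

# Key Data copied from the switch output above (the General Purpose key).
# IOS prints the DER-encoded SubjectPublicKeyInfo as 4-byte hex words.
KEY_DATA_HEX = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E6AA25
8DB58145 F882CD0B C62F5123 AB0064A6 A09BD636 FA854D82 B1510A31 3A00606E
00F601F1 ECF64FCC 0F516E73 E80E0961 9CCCE91B 5C3D5919 4803B805 04AC2633
9D0A32E8 0196F572 5CE9FFF4 A5C27FC4 698DE75B F0573804 22D0CCFE 58936F4E
5BE394F4 3BDED1AC DC1BF1C9 5E71ABD5 34F1C21E CDA47B7E 72D40C34 6B020301 0001
"""


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_spki_rsa(hex_words):
    """Return (n, e) from an RSA SubjectPublicKeyInfo given as IOS-style hex words."""
    der = bytes.fromhex(re.sub(r"\s+", "", hex_words))
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, _alg, pos = _read_tlv(spki, 0)          # AlgorithmIdentifier (rsaEncryption)
    tag, bitstr, _ = _read_tlv(spki, pos)        # BIT STRING holding RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    tag, rsa, _ = _read_tlv(bitstr[1:], 0)       # RSAPublicKey ::= SEQUENCE { n, e }
    tag, n_bytes, pos = _read_tlv(rsa, 0)
    tag, e_bytes, _ = _read_tlv(rsa, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_mpint(x):
    """RFC 4251 mpint: big-endian two's complement with a 4-byte length prefix."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:                   # high bit set: prepend 0x00 so it stays positive
        b = b"\x00" + b
    return struct.pack(">I", len(b)) + b


def ssh_rsa_blob(n, e):
    """RFC 4253 'ssh-rsa' public key encoding: string "ssh-rsa", mpint e, mpint n."""
    name = b"ssh-rsa"
    return struct.pack(">I", len(name)) + name + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(blob):
    """Legacy OpenSSH fingerprint (pre-6.8 clients): 16 colon-separated hex bytes."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob):
    """Modern OpenSSH fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints_from_show_output(hex_words):
    """Both fingerprints for the key printed by 'show crypto key mypubkey rsa'."""
    n, e = parse_spki_rsa(hex_words)
    blob = ssh_rsa_blob(n, e)
    return md5_fingerprint(blob), sha256_fingerprint(blob)


if __name__ == "__main__":
    md5_fp, sha_fp = fingerprints_from_show_output(KEY_DATA_HEX)
    print("MD5 fingerprint:   ", md5_fp)   # compare with the 'RSA key fingerprint is' line
    print("SHA256 fingerprint:", sha_fp)
```

Paste the Key Data block from your own switch into KEY_DATA_HEX and run the script over the console or an existing trusted session; if the fingerprint it prints differs from what the ssh client shows at first connect, do not answer yes.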

Awesome! That concludes this short tutorial.

How To: Upgrade IOS On A Cisco 2950

My Cisco 2950 came with an older IOS version, 12.1, but more importantly one that does not support encryption, so I cannot use SSH. I need to upgrade the code, aka the IOS image, on this switch to enable SSH. So here we go; I'll be referencing the following guide throughout this how-to article: http://kb.promise.com/KnowledgebaseArticle10139.aspx. Note: you should be in enable (privilege 15) mode for the duration of this article.

Existing version info

switch-2950-1.tuxlabs.com#show version
Cisco Internetwork Operating System Software 
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(19)EA1c, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 02-Feb-04 23:29 by yenanh
Image text-base: 0x80010000, data-base: 0x8058A000

ROM: Bootstrap program is C2950 boot loader

switch-2950-1.tuxlabs.com uptime is 1 hour, 38 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-19.EA1c.bin"

cisco WS-C2950T-24 (RC32300) processor (revision P0) with 20808K bytes of memory.
Processor board ID FOC0812T17M
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0F:8F:DB:4E:00
Motherboard assembly number: 73-6114-10
Power supply part number: 34-0965-01
Motherboard serial number: FOC0812243L
Power supply serial number: DAB080842YJ
Model revision number: P0
Motherboard revision number: A0
Model number: WS-C2950T-24
System serial number: FOC0812T17M
Configuration register is 0xF

switch-2950-1.tuxlabs.com#

Cisco Image & TFTP Server

I had to register on the Cisco site to download the latest image with support for encryption. This is the image I will be installing: c2950-i6k2l2q4-mz.121-22.EA14.bin

After the image is downloaded, we need to configure the TFTP server. Mac OS X ships with tftpd. Place the image in /private/tftpboot. After you have copied the image there, make absolutely sure you update the permissions; otherwise the tftp request from your device will time out.

➜  ~  sudo chmod 766 /private/tftpboot/*
➜  ~  ls -l /private/tftpboot
total 7272
-rwxrw-rw-@ 1 root  wheel  3722814 Sep  7 23:21 c2950-i6k2l2q4-mz.121-22.EA14.bin
➜  ~

After you update the permissions you are ready to start TFTP.


➜  ~  netstat -atp UDP | grep tftp
➜  ~  sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist
dyld: DYLD_ environment variables being ignored because main executable (/usr/bin/sudo) is setuid or setgid
➜  ~  netstat -atp UDP | grep tftp
udp4       0      0  *.tftp                 *.*                               
udp6       0      0  *.tftp                 *.*                               
➜  ~

Great, TFTP is running. Now we are ready to request the image from the Cisco switch, which is the client in this scenario.

Copy TFTP Flash

switch-2950-1.tuxlabs.com#copy tftp flash
Address or name of remote host []? 192.168.1.123
Source filename []? c2950-i6k2l2q4-mz.121-22.EA14.bin
Destination filename [c2950-i6k2l2q4-mz.121-22.EA14.bin]? 
Accessing tftp://192.168.1.123/c2950-i6k2l2q4-mz.121-22.EA14.bin...
Loading c2950-i6k2l2q4-mz.121-22.EA14.bin from 192.168.1.123 (via Vlan1): !!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!O!OO!OO!OOOOO!OOOO!
%Error copying flash:/c2950-i6k2l2q4-mz.121-22.EA14.bin (No space left on device)
switch-2950-1.tuxlabs.com#

Uh oh, Shaggy! I am out of space. After doing a ‘dir flash’ I saw that I really had no choice but to delete my existing flash image to make room for the new one. Feels dangerous and scary, but luckily this is my lab environment 🙂

Deleting From Flash

switch-2950-1.tuxlabs.com#delete flash://c2950-i6q4l2-mz.121-19.EA1c.bin
Delete filename [c2950-i6q4l2-mz.121-19.EA1c.bin]? 
Delete flash:/c2950-i6q4l2-mz.121-19.EA1c.bin? [confirm]
switch-2950-1.tuxlabs.com#

Copy TFTP Flash Again (This time with our fingers crossed)

switch-2950-1.tuxlabs.com#copy tftp flash                               
Address or name of remote host [192.168.1.123]? 
Source filename [c2950-i6k2l2q4-mz.121-22.EA14.bin]? 
Destination filename [c2950-i6k2l2q4-mz.121-22.EA14.bin]? 
Accessing tftp://192.168.1.123/c2950-i6k2l2q4-mz.121-22.EA14.bin...
Loading c2950-i6k2l2q4-mz.121-22.EA14.bin from 192.168.1.123 (via Vlan1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 3722814 bytes]

3722814 bytes copied in 143.080 secs (26019 bytes/sec)
switch-2950-1.tuxlabs.com#

Whew… close one 🙂 To be on the safe side, verify the image like this.

switch-2950-1.tuxlabs.com#verify /md5 c2950-i6k2l2q4-mz.121-22.EA14.bin
.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................Done!
verify /md5 (flash:c2950-i6k2l2q4-mz.121-22.EA14.bin) = 8d3250ee253b81b7fe2762e281773fbc


switch-2950-1.tuxlabs.com#
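Two checks are worth scripting on the TFTP host, covering both the staging step above (the chmod 766 makes the image world-writable, while read permission is all tftpd needs to serve it) and the verify /md5 step just shown: that the staged file is readable by tftpd but not writable by everyone else, and that the MD5 the switch prints matches both the local file and the hash Cisco publishes for that image. Matching the local copy only shows the TFTP transfer was not truncated or corrupted; matching the vendor's hash is what shows the image is genuine. The Python below is an added example, not from the post: it stages a constructed dummy file rather than a real image, assumes tftpd serves files as an unprivileged user (the BSD/macOS default), and takes the vendor hash as a parameter you fill in from Cisco's download page.

```python
"""Checks for an IOS image staged on a TFTP host and copied to a switch.

Added example, not from the original post. Pure standard library.
"""
import hashlib
import os
import re
import stat
import tempfile

# The line IOS prints for 'verify /md5 <file>', as seen in the post above.
SAMPLE_VERIFY_LINE = ("verify /md5 (flash:c2950-i6k2l2q4-mz.121-22.EA14.bin) "
                      "= 8d3250ee253b81b7fe2762e281773fbc")
_VERIFY_RE = re.compile(r"verify /md5 \((?P<path>[^)]+)\)\s*=\s*(?P<md5>[0-9a-fA-F]{32})")


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so a multi-megabyte image is fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_switch_md5(verify_output):
    """Digest from a 'verify /md5' output line, lower-cased, or None if absent."""
    m = _VERIFY_RE.search(verify_output)
    return m.group("md5").lower() if m else None


def staging_problems(path):
    """Problems with how the image is staged for tftpd (empty list = fine).

    Assumes tftpd serves files as an unprivileged user (the BSD/macOS default),
    so the file must be world-readable; nothing needs write access to it.
    """
    problems = []
    mode = os.stat(path).st_mode
    if not mode & stat.S_IROTH:
        problems.append("not world-readable: tftpd cannot serve it (copy will time out)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group/world-writable: any local user could replace the image")
    return problems


def image_ok(path, switch_verify_output, vendor_md5):
    """True only if the local file, the copy on the switch and the vendor hash agree.

    local == switch shows the TFTP transfer was not truncated or corrupted;
    == vendor_md5 (from Cisco's download page) shows the image itself is genuine.
    """
    local = md5_of_file(path)
    on_switch = parse_switch_md5(switch_verify_output)
    return on_switch is not None and local == on_switch == vendor_md5.lower()


def run_demo():
    """Stage a constructed dummy image in a temp dir and exercise every check."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "c2950-dummy.bin")
        with open(path, "wb") as f:
            f.write(b"hello\n")                  # constructed stand-in for a real image
        local = md5_of_file(path)
        results["local_md5"] = local
        os.chmod(path, 0o766)                    # the mode used in the post
        results["problems_766"] = staging_problems(path)
        os.chmod(path, 0o644)                    # readable by all, writable by owner only
        results["problems_644"] = staging_problems(path)
        # Pretend the switch printed this after 'verify /md5 c2950-dummy.bin'.
        switch_line = f"verify /md5 (flash:c2950-dummy.bin) = {local}"
        results["ok_when_all_agree"] = image_ok(path, switch_line, local.upper())
        results["ok_when_vendor_differs"] = image_ok(path, switch_line, "0" * 32)
    return results


if __name__ == "__main__":
    print("switch reported:", parse_switch_md5(SAMPLE_VERIFY_LINE))
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

For a real run, call staging_problems on the file under /private/tftpboot before starting tftpd, then paste the switch's verify /md5 line and the published hash into image_ok after the copy.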

Next we make our new flash image bootable.

switch-2950-1.tuxlabs.com#config t
switch-2950-1.tuxlabs(config)#boot system flash:c2950-i6k2l2q4-mz.121-22.EA14.bin
switch-2950-1.tuxlabs(config)#exit
switch-2950-1.tuxlabs.com#show boot
BOOT path-list:       flash:c2950-i6k2l2q4-mz.121-22.EA14.bin
Config file:          flash:/config.text
Private Config file:  flash:/private-config.text
Enable Break:         no
Manual Boot:          no
HELPER path-list:     
NVRAM/Config file
      buffer size:    32768
switch-2950-1.tuxlabs.com#wr mem
Building configuration...
[OK]
switch-2950-1.tuxlabs.com#

Great, that looks good; now we are ready to reload our switch!

switch-2950-1.tuxlabs.com#reload
Proceed with reload? [confirm]
Connection closed by foreign host.
➜  ~

Once the switch comes back to life, validate the version info.

switch-2950-1.tuxlabs.com#show version
Cisco Internetwork Operating System Software 
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA14, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by cisco Systems, Inc.
Compiled Tue 26-Oct-10 10:35 by nburra
Image text-base: 0x80010000, data-base: 0x80680000

ROM: Bootstrap program is C2950 boot loader

switch-2950-1.tuxlabs.com uptime is 2 minutes
System returned to ROM by power-on
System image file is "flash:c2950-i6k2l2q4-mz.121-22.EA14.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C2950T-24 (RC32300) processor (revision P0) with 19911K bytes of memory.
Processor board ID FOC0812T17M
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0F:8F:DB:4E:00
Motherboard assembly number: 73-6114-10
Power supply part number: 34-0965-01
Motherboard serial number: FOC0812243L
Power supply serial number: DAB080842YJ
Model revision number: P0
Motherboard revision number: A0
Model number: WS-C2950T-24
System serial number: FOC0812T17M
Configuration register is 0xF

switch-2950-1.tuxlabs.com#

We went from 2004 to 2010… but 2010 is the latest image available for my ancient switch! Awesome. Now we are ready to enable SSH in the next article!

Thanks for reading,
Jason Riedel