First you have to make sure you are running a version of the switch software (IOS) that includes encryption support. See my previous article for instructions on how to upgrade the code. Once your code is upgraded, here are the steps to enable SSH on a Cisco 2950.
Generate An SSH Key
    switch-2950-1.tuxlabs.com#config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    switch-2950-1.tuxlabs(config)#crypto key generate rsa modulus 1024
    The name for the keys will be: switch-2950-1.tuxlabs.com.tuxlabs.com
    % The key modulus size is 1024 bits
    Generating RSA keys ... [OK]
    switch-2950-1.tuxlabs(config)#exit
    switch-2950-1.tuxlabs.com#
Verify your key like so:
    switch-2950-1.tuxlabs.com#show crypto key mypubkey rsa
    % Key pair was generated at: 00:10:35 UTC Mar 1 1993
    Key name: switch-2950-1.tuxlabs.com.tuxlabs.com
     Usage: General Purpose Key
     Key Data:
      30819F30 0D06092A 864886F7 0D010101 05000381
      8D003081 89028181 00E6AA25 8DB58145 F882CD0B
      C62F5123 AB0064A6 A09BD636 FA854D82 B1510A31
      3A00606E 00F601F1 ECF64FCC 0F516E73 E80E0961
      9CCCE91B 5C3D5919 4803B805 04AC2633 9D0A32E8
      0196F572 5CE9FFF4 A5C27FC4 698DE75B F0573804
      22D0CCFE 58936F4E 5BE394F4 3BDED1AC DC1BF1C9
      5E71ABD5 34F1C21E CDA47B7E 72D40C34 6B020301
      0001
    % Key pair was generated at: 00:10:41 UTC Mar 1 1993
    Key name: switch-2950-1.tuxlabs.com.tuxlabs.com.server
     Usage: Encryption Key
     Key Data:
      307C300D 06092A86 4886F70D 01010105 00036B00
      30680261 009F3354 2ECB6FB6 7A19D04D 929FEB38
      05145D39 C9DB6CAB 5AC1A262 14FEFFBC DE6E5FA9
      8565BEA6 1A888A92 C7D1ED2E DB8D3894 D972C9AE
      853DFB98 8261D518 0F8A994C 9293C49C 0E946A95
      0F89EA08 45E4DCB7 74F5A23C CDC5938C CD01C6C1
      4D020301 0001
    switch-2950-1.tuxlabs.com#
Wow 1993, feels good to be a time machine 🙂
Configure the allowed number of retries
    switch-2950-1.tuxlabs.com#config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    switch-2950-1.tuxlabs(config)#ip ssh authentication-retries 5
    switch-2950-1.tuxlabs(config)#exit
    switch-2950-1.tuxlabs.com#
Enabling SSH on the VTYs
    switch-2950-1.tuxlabs.com#config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    switch-2950-1.tuxlabs(config)#line vty 0 4
    switch-2950-1.tu(config-line)#login local
    switch-2950-1.tu(config-line)#transport input ssh
    switch-2950-1.tu(config-line)#line vty 5 15
    switch-2950-1.tu(config-line)#login local
    switch-2950-1.tu(config-line)#transport input ssh
    switch-2950-1.tu(config-line)#exit
    switch-2950-1.tuxlabs(config)#exit
    switch-2950-1.tuxlabs.com#wr mem
    Building configuration...
    [OK]
    switch-2950-1.tuxlabs.com#
Configuring A Username
When you’re running telnet you don’t need a username. But when you are using SSH, you do. The `login local` set on the VTYs above authenticates against the local user created here.
    switch-2950-1.tuxlabs.com#config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    switch-2950-1.tuxlabs(config)#username tuxninja privilege 15 password sup3rs3cr3t
    switch-2950-1.tuxlabs(config)#exit
    switch-2950-1.tuxlabs.com#wr mem
    Building configuration...
    [OK]
    switch-2950-1.tuxlabs.com#
Now we’re golden, let’s test.
    ➜  ~ ssh tuxninja@switch-2950-1.tuxlabs.com
    The authenticity of host 'switch-2950-1.tuxlabs.com (192.168.1.2)' can't be established.
    RSA key fingerprint is 21:6b:44:bb:24:ff:ef:14:9d:f2:00:44:64:3d:3b:f8.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'switch-2950-1.tuxlabs.com,192.168.1.2' (RSA) to the list of known hosts.
    tuxninja@switch-2950-1.tuxlabs.com's password:
    switch-2950-1.tuxlabs.com#show privil
    switch-2950-1.tuxlabs.com#show privilege
    Current privilege level is 15
    switch-2950-1.tuxlabs.com#exit
    Connection to switch-2950-1.tuxlabs.com closed.
    ➜  ~
Awesome! That concludes this short tutorial.
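To confirm after the fact that every VTY range really got both `login local` and `transport input ssh`, a saved copy of the running configuration can be checked offline. The script below is an added example, not part of the original tutorial; the function name `audit_ssh_config` and the sample configuration are constructed for illustration, with the second VTY range deliberately left on Telnet.

```python
import re

# Constructed running-config excerpt (not from the original page): the first
# VTY range matches the tutorial, the second was left accepting Telnet.
SAMPLE_CONFIG = """\
username tuxninja privilege 15 password 0 sup3rs3cr3t
!
line con 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet
!
end
"""

def audit_ssh_config(config):
    """Return findings about VTY access and local users in a saved config."""
    findings, vty_blocks, current = [], {}, None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+(?: \d+)?)\s*$", raw)
        if m:
            current = m.group(1)            # e.g. "0 4"
            vty_blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            vty_blocks[current].append(raw.strip())
        else:
            current = None                  # any other top-level line ends the block
            if re.match(r"username \S+ .*\bpassword\b", raw):
                findings.append(f"user {raw.split()[1]}: 'password' keyword keeps it "
                                "in the config as type 0 (clear) or type 7 (reversible)")
    if not vty_blocks:
        findings.append("no vty lines found")
    for rng, cmds in vty_blocks.items():
        if "transport input ssh" not in cmds:
            findings.append(f"vty {rng}: not restricted to 'transport input ssh'")
        if "login local" not in cmds:
            findings.append(f"vty {rng}: missing 'login local'")
    if not re.search(r"^username \S+", config, re.M):
        findings.append("no local username defined; 'login local' cannot authenticate anyone")
    return findings

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG):
        print(finding)
```
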