SSH error on cisco router

Enabling SSH on a Cisco router is not enough to guarantee SSH is working.
Enabling SSH version 2 on a router is as straightforward as:

host(config)#ip ssh version 2

The command accepts 1 or 2. Without it the router runs in compatibility mode (reported as version 1.99 by show ip ssh) and accepts both v1 and v2 clients.

I strongly recommend version 2: SSH version 1 is a deprecated protocol with known design weaknesses (its weak CRC-32 integrity check, among others), and old v1 server implementations had bugs that gave remote root. Pinning version 2 also stops a client from being downgraded to v1.

Anyhow… SSH needs a host key pair before the router will accept connections; in IOS terms, generate an RSA crypto key. Two prerequisites: the router needs a hostname and a domain name (hostname and ip domain-name), because the key is named after them, and SSH version 2 needs a modulus of at least 768 bits, so use 2048.

host(config)#crypto key generate rsa modulus 2048
The name for the keys will be: host.somenetwork.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)
host(config)#
Nov  5 14:17:17.240 UTC: %SSH-5-ENABLED: SSH 2.0 has been enabled

The good thing is that the key pair never shows up in the running configuration, so a config backup does not leak it. The bad thing is the flip side: a configuration restored from a backup or pasted from a template brings the ip ssh lines but not the key, so SSH is silently not listening even though the config looks complete. Whenever you commission a router and forget to create the crypto key it costs you troubleshooting time; worst case, with telnet already disabled on the VTY lines, someone has to travel on-site and create the crypto key on the console. Check before you leave the console: show ip ssh reports SSH Disabled when no key exists, and show crypto key mypubkey rsa lists the key pairs the router has. Also note the key is only written to NVRAM when you save (copy running-config startup-config), so save after generating it or it is gone at the next reload.

By the way, make sure SSH is allowed on the VTY lines and, if applicable, that telnet is not:

line vty 0 15 
transport input ssh
no transport input telnet

transport input ssh replaces the whole list of allowed protocols, so the separate no transport input telnet is harmless but not needed. Two practical caveats: SSH authenticates with a username, so the lines need login local (backed by a username ... secret ... account) or AAA; the plain line password with login that works for telnet makes SSH logins fail. And test an SSH session from a second terminal before you remove telnet from the session you are using.

And create an access-list that permits only your management hosts and apply it to the VTY lines with access-class <name> in, so the SSH port is not reachable from everywhere.
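Putting the steps above together, here is a complete commissioning sequence as an added example; it is not from the original post, and the hostname, domain name, username, management subnet and ACL name are placeholders.

```cisco
! Added example: full SSH commissioning sequence for Cisco IOS.
! Placeholders (assumptions): hostname host, domain somenetwork.com,
! user admin, management subnet 10.0.0.0/24, ACL name MGMT-VTY.
configure terminal
hostname host
ip domain-name somenetwork.com
!
! Host key pair: required before SSH will listen. It is not shown in running-config.
crypto key generate rsa modulus 2048
!
! Pin protocol version 2; the default is compatibility mode (1.99), which also accepts v1.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! SSH needs a username, so create a local account (or use AAA instead).
username admin privilege 15 secret <strong-password>
!
! Only management hosts may reach the VTY lines.
ip access-list standard MGMT-VTY
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-VTY in
 login local
 transport input ssh
 exec-timeout 10 0
!
end
!
! Save, or the key pair (kept in NVRAM, not in the config text) is lost at reload.
copy running-config startup-config
!
! Verify before leaving the console.
! show ip ssh must report "SSH Enabled - version 2.0"; "SSH Disabled" means no key.
show ip ssh
! Lists the generated host key (absent after a config restore that skipped key generation).
show crypto key mypubkey rsa
show running-config | section vty
```

Apply the line vty block last and from a session that will not be cut off (the console, or a second SSH session that already works); the access-class and transport input lines take effect immediately.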

FYI: SSH gives you encrypted CLI access to the router, and the RSA key pair is the router's host key: the client stores its public key fingerprint on the first connection and warns when it changes later, which is how a man-in-the-middle or a swapped device is detected. The flip side is that regenerating the key (or replacing the hardware) changes the fingerprint, so expect the client's host-key-changed warning in that case and verify it rather than blindly accepting it, for example by comparing the public key shown by show crypto key mypubkey rsa over the console.

This entry was posted in CCNP.