SSH Version 2 Configuration on Cisco Router

Rashmi Bhardwaj | Blog,Config & Troubleshoot,Protocol,Security
Advertisements

The SSH protocol (Secure Shell) is a method for secure remote login from one device to other. SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server. As discussed in another blog, SSH has two versions, namely, SSH version 1 and SSH version 2 –

SSH Version 1

SSH v1 (Secure Shell) provides an encrypted channel to users for logging into remote device. It provides strong host-to-host and user authentication. It also provides secure encrypted communications over the Internet.

SSH Version 2

On the contrary, SSH v2 is a much more secured, an efficient version of SSH that includes SFTP, which is functionally similar to FTP with addition of SSH v2 encryption.

Advertisements

SSH works on port 22. It is a secure alternative to the non-protected login protocols (such as Telnet) and insecure file transfer methods (such as FTP).

Steps to Configure SSH

  1. Configure the router hostname using command “hostname”.
  2. Configure the domain name using command “ip domain-name”.
  3. Generate public and private keys using command “crypto key generate rsa”.
  4. Create a user in the local database using command “username…secret”.
  5. Allow only SSH access on VTY lines using command “transport input ssh”.

SSH Version 2 Configuration on a Cisco router IOS

Step 1-
Configure Hostname and DNS Domain

hostname R1
aaa new-model
username Cisco password Cisco
ip domain-name Cisco.local

Step 2 –
Generate RSA key to be used.

ip ssh rsa keypair-name sshkey

Enables the SSH server for local and remote authentication on the router
For SSH Version 2, the modulus size must be at least 768 bits.

crypto key generate rsa usage-keys label sshkey modulus 768

Configures SSH control variables on the Router.

ip ssh timeout 120

Configure SSH version 2 (This will disable SSH version 1)

ip ssh version 2

Step 3 –
Enable SSH transport support for the virtual type terminal (vty)

line vty 0 4
transport input SSH

Commands to Verify SSH Configuration

show ssh
how ip ssh
debug ip ssh

SSH Version 1 vs SSH Version 2

FeatureSSH-1SSH-2
Protocol DesignSimple, older protocolMore complex, newer protocol
SecurityKnown vulnerabilities, less secureMore secure, addresses SSH-1 vulnerabilities
Authentication MethodsRSA onlyRSA, DSA, ECDSA, and ED25519
Key Exchange AlgorithmsLimitedDiffie-Hellman Group Exchange, ECDH
Encryption Algorithms3DES, Blowfish, DESAES, 3DES, Blowfish, others
Integrity CheckingCRC-32HMAC (SHA-1, MD5, etc.)
CompressionNot standardizedStandardized, optional
Forward CompatibilityNot forward-compatibleDesigned with future compatibility in mind
Session Re-keyingNot supportedSupported
Multi-channel SupportNot supportedSupported
SFTP (File Transfer)Limited, not standardizedFully supported and standardized
Preferred UsageDeprecated, should be avoidedWidely recommended and used

SSH-2 is the preferred and recommended version due to its enhanced security features and improved functionality.

SSH Vulnerabilities

Despite being significantly more secure than SSH-1, SSH-2 is not immune to vulnerabilities. Here are some known vulnerabilities and security concerns associated with SSH-2:

  • Weak or easily guessable passwords
  • Man-in-the-Middle (MitM) Attacks
  • Usage of deprecated or weak encryption algorithms and key exchange methods
  • Poor management of SSH keys (e.g., not rotating keys, not properly securing private keys).
  • Use of weak keys (e.g., RSA keys less than 2048 bits).
  • Specific implementations of SSH-2 may contain bugs or flaws (e.g., OpenSSH, Dropbear, etc.).
  • Timing attacks on encryption algorithms.
  • Side-channel attacks targeting the SSH client or server’s computational processes.
  • Brute Force and Dictionary Attacks: SSH servers exposed to the internet can be targeted for brute force attacks attempting to guess usernames and passwords.
  • Protocol Downgrade Attacks: Attempting to downgrade the connection to a less secure version or cipher suite, though SSH-2 is generally resistant to this compared to SSH-1.

ABOUT THE AUTHOR


Leave a Comment

Your email address will not be published. Required fields are marked *

Shopping Cart