Securing the management plane is one of the most critical aspects of device hardening. While default Telnet access is simple to set up, it sends all traffic in plaintext. To protect credentials, network engineers deploy Secure Shell (SSH), which encrypts administrative sessions using asymmetric public key cryptography generated via RSA.
Symmetric vs. Asymmetric
SSH uses Asymmetric Encryption (RSA keys) to securely exchange keys during the initial session handshake. Once a secure channel is established, it switches to faster Symmetric Encryption (like AES) for data transmission.
1. The SSH Cryptographic Handshake
To configure SSH, a device must generate an RSA key pair consisting of a public key (advertised to clients) and a private key (retained by the router). The connection negotiation occurs in four main stages:
- Version Negotiation: Client and device agree on a protocol version (SSH v2 is the standard; v1 is deprecated).
- Key Exchange: The router uses its RSA keys to establish a shared session key with the client without transmitting the actual key over the wire.
- Server Authentication: The client validates the server's public key fingerprint.
- User Authentication: The client transmits username and password encrypted inside the secure tunnel.
2. Prerequisites for Generating RSA Keys
Before Cisco IOS allows you to generate RSA keys and activate SSH, three parameters must be defined:
- Hostname: The device must have a custom hostname (it cannot be left at the default Router or Switch).
- Domain Name: The device must be configured with an IP domain name. The domain name acts as a suffix to build the fully qualified domain name (FQDN) used in the key hashing process.
- Enable Secret: An enable password/secret must be defined to authenticate level 15 access.
3. Hardening VTY Lines with SSH
Configure SSH remote access using the following command sequence:
```
Router(config)# hostname EdgeRouter
EdgeRouter(config)# ip domain-name andspace.com
EdgeRouter(config)# crypto key generate rsa
```
At the prompt, select the key size. Cisco recommends a minimum modulus size of 1024 bits for SSH version 2. Modulus sizes of 2048 bits or higher are preferred for production enterprise compliance:
```
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK]
```
Once keys are generated, enforce SSH on the virtual lines:
```
EdgeRouter(config)# ip ssh version 2
EdgeRouter(config)# username admin privilege 15 secret StrongAdminPass
EdgeRouter(config)# line vty 0 15
EdgeRouter(config-line)# login local
EdgeRouter(config-line)# transport input ssh
```
Transport Input Trap
If you configure transport input ssh, all Telnet connections will be immediately blocked. If you need to access the router remotely, ensure you have an SSH client (like PuTTY or Terminal) ready.
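The checklist above (non-default hostname, domain name, enable secret, SSH version 2, a privilege-15 local user, and ssh-only vty lines) can be verified against a saved running-config rather than by eye. The audit script below is an added example, not Cisco code or part of the original page; the config excerpt it scans is constructed, and it deliberately splits the vty range so that a hardened block and a Telnet-reachable block appear side by side.

```python
import re
# Constructed running-config excerpt (not captured from a real device): it follows
# the hardening sequence above but leaves a second vty range Telnet-reachable.
SAMPLE_CONFIG = """\
hostname EdgeRouter
ip domain-name andspace.com
enable secret 9 $9$constructedhash
ip ssh version 2
username admin privilege 15 secret 9 $9$constructedhash
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""
DEFAULT_HOSTNAMES = {"Router", "Switch"}
GLOBAL_CHECKS = [  # (regex matched against the whole config, finding text)
    (r"^ip domain-name \S+", "ip domain-name missing"),
    (r"^enable secret ", "enable secret missing"),
    (r"^ip ssh version 2$", "ip ssh version 2 not enforced"),
    (r"^username \S+ privilege 15 secret ", "no privilege-15 local user with secret"),
]

def parse_vty_blocks(config):
    """Map each 'line vty A B' range to the indented sub-commands beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"line vty (\d+) (\d+)$", line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the vty block
    return blocks

def audit_ssh_config(config):
    """Return findings against the page's checklist; an empty list means compliant."""
    findings = []
    host = re.search(r"^hostname (\S+)$", config, re.M)
    if host is None or host.group(1) in DEFAULT_HOSTNAMES:
        findings.append("hostname missing or still the default")
    findings += [msg for pat, msg in GLOBAL_CHECKS if not re.search(pat, config, re.M)]
    for (lo, hi), cmds in parse_vty_blocks(config).items():
        if "login local" not in cmds:
            findings.append(f"vty {lo} {hi}: login local missing")
        if "transport input ssh" not in cmds:  # 'telnet ssh' still admits Telnet
            findings.append(f"vty {lo} {hi}: transport input is not ssh-only")
    return findings
```

Running `audit_ssh_config(SAMPLE_CONFIG)` flags only the vty 5 15 block; feed it the output of `show running-config` to check a real device.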
| Parameter | SSH Version 1 | SSH Version 2 |
|---|---|---|
| Security Status | Deprecated / Vulnerable | Secure / Industry Standard |
| Hashing Protocols | Weak CRC-32 integrity checks | Strong HMAC (SHA-1/SHA-256) checks |
| Modulus Requirements | Allows 512-bit keys | Requires minimum 768-bit (recommends 1024/2048) keys |
| Transport Mode | Single channel | Supports multiplexed channels over one connection |