Saturday, May 11, 2013

SSH Optional Configuration And Testing



I won't write about how SSH is more secure than Telnet, why it is the recommended practice for remote administration of network devices, that all Telnet traffic is sent in plain text, etc., because you already know that.

I will point out optional configuration that is (in my opinion) equally needed, but first I will list the steps that you must configure.

Step 1: Configure the IP domain name
Step 2: Generate one-way secret keys
Step 3: Verify or create a local database entry
Step 4: Enable VTY inbound SSH sessions

Optionally, you can configure the SSH version, the timeout period and the number of authentication retries.

You can configure the time the router waits for the SSH client to respond during session negotiation with the command ip ssh time-out seconds in global configuration mode; the default value is 120 seconds.

You can also control how many times a user can retry the password when connecting with an SSH client. The command is ip ssh authentication-retries value; by default the user has three attempts before being disconnected.
During configuration and testing I noticed that the real number of attempts is the configured value plus 1: if you enter ip ssh authentication-retries 2, the user will have three tries to repeat the password. I tried values from 0 to 5, and every time I tried to connect I had one more attempt than the configured value.
As you can see in the screenshots and the running SSH configuration, you get one extra attempt for free. :)
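The following is an added example, not code from the original post: a small Python audit script that parses a running-config excerpt in the shape of the show run | section output shown below, checks the four required steps (domain name, local user, login local and transport input ssh on the vty lines) plus the optional settings (version 2, time-out, authentication-retries), and reports the effective number of password attempts as the configured value plus one, which is the behaviour the post reports observing. The sample running-config, hostname, interface, username and secret hash are constructed placeholders.

```python
import re

# Constructed sample (not from the post): a running-config excerpt shaped like the
# "show run | section" output in the post. Hostname, interface, user and hash are placeholders.
SAMPLE_RUN = """\
hostname R1
ip domain-name lab.example.com
username admin privilege 15 secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface FastEthernet0/0
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
"""

# Values IOS uses when the command is absent, as stated in the post.
DEFAULT_TIMEOUT = 120
DEFAULT_RETRIES = 3


def parse_ssh_settings(running_config):
    """Pull the SSH-relevant lines out of a running-config text.

    Returns a dict; a missing key means the command is not present.
    """
    s = {"usernames": [], "vty_transport": None, "vty_login_local": False}
    in_vty = False
    for raw in running_config.splitlines():
        stripped = raw.strip()
        if raw.startswith("line vty"):
            in_vty = True          # following indented lines belong to the vty block
            continue
        if in_vty and not raw.startswith(" "):
            in_vty = False         # first non-indented line ends the vty block
        if in_vty:
            if stripped.startswith("transport input "):
                s["vty_transport"] = stripped.split()[2:]
            elif stripped == "login local":
                s["vty_login_local"] = True
            continue
        m = re.match(r"ip domain[- ]name (\S+)$", stripped)
        if m:
            s["domain_name"] = m.group(1)
            continue
        m = re.match(r"username (\S+)", stripped)
        if m:
            s["usernames"].append(m.group(1))
            continue
        m = re.match(r"ip ssh time-out (\d+)$", stripped)
        if m:
            s["timeout"] = int(m.group(1))
            continue
        m = re.match(r"ip ssh authentication-retries (\d+)$", stripped)
        if m:
            s["retries"] = int(m.group(1))
            continue
        m = re.match(r"ip ssh version (\d)$", stripped)
        if m:
            s["version"] = int(m.group(1))
    return s


def effective_attempts(configured_retries):
    """Password attempts a client really gets: configured value + 1, as observed in the post."""
    return configured_retries + 1


def audit_ssh(running_config, max_timeout=60, max_attempts=3):
    """Return a list of policy findings; an empty list means the config meets the policy."""
    s = parse_ssh_settings(running_config)
    findings = []
    if "domain_name" not in s:
        findings.append("Step 1 missing: no 'ip domain-name' (RSA key generation needs it)")
    if not s["usernames"]:
        findings.append("Step 3 missing: no local 'username' entry for 'login local'")
    if s["vty_transport"] != ["ssh"]:
        findings.append("Step 4: vty 'transport input' is %r, expected ['ssh'] only" % (s["vty_transport"],))
    if not s["vty_login_local"]:
        findings.append("Step 4: vty lines lack 'login local'")
    if s.get("version") != 2:
        findings.append("'ip ssh version 2' not set (version %s)" % s.get("version", "not pinned"))
    timeout = s.get("timeout", DEFAULT_TIMEOUT)
    if timeout > max_timeout:
        findings.append("ip ssh time-out %d exceeds policy maximum %d" % (timeout, max_timeout))
    attempts = effective_attempts(s.get("retries", DEFAULT_RETRIES))
    if attempts > max_attempts:
        findings.append("effective password attempts %d (retries + 1) exceed policy maximum %d"
                        % (attempts, max_attempts))
    return findings


if __name__ == "__main__":
    for line in audit_ssh(SAMPLE_RUN) or ["OK: SSH configuration meets policy"]:
        print(line)
```

Feed it the output of show running-config (or just the ip ssh and line vty sections) captured from a device; with the sample above and the default policy (time-out at most 60 seconds, at most three real attempts) it reports no findings, while a config that leaves the retries at the IOS default or allows telnet on the vty lines produces one line per problem.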

R1 configuration example 1:

R1(config)#do show run | section ip ssh
ip ssh time-out 60
ip ssh authentication-retries 0
ip ssh source-interface FastEthernet0/0
ip ssh version 2

R1 configuration example 2:

R1(config)#do show run | sec ip ssh
ip ssh time-out 60
ip ssh authentication-retries 1
ip ssh source-interface FastEthernet0/0
ip ssh version 2

R1 configuration example 3:

R1(config)#do show run | sec ip ssh
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface FastEthernet0/0
ip ssh version 2

That's enough; you get the point.