Cisco – How to enable ssh on a router
Posted by Josh on Tue 17 Apr 2007. Categories: Cisco, Cisco Routers, SSH - [25] Comments
This tutorial will show you how to enable SSH on a Cisco router. In order to use SSH for terminal access, you must have an image that supports encryption. Sometimes, but not always, the encryption feature set can be recognized by the ‘k9’ in the image name.

August 12th, 2007 at 2:32 am
Lr8 blinding…
really anyone will understand in a simple language..
well done mate.
Cheers
Pushkar Bhatkoti
October 15th, 2007 at 2:34 am
thank you.
December 19th, 2007 at 1:42 am
I tried to do the same, but when I try to connect, it displays:
login as:
password:
I don’t know what username and password I should use. Or do I need to configure a username and password first? Please instruct me!
Thanks
December 19th, 2007 at 8:40 am
@hhs
I have never experienced this before. Can you post the output? Start with logging into the router through the password: prompt.
Josh
December 19th, 2007 at 9:29 pm
I am using putty.
- I put in the IP address, choose connection type SSH and then click Open.
- It displays a dialog, “PuTTY Security Alert”, and I click Yes.
- In the PuTTY window it shows:
Login as:
(I don’t know what to put here?)
@172.16.1.1's password:
(I don’t know what to put)
* If I try the telnet password, it shows me Access denied and asks for a password again.
December 19th, 2007 at 11:23 pm
HHS,
It sounds like you have local authentication turned on. Did you configure a username and password? Did you start this configuration?
Try this…
If you can get into config mode via the console, enter this command with your own username and password.
‘username josh password Bl1ndh0g’
Josh
December 21st, 2007 at 2:02 am
Yeah, thanks. It’s working now. Thanks for your help.
February 13th, 2008 at 8:49 am
Josh,
I have a Cisco 3640 router and have followed your tutorial; however, when I try to log in using my established username and password it fails to authenticate my credentials. Again, I configured the domain name, generated the RSA key, set up a username and password, but I cannot get logged in via SSH. Any ideas? I am using image c3640-ik9o3sw6-mz-122-8t. Thanks.
April 25th, 2008 at 4:16 am
Some new versions, where can I get downloads?
syed
May 14th, 2008 at 6:44 am
Good job... I understood in just two min.
Thanks!!
June 4th, 2008 at 8:28 pm
Good tutorial, needs revision, last 2 steps:
router(config)#aaa new-model
router(config)#username blindhog password blindhog
thx
June 4th, 2008 at 9:56 pm
@Ibrahim,
Good point. Here are two different tutorials for local and radius authentication with Microsoft Internet Authentication service.
http://www.blindhog.net/cisco-aaa-local-authentication/
http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/
Josh
August 31st, 2008 at 9:52 am
IOS = 3600 Software (C3660-JK9S2-M), Version 12.4(15)T,
After I successfully create the domain name, I then run:
ISP(config)#crypto key generate rsa usage-keys modulus 1024
The following is the result:
ISP(config)#crypto key generate rsa usage-keys modulus 1024
The name for the keys will be: ISP.TESTING
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]
crypto_lib_keypair_get failed to get ISP.TESTING
ISP(config)#
Any idea why the failure?
thanks,
jim
August 31st, 2008 at 10:29 pm
Jim,
This one is new to me…
You might try a different ios image. I was not able to replicate the issue in my lab with the hostname ISP and the domain TESTING.
Josh
September 5th, 2008 at 6:13 pm
Nice tutorial.
I echo Ibrahim’s comment (#12) that it’s worth including aaa new-model. While most real-world installations have this enabled, someone using this in a minimal lab environment might not, and then not understand why authentication fails.
I also recommend the following additional configuration options:
! Enable SSHv2 only (disables SSHv1)
ip ssh version 2
! Enable SSH only on virtual terminals (disables telnet)
line vty 0 4
transport input ssh
September 23rd, 2008 at 9:35 pm
Geoff,
You and Ibrahim are both correct. Thanks for sharing!
Josh
October 5th, 2009 at 9:00 am
Great tutorial. Had problems initially, but read all the threads and eventually got it working. Thanks!
October 13th, 2009 at 10:25 am
Jim,
If you use crypto key generate rsa general-keys modulus 1024, it should work just fine.
Wayne
October 19th, 2009 at 4:24 pm
Hello,
When I generate the crypto, I am getting an error message,
*PLEASE DEFINE A HOSTNAME OTHER THAN A ROUTER,
I tried different modulus sizes, no luck. Any idea about this?
March 23rd, 2010 at 1:58 pm
Has anyone found out how to save your RSA keys in your configs? Each time I shut my lab down then go back the next day I always find myself regenerating keys. I can’t SSH until I do so. After that, everything works fine. Just an annoyance if anything…
Is this a GNS3 bug?
Using GNS3.07 2521 router.
April 23rd, 2010 at 1:52 pm
Great tutorial!
Just a note on aaa new-model…
The following works on router IOS v12.4:
service password-encryption
hostname Router
username admin priv 15 secret 0 edocterces
no aaa new-model
ip domain-name abc.org
crypto key gen rsa usage-keys mod 2048
ip ssh version 2
line vty 0 4
password 0 edocterces
login local
transport input ssh
end
April 24th, 2010 at 12:42 pm
Jeff,
Thanks for the tip! We always appreciate a different way of doing things.
Josh
August 30th, 2011 at 3:30 pm
dahir Says:
October 19th, 2009 at 4:24 pm
Hello,
When I generate the crypto, I am getting an error message,
*PLEASE DEFINE A HOSTNAME OTHER THAN A ROUTER,
I tried different modulus sizes, no luck. Any idea about this?
IT DIDN’T WORK FOR YOU BECAUSE YOU MUST CHANGE THE HOSTNAME TO SOMETHING OTHER THAN ROUTER, FOR EXAMPLE
Router(config)#hostname kaka
kaka#
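An added example, not part of the original post or any comment: a small Python check that reads a saved running-config and reports which of the SSH prerequisites raised in this thread are missing (non-default hostname, domain name, local user, SSHv2 only, SSH-only vty lines with a login method). The sample config and the function name `audit_ssh_config` are constructed for illustration, and local authentication is assumed.

```python
import re

# Constructed sample running-config for illustration (not from any commenter's router).
SAMPLE_CONFIG = """\
hostname Router
username admin password 0 example-only
ip domain-name lab.example
line vty 0 4
 login local
 transport input telnet ssh
"""

def audit_ssh_config(config):
    """Return a list of findings for the SSH prerequisites raised in the comments."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    host = next((l.split()[1] for l in lines if re.match(r"hostname \S+", l)), "Router")
    if host == "Router":  # key generation is refused with the default hostname
        findings.append("hostname is still the default 'Router'")
    if not any(re.match(r"ip domain[- ]name \S+", l) for l in lines):
        findings.append("no ip domain-name configured")
    if "ip ssh version 2" not in lines:
        findings.append("'ip ssh version 2' not set")
    users = [l for l in lines if l.startswith("username ")]
    if not users:
        findings.append("no local username defined")
    # 'password' is stored in clear text or reversible type 7; 'secret' stores a hash.
    if any(" password " in u for u in users):
        findings.append("username uses 'password' instead of 'secret'")
    aaa = "aaa new-model" in lines
    # Collect the indented sub-commands under each 'line vty' block.
    blocks, current = [], None
    for l in lines:
        if l.startswith("line vty"):
            current = (l, [])
            blocks.append(current)
        elif l.startswith(" ") and current:
            current[1].append(l.strip())
        else:
            current = None
    for name, cmds in blocks:
        if [c for c in cmds if c.startswith("transport input")] != ["transport input ssh"]:
            findings.append(f"{name}: transport input is not restricted to ssh")
        if not aaa and "login local" not in cmds:
            findings.append(f"{name}: neither 'login local' nor 'aaa new-model'")
    return findings

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

The RSA key pair does not appear in the running-config text, so this check cannot confirm that keys were generated.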
February 21st, 2012 at 1:10 pm
Hi,
I want to enable SSH on my router, but I have one query. Right now I am using telnet to log in to the router using the aaa model. Could you please tell me: if I enable SSH using the command transparent input ssh, will local login & crypto key generate rsa be used or not? If not, will authentication be provided by TACACS or not?