Initially we have to generate the crypto key. For SSH v2 it needs to be at least 768 bits long; I recommend using 1024 or 2048 bits.

    hostname <host>
    ip domain name <domain>
    crypto key generate rsa
    How many bits in the modulus : 1024/2048
    ip ssh version 2
Now we add a user (optionally with its SSH key) and enable SSH on the vty lines. The AAA configuration uses the new-model style. A simple "login local" in the line vty configuration would be sufficient instead, but this AAA configuration is easily expandable, e.g. for RADIUS or TACACS+ authentication.

    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    !
    username <user> privilege 15 secret <password>
    !
    line vty 0 4
     transport input ssh
    !
    ! optionally use public key authentication
    ip ssh pubkey-chain
     username <user>
      key-string
       ssh-rsa ...
      exit
    !
    ! for testing only: no authentication on console
    aaa authentication login no_auth none
    line con 0
     privilege level 15
     login authentication no_auth
Earlier IOS versions don't support the "ip ssh pubkey-chain" command and therefore can't use public key authentication.

Password authentication is always possible, even when public key authentication fails, so choose a strong password.
The JunOS configuration is quite simple: just configure the user and enable SSH.

    set system host-name <host>
    set system login user <user> class super-user
    set system login user <user> authentication plain-text-password
    set system login user <user> authentication ssh-rsa "ssh-rsa ..."
    set system services ssh

You don't need to configure both a password and an ssh-rsa key; one of them is sufficient. If both are configured, public key authentication is tried first, then password authentication.
Older Cisco IOS releases don't support the modern key exchange methods and ciphers.

If your SSH setup fails with

    Unable to negotiate with <host> port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

or

    Unable to negotiate with <host> port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cb,

you have to enable diffie-hellman-group1-sha1 and/or aes128-cbc on the client.

This can be done with

    ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=+aes128-cbc ...

or more permanently by adding it to the client configuration:

    Host r1 R1 10.1.1.1
        Hostname 10.1.1.1
        KexAlgorithms +diffie-hellman-group1-sha1
        Ciphers +aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
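The stanza above re-enables every legacy cipher at once. A tighter approach is to parse the "Unable to negotiate" message, enable only the strongest algorithm the device actually offers, and scope the result to that one Host so the weakened settings never apply to other connections. The following is an added example (not code from the original page); the preference order of legacy algorithms, the sample error lines, and the intended destination of the rendered stanza (a per-host block in the client's ssh_config, e.g. ~/.ssh/config) are assumptions made here.

```python
"""Build a minimal, host-scoped OpenSSH client config from
"Unable to negotiate" errors (added example, not from the original page)."""
import re
from typing import Dict, List, Tuple

# Assumed preference order, strongest first. These are legacy algorithms that
# OpenSSH disables by default; we only ever enable the single best one offered.
PREFERENCE = {
    "key exchange method": [
        "diffie-hellman-group14-sha1",
        "diffie-hellman-group1-sha1",
    ],
    "cipher": [
        "aes256-cbc",
        "aes192-cbc",
        "aes128-cbc",
        "3des-cbc",
    ],
}
# ssh_config keyword that corresponds to each negotiation failure kind
KEYWORD = {"key exchange method": "KexAlgorithms", "cipher": "Ciphers"}

OFFER_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<kind>key exchange method|cipher) found\. "
    r"Their offer: (?P<offer>\S+)"
)


def parse_offer(message: str) -> Tuple[str, str, List[str]]:
    """Return (host, kind, offered algorithms) from one ssh error line."""
    m = OFFER_RE.search(message)
    if not m:
        raise ValueError(f"not a negotiation failure: {message!r}")
    offered = [a for a in m.group("offer").split(",") if a]
    return m.group("host"), m.group("kind"), offered


def pick_strongest(kind: str, offered: List[str]) -> str:
    """Strongest algorithm the device offered that we are willing to enable."""
    for candidate in PREFERENCE[kind]:
        if candidate in offered:
            return candidate
    raise ValueError(f"no acceptable {kind} in offer: {offered}")


def build_options(messages: List[str]) -> Tuple[str, Dict[str, str]]:
    """Collect ssh_config options for one host from one or more error lines."""
    host = None
    options: Dict[str, str] = {}
    for msg in messages:
        h, kind, offered = parse_offer(msg)
        if host not in (None, h):
            raise ValueError("messages refer to different hosts")
        host = h
        # "+" appends to the client's defaults instead of replacing them
        options[KEYWORD[kind]] = "+" + pick_strongest(kind, offered)
    return host, options


def render_host_stanza(host: str, options: Dict[str, str]) -> str:
    """Render a Host block that applies to that one device only."""
    lines = [f"Host {host}"]
    lines += [f"    {k} {v}" for k, v in sorted(options.items())]
    return "\n".join(lines) + "\n"


# Constructed sample error lines, modelled on the ones quoted in the text.
SAMPLE_ERRORS = [
    "Unable to negotiate with 10.1.1.1 port 22: no matching key exchange "
    "method found. Their offer: diffie-hellman-group1-sha1",
    "Unable to negotiate with 10.1.1.1 port 22: no matching cipher found. "
    "Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc",
]

if __name__ == "__main__":
    host, opts = build_options(SAMPLE_ERRORS)
    print(render_host_stanza(host, opts))
```

For the constructed sample the script emits a Host 10.1.1.1 block enabling only diffie-hellman-group1-sha1 and aes256-cbc. The "+" prefix keeps the client's default algorithm lists intact, and because the block is keyed on the device's address, any other host still negotiates with the modern defaults.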