Bernhard's Homepage

SSH to Cisco and Juniper router

Cisco IOS

First we have to generate the crypto key. For SSH v2 it needs to be at least 768 bits long; I recommend using 1024 or 2048 bits.

hostname <host>
ip domain name <domain>
crypto key generate rsa
 How many bits in the modulus [512]: 1024/2048
ip ssh version 2

Now we add a user (optionally with its SSH key) and enable SSH on the vty lines. The AAA configuration uses the new-model style. A simple "login local" in the line vty configuration would be sufficient instead, but this AAA configuration is easily expandable, e.g. for RADIUS or TACACS+ authentication.

aaa new-model
aaa authentication login default local
aaa authorization exec default local
username <user> privilege 15 secret <password>
line vty 0 4
 transport input ssh
! optionally use public key authentication
ip ssh pubkey-chain
  username <user>
    ssh-rsa ...
! for testing only: no authentication on console
aaa authentication login no_auth none
line con 0
 privilege level 15
 login authentication no_auth

Earlier IOS versions don't support the "ip ssh pubkey-chain" command and therefore can't use public key authentication.

Password authentication is always possible, even when public key authentication fails, so choose a strong password.

Juniper JunOS

The JunOS configuration is quite simple. Just configure the user and enable SSH.

set system host-name <host>
set system login user <user> class super-user
set system login user <user> authentication plain-text-password
set system login user <user> authentication ssh-rsa "ssh-rsa ..."
set system services ssh

You don't need to configure both a password and an ssh-rsa key; one of them is sufficient. If both are configured, public key authentication is tried first, then password authentication.

SSH clients

Older Cisco IOS versions don't support modern key exchange methods and ciphers. If your SSH connection fails with

Unable to negotiate with <host> port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

or

Unable to negotiate with <host> port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cb,

you have to enable diffie-hellman-group1-sha1 and/or aes128-cbc on the client.

This can be done on the command line with ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=+aes128-cbc ... or, more permanently, by adding it to ~/.ssh/config:

Host r1 R1
	KexAlgorithms +diffie-hellman-group1-sha1
	Ciphers +aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
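
As an added example (not part of the original page), here is a small Python helper that turns the OpenSSH negotiation errors above into a per-host ~/.ssh/config stanza, so the legacy algorithms are enabled only for that router instead of globally, and only the strongest algorithm the router offers is added. The stderr lines and the host name r1 are constructed sample input.

```python
import re
from typing import Dict, List

# OpenSSH client error lines, as quoted above, e.g.
#   Unable to negotiate with r1 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc
NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port \d+: "
    r"no matching (?P<kind>key exchange method|cipher|host key type|MAC) found\. "
    r"Their offer: (?P<offer>\S+)"
)

# ssh_config keyword that controls each negotiation step.
KEYWORD = {
    "key exchange method": "KexAlgorithms",
    "cipher": "Ciphers",
    "host key type": "HostKeyAlgorithms",
    "MAC": "MACs",
}

# Strongest-first preference among the legacy algorithms old IOS typically offers;
# only the best offered one is enabled rather than the whole offer.
PREFERENCE = {
    "Ciphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
    "KexAlgorithms": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"],
}

def parse_offers(stderr: str) -> Dict[str, Dict[str, List[str]]]:
    """Map host -> ssh_config keyword -> algorithms the server offered."""
    offers: Dict[str, Dict[str, List[str]]] = {}
    for m in NEGOTIATE_RE.finditer(stderr):
        keyword = KEYWORD[m.group("kind")]
        offers.setdefault(m.group("host"), {})[keyword] = m.group("offer").split(",")
    return offers

def choose(keyword: str, offered: List[str]) -> List[str]:
    """Pick the most preferred offered algorithm; fall back to the whole offer."""
    for algo in PREFERENCE.get(keyword, []):
        if algo in offered:
            return [algo]
    return offered

def host_stanza(host: str, per_keyword: Dict[str, List[str]]) -> str:
    """Render a Host block that appends ('+') the chosen legacy algorithms for this host only."""
    lines = [f"Host {host}"]
    for keyword in sorted(per_keyword):
        lines.append(f"\t{keyword} +{','.join(choose(keyword, per_keyword[keyword]))}")
    return "\n".join(lines)

# Constructed sample: stderr from two failed connection attempts to a router called r1.
SAMPLE_STDERR = """\
Unable to negotiate with r1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Unable to negotiate with r1 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
"""

if __name__ == "__main__":
    for host, per_keyword in parse_offers(SAMPLE_STDERR).items():
        print(host_stanza(host, per_keyword))
```

Running it prints a "Host r1" block with "Ciphers +aes256-cbc" and "KexAlgorithms +diffie-hellman-group1-sha1", which you can paste into ~/.ssh/config.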