
Cisco SSH Configuration Example and Explanation

When telnet is used for remote device maintenance, the password and all traffic are sent in cleartext and can easily be captured by a sniffer, so SSH should be used instead of telnet. The SSH (Secure Shell) service uses TCP port 22: after the client software initiates a connection it receives the server's public key, negotiates an encryption method, and once that succeeds all communication is encrypted. Cisco devices currently support SSH v1 and v2; almost all Cisco routing and switching products support SSH, but the IOS image must include the security feature set. Cisco's purpose in implementing SSH is to provide a more secure device-management connection; it is not intended for encrypting host-to-host communication. SSH is supported on Cisco devices only in IOS versions 12.1(11) and later.

1. SSH configuration with AAA enabled:
ip domain-name runway.cn.net -------------------- set the domain name
aaa new-model ----------------------------------- enable the AAA service
crypto key generate rsa ------------------------- generate the RSA key pair
The name for the keys will be: Router1.runway.cn.net
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024 -------- specify a 1024-bit key
% Generating 1024 bit RSA keys ...[OK]
username sshuser secret sshpassword ------------- define the SSH login username and password
ip ssh time-out 30 ------------------------------ set the SSH timeout value
no ip ssh version ------------------------------- accept both SSH v1 and v2
aaa authentication login ssh local line none ---- define the method list that checks SSH login credentials
ip access-list standard forssh ------------------ define the permitted SSH source addresses
permit any

line vty 0 4
exec-timeout 30 --------------------------------- set the line idle timeout
login authentication ssh ------------------------ apply the method list that verifies login users
transport input ssh ----------------------------- restrict the line to SSH
access-class forssh in -------------------------- apply the access list

2. SSH configuration without AAA
hostname Router1
ip domain-name runway.cn.net
crypto key generate rsa
The name for the keys will be: Router1.runway.cn.net
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
username sshuser secret sshpassword
ip ssh time-out 30
no ip ssh version
ip access-list standard forssh
permit any

line vty 0 4
exec-timeout 30
login local
transport input ssh
access-class forssh in
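As an added example (not code from the original article), the following Python script audits an IOS configuration excerpt for the management-plane settings the two configurations above set up: an RSA key can only be generated once a hostname and domain name exist, `no ip ssh version` still accepts SSHv1, a method list whose last entry is `none` admits the session without authentication once the earlier methods are unavailable, and a `permit any` access list makes `access-class` a no-op. The sample configuration is the AAA variant from the article written in `show running-config` indentation; the hardened variant and the 10.0.0.0/24 management subnet in it are constructed for illustration. The second (non-AAA) variant differs only in using `login local`, and the per-vty checks apply to it unchanged.

```python
"""Audit a Cisco IOS config excerpt for the SSH management-plane settings
set up above.  Added example, not from the original article: the checks
encode common hardening practice, not IOS defaults."""
import re
from typing import Dict, List

# Constructed sample: the article's AAA variant (annotations removed), written
# with the indentation that 'show running-config' uses for sub-commands.
SAMPLE_AAA_CONFIG = """\
hostname Router1
ip domain-name runway.cn.net
aaa new-model
username sshuser secret sshpassword
ip ssh time-out 30
no ip ssh version
aaa authentication login ssh local line none
ip access-list standard forssh
 permit any
line vty 0 4
 exec-timeout 30
 login authentication ssh
 transport input ssh
 access-class forssh in
"""

# Constructed hardened variant: same config with three lines changed;
# 10.0.0.0/24 stands in for a hypothetical management subnet.
HARDENED_CONFIG = (SAMPLE_AAA_CONFIG
                   .replace("no ip ssh version", "ip ssh version 2")
                   .replace("login ssh local line none", "login ssh local")
                   .replace(" permit any", " permit 10.0.0.0 0.0.0.255"))


def parse_config(text: str) -> Dict[str, List[str]]:
    """Split an IOS config into sections keyed by parent command: every
    unindented line is a global command and opens a section; indented lines
    become children of the most recent unindented line.  '!' comments skipped."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections["global"].append(current)
            sections.setdefault(current, [])
    return sections


def audit_ssh_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_config(text)
    glob = sections["global"]
    findings: List[str] = []

    # 'no ip ssh version' (the article's setting) accepts SSHv1 as well as v2.
    if "ip ssh version 2" not in glob:
        findings.append("global: SSHv1 still accepted; set 'ip ssh version 2'")

    # A method list ending in 'none' lets the session in with no authentication
    # when the methods before it are unavailable (error, as opposed to a failed login).
    for cmd in glob:
        m = re.match(r"aaa authentication login (\S+) (.+)$", cmd)
        if m and m.group(2).split()[-1] == "none":
            findings.append(f"global: method list '{m.group(1)}' falls back to 'none'")

    vtys = {n: c for n, c in sections.items() if n.startswith("line vty")}
    acls = {n.split()[-1]: c for n, c in sections.items()
            if n.startswith("ip access-list standard ")}

    # 'login authentication <list>' on a vty only takes effect under aaa new-model.
    if "aaa new-model" not in glob and any(
            c.startswith("login authentication ") for cmds in vtys.values() for c in cmds):
        findings.append("global: 'login authentication' used without 'aaa new-model'")

    for name, cmds in vtys.items():
        if "transport input ssh" not in cmds:
            findings.append(f"{name}: transport input not restricted to ssh")
        timeout = next((c.split()[1:] for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None or timeout in (["0"], ["0", "0"]):
            findings.append(f"{name}: no effective exec-timeout")
        access_class = next((c for c in cmds if c.startswith("access-class ")), None)
        if access_class is None:
            findings.append(f"{name}: no access-class applied")
            continue
        acl_name = access_class.split()[1]
        entries = acls.get(acl_name)
        if entries is None:
            findings.append(f"{name}: access-class '{acl_name}' references an undefined ACL")
        elif any(e.startswith("permit any") for e in entries):
            findings.append(f"{name}: access-class '{acl_name}' permits any source")
    return findings


if __name__ == "__main__":
    for label, cfg in (("article config", SAMPLE_AAA_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==", *(audit_ssh_config(cfg) or ["no findings"]), sep="\n  ")
```

Run against the article's configuration the audit reports three findings (SSHv1 accepted, the `none` fallback, and the `permit any` source list); the hardened variant reports none. The parser keys sections by the parent command, so adding further checks for other `line` or `interface` blocks is a matter of reading `sections["line con 0"]` and so on.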