Wednesday, May 23, 2012

SSH: SECURE SHELL PROTOCOL

  • Telnet sends everything, including the login password, in clear text, so it is not secure.
  • SSH is a client/server protocol that encrypts the traffic in and out through the vty ports.
  • By default Cisco routers & switches can act as SSH clients (the ssh exec command is available on a crypto image).
  • To make Cisco routers & switches act as SSH servers they must be configured.
  • Authentication is required before a client is connected.
  • This authentication can be a local username & password, or authentication against a AAA server (RADIUS or TACACS+).
  • There are 2 versions of SSH:
    • Version 2 is more secure than Version 1; SSHv1 has known protocol-level weaknesses and should not be used.
    • Cisco devices support both versions. Until you set ip ssh version 2 the server runs in compatibility mode (shown as version 1.99 by show ip ssh) and accepts both.
  • You must specify which version you want to use (ip ssh version 2 restricts the server to v2 only).
  • Configuring a basic SSH server requires the following steps:
    • Check whether the IOS image supports SSH (a crypto/k9 image is required; show ip ssh or show version).
    • Configure a host name (if already configured, leave it).
    • Configure a domain name (if already configured, leave it). Host name plus domain name become the label of the RSA key.
    • Configure a client authentication method (local username/secret, or AAA).
    • Have the router or switch generate an RSA key pair. This is the device's host key: it authenticates the server to the client and is used in the key exchange; the session itself is encrypted with a symmetric cipher negotiated during that exchange. Use a 2048-bit modulus; 512/768-bit keys are far too small.
    • Specify the SSH version, if you want to use version 2 only.
    • Disable telnet on the VTY lines.
    • Enable SSH on the VTY lines (both are done by one command, transport input ssh).
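The whole procedure above in one sitting, as an added example (not from the original post): the host name R1, the domain example.com, the username admin and its password are placeholders, and the vty range is the router's 0 4 (use 0 15 on a switch). The comments beside show ip ssh describe what the command prints on an image with and without RSA keys.

```cisco
! Added example: basic SSHv2 server on a Cisco IOS router.
! R1, example.com, admin and the password are placeholders.
Router> enable
Router# show ip ssh
! "SSH Disabled - version 1.99" = image has SSH but no RSA key yet.
! If the ip ssh commands do not exist at all, the image is not a crypto (k9) image.
Router# configure terminal
Router(config)# hostname R1
R1(config)# ip domain-name example.com
! Local credential: use secret (one-way hash), never password (reversible type 7).
R1(config)# username admin privilege 15 secret Str0ng-Passw0rd
! Host key pair, labelled R1.example.com; 2048 bits so the key is not the weak link.
R1(config)# crypto key generate rsa modulus 2048
! Refuse SSHv1 clients and limit login attempts.
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 2
! VTY lines: authenticate against the local username table, accept SSH only.
! transport input ssh disables telnet and enables SSH in one step.
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exec-timeout 10 0
R1(config-line)# end
R1# show ip ssh
! Expect "SSH Enabled - version 2.0" here before saving.
R1# copy running-config startup-config
```

Test it from a client before closing your existing session: ssh admin@<router IP> from a workstation, or ssh -l admin <router IP> from another IOS device. If show ip ssh still reports 1.99 the version command was not applied; if it reports Disabled the key was not generated (wrong image, or no host/domain name at the time).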

SECURITY


  • 3 ways to reach user EXEC mode (each is a separate line type with its own password):
        • CONSOLE (line con 0)
        • AUX (line aux 0)
        • VTY (line vty; telnet or SSH over the network)
  • Simple user mode CLI password protection
      • line con 0
      •   login
      •   password cisco
      • line vty 0 15
      •   login
      •   password cisco
    • These passwords are stored as clear text in the configuration (show running-config reveals them).
    • They can be hidden with the service password-encryption command. You still type the password in clear text; IOS then stores and displays it as a "type 7" string:
      • service password-encryption
      • line console 0
      •     password cisco
      •     login
      • line vty 0 4
      •     password cisco
      •     login
    • show running-config then shows, for example, password 7 094F471A1A0A in place of password cisco. (password 7 <string> is also the form you paste back in when restoring a saved config; you do not type a clear text password after the 7.)
    • After service password-encryption is added to the configuration, all clear text passwords in the running configuration are rewritten as type 7 strings.
    • Until copy run start, the passwords in the startup config are still clear text.
    • no service password-encryption does not decrypt anything: passwords already converted stay type 7, and only passwords entered afterwards are stored in clear text.
    • This type 7 encryption is weak: it is a fixed-key XOR obfuscation, and freely available public tools reverse it instantly, so treat any config that contains type 7 strings as if it contained the clear text passwords. It only defeats shoulder-surfing. For the enable password and user accounts use enable secret and username ... secret, which store a one-way hash (type 5 MD5, or type 8/9 PBKDF2/scrypt on newer IOS) instead of something reversible.
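To show exactly how weak type 7 is, here is an added example (my own code, not from the original post or from Cisco): a decoder for type 7 strings, the matching encoder, and a small audit that walks a running-config, recovers every type 7 and clear text password, and flags VTY lines that still admit telnet. The configuration at the bottom is constructed for the example (the type 5 hash in it is a dummy value, not a real digest), and the audit's treatment of a VTY line with no explicit transport input as something to fix is a conservative assumption rather than a statement about a particular IOS default.

```python
import re

# Cisco's fixed "type 7" XOR key. It is the same 53-byte table every public
# decoder carries, which is why the scheme offers no real secrecy.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a 'password 7' string. The first two characters are a decimal
    offset (00-15) into XLAT; each following hex byte is the password byte
    XORed with XLAT[offset + i]."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    if seed > 15:
        raise ValueError(f"offset {seed} out of range 0-15")
    cipher = bytes.fromhex(encoded[2:])
    plain = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(cipher))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 9) -> str:
    """Produce the string IOS writes for 'password <plain>' once
    'service password-encryption' is on (IOS chooses the offset itself)."""
    if not 0 <= seed <= 15:
        raise ValueError("offset must be 0-15")
    data = plain.encode("ascii")
    cipher = bytes(p ^ XLAT[(seed + i) % len(XLAT)] for i, p in enumerate(data))
    return f"{seed:02d}{cipher.hex().upper()}"


TYPE7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)$")
CLEAR_RE = re.compile(r"\bpassword (?:0 )?(?!7 )(\S+)$")
TRANSPORT_RE = re.compile(r"^transport input (.+)$")


def audit_config(config: str) -> list[str]:
    """Walk a running-config and report every credential recoverable from the
    text, plus every VTY line that still admits telnet. Lines indented with a
    space belong to the preceding top-level block, as in 'show running-config'."""
    findings = []
    section = "(global)"
    vty_transport_seen = {}  # "line vty a b" -> explicit transport input seen?
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if not raw.startswith(" "):
            section = text if text.startswith("line ") else "(global)"
            if text.startswith("line vty"):
                vty_transport_seen[section] = False
        where = text.split()[0] if section == "(global)" else section
        m = TYPE7_RE.search(text)
        if m:
            try:
                findings.append(f"{where}: type 7 {m.group(1)} -> '{type7_decode(m.group(1))}'")
            except ValueError as exc:
                findings.append(f"{where}: unparseable type 7 string ({exc})")
            continue
        m = CLEAR_RE.search(text)
        if m:
            findings.append(f"{where}: cleartext password '{m.group(1)}'")
            continue
        m = TRANSPORT_RE.match(text)
        if m and section in vty_transport_seen:
            vty_transport_seen[section] = True
            protocols = m.group(1).split()
            if "telnet" in protocols or "all" in protocols:
                findings.append(f"{where}: 'transport input {m.group(1)}' still allows telnet")
    # Assumption: a VTY line without an explicit transport input is reported
    # so the operator sets 'transport input ssh' rather than trusting the default.
    for section, seen in vty_transport_seen.items():
        if not seen:
            findings.append(f"{section}: no 'transport input' set; add 'transport input ssh'")
    return findings


# Constructed sample: a box where service password-encryption was once on and
# later turned off, so old type 7 strings remain next to a newer clear password.
# The type 5 hash is a dummy value, not a real digest.
SAMPLE_CONFIG = """\
hostname R1
enable password 7 094F471A1A0A
username admin secret 5 $1$Xk2m$ConstructedDummyHashValue
!
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password cisco
 login
 transport input telnet ssh
line vty 5 15
 login local
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a real show running-config dump and every password 7 line comes back in clear text; only the username ... secret entry survives, because a one-way hash has nothing to reverse. That is the practical meaning of "type 7 is weak": anyone who can read the config (backups, TFTP servers, ticket attachments, Git repos) has the passwords.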