
Cisco IOS SSH Terminal Server
July 13, 2010

Operating System: Cisco IOS
Platform: Cisco 3600 Series Router

I. Abstract

This document describes the process of setting up a secure terminal access server. The information here is based on the following testing environment:

  • Cisco 3640 Router (tested on 3745 as well)
  • IOS 12.4(16) - c3640-ik9s-mz.124-16 (must be a k9 image for 3DES support)
  • 128MB RAM / 32MB Flash
  • NM-16A Async Network Module
This process should work for any of the Cisco async modules. IOS 12.2(2)T is the first release to support the ip ssh port command, so you will need that or a newer version for this to work. You may need to customize some parts to match your specific configuration.

Keep in mind that this document does not cover hardening the router. That process is outlined in other documents from myself or others.


II. Prepare Router

First, since this router is deployed for only this service, let's start with a clean slate by wiping the NVRAM clean:

Router> enable
Router# erase startup-config
Router# reload

When asked to perform the initial configuration, type yes and press enter. Next, type yes and enter when asked to enter basic management setup. Follow the prompts; this part should be easy. Once the configuration has been saved and the router has come back up with it, we're ready to continue to the next step - setting the time. Your settings may vary.

mars# conf t
mars(config)# clock timezone EST -5
mars(config)# clock summer-time EST recurring
mars(config)# exit
mars# clock set 01:50:00 Jul 13 2010

III. Setup SSH

To make the rest of this process go smoothly, you should give your system a host name and a domain name if it isn't set already. You must be in enable mode to perform these functions.

mars# conf t
mars(config)# hostname mars
mars(config)# ip domain-name procyonlabs.com 

Now we want to create an RSA key pair for the router's SSH server to use for authentication and encryption of data. Normally, I use a paranoid 2048-bit key. If you don't want to wait 5 or more minutes for the cheap low-end CPUs that Cisco uses in their overpriced equipment, you can use a lower number (I'd suggest at least 1024; 768 is the minimum supported):

mars(config)# crypto key gen rsa

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]

Because Cisco likes to wait a few years before taking any security issue seriously, SSH v2 wasn't implemented until IOS 12.3(4)T. If you are using a version older than this, you most likely are stuck with SSH v1 (technically, 1.5 - the IETF draft version, now expired). You can enter the following to verify what SSH version your system has enabled, along with the session settings (exit configuration mode first):

mars# sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

This means it is configured to support both v1 and v2 of SSH. If that is the case, force it to use v2:

mars# conf t
mars(config)# ip ssh version 2


IV. Configure SSH Terminal-Line Access (reverse-ssh)

Logic would tell you that if you had an NM-16A card installed, which supports 16 lines, the lines would be detected and configured by IOS as 1-16 (or even 0-15). Not so fast now. Enter the following to discover how your system sees the lines:

mars# sh line

We will use a simple authentication and authorization system for this example. I'd encourage you to use AAA (RADIUS / TACACS+), but for this we'll just use local accounts.

mars# conf t
mars(config)# user <user_name> password 0 <password>
mars(config)# aaa new-model
mars(config)# aaa authentication login USERS_LOCAL local
mars(config)# service password-encryption   (encrypts the user passwords stored in the config file)
mars(config)# no service password-encryption   (disable the password encryption service again; it does the job once and wastes cycles if left on, so turn it off until needed again)

Chances are your 16 lines will be detected as 33-48. To configure the lines for access, you must use a rotary statement. This is simple if you don't care which system you get when you connect. I tend to like getting the specific system I intend to work with. This means you need to configure each line independently, each with its own rotary system. You will need to do the following to configure them for use: 

mars(config)# line 33
mars(config-line)# no exec
mars(config-line)# speed 9600   (the default is 9600, so this is optional)
mars(config-line)# login auth USERS_LOCAL
mars(config-line)# rotary 1
mars(config-line)# transport input ssh
mars(config-line)# location Cisco 3500 Switch  (description/location of system)
mars(config-line)# exit
mars(config)# ip ssh port 2033 rotary 1

mars(config)# line 34
mars(config-line)# no exec
mars(config-line)# speed 9600
mars(config-line)# login auth USERS_LOCAL
mars(config-line)# rotary 2
mars(config-line)# transport input ssh
mars(config-line)# location Sun Netra X1 R2S2
mars(config-line)# exit
mars(config)# ip ssh port 2034 rotary 2

...and so on - once for each line you wish to configure. At some point, you'll probably need to send a break to the device you will be administering. For example, I have a Sun Netra X1 - to enter OpenBoot you will need to send the equivalent of STOP-A (a break signal). Configure the IOS as follows, using whatever string you would like as the break signal. Just try not to use a string you might one day actually enter for other purposes!

mars# conf t
mars(config)# ip ssh break-string ^brk^

Now, when connected to the device via your Cisco router using SSH, just enter your break string (e.g. ^brk^) and you will be right where you want to be.

Also, don't forget to write the running-config over startup-config when you're done (wr mem)!
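The per-line blocks above repeat for every async line that sh line reports. As an added example (not part of this guide), the Python below parses a constructed show line sample, keeps only the TTY lines, and emits the numbering scheme used above (rotary 1, 2, ... in line order; TCP port 2000 + line number). The USERS_LOCAL list name is the guide's; the sample rows and the "unassigned" location label are assumptions.

```python
import re

# Constructed 'show line' sample (IOS 12.x column layout); only Tty and Typ matter.
SAMPLE_SHOW_LINE = """\
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    -    -      0       0     0/0       -
    33 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    34 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    65 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
    66 VTY              -    -      -    -    -      0       0     0/0       -
"""

# Optional status marker column (blank or e.g. '*'), then the Tty number and Typ.
LINE_ROW = re.compile(r"^[ *AI]*\s*(\d+)\s+([A-Z]+)\b")


def async_lines(show_line_output):
    """Return the async TTY line numbers; CTY, AUX and VTY are not console ports."""
    found = []
    for row in show_line_output.splitlines():
        m = LINE_ROW.match(row)
        if m and m.group(2) == "TTY":
            found.append(int(m.group(1)))
    return sorted(found)


def line_block(line, rotary, port, location, auth_list="USERS_LOCAL"):
    """IOS commands for one async line, mirroring the guide's line 33/34 blocks."""
    return "\n".join([
        f"line {line}",
        " no exec",                            # never start an EXEC on the device side
        " speed 9600",
        f" login authentication {auth_list}",  # the aaa login list defined earlier
        f" rotary {rotary}",
        " transport input ssh",                # SSH only: no telnet onto the console
        f" location {location}",
        "exit",
        f"ip ssh port {port} rotary {rotary}",
    ])


def terminal_server_config(show_line_output, locations, port_base=2000):
    """One block per discovered line: rotary 1, 2, ... in line order, port 2000+line."""
    blocks = []
    for rotary, line in enumerate(async_lines(show_line_output), start=1):
        location = locations.get(line, f"line {line} unassigned")  # label spare ports too
        blocks.append(line_block(line, rotary, port_base + line, location))
    return "\n!\n".join(blocks)
```

Paste the result into configure terminal on the router, then verify the mapping with sh line and sh ip ssh before saving.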

Some versions of IOS running SSHv2 have a bug relating to the break-string function. See the note detailed here:

ip ssh break-string


V. Errata

To connect to a specific console (terminal) via the Cisco terminal server from a Linux/UNIX system OpenSSH client, enter the following:

wkstn$ ssh -p <port> <router_name_or_IP>


VI. Helpful Links



© 2001-2017 Procyon Labs / Randal T. Rioux