I have two Cisco Catalyst 2960-S 48-port switches 'stacked' using the Cisco FlexStack module. Originally I had to set them up using 'Express Setup', which I absolutly hate from my limited use of it.
I configured hostnames, ip addresses, and made sure the stack was functioning properly. I tested by plugging in a laptop and making sure it could open an internet page and all was well. I configured each switch exactly the same with the exception (obviously) of the hostname and IP. I then powered them OFF and installed the stacking module and they auto-configured themselves..
Before:
Switch-A (192.168.10.3)
Switch-B (192.168.10.4)
After:
Switch-A (192.168.10.3) Master 1
Switch-B Member 2
What I need and want to do now is setup remote access. If I have to go connect up with a console cable to configure that's fine, but I'm not sure if I need to..
If I open PuTTY and use Telnet to connect it states 'password required, but none set' and the PuTTY window closes.
If I open PuTTY and use SSH to connect it prompts me 'login as:'
If I press enter (@192.168.10.3's password:) it proceeds to prompt me for a password, which entering the password I used to setup the switch I receive 'access denied'.
I know I didn't configure SSH or Telnet for that matter when I initially set these up. I want to fix that now.
I want SSH (v2) enabled and I want to disable Telnet.
Any suggestions?
I configured hostnames, ip addresses, and made sure the stack was functioning properly. I tested by plugging in a laptop and making sure it could open an internet page and all was well. I configured each switch exactly the same with the exception (obviously) of the hostname and IP. I then powered them OFF and installed the stacking module and they auto-configured themselves..
Before:
Switch-A (192.168.10.3)
Switch-B (192.168.10.4)
After:
Switch-A (192.168.10.3) Master 1
Switch-B Member 2
What I need and want to do now is setup remote access. If I have to go connect up with a console cable to configure that's fine, but I'm not sure if I need to..
If I open PuTTY and use Telnet to connect it states 'password required, but none set' and the PuTTY window closes.
If I open PuTTY and use SSH to connect it prompts me 'login as:'
If I press enter (@192.168.10.3's password:) it proceeds to prompt me for a password, which entering the password I used to setup the switch I receive 'access denied'.
I know I didn't configure SSH or Telnet for that matter when I initially set these up. I want to fix that now.
I want SSH (v2) enabled and I want to disable Telnet.
Any suggestions?
Telnet versus SSH
- Displaying the RSA Public Keys ASA5505# show crypto key mypubkey rsa Key pair was generated at: 19:24:29 BRT Nov 15 2009 Key name: Usage: General Purpose Key Modulus Size (bits): 1024 Key Data: 30819f30 0d06092a 864886f7 0d00381 8d08181 008e60c4 bce3e63a 47aa12c4 e78c0a76 f2faf41c 5d8d461a 4978a5f6 0a4ac11b.
- ASA(config)#domain-name cisco. With this command we define domain-name to be used when generating crypto keys. ASA(config)#crypto key generate rsa label cisco modulus 1024. With this command we create crypto keys on asa, naming it 'cisco' and also defining key size with modulus '1024'. ASA(config)#ssh 0 0 inside.
Many people continue to use Telnet for sensitive applications or access to critical systems. Telnet is CLEARTEXT, so all the data, including the login id is visible is someone intercepts that session
Oct 02, 2015 SSH Config and crypto key generate RSA command. Use this command to generate RSA key pairs for your Cisco device (such as a router). Keys are generated in pairs–one public RSA key and one private RSA key. If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys. Oct 02, 2015 SSH Config and crypto key generate RSA command. Use this command to generate RSA key pairs for your Cisco device (such as a router). Keys are generated in pairs–one public RSA key and one private RSA key. If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Here’s what this looks like using Wireshark an Open Source Protocol Analyzer when we use the Follow TCP Stream feature in Wireshark.
The next characters are red (the character I typed) and blue (the characters echoed back)
You clearly see the User Verification Prompt.Here's the telnet trace file.
Below you can see me typing in my username;
In this screenshot below you can see me entering the commandenable and the the enable password.
How to Enable SSH Version 1 on Cisco
Before you can enable SSH you need to assign individual (or group) user IDs and passwords.
These are just login id's and are required regardless if you use Telnet or SSH.
To enable locally administered user IDs, use the following set of configuration commands. I would not suggest using the nopassword parameter.
Put your own data in the italized text.
Now when you telnet into the device you should see the Username prompt
Cisco Crypto Key Generate Rsa 1024 Price
User Access Verification Username: fortunato Password: foghorn> |
Now that you have login id's created you can turn on SSH version 1.
To enable SSH, use the following set of configuration commands. I would not suggest using the nopassword parameter.
Put your own data in the italized text.
foghorn#configure terminal Enter configuration commands, one per line. End with CNTL/Z. foghorn(config)#crypto key generate rsa % Please define a domain-name first.! common mistake when you do not the IP domain-name created foghorn(config)#ip domain-name thetechfirm.com foghorn(config)#crypto key generate rsa The name for the keys will be: foghorn.thetechfirm.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys ..[OK] foghorn(config)#ip ssh time-out 120 foghorn(config)#ip ssh authentication-retries 5 foghorn(config)#end |
Now we'll try to capture the SSH login and as you can see the login data is no longer in clear text. Here's the SSH 1 trace file.
The moral of the story is not to use Cleartext logins if the device or application is sensitive.
To upgrade to even more secure SSH version 2, type in the following commands
foghorn(config)#ip ssh version 2 foghorn(config)#no ip ssh version 1 foghorn(config)#end |
the SSH version 2 trace files are here
Cisco Crypto Key Gen Rsa
In this write up I used;
- Wireshark Protocol Analyzer(free)
- Putty Telnet/SSH Client(free)
- Cisco Switch(not free)