ATM Switch Router Software Configuration Guide
OL-7396-01
Chapter 4 Configuring System Management Functions
For detailed information about RADIUS commands, refer to the “RADIUS Commands” chapter in the
Cisco IOS Security Command Reference publication.
Configuring Secure Shell
The preferred method of administering the switch router is through a Telnet session. However, using
Telnet might cause security issues that include session hijacking, sniffing, and man-in-the-middle
attacks. These attacks can be stopped using the Secure Shell (SSH) protocol and application that the
switch router supports. SSH is an application and protocol that provides a secure replacement for the
Berkeley r-tools. The protocol secures the sessions using standard cryptographic mechanisms, and the
application is similar to the Berkeley rexec and rsh tools. Two versions of SSH are currently available,
Version 1 and Version 2. Both SSH Server Version 1 and Version 2 are implemented in the Cisco IOS
software. Also, SSH Version 1 Integrated Client and SSH Version 2 Integrated Client are implemented
in the Cisco IOS software.
The current method of remotely configuring a switch router involves initiating a Telnet connection to
the switch router to start an Exec session and then entering configuration mode. This connection method
only provides as much security as Telnet provides, that is, lower-layer encryption (for example, IPSEC
[Internet Protocol SECurity]) and application security (for example, username and password
authentication at the remote host).
You can configure SSH (Secure Shell), an application that runs on top of a reliable transport
layer, such as TCP/IP, and provides strong authentication and encryption capabilities. Secure Shell
allows you to log in to another computer over a network, execute commands remotely, and move files
from one host to another. The requirements are:
• Any host that wants to allow incoming secure connections must have the SSH daemon (or server)
  running.
• The SSH client is required to initiate a connection to the remote host.
The IOS/ENA implementation of SSH server on the switch router provides the following:
• Secure incoming connections
• Remote Exec session connections to the switch router
• DES and 3DES encryption
• Username and password authentication using the existing IOS/ENA AAA authentication functions
For additional information about SSH, see the following:
• Secure Shell White Paper provided by SSH Communications Security
• Secure Shell Version 1 Support example configuration
• Secure Shell Version 1 Integrated Client
         Command                                            Purpose
Step 4   Switch(config)# radius-server timeout seconds      Specifies the number of seconds a switch waits for a reply to a RADIUS request before retransmitting the request.
Step 5   Switch(config)# radius-server deadtime minutes     Specifies the number of minutes a RADIUS server, which is not responding to authentication requests, is passed over by requests for RADIUS authentication.