I have two Cisco Catalyst 2960-S 48-port switches 'stacked' using the Cisco FlexStack module. Originally I had to set them up using 'Express Setup', which I absolutely hate from my limited use of it.
I configured hostnames, ip addresses, and made sure the stack was functioning properly. I tested by plugging in a laptop and making sure it could open an internet page and all was well. I configured each switch exactly the same with the exception (obviously) of the hostname and IP. I then powered them OFF and installed the stacking module and they auto-configured themselves...
Before:
Switch-A (192.168.10.3)
Switch-B (192.168.10.4)
After:
Switch-A (192.168.10.3) Master 1
Switch-B Member 2
What I need and want to do now is set up remote access. If I have to go connect up with a console cable to configure that's fine, but I'm not sure if I need to...
If I open PuTTY and use Telnet to connect it states 'password required, but none set' and the PuTTY window closes.
If I open PuTTY and use SSH to connect it prompts me 'login as:'
If I press enter (@192.168.10.3's password:) it proceeds to prompt me for a password, and on entering the password I used to set up the switch I receive 'access denied'.
I know I didn't configure SSH or Telnet for that matter when I initially set these up. I want to fix that now.
I want SSH (v2) enabled and I want to disable Telnet.
Any suggestions?
Telnet versus SSH
Many people continue to use Telnet for sensitive applications or access to critical systems. Telnet is cleartext, so all the data, including the login ID, is visible if someone intercepts that session.
Here's what this looks like in Wireshark, an open source protocol analyzer, when we use its Follow TCP Stream feature.
The next characters are red (the characters I typed) and blue (the characters echoed back).
You clearly see the User Access Verification prompt. Here's the telnet trace file.
Below you can see me typing in my username.
In the screenshot below you can see me entering the command enable and the enable password.
How to Enable SSH Version 1 on Cisco
Before you can enable SSH you need to assign individual (or group) user IDs and passwords.
These are just login IDs and are required regardless of whether you use Telnet or SSH.
To enable locally administered user IDs, use the following set of configuration commands. I would not suggest using the nopassword parameter.
Put your own data in the italicized text.
Now when you telnet into the device you should see the Username prompt:
User Access Verification
Username: fortunato
Password:
foghorn>
Now that you have login IDs created you can turn on SSH version 1.
To enable SSH, use the following set of configuration commands. I would not suggest using the nopassword parameter.
Put your own data in the italicized text.
foghorn#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
foghorn(config)#crypto key generate rsa
% Please define a domain-name first.
! common mistake when you do not have the IP domain-name created
foghorn(config)#ip domain-name thetechfirm.com
foghorn(config)#crypto key generate rsa
The name for the keys will be: foghorn.thetechfirm.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
foghorn(config)#ip ssh time-out 120
foghorn(config)#ip ssh authentication-retries 5
foghorn(config)#end
Now we'll try to capture the SSH login and as you can see the login data is no longer in clear text. Here's the SSH 1 trace file.
The moral of the story is not to use cleartext logins if the device or application is sensitive.
To upgrade to the even more secure SSH version 2, type in the following commands:
foghorn(config)#ip ssh version 2
foghorn(config)#no ip ssh version 1
foghorn(config)#end
The SSH version 2 trace files are here.
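To check that a switch ends up the way this page intends (SSH version 2 on, Telnet off, no nopassword accounts), the following added example, which is not from the original article, audits a saved running-config. The two sample configs are constructed, and the vty commands `transport input ssh` and `login local` are standard IOS line commands that the article itself does not show.

```python
import re

# Constructed sample configs (not from the page). "transport input" and
# "login local" are standard IOS line commands the article does not show.
WEAK = """\
hostname foghorn
username fortunato nopassword
ip domain-name thetechfirm.com
line vty 0 4
 password CONSTRUCTED
 login
 transport input telnet ssh
"""
HARDENED = """\
hostname foghorn
username fortunato secret CONSTRUCTED-PLACEHOLDER
ip domain-name thetechfirm.com
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
"""

def audit(config):
    """Return a list of findings for the remote-access settings in config."""
    findings = []
    lines = config.splitlines()
    if not any(l.strip() == "ip ssh version 2" for l in lines):
        findings.append("ssh: 'ip ssh version 2' not set")
    if not any(l.startswith("ip domain-name ") for l in lines):
        findings.append("ssh: no ip domain-name (RSA key cannot be generated)")
    for l in lines:
        m = re.match(r"username (\S+) nopassword", l)
        if m:
            findings.append(f"user {m.group(1)}: nopassword")
    # Each vty block is its header line plus the indented sub-commands below it.
    for m in re.finditer(r"^line vty (\d+ \d+)\n((?: .*\n?)*)", config, re.M):
        name, body = m.group(1), [b.strip() for b in m.group(2).splitlines()]
        transport = [b for b in body if b.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append(f"vty {name}: Telnet not excluded")
        if "login local" not in body:
            findings.append(f"vty {name}: not using local usernames")
    return findings
```

A vty block with no `transport input` line at all is also reported, since the platform default then decides whether Telnet is accepted.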
In this write-up I used:
- Wireshark Protocol Analyzer (free)
- PuTTY Telnet/SSH Client (free)
- Cisco Switch (not free)