Config Lab: Enabling SSH and Disabling Telnet
Many of us start out learning about the simplest Cisco security option: One password for all users to reach user mode, with no per-user login. By today’s standards, that security method is archaic. Today’s lab lets you upgrade from that simple beginning point to allow only the more secure SSH login, disallow Telnet, and require each user to use a separate username/password.
The Lab Exercise
Requirements
You will configure a Cisco Catalyst switch to support SSH and not support Telnet. From the user perspective, an attempt when using Telnet should be rejected so that the user never sees a prompt for a password or username. SSH users should be allowed in if they supply a correct username and password. For this lab, the switch already has been configured to support IP, and it has been configured with simple passwords; your job is to update the configuration to support SSH only for remote users.
The specific rules for this lab are as follows:
- Configure SSH to use an encryption key.
- Create the SSH key so that it relies on domain name example.com as input.
- Create a username/password pair of Barney/Rubble with the best encryption possible for the password.
- Enable support for SSH, but only SSH, using the locally-created usernames/passwords.
Figure 1: Network Used in this Lab
Initial Configuration
This lab begins with a switch that has been configured to allow both Telnet and SSH into the switch, both using a simple IP address. The management IP address and the CLI access passwords for user mode and enable mode have been set. Example 1 shows that configuration.
hostname SW1
enable secret 0 certskills
!
ip default-gateway 10.1.1.1
!
interface vlan1
ip address 10.1.1.20 255.255.255.0
no shutdown
!
line vty 0 4
password certskills
login
!
line vty 5 15
password certskills
login
Example 1: SW1 Initial Config
* Note that the no shutdown command is likely unnecessary on real gear, but may be on some virtualization platforms, so we include it here in the initial configuration.
Answer Options - Click Tabs to Reveal
You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!
To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.
You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.
(Use this link for more information about Cisco Packet Tracer.)
Use this workflow to do the labs in Cisco Packet Tracer:
- Download the .pkt file linked below.
- Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.
If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:
- Download the CML file (filetype .yaml) linked below.
- Import the lab’s CML file into CML and then start the lab.
- Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
Download this lab’s CML file!
Network Device Info:
This table lists the interfaces listed in the lab exercise documentation versus those used in the sample CML file.
Device | Lab Port | Â CML Port |
SW1 | G0/1 | G0/1 |
SW1 | F0/1 | G0/2 |
SW1 | F0/2 | G0/3 |
Host device info:
This table lists host information pre-configured in CML, information that might not be required by the lab but may be useful to you.
Device | IP Address | Mac Address | User/password |
PC | 10.1.1.11 | 02:00:11:11:11:11 | cisco/cisco |
S | 10.1.1.22 | 02:00:22:22:22:22 | cisco/cisco |
Lab Answers Below: Spoiler Alert
Lab Answers: Configuration (Click Tab to Reveal)
Answers
ip domain-name example.com
crypto key generate rsa modulus 1024
!
username Barney secret Rubble
!
line vty 0 15
login local
transport input ssh
Switch Configuration
Commentary, Issues, and Verification Tips (Click Tabs to Reveal)
Commentary
Telnet transmits information in a non-encrypted form and the information can be intercepted while traversing a network. SSH provides a more secure communications method, encrypting all communications using an encryption key. That communication includes the initial login, which must use a username/password pair.
The initial configuration fully enabled Telnet access. At that point, the switch allowed incoming Telnet and SSH attempts because of a default VTY setting of transport input all (meaning all methods, including both Telnet and SSH). To disable incoming Telnet sessions, but allow SSH, the answer configuration in this post includes the transport input ssh command.
The combination of the initial configuration plus default settings does not fully configure SSH access. First, the switch needs to generate an encryption key, and to generate that key, the switch needs both a hostname (preconfigured) and domain name (not yet configured). So the first two commands in the solution shown in this post add the domain name and then generate the key.
The command to generate the key, crypto key generate rsa modulus 1024, uses a modulus of 1024. To use SSH version 2, the key must use a key length (modulus) of at least 768. (You can also omit the modulus parameter and IOS will prompt you for the value.)
Finally, SSH requires the use of a username/password pair rather than a shared password. So, the configuration shows the login local command under the VTY ports, enabling the user of local username/password pairs rather than a password without a username. Additionally, the global command username Barney secret Rubble – which creates a username/password with an admittedly weak but fun password – is at least an encrypted password through use of the username secret command instead of the username password command.
Known Issues in this Lab
This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:
# | Summary | Detail |
1 | Cannot paste crypto key command | Packet tracer rejects the command crypto key generate rsa modulus 1024 when either typed or pasted into config mode. Instead, use the command crypto key generate rsa , press enter, and PT will prompt for the modulus setting. |
Why Would Cisco Packet Tracer Have Issues?
(Note: The below text is the same in every Config Lab.)
Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.
CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.
Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps.Â
- Connect to the console, and try to login with the configured password.
- Using the PC connected to a LAN interface, attempt to Telnet into the switch, to confirm the Telnet fails (as intended.)
- Again from the PC connected to a LAN interface, attempt to SSH into the switch to confirm that SSH works.
- Once in user mode after logging in with SSH, use the enable command to then test the enable password.
hi,
First, thank you so much for this blog.
I’d like to mention that the labs in CPT are no longer compatible with the last version of the software. I can’t open any in CPT because version differences.
regards.
Hi,
In the version you’re running in which you have trouble opening the .pkt files you download here, can you check the specific version and post it here? That would be a help in figuring out what’s happening. Normally, older .pkt files can be opened in the newer versions of Packet Tracer. Thanks.
Wendell
Hi,
The CLI wouldn’t accept the command:
crypto key generate rsa modulus 1024
Had to use:
crypto key generate rsa general-keys modulus 1024
Did anyone else encounter this?
Hi,
Yes. Packet Tracer doesn’t support the command listed in the answer. Check out the “Known Packet Tracer Issues” tab for more detail.
I am trying to import the CML file into CML 2.4 and am getting the following error: Failed: Bad request: None is not of type ‘string’ – ‘nodes.4.configuration’. I don’t know yaml so not sure where to start to solve this problem.
I am having difficulty importing the CML yaml files. I am running the latest version of CML, version 2.4 and I am getting the error: Failed: Bad request: None is not of type ‘string’ – ‘nodes.4.configuration’. What do I need to do to fix this?
Hi Matthew,
I will take a look and see if I can figure it out. We’ve had a few times now for which an update to CML to a new version breaks the CML files. All things considered, I’m thinking seriously about pulling the CML option from the labs. So, I’ll need to do a migration to V2.4 myself first, and then see if I can figure out what works. Sorry, but it may be some weeks.
In the mean time, if you want to try in CML:
Open the .yaml file with an editor. If you look inside, you’ll see the CLI commands for each device. You could, if you cared to take the time, create the same topology from the GUI in CML, start the devices, get into config mode for each, and then copy/paste the config for each device from the CML file. That should get you to the starting point for the lab.
That’s basically what I’ll do to troubleshoot – do that, compare the new CML file saved in V2.4 to the old, see what’s different, see if it’s a pattern I can just change, change a few old files and see if I can open them in CML 2.4.
Wendell
Thanks, Wendell. I hope you keep the CML option. I like working with images that are true to the actual equipment. Packet Tracer leaves out commands I think are important to my studies. I’ll try your suggestion for troubleshooting although I don’t really know yaml. I suppose I should learn! I appreciate you taken the time to try to figure out what is wrong. I suspect it is something simple to those more well versed in CML and yaml.
I figured out what the issue was in this case. One cannot have a parameter of null for a configuration statement. I simply replaced the “configuration null” for n4 (the unmanaged switch) with “configuration Rest-of-Internet” and it loaded right up.
There were a couple of other strange behaviors but I found work arounds for them. The vlan had to be manually shut / no shut for it to come up from its down/down state and I needed to include “-oKexAlgorithms=+diffie-hellman-group1-sha1” in the ssh command from the PC.
Wow.
For someone who didn’t know YAML and CML so much, sounds like you learned a lot! When you try other labs here, feel free to leave me a note if they don’t open, even if you get them fixed. It’s on my list to try. Last time it was literally a change to one yaml variable to make the old files work in CML 2.2, so maybe it’ll be an easy fix for all like what you tried.
Thanks, Wendell
Thanks, Wendell! Yes, I did learn a lot. I am going through your book and following the labs for each section using my version of CML. So far the only issue has been those first few labs that had the null key word. The rest have been working find. I will drop a not in the labs that I have problems with to let you know of any additional issues that may come up per your recommendation.
For those who are attempting to verify that ssh works, this is the syntax I used in command prompt.
ssh -l Barney 10.1.1.20
Hello, is the console password something different from cisco?
Hi,
For this lab, yes. The passwords are those shown in the initial config in the lab (certskills).