How to Configure SSH on Catalyst Switches Running CatOS


Contents

Introduction
Prerequisites
  Requirements
  Components Used
  Conventions
Network Diagram
Switch Configuration
Disabling SSH
debug in the Catalyst
debug Command Examples of a Good Connection
  Solaris to Catalyst, Triple Data Encryption Standard (3DES), Telnet Password
  PC to Catalyst, 3DES, Telnet Password
  Solaris to Catalyst, 3DES, Authentication, Authorization, and Accounting (AAA) Authentication
debug Command Examples of What Can Go Wrong
  Catalyst debug with Client Attempting [unsupported] Blowfish Cipher
  Catalyst debug with Bad Telnet Password
  Catalyst debug with Bad AAA Authentication
Troubleshoot
  Can't Connect to Switch through SSH
Related Information

Introduction

This document gives step-by-step instructions to configure Secure Shell (SSH) Version 1 on Catalyst switches running Catalyst OS (CatOS). The version tested is cat6000-supk9.6-1-1c.bin.

Prerequisites

Requirements

This table shows the status of SSH support in the switches. Registered users can access these software images by visiting the Software Center.

Device                                           CatOS SSH Support
Cat 4000/4500/2948G/2980G (CatOS)                K9 images as of 6.1
Cat 5000/5500 (CatOS)                            K9 images as of 6.1
Cat 6000/6500 (CatOS)                            K9 images as of 6.1

Device                                           IOS SSH Support
Cat 2950*                                        12.1(12c)EA1 and later
Cat 3550*                                        12.1(11)EA1 and later
Cat 4000/4500 (Integrated Cisco IOS Software)*   12.1(13)EW and later **
Cat 6000/5500 (Integrated Cisco IOS Software)*   12.1(11b)E and later
Cat 8540/8510                                    12.1(12c)EY and later, 12.1(14)E1 and later

Device                                           No SSH Support
Cat 1900
Cat 2800
Cat 2948G-L3
Cat 2900XL
Cat 3500XL
Cat 4840G-L3
Cat 4908G-L3

* Configuration is covered in Configuring Secure Shell on Routers and Switches Running Cisco IOS.
** There is support for SSH in the 12.1E train for Catalyst 4000 running Integrated Cisco IOS Software.

Refer to the Encryption Software Export Distribution Authorization Form in order to apply for 3DES.

This document assumes that authentication works prior to the implementation of SSH (through the Telnet password, TACACS+, or RADIUS). SSH with Kerberos is not supported prior to the implementation of SSH.

Components Used

This document addresses only the Catalyst 2948G, Catalyst 2980G, Catalyst 4000/4500 series, Catalyst 5000/5500 series, and Catalyst 6000/6500 series running the CatOS K9 image. For more details, refer to the Requirements section of this document.

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Network Diagram

Switch Configuration

!--- Generate and verify the RSA key.

sec-cat6000> (enable) set crypto key rsa 1024
Generating RSA keys...
[OK]
sec-cat6000> (enable)
ssh_key_process: host/server key size: 1024/768

!--- Display the RSA key.

sec-cat6000> (enable) show crypto key
RSA keys were generated at: Mon Jul 23 2001, 15:03:30
1024 65537 1514414695360
577332853671704785709850606634768746869716963940352440620678575338701550888525
699691478330537840066956987610207810959498648179965330018010844785863472773067
697185256418386243001881008830561241137381692820078674376058275573133448529332
1996682019301329470978268059063378215479385405498193061651

!--- Restrict which hosts/subnets are allowed to use SSH to the switch.
!--- Note: If you do not do this, the switch will display the message
!--- "WARNING!! IP permit list has no entries!"

sec-cat6000> set ip permit 172.18.124.0 255.255.255.0
172.18.124.0 with mask 255.255.255.0 added to IP permit list.

!--- Turn on SSH.

sec-cat6000> (enable) set ip permit enable ssh
SSH permit list enabled.

!--- Verify the SSH permit list.

sec-cat6000> (enable) show ip permit
Telnet permit list disabled.
Ssh permit list enabled.
Snmp permit list disabled.

Permit List          Mask             Access-Type
---------------- ---------------- -------------
172.18.124.0     255.255.255.0    telnet ssh snmp

Denied IP Address   Last Accessed Time   Type
----------------- ------------------ ------

Disabling SSH

In some situations it may be necessary to disable SSH on the switch. You must verify whether SSH is configured on the switch and, if so, disable it.

To verify whether SSH has been configured on the switch, issue the show crypto key command. If the output displays the RSA key, then SSH has been configured and enabled on the switch. An example is shown here.

sec-cat6000> (enable) show crypto key
RSA keys were generated at: Mon Jul 23 2001, 15:03:30
1024 65537 1514414695360
577332853671704785709850606634768746869716963940352440620678575338701550888525
699691478330537840066956987610207810959498648179965330018010844785863472773067
697185256418386243001881008830561241137381692820078674376058275573133448529332
1996682019301329470978268059063378215479385405498193061651

To remove the crypto key, issue the clear crypto key rsa command to disable SSH on the switch. An example is shown here.

sec-cat6000> (enable) clear crypto key rsa
Do you really want to clear RSA keys (y/n) [n]? y
RSA keys has been cleared.
sec-cat6000> (enable)
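The point of the permit list above is that SSH on CatOS is only as restricted as the `show ip permit` output says it is. The following added example, which is not part of Cisco's document, parses that output and audits it against the management networks an operator expects: it flags an SSH permit list that is disabled, one with no entries (the state behind the "IP permit list has no entries!" warning), and entries outside the expected networks. The function names, the second sample output, and the allowed-network lists are constructed for this example; the first sample is the output shown above.

```python
"""Audit CatOS `show ip permit` output for the SSH restriction configured above."""
import ipaddress
import re

# Constructed sample: the `show ip permit` output from the switch configuration
# section, after the 172.18.124.0/24 entry was added and SSH was enabled.
SAMPLE_RESTRICTED = """\
Telnet permit list disabled.
Ssh permit list enabled.
Snmp permit list disabled.

Permit List          Mask             Access-Type
---------------- ---------------- -------------
172.18.124.0     255.255.255.0    telnet ssh snmp

Denied IP Address   Last Accessed Time   Type
----------------- ------------------ ------
"""

# Constructed sample: a switch whose IP permit list was never populated.
SAMPLE_UNRESTRICTED = """\
Telnet permit list disabled.
Ssh permit list disabled.
Snmp permit list disabled.

Permit List          Mask             Access-Type
---------------- ---------------- -------------

Denied IP Address   Last Accessed Time   Type
----------------- ------------------ ------
"""

STATUS_RE = re.compile(r"^(Telnet|Ssh|Snmp) permit list (enabled|disabled)\.$")
ENTRY_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(.+)$")


def parse_show_ip_permit(text):
    """Return (status, entries).

    status  maps 'telnet', 'ssh' and 'snmp' to True when that permit list is enabled.
    entries is a list of (IPv4Network, set of access types) from the Permit List table.
    """
    status = {}
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = STATUS_RE.match(line)
        if m:
            status[m.group(1).lower()] = m.group(2) == "enabled"
            continue
        m = ENTRY_RE.match(line)
        if m:
            # ipaddress accepts a dotted-decimal mask after the slash.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            entries.append((net, set(m.group(3).split())))
    return status, entries


def audit_ssh_permit(text, allowed_mgmt_networks):
    """Return a list of findings; an empty list means the SSH posture matches expectations."""
    allowed = [ipaddress.ip_network(n) for n in allowed_mgmt_networks]
    status, entries = parse_show_ip_permit(text)
    findings = []
    if not status.get("ssh", False):
        findings.append("SSH permit list is disabled: any source may attempt SSH")
    ssh_entries = [(net, acc) for net, acc in entries if "ssh" in acc]
    if not ssh_entries:
        findings.append("SSH permit list has no entries")
    for net, _ in ssh_entries:
        if not any(net.subnet_of(a) for a in allowed):
            findings.append(f"permit entry {net} is outside the expected management networks")
    return findings


if __name__ == "__main__":
    # Constructed management network for the demonstration.
    for name, sample in (("restricted", SAMPLE_RESTRICTED), ("unrestricted", SAMPLE_UNRESTRICTED)):
        print(name, audit_ssh_permit(sample, ["172.18.124.0/24"]) or "OK")
```

Feed it the captured output of `show ip permit` from each switch in a maintenance script and any non-empty result is a switch whose SSH exposure differs from the documented baseline.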

debug in the Catalyst

To turn on debugs, issue the set trace ssh 4 command. To turn off debugs, issue the set trace ssh 0 command.

debug Command Examples of a Good Connection

Solaris to Catalyst, Triple Data Encryption Standard (3DES), Telnet Password

Solaris:

rtp-evergreen# ssh -c 3des -v 10.31.1.6
SSH Version 1.2.26 [sparc-sun-solaris2.5.1], protocol version 1.5.
Compiled with RSAREF.
rtp-evergreen: Reading configuration data /opt/cisssh/etc/ssh_config
rtp-evergreen: ssh_connect: getuid 0 geteuid 0 anon 0
rtp-evergreen: Allocated local port 1023.
rtp-evergreen: Connecting to 10.31.1.6 port 22.
rtp-evergreen: Connection established.
rtp-evergreen: Remote protocol version 1.5, remote software version 1.2.26
rtp-evergreen: Waiting for server public key.
rtp-evergreen: Received server public key (768 bits) and host key (1024 bits).
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host '10.31.1.6' added to the list of known hosts.
rtp-evergreen: Initializing random; seed file //.ssh/random_seed
rtp-evergreen: Encryption type: 3des
rtp-evergreen: Sent encrypted session key.
rtp-evergreen: Installing crc compensation attack detector.
rtp-evergreen: Received encrypted confirmation.
rtp-evergreen: Doing password authentication.
root@10.31.1.6's password:
rtp-evergreen: Requesting pty.
rtp-evergreen: Failed to get local xauth data.
rtp-evergreen: Requesting X11 forwarding with authentication spoofing.
Warning: Remote host denied X11 forwarding, perhaps xauth program could not be run on the server side.
rtp-evergreen: Requesting shell.
rtp-evergreen: Entering interactive session.

Cisco Systems Console

sec-cat6000>

Catalyst:

sec-cat6000> (enable)
debug: _proc->tty = 0x8298a494, socket_index = 3
debug: version: SSH-1.5-1.2.26
debug: Client protocol version 1.5; client software version 1.2.26
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: ssh login by user: root
debug: Trying Local Login
Password authentication for root accepted.
debug: ssh received packet type: 10
debug: ssh received packet type: 34
Unknown packet type received after authentication: 34
debug: ssh received packet type: 12
debug: ssh88: starting exec shell
debug: Entering interactive session.

PC to Catalyst, 3DES, Telnet Password

Catalyst:

debug: Client protocol version 1.5; client software version W1.0
debug: Encryption type: des
debug: Received session key; encryption turned on.
debug: ssh login by user:
debug: Trying Local Login
Password authentication for  accepted.
debug: ssh received packet type: 10
debug: ssh received packet type: 37
Unknown packet type received after authentication: 37
debug: ssh received packet type: 12
debug: ssh89: starting exec shell
debug: Entering interactive session.

Solaris to Catalyst, 3DES, Authentication, Authorization, and Accounting (AAA) Authentication

Solaris (with aaa on):

rtp-evergreen# ssh -c 3des -l abcde123 -v 10.31.1.6
SSH Version 1.2.26 [sparc-sun-solaris2.5.1], protocol version 1.5.
Compiled with RSAREF.
rtp-evergreen: Reading configuration data /opt/cisssh/etc/ssh_config
rtp-evergreen: ssh_connect: getuid 0 geteuid 0 anon 0
rtp-evergreen: Allocated local port 1023.
rtp-evergreen: Connecting to 10.31.1.6 port 22.
rtp-evergreen: Connection established.
rtp-evergreen: Remote protocol version 1.5, remote software version 1.2.26
rtp-evergreen: Waiting for server public key.
rtp-evergreen: Received server public key (768 bits) and host key (1024 bits).
rtp-evergreen: Host '10.31.1.6' is known and matches the host key.
rtp-evergreen: Initializing random; seed file //.ssh/random_seed
rtp-evergreen: Encryption type: 3des
rtp-evergreen: Sent encrypted session key.
rtp-evergreen: Installing crc compensation attack detector.
rtp-evergreen: Received encrypted confirmation.
rtp-evergreen: Doing password authentication.
abcde123@10.31.1.6's password:
rtp-evergreen: Requesting pty.
rtp-evergreen: Failed to get local xauth data.
rtp-evergreen: Requesting X11 forwarding with authentication spoofing.
Warning: Remote host denied X11 forwarding, perhaps xauth program could not be run on the server side.
rtp-evergreen: Requesting shell.
rtp-evergreen: Entering interactive session.

Cisco Systems Console

sec-cat6000>

Catalyst:

sec-cat6000> (enable)
debug: _proc->tty = 0x82a07714, socket_index = 3
debug: version: SSH-1.5-1.2.26
debug: Client protocol version 1.5; client software version 1.2.26
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: ssh login by user: abcde123
debug: Trying TACACS+ Login
Password authentication for abcde123 accepted.
debug: ssh received packet type: 10
debug: ssh received packet type: 34
Unknown packet type received after authentication: 34
debug: ssh received packet type: 12
debug: ssh88: starting exec shell
debug: Entering interactive session.

debug Command Examples of What Can Go Wrong

Catalyst debug with Client Attempting [unsupported] Blowfish Cipher

debug: Client protocol version 1.5; client software version W1.0
debug: Encryption type: blowfish
cipher_set_key: unknown cipher: 6
debug: Calling cleanup

Catalyst debug with Bad Telnet Password

debug: _proc->tty = 0x82897414, socket_index = 4
debug: version: SSH-1.5-1.2.26
debug: Client protocol version 1.5; client software version W1.0
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: ssh login by user:
debug: Trying Local Login
debug: Password authentication for  failed.

Catalyst debug with Bad AAA Authentication

cat6000> (enable)
debug: _proc->tty = 0x829abd94, socket_index = 3
debug: version: SSH-1.5-1.2.26
debug: Client protocol version 1.5; client software version 1.2.26
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: ssh login by user: junkuser
debug: Trying TACACS+ Login
debug: Password authentication for junkuser failed.
SSH connection closed by remote host.
debug: Calling cleanup

Troubleshoot

This section deals with different troubleshooting scenarios related to SSH configuration on Cisco switches.

Can't Connect to Switch through SSH

Problem: Can't connect to the switch using SSH. The debug ip ssh command shows this output:

Jun 15 20:29:26.207: SSH2 1: RSA_sign: private key not found
Jun 15 20:29:26.207: SSH2 1: signature creation failed, status -1

Solution: This problem occurs because of either of these reasons:

- New SSH connections fail after changing the hostname.
- SSH is configured with non-labeled keys (named after the router FQDN).

The workarounds for this problem are:

- If the hostname was changed and SSH is no longer working, zeroize the new key and create another new key with the proper label.

  crypto key zeroize rsa
  crypto key generate rsa general-keys label (label) mod (modulus) [exportab

- Do not use anonymous RSA keys (named after the FQDN of the switch). Use labeled keys instead.

  crypto key generate rsa general-keys label (label) mod (modulus) [exportab

In order to resolve this problem permanently, upgrade the IOS software to any of the versions in which this problem is fixed. A bug has been filed about this issue. For more information, refer to Cisco bug ID CSCtc41114 (registered customers only).
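The `set trace ssh 4` output in the good-connection and what-can-go-wrong sections above is the only record CatOS gives of who connected, with which cipher, and whether authentication succeeded, so it is worth reading programmatically rather than by eye. The following added example, which is not part of Cisco's document, splits a trace into one record per client session (every attempt logs a "Client protocol version" line, even one that dies on an unsupported cipher) and reports the sessions a reviewer would want to see: failed Local or TACACS+ logins, unsupported cipher requests, and sessions that negotiated single DES. The sample trace is constructed by concatenating debug lines from the sections above; the function names are this example's own.

```python
"""Summarize CatOS `set trace ssh 4` output per client session."""
import re
from collections import Counter

# Constructed sample: debug lines from the good-connection and what-can-go-wrong
# sections above, in document order, as they would appear in one trace.
SAMPLE_TRACE = """\
debug: _proc->tty = 0x8298a494, socket_index = 3
debug: version: SSH-1.5-1.2.26
debug: Client protocol version 1.5; client software version 1.2.26
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: ssh login by user: root
debug: Trying Local Login
Password authentication for root accepted.
debug: ssh received packet type: 10
debug: ssh received packet type: 34
Unknown packet type received after authentication: 34
debug: ssh88: starting exec shell
debug: Client protocol version 1.5; client software version W1.0
debug: Encryption type: des
debug: Received session key; encryption turned on.
debug: ssh login by user:
debug: Trying Local Login
Password authentication for  accepted.
debug: ssh89: starting exec shell
debug: Client protocol version 1.5; client software version W1.0
debug: Encryption type: blowfish
cipher_set_key: unknown cipher: 6
debug: Calling cleanup
debug: _proc->tty = 0x829abd94, socket_index = 3
debug: version: SSH-1.5-1.2.26
debug: Client protocol version 1.5; client software version 1.2.26
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: ssh login by user: junkuser
debug: Trying TACACS+ Login
debug: Password authentication for junkuser failed.
SSH connection closed by remote host.
debug: Calling cleanup
"""

CLIENT_RE = re.compile(r"client software version (\S+)")
CIPHER_RE = re.compile(r"Encryption type: (\S+)")
USER_RE = re.compile(r"ssh login by user:\s*(\S*)")
METHOD_RE = re.compile(r"Trying (.+?) Login")
AUTH_RE = re.compile(r"Password authentication for (\S*)\s*(accepted|failed)")
BADCIPHER_RE = re.compile(r"cipher_set_key: unknown cipher: (\d+)")


def parse_ssh_trace(text):
    """Return one dict per client session, in the order the sessions appear."""
    sessions = []
    cur = None
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:  # every connection attempt starts with this line
            cur = {"client": m.group(1), "cipher": None, "user": None,
                   "method": None, "outcome": "incomplete"}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        if m := CIPHER_RE.search(line):
            cur["cipher"] = m.group(1)
        elif m := USER_RE.search(line):
            cur["user"] = m.group(1)          # empty string when the client sent no name
        elif m := METHOD_RE.search(line):
            cur["method"] = m.group(1)        # "Local" or "TACACS+"
        elif m := AUTH_RE.search(line):
            cur["outcome"] = m.group(2)
        elif BADCIPHER_RE.search(line):
            cur["outcome"] = "unsupported cipher"
    return sessions


def summarize(sessions):
    """Count sessions by outcome."""
    return Counter(s["outcome"] for s in sessions)


def find_alerts(sessions):
    """Return one message per session that a defender would want to review."""
    alerts = []
    for s in sessions:
        if s["outcome"] == "unsupported cipher":
            alerts.append(f"client {s['client']} requested unsupported cipher {s['cipher']}")
        elif s["outcome"] == "failed":
            alerts.append(f"failed {s['method']} login for user '{s['user']}' from client {s['client']}")
        elif s["cipher"] == "des":
            # Single DES is a 56-bit cipher; the switch accepts it, but it should stand out.
            alerts.append(f"client {s['client']} negotiated single DES as user '{s['user']}'")
    return alerts


if __name__ == "__main__":
    sessions = parse_ssh_trace(SAMPLE_TRACE)
    print(dict(summarize(sessions)))
    for alert in find_alerts(sessions):
        print("ALERT:", alert)
```

Run it over a trace captured from the console (or from syslog, if the trace is forwarded) and the alerts give you the failed TACACS+ login for junkuser, the Blowfish attempt, and the single-DES session without scrolling through the packet-type lines.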

Related Information

SSH Support Page
Configuring Secure Shell on Routers and Switches Running Cisco IOS
Bug Toolkit - Find bugs related to SSH on Catalyst switches running CatOS
Technical Support - Cisco Systems

2009-2010 Cisco Systems, Inc. All rights reserved.