Secure Shell and Cisco IOS SSH

Secure Shell (SSH) is a protocol that provides a secure connection to a router. Cisco IOS supports versions 1 and 2 of SSH, which enable clients to make a secure, encrypted connection to a Cisco router. Cisco refers to this SSH support as Cisco IOS SSH. Before SSH was implemented, the only form of security available when accessing devices such as routers was Telnet username/password authentication, which is sent in clear text and is therefore clearly visible to a network sniffer. Telnet is insecure because a protocol analyzer can view the information in clear-text form. Figure 2-8 displays a simple protocol analyzer viewing information between a source address,, and the destination address,, after a Telnet session is initiated by the address (PC) 1066.32.1/24.

SSH support has been available in Cisco IOS since 12.1(1)T and 12.0(5)S.

NOTE Secure Shell and Cisco IOS SSH are not two different protocols; rather, Cisco IOS SSH is the Cisco terminology for the fact that Cisco IOS supports SSH. Do not confuse them as different protocols.

Figure 2-8 Sniffer Capture of a Telnet Connection


Figure 2-8 displays a simple Telnet connection between a PC and a remote router. Figure 2-8 is a packet trace from a client PC Telnet connection to a Cisco IOS router with the IP address The packet trace clearly captures the password prompt sent by the router. Therefore, the prompt is viewable in clear text. If you scrolled down the next few frames (frames numbered 98 to 103 in Figure 2-8), the password would be clearly visible. An intruder or hacker could piece together the password and gain unauthorized access. For security reasons, these frames are not shown, but it is clear that the Telnet application protocol is not a secure protocol; all data is sent as clear text (including the password exchanged).

SSH is implemented with TCP port 22 and UDP port 22 and ensures that data is encrypted, so a network sniffer cannot read it. SSH can be configured on both Cisco IOS routers and Catalyst switches. Typically, however, SSH software supplied by vendors supports only TCP port 22.

Figure 2-9 displays the SSH protocol layers.

NOTE Lightweight Directory Access Protocol (LDAP) is an Internet protocol that e-mail programs use to look up contact information from a server. For more details on LDAP, visit

Active Directory is a Windows-defined application that stores and manages network services, resources, and information about where computers and printers are located. Active Directory enables network administrators of Windows 2000 and 2003 servers to allocate and control how network resources are accessed by clients' PCs. LDAP can be used for much more than just email. For more information on Active Directory, visit

Figure 2-9 SSH Protocol Layers (top to bottom): SSH Connection Layer, SSH Authentication Layer, SSH Transport Layer, Network Interface

SSH sits on top of the TCP/IP layers, protecting the hosts from unknown devices. The SSH transport layer is responsible for securing the data by using encryption and authentication. Also, because SSH encrypts the username and password, SSH protects vulnerable devices from unknown users masquerading as trusted users. There are currently two versions of SSH: SSHv1 and SSHv2. Cisco IOS supports SSHv1 and SSHv2.
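The practical consequence of the Telnet capture in Figure 2-8 and of the SSH layering described above is that a Cisco IOS device should accept only SSH (and preferably only SSHv2) on its vty lines. The following is an added example, not code from the book: a small Python audit that parses a running-config, reports any vty line whose "transport input" still admits clear-text Telnet, and checks that "ip ssh version 2" is set. The two configurations embedded in it are constructed samples; the hostname, domain name and username are placeholders, and the assumption that a vty line with no "transport input" command defaults to "all" (the classic IOS behaviour) is noted in the code.

```python
"""Audit a Cisco IOS running-config for vty lines that still accept Telnet
and confirm that SSH version 2 is enforced.

Added example, not from the book.  The two configs below are constructed
samples.  The IOS commands they contain (ip ssh version 2, transport input ssh,
login local) are real IOS syntax; the hostname, domain name and username are
placeholders.  Note that 'crypto key generate rsa' is typed at the CLI to create
the host key and does not appear in the running-config, so it is not checked here.
"""
import re

# Constructed sample: vty lines still accept Telnet, so the line password is
# exchanged in clear text exactly as in the Figure 2-8 capture.
WEAK_CONFIG = """\
hostname R1
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
"""

# Constructed sample: the same router after SSH has been enforced.
HARDENED_CONFIG = """\
hostname R1
ip domain-name example.test
!
username admin secret <placeholder>
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 login local
 transport input ssh
!
"""


def parse_vty_transports(config):
    """Map each 'line vty ...' stanza to the protocol list of its
    'transport input' command, e.g. {"vty 0 4": ["ssh"]}."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        m = re.match(r"^line (vty \d+(?: \d+)?)$", raw)
        if m:
            current = m.group(1)
            # Assumption: a vty line with no 'transport input' keeps the classic
            # IOS default of 'all', which includes Telnet.
            stanzas[current] = ["all"]
            continue
        if current is None:
            continue
        if not raw.startswith(" "):
            current = None  # '!' or the next top-level command ends the stanza
            continue
        m = re.match(r"^\s+transport input (.+)$", raw)
        if m:
            stanzas[current] = m.group(1).split()
    return stanzas


def ssh_version_enforced(config):
    """True when the global 'ip ssh version 2' command is present."""
    return re.search(r"^ip ssh version 2$", config, re.M) is not None


def audit(config):
    """Return a list of human-readable findings; an empty list means the
    management plane accepts SSHv2 only."""
    findings = []
    for line_id, protos in parse_vty_transports(config).items():
        if "all" in protos or "telnet" in protos:
            findings.append(
                f"line {line_id}: transport input {' '.join(protos)} "
                "still allows clear-text Telnet"
            )
    if not ssh_version_enforced(config):
        findings.append("ip ssh version 2 not set: SSHv1 sessions are still accepted")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit(cfg) or ["no findings"]:
            print("  " + finding)
```

Run against a real device by pasting the output of "show running-config" into the string in place of the constructed samples; the parser only looks at vty stanzas and the global "ip ssh version" line, so the rest of the configuration can be left intact.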
