
Secure Remote Access on Cisco Devices

Introduction

Today, network administrators often need to access switches, routers, and other devices from far away. In the past, Telnet was used for this, but it sends usernames, passwords, and data in plain text, which is not safe.

SSH (Secure Shell) is a safer way to connect. It encrypts all communication between the administrator and the device. SSH keeps data confidential, protects it from tampering in transit, and authenticates the login, making it the best choice for remote access to Cisco devices.

This article explains why SSH is important, how to set it up on Cisco devices, and tips to keep remote management secure.

Understanding Telnet and Its Risks

Sometimes, you cannot access your switch directly and need to connect to it remotely. It is important that this remote access is secure. One way to do this is by using Secure Shell (SSH). You can try configuring SSH in Packet Tracer to practice.

Telnet is an older protocol that uses TCP port 23. It is not secure because it sends the username, password, and data in plain text. This means someone could capture the information using a tool like Wireshark. For example, a hacker could see a username like admin and a password like ccna from a Telnet session.

SSH for Secure Remote Access

Secure Shell (SSH) is a safe protocol that uses TCP port 22. It allows administrators to securely connect to and manage a remote device. SSH should be used instead of Telnet for remote management.

SSH keeps connections safe by encrypting the data and login information (username and password) between devices.

For example, if someone captures the network traffic using a tool like Wireshark, they can see the IP address of the administrator’s device. But unlike Telnet, SSH keeps the username and password secret because they are encrypted.

Configure SSH

Before setting up SSH, the switch needs a few basic settings. It should have a unique hostname and an IP address with the correct subnet mask on the management VLAN. You also need to set a domain name because it is required to create SSH keys. Finally, create local user accounts with strong passwords to log in securely using SSH.

Step 1. Check if SSH is Supported

Use the command show ip ssh to see whether the switch supports SSH. If the switch does not run an IOS image with the cryptographic feature set, the command is not recognized.

On a switch that supports SSH but has not been configured yet, the output reports that SSH is disabled: the switch must generate RSA keys (at least 768 bits) before SSH version 2 can be enabled. The output also shows the default settings: 120 seconds to complete the login, and 3 login attempts allowed.

Step 2. Set the IP Domain

Set the network's domain name using the command:

Sw1(config)# ip domain-name techshifa.com

This example uses techshifa.com as the domain name. The domain name is needed to create the SSH keys later.

Step 3. Create RSA Keys

Some IOS versions do not use SSH version 2 by default, and SSH version 1 is not secure. To use SSH version 2, type:

Sw1(config)# ip ssh version 2

Next, create an RSA key pair to enable the SSH server. Use this command:

Sw1(config)# crypto key generate rsa

The switch will ask you for a key size (modulus). In this example, 1024 bits is used. Bigger keys are more secure but take longer to create and use.

If you want to remove the RSA keys, use Sw1(config)# crypto key zeroize rsa. This will also turn off the SSH server.

Step 4. Set Up User Login

The SSH server can check users using a local account or an external server. To use a local account, create a username and password with this command:

Sw1(config)# username admin secret ccna

In this example, the username is admin and the password is ccna. This account will be used to log in through SSH.

Step 5. Set Up VTY Lines

Restrict the VTY lines so that only SSH is accepted as the incoming transport. This blocks Telnet and any other unencrypted connection.

Use these commands:

Sw1(config)# line vty 0 15
Sw1(config-line)# transport input ssh
Sw1(config-line)# login local
Sw1(config-line)# exit

This sets the switch to accept SSH connections only and use the local username and password for login.

Step 6. Verify SSH is Working

To check if SSH is working, use an SSH client on a PC, like PuTTY, to connect to the switch.

For example, assume the following setup:

  • SSH is turned on for switch Sw1

  • Switch Sw1 has VLAN 1 with IP address 192.168.1.10

  • PC1 has IP address 192.168.1.21

In PuTTY, enter the IP address of the switch (192.168.1.10) and select SSH as the connection type. Then, try to log in using the local username and password you created earlier. If you can log in successfully, SSH is working.

Figures: the PuTTY login screen (enter the IP address and user name, then click Open), the password prompt, and the switch CLI reached through PuTTY.

When a user connects, they are asked for a username and password. In this example, the username is admin and the password is ccna. If the correct details are entered, the user is connected to the switch through SSH and can use the command line interface (CLI) on the Catalyst 2960 switch.
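Once the six steps are done, the result can be verified from the running-config as well as by logging in. The following audit script is an added example, not part of the original article or any Cisco tool: it checks a saved show running-config for the settings configured in Steps 2 through 5 (domain name, ip ssh version 2, a local user with a secret, and SSH-only VTY lines with login local). The sample config, hostname, user and addresses are constructed for illustration.

```python
import re

# Constructed sample: a trimmed running-config after the steps above.
# Note the second VTY range still allows Telnet, which the audit should flag.
SAMPLE_CONFIG = """\
hostname Sw1
ip domain-name techshifa.com
ip ssh version 2
username admin secret 5 $1$example$hashedvalue
interface Vlan1
 ip address 192.168.1.10 255.255.255.0
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login local
"""

def vty_blocks(config):
    """Return a list of (range, [indented child lines]) for each 'line vty' block."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = (line.split(None, 2)[2], [])
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = None          # left the line vty section
    return blocks

def audit_ssh(config):
    """Map each check from the article's steps to True (pass) or False (fail)."""
    lines = config.splitlines()
    blocks = vty_blocks(config)
    findings = {
        "hostname_set": any(re.match(r"hostname (?!Switch$)\S+", l) for l in lines),
        "domain_name_set": any(l.startswith("ip domain-name ") for l in lines),
        "ssh_version_2": "ip ssh version 2" in lines,
        "local_user_with_secret": any(re.match(r"username \S+ secret ", l) for l in lines),
        "all_vty_ssh_only": bool(blocks),   # no vty config at all means default transport
        "all_vty_login_local": bool(blocks),
    }
    for _rng, children in blocks:
        transport = [c for c in children if c.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            findings["all_vty_ssh_only"] = False   # Telnet (or anything else) still allowed
        if "login local" not in children:
            findings["all_vty_login_local"] = False
    return findings
```

Run audit_ssh on the text of show running-config; any False entry points at the step that still needs to be applied to that line range.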

Conclusion

SSH is a safe way to connect to Cisco switches and routers from far away. Unlike Telnet, SSH hides usernames, passwords, and data using encryption. By giving the switch a hostname, domain name, RSA keys, a user account, and VTY line settings, you can turn on SSH. Always use SSH instead of Telnet to keep your devices and network safe.