
SSH switch config

 
-- we want a console password that is not visible in the running-config.
-- we want an enable secret.
-- we want to use ssh.

secure-switch-config
  1. howto -- to use ssh on a switch you need:
     
    a. enable secret
     
    b. create ONE local user account
    username <ssh-username> secret <strong password>
     
    c. vlan XY with an ip address (example: 39)
    int vlan 39
    ip addr <ip address> <netmask>
    no shut

     
    d. place at least ONE interface on the switch in VLAN XY (39) from above
    int Fa0/15
    switchport mode access
    switchport access vlan 39
    no shut
     
    e. set up ssh
    hostname Switch123
    ip domain-name yourdomain.com
    crypto key generate rsa
    [ key size 2048 ]

     
    f. configure ssh on a VTY line
    line vty 0 4
    login local
    transport input ssh
    exec-timeout 5

     
    g. ping the switch on its IP address from a laptop or PC
    plugged into the VLAN 39 port (see points c and d above) Fa0/15
    C:\> ping <ip-address-of-the-switch>
     
    h. log in to your switch from your laptop (see above) with
    C:\> ssh -l <username> <ip-address-of-the-switch>

  2. example 2:
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE(fc1)
    Copyright (c) 1986-2005 by cisco Systems, Inc.
    Compiled Wed 18-May-05 22:31 by jharirba
     
      Press RETURN to get started!
     
      %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
      %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
     
    Switch> enable
    Switch# configure terminal
      Enter configuration commands, one per line.  End with CNTL/Z.
     
    Switch(config)#  hostname S1
     
    S1(config)#      enable secret en12345
    S1(config)#      line console 0
    S1(config-line)# password con12345
    S1(config-line)# login
    S1(config-line)# exit
    S1(config)#      service password-encryption
     
    S1(config)#      interface vlan 1
    S1(config-if)#   ip address 192.168.1.201 255.255.255.0
    S1(config-if)#   no shutdown
    S1(config-if)#   exit
     
      %LINK-5-CHANGED: Interface Vlan1, changed state to up
      %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
     
    S1(config)#      ip domain-name thisdomain.net
    S1(config)#      crypto key generate rsa
     
      The name for the keys will be: S1.thisdomain.net
      Choose the size of the key modulus in the range of 360 to 2048 for your
      General Purpose Keys. Choosing a key modulus greater than 512 may take
      a few minutes.
     
    How many bits in the modulus [512]:     2048
      % Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
     
    S1(config)#     user weareroot secret ssh12345
      *Mar 1 0:3:32.920:  %SSH-5-ENABLED: SSH 1.99 has been enabled 
     
    S1(config)#      line vty 0 15
    S1(config-line)# login local
    S1(config-line)# transport input ssh
    S1(config-line)# exec-timeout 5
    S1(config-line)# end
    S1#
     
      %SYS-5-CONFIG_I: Configured from console by console
     
    S1#              copy run start
    Destination filename [startup-config]? 
      Building configuration...
      [OK]
    S1#

     

  3. login from the Packet Tracer CLI tab
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE(fc1)
    Copyright (c) 1986-2005 by cisco Systems, Inc.
    Press RETURN to get started!
      User Access Verification
    Password:  con12345     ! this is what we type but do not see
     
    S1> enable
    Password:  en12345     ! this is what we type but do not see
    S1#

     

  4. running-config
    show running-config
    Building configuration...
     
    Current configuration : 1279 bytes
    !
    version 12.1
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    service password-encryption
    !
    hostname S1
    !
    enable secret 5 $1$mERr$z5rrmPNmDri/9pcNOiP4X1
    !
    ip domain-name thisdomain.net
    !
    username weareroot secret 5 $1$mERr$z3NR48hOwWrawIvgupWtn1
    !
    !
    spanning-tree mode pvst
    !
    interface FastEthernet0/1
    !
    ( snipped )
    !
    interface FastEthernet0/24
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
    !
    interface Vlan1
    ip address 192.168.1.201 255.255.255.0
    !
    line con 0
    password 7 08224340584B564347
    login
    !
    line vty 0 4
    login local
    transport input ssh
    line vty 5 15
    login local
    transport input ssh
    !
    !
    end

     

  5. WARNINGS
    Notice that the console password uses type 7 encryption (applied by service password-encryption), which can be reversed immediately ...
    Decrypt Cisco Type 7 Passwords
    https://www.networkers-online.com/tools/cisco-type7-password-decrypt/
     
    Password to Decrypt: 08224340584B564347
     
    Your Password is con12345

    For enable secret 5 $1$mERr$z5rrmPNmDri/9pcNOiP4X1
    and for username weareroot secret 5 $1$mERr$z3NR48hOwWrawIvgupWtn1
    a brute force attack will yield your password sooner or later depending on the length of this password.
     
    DO NOT USE THE SAME PASSWORD for CONSOLE as for SSH
    DO NOT USE OUR CONSOLE PASSWORD FOR ANYTHING ELSE ...
    DO NOT USE YOUR SSH-PASSWORD anywhere else
     

  6. login from PC-1
    PC-1> ssh -l  weareroot 192.168.1.201
    Open
    Password:  ssh12345
    S1> enable
    Password:  en12345
    S1#
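
An added example (not part of the original page): a small Python audit of a running-config for the weaknesses listed under WARNINGS, run against a constructed excerpt of the step 4 output. The `audit` function, its rule tables, and the extra checks for `exec-timeout` and `ip ssh version 2` (the log in step 2 reports SSH 1.99, which means protocol version 1 is still accepted) are assumptions added here.

```python
import re

# Constructed sample: the security-relevant lines of the running-config in step 4.
SAMPLE = """\
enable secret 5 $1$mERr$z5rrmPNmDri/9pcNOiP4X1
username weareroot secret 5 $1$mERr$z3NR48hOwWrawIvgupWtn1
!
line con 0
password 7 08224340584B564347
login
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
"""

# Credential-storage rules, applied to every command in every section.
CREDENTIAL_RULES = [
    (r"\b(password|secret) 7 ", "type 7 is reversible encoding, not a hash"),
    (r"\bsecret 5 ", "type 5 (MD5-crypt) hash: only as strong as the password"),
]
# Each VTY block needs these: label -> regex matched from the start of a command.
VTY_REQUIRED = {"transport input ssh": r"transport input ssh$",  # SSH only
                "login local": r"login local$", "exec-timeout": r"exec-timeout \d"}

def audit(config):
    """Return sorted (section, finding) pairs for an IOS running-config text."""
    findings, section, vty = set(), "global", {}
    for cmd in (raw.strip() for raw in config.splitlines()):
        if cmd in ("", "!"):
            section = "global"            # '!' closes the current block
        elif cmd.startswith("line "):
            section = cmd
            if cmd.startswith("line vty"):
                vty[section] = []
        elif section in vty:
            vty[section].append(cmd)
        for pattern, finding in CREDENTIAL_RULES:
            if re.search(pattern, cmd):
                findings.add((section, finding))
    for name, cmds in vty.items():
        for label, pattern in VTY_REQUIRED.items():
            if not any(re.match(pattern, c) for c in cmds):
                findings.add((name, "missing '%s'" % label))
    if not re.search(r"^\s*ip ssh version 2\s*$", config, re.M):  # added check
        findings.add(("global", "missing 'ip ssh version 2'"))
    return sorted(findings)
```

On the sample, `audit(SAMPLE)` reports the type 7 console password, the type 5 hashes, the missing `ip ssh version 2`, and that neither VTY block in the step 4 output carries the `exec-timeout` that was set in step 2.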