SSH switch config
-- we willen een console password
dat onzichtbaar is in the running-config
.
-- we willen een enable secret
.
-- we willen ssh
gebruiken.
-
howto -- om ssh te gebruiken op een switch is nodig:
a. hostname
Switch(config)# hostname S1
b. enable secret
Switch(config)# enable secret xyz12345
c. sterkere paswoord encryptie, met service password encryption
Switch(config)# service password-encryption
d. EEN local useraccount aanmaken
username
<ssh-gebruikersnaam>
secret
<sterk paswoord>
e. vlan XY met ip address (voorbeeld 39)
int vlan 39
ip addr <ip adres> <netmask>
no shut
f. minstens EEN interface op de switch plaatsen in VLAN XY (39) van hierboven
int Fa0/15
switchport mode access
switchport access vlan 39
no shut
g. ssh instellen
hostname Switch123
ip domain-name yourdomain.com
crypto key generate rsa
[ key van 2048 ]
h. ssh configureren op een VTY lijn
line vty 0 4
login local
transport input ssh
exec-timeout 5
i. switch pingen op zijn IP-address vanaf een laptop of pc
in de poort vanVLAN39
(zoals hierboven in punten c en d)Fa0/15
C:\> ping <ip-adres-van-de-switch>
j. inloggen op je switch vanaf je laptop (zie hierboven) met
C:\> ssh -l <username> <ip-adres-van-de-switch>
- voorbeeld 2:
Cisco Internetwork Operating System Software IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE(fc1) Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Wed 18-May-05 22:31 by jharirba Press RETURN to get started! %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up Switch> enable Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# hostname S1 S1(config)# enable secret en12345 S1(config)# line console 0 S1(config-line)# password con12345 S1(config-line)# login S1(config-line)# exit S1(config)# service password-encryption S1(config)# interface vlan 1 S1(config-if)# ip address 192.168.1.201 255.255.255.0 S1(config-if)# no shutdown S1(config-if)# exit %LINK-5-CHANGED: Interface Vlan1, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up S1(config)# ip domain-name thisdomain.net S1(config)# crypto key generate rsa The name for the keys will be: S1.thisdomain.net Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 2048 % Generating 2048 bit RSA keys, keys will be non-exportable...[OK] S1(config)# user weareroot secret ssh12345 *Mar 1 0:3:32.920: %SSH-5-ENABLED: SSH 1.99 has been enabled S1(config)# line vty 0 15 S1(config-line)# login local S1(config-line)# transport input ssh S1(config-line)# exec-timeout 5 S1(config-line)# end S1# %SYS-5-CONFIG_I: Configured from console by console S1# copy run start Destination filename [startup-config]? Building configuration... [OK] S1#
- login from packettracer CLI-tab
Cisco Internetwork Operating System Software IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE(fc1) Copyright (c) 1986-2005 by cisco Systems, Inc. Press RETURN to get started! User Access Verification Password: con12345 ! this is what we type but do not see S1> enable Password: en12345 ! this is what we type but do not see S1#
- running-config
show running-config Building configuration... Current configuration : 1279 bytes ! version 12.1 no service timestamps log datetime msec no service timestamps debug datetime msec service password-encryption ! hostname S1 ! enable secret 5 $1$mERr$z5rrmPNmDri/9pcNOiP4X1 ! ip domain-name thisdomain.net ! username weareroot secret 5 $1$mERr$z3NR48hOwWrawIvgupWtn1 ! ! spanning-tree mode pvst ! interface FastEthernet0/1 ! ( snipped ) ! interface FastEthernet0/24 ! interface GigabitEthernet0/1 ! interface GigabitEthernet0/2 ! interface Vlan1 ip address 192.168.1.201 255.255.255.0 ! line con 0 password 7 08224340584B564347 login ! line vty 0 4 login local transport input ssh line vty 5 15 login local transport input ssh ! ! end
- WARNINGS
Notice that the console password uses service 7 encryption, which can be reversed immediately ...Decrypt Cisco Type 7 Passwords https://www.networkers-online.com/tools/cisco-type7-password-decrypt/ Password to Decrypt: 08224340584B564347 Your Password is con12345
For
enable secret 5 $1$mERr$z5rrmPNmDri/9pcNOiP4X1
and forusername weareroot secret 5 $1$mERr$z3NR48hOwWrawIvgupWtn1
a brute force attack will yield your password sooner or later depending on the length of this password.
DO NOT USE THE SAME PASSWORD for CONSOLE as for SSH
DO NOT USE OUR CONSOLE PASSWORD FOR ANYTHING ELSE ...
DO NOT USE YOUR SSH-PASSWORD anywhere else
- login from PC-1
PC-1> ssh -l weareroot 192.168.1.201 Open Password: ssh12345 S1> enable Password: en12345 S1#