Understanding RSA
RSA is the cryptographic backbone of SSH on Cisco IOS. Generating an RSA key pair produces a Public Key (which locks the data and is handed to connecting clients) and a Private Key (which unlocks it and never leaves the router). Before you can enable SSH on a Cisco router, you must generate this key pair: it becomes the router's SSH host key and establishes the router's identity to every client that connects.
Task 1: Identity & Domain
RSA keys are labelled with the device's Fully Qualified Domain Name (FQDN), that is, its hostname plus a domain name, so a domain name must be configured before the key pair can be generated. The key label shown in Task 2 (R1.lab-net.com) comes from these two values.
R1(config)# hostname R1
R1(config)# ip domain-name lab-net.com
Task 2: Generate the RSA Keys
Generate the key pair. When prompted, choose 2048 bits; smaller moduli are rejected by modern SSH clients.
R1(config)# crypto key generate rsa
The name for the keys will be: R1.lab-net.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
Task 3: Harden SSH Settings
Enable SSH version 2 only and set conservative limits on how long an unauthenticated session may stay open and how many password attempts it gets.
Why ip ssh time-out
If an SSH client connects but has not completed authentication within 60 seconds, the router drops the connection, so a half-open session cannot tie up a VTY line indefinitely.
Why ip ssh authentication-retries
If a client fails authentication 3 times on one connection, the router disconnects it, which slows down password guessing against the router.
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 3
Task 4: Lock Down VTY Lines
Apply the settings to the virtual terminal lines (the lines that serve Telnet/SSH access) and restrict them to SSH, which disables insecure Telnet on those lines.
R1(config)# line vty 0 4
! The VTY lines still need a credential source (a local username with
! 'login local', or an AAA method) or SSH logins will be refused.
R1(config-line)# transport input ssh
R1(config-line)# exit
Verification
R1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3
R1# show crypto key mypubkey rsa
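To check that Tasks 1 to 4 actually took effect on a device, the following added example (not part of the original page, and not a Cisco tool) parses the text of show ip ssh and a running-config the way a compliance script would, and reports every hardening step that is missing. The two device outputs embedded in the script are constructed samples in the format shown above, not captures from a real router; the hostname, domain name and VTY range are the ones used on this page.

```python
import re

# Constructed sample outputs (not captured from a real device): they mirror the
# format of the page's 'show ip ssh' output and a minimal 'show running-config'.
HARDENED_SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3
"""

HARDENED_CONFIG = """\
hostname R1
!
ip domain-name lab-net.com
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 login local
 transport input ssh
!
"""

# A router where only the RSA key pair was generated and nothing was hardened:
# IOS then accepts SSH 1 and 2 ("1.99"), uses the 120 s default timeout,
# and the VTY lines still allow Telnet.
WEAK_SHOW_IP_SSH = """\
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
"""

WEAK_CONFIG = """\
hostname R1
!
ip domain-name lab-net.com
!
line vty 0 4
 login
 transport input all
!
"""


def parse_show_ip_ssh(output):
    """Extract state, version, timeout and retry count from 'show ip ssh' text."""
    info = {"enabled": False, "version": None, "timeout": None, "retries": None}
    m = re.search(r"SSH (Enabled|Disabled)(?: - version ([\d.]+))?", output)
    if m:
        info["enabled"] = m.group(1) == "Enabled"
        info["version"] = m.group(2)
    m = re.search(r"Authentication timeout: (\d+) secs; Authentication retries: (\d+)", output)
    if m:
        info["timeout"] = int(m.group(1))
        info["retries"] = int(m.group(2))
    return info


def vty_blocks(config):
    """Return [(header, [sub-commands])] for every 'line vty' section."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())
        else:
            current = None  # '!' or any unindented line ends the section
    return blocks


def audit(show_ip_ssh, config, max_timeout=60, max_retries=3):
    """Compare device state against the hardening tasks; return a list of findings."""
    findings = []
    ssh = parse_show_ip_ssh(show_ip_ssh)
    if not ssh["enabled"]:
        findings.append("SSH is disabled: check that an RSA key pair exists")
    elif ssh["version"] != "2.0":
        findings.append(f"SSH version is {ssh['version']}; set 'ip ssh version 2'")
    if ssh["timeout"] is None or ssh["timeout"] > max_timeout:
        findings.append(f"authentication timeout {ssh['timeout']} exceeds {max_timeout} secs")
    if ssh["retries"] is None or ssh["retries"] > max_retries:
        findings.append(f"authentication retries {ssh['retries']} exceeds {max_retries}")
    if not re.search(r"^ip domain-name \S+", config, re.MULTILINE):
        findings.append("no 'ip domain-name' configured (RSA key label incomplete)")
    blocks = vty_blocks(config)
    if not blocks:
        findings.append("no 'line vty' section found")
    for header, cmds in blocks:
        if "transport input ssh" not in cmds:
            findings.append(f"{header}: transport input is not restricted to ssh")
        if not any(c == "login local" or c.startswith("login authentication") for c in cmds):
            findings.append(f"{header}: no local or AAA login method, SSH users cannot authenticate")
    return findings


if __name__ == "__main__":
    for label, show, cfg in (("hardened", HARDENED_SHOW_IP_SSH, HARDENED_CONFIG),
                             ("weak", WEAK_SHOW_IP_SSH, WEAK_CONFIG)):
        problems = audit(show, cfg)
        print(f"{label}: {'compliant' if not problems else 'findings:'}")
        for p in problems:
            print("  -", p)
```

The hardened sample yields no findings; the weak one yields four (SSH 1.99 still offered, 120-second timeout, Telnet still allowed, no login method). Feeding the script real output means pasting show ip ssh and show running-config text into the two variables, or reading them from files; the parsing keys only on the fixed strings IOS prints, so it does not depend on a specific IOS release.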