📘 CCNA 200-301 v1.1
4.8 Configure network devices for remote access using SSH
SSH (Secure Shell) is a protocol that allows you to securely connect to a network device (like a router or switch) over the network. Unlike Telnet, which sends everything in clear text, SSH encrypts the session, so usernames, passwords, and commands cannot be read by anyone capturing the traffic.
In CCNA, you should know how to configure SSH on Cisco devices and verify that it works.
Step 1: Requirements for SSH
Before you configure SSH, the device needs some things:
- Hostname – The device must have a name.
- Domain Name – The device must have a domain name configured (used to generate encryption keys).
- User Accounts – At least one username and password to log in.
- Crypto Keys – SSH uses encryption, so the device needs a key pair.
- VTY Lines – These are virtual lines used for remote access (SSH or Telnet).
Step 2: Assign Hostname and Domain Name
SSH depends on a hostname and domain name to generate encryption keys.
Example:
Router> enable
Router# configure terminal
Router(config)# hostname R1
R1(config)# ip domain-name example.com
- hostname R1 → sets the router name to R1.
- ip domain-name example.com → sets the domain name needed to generate the SSH keys.
Step 3: Create a Local User Account
SSH needs a local username and password.
Example:
R1(config)# username admin privilege 15 secret MyPass123
- admin → username
- privilege 15 → full admin rights
- secret MyPass123 → password stored in hashed form instead of clear text
Note:
secret is preferred over password because it stores a hash of the password, while password keeps it in clear text (or only weakly obscured) in the configuration.
Step 4: Generate RSA Keys
SSH requires an RSA key pair for encryption.
Example:
R1(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
- 1024 bits is a common minimum for CCNA.
- This creates the key pair used for encrypting SSH traffic.
Step 5: Configure VTY Lines for SSH
VTY lines are the virtual lines that allow remote connections. You need to:
- Enable login using the local user database.
- Specify SSH as the allowed protocol.
Example:
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit
Explanation:
- line vty 0 4 → configures lines 0 to 4 (5 simultaneous remote sessions).
- login local → uses local usernames for authentication.
- transport input ssh → only allows SSH (blocks Telnet).
Step 6: Verify SSH Configuration
After configuration, check if SSH works:
R1# show ip ssh
This shows SSH status, version, and key length.
Also, test with a remote client (like PuTTY or another router):
ssh -l admin 192.168.1.1
- -l admin → username
- 192.168.1.1 → IP of the router or switch
If it asks for a password and lets you in, SSH is working.
Step 7: Optional Security Settings
- Set SSH Version 2 (more secure):
R1(config)# ip ssh version 2
- Set SSH timeout and retries:
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 2
- time-out → how many seconds SSH waits for the login to complete
- authentication-retries → how many wrong password attempts are allowed before the session is disconnected
These settings limit how long an unauthenticated session can stay open and how many passwords it can try, which improves security.
Step 8: Key Exam Commands to Know
- Basic SSH configuration commands:
hostname R1
ip domain-name example.com
username admin privilege 15 secret MyPass123
crypto key generate rsa
line vty 0 4
login local
transport input ssh
- Verification commands:
show ip ssh # verify SSH status
show running-config # verify user and VTY config
ping <ip-address> # test network connectivity
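The checklist above (Steps 2 to 7) can be turned into an audit of the device's running-config. The following Python script is an added example written for this page, not a Cisco IOS feature or part of the CCNA material: it reads the text of show running-config and reports which of the SSH requirements in this section are missing. The two configurations it checks are constructed samples; the function and finding messages are this example's own.

```python
"""Audit a Cisco IOS running-config for the SSH settings covered in this section.

Hypothetical helper (not an IOS command). It checks the text of
`show running-config` for: a non-default hostname, ip domain-name, a local
user defined with `secret`, `ip ssh version 2`, and VTY lines that use
`login local` and `transport input ssh` only.
"""
import re

# Constructed sample: a configuration that follows every step above.
GOOD_CONFIG = """\
hostname R1
!
ip domain-name example.com
!
username admin privilege 15 secret 9 $9$CONSTRUCTED_HASH_PLACEHOLDER
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
line vty 0 4
 login local
 transport input ssh
!
end
"""

# Constructed sample: common lab mistakes (default hostname, clear-text
# password, no domain name, no SSHv2, Telnet still allowed on the VTYs).
WEAK_CONFIG = """\
hostname Router
!
username admin privilege 15 password 0 MyPass123
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
end
"""


def _vty_blocks(lines):
    """Yield (header, [sub-commands]) for every 'line vty ...' block.
    In IOS output the sub-commands of a line block are indented by one space."""
    block = None
    for line in lines:
        if line.startswith("line vty"):
            if block:
                yield block
            block = (line.strip(), [])
        elif block is not None and line.startswith(" "):
            block[1].append(line.strip())
        else:
            if block:
                yield block
            block = None
    if block:
        yield block


def audit_ssh_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    lines = config_text.splitlines()
    findings = []

    hostname = next((l.split(None, 1)[1] for l in lines if l.startswith("hostname ")), None)
    if hostname is None or hostname in ("Router", "Switch"):
        findings.append("hostname: missing or left at the factory default")

    # Newer IOS prints 'ip domain name' without the hyphen; accept both.
    if not any(re.match(r"ip domain[- ]name \S+", l) for l in lines):
        findings.append("ip domain-name: missing (needed to generate the RSA keys)")

    users = [l for l in lines if l.startswith("username ")]
    if not users:
        findings.append("username: no local user account")
    for u in users:
        if " password " in u:
            findings.append(f"{u.split()[1]}: uses 'password' instead of 'secret'")

    if not any(l.strip() == "ip ssh version 2" for l in lines):
        findings.append("ip ssh version 2: not enforced")

    vty = list(_vty_blocks(lines))
    if not vty:
        findings.append("line vty: no VTY lines configured")
    for header, subs in vty:
        if "login local" not in subs:
            findings.append(f"{header}: 'login local' missing")
        transports = [s for s in subs if s.startswith("transport input")]
        if not transports:
            findings.append(f"{header}: 'transport input ssh' not set explicitly")
        elif any(t != "transport input ssh" for t in transports):
            findings.append(f"{header}: transport input allows more than SSH")
    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("WEAK_CONFIG", WEAK_CONFIG)):
        print(name, "->", audit_ssh_config(cfg) or "OK")
```

Paste the output of show running-config into a file and pass its contents to audit_ssh_config() to get the same checks the exam expects you to do by eye; a clean result for the first sample and six findings for the second show what each step in the procedure guards against.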
✅ Summary
To configure SSH on Cisco devices for remote access:
- Set a hostname and domain name.
- Create a local user account with a secret password.
- Generate RSA keys for encryption.
- Configure VTY lines to allow SSH and local login.
- Optionally, enforce SSH version 2 and set timeout/retries.
- Verify with show ip ssh and by logging in from a client.
SSH is important because it secures remote access to network devices, replacing Telnet.
