Check & Change SSH Version Of Cisco Switches


Scenario
Make: Cisco Switches
Model: Cisco 2960, 3650, etc.
Mode: Command Line Interface [CLI]
Description: In this article we discuss how to check the SSH version on Cisco switches and, where needed, how to change it. The SSH version on Cisco switches can be enabled, disabled, or upgraded/downgraded.

SSH (Secure Socket Shell) is a network protocol that runs over Transmission Control Protocol (TCP) port 22 and lets users or administrators access a device securely over an unsecured network. Secure Shell provides strong password authentication and public key authentication, as well as encrypted data communication between two computers connecting over an open network such as the internet.

SSH Version Check

Use the command shown below to check the current SSH version and the SSH status on the switch. In the example below, SSH is enabled and SSH version 2 is active.

edledge-switch#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC4b+fs2erCMy4KKX/Vq9NwEFcKWCcFQodjTIbaLKgMjxkpMUyAkOVQ3RypQzFK1sfx
wHspap+mPAl7i9wyVPcoj0SAvlCTgMTa6oOAtZsxpGOoh8kPFYKtm5RWu/lFvbNhSPrfmxAHwPBGhCjMLbOSVut19KSGizLD138OIgjI
ew==

In some cases the output of sh ip ssh shows version 1.99. SSH v1.99 means the switch accepts both SSHv1 and SSHv2 connections.

edledge-switch#sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

Change SSH Version

In this section of the article we will see how to change the SSH version on the switch. Suppose a switch has SSH version 1.99 enabled; we will change it to SSH version 2.

edledge-switch#conf t
edledge-switch(config)#ip ssh version 2
Please create RSA keys to enables SSH (and of atleast 768 bits for SSH v2).

Now create an RSA key pair for the SSH connection, as shown below.

edledge-switch#conf t
edledge-switch(config)#crypto key generate rsa modulus 2048
INFO: The name for the keys will be: edledge-switch
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)
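When the same check has to be run across many switches, it helps to parse the sh ip ssh output programmatically and flag the cases the two sections above describe: SSH disabled (no RSA keys yet), version 1.99 or 1.5 (SSHv1 still accepted), and a small minimum Diffie-Hellman size. The script below is an added example and is not part of the original article or of any Cisco tool. The sample outputs in it are constructed, modelled on the output quoted above, not captured from a device; the ip ssh dh min size command it recommends for the DH finding is a real IOS command but is not shown in the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample 'show ip ssh' outputs. These are constructed for this example, modelled
# on the output quoted in the article; they were not captured from a device.
SAMPLE_V2 = (
    "SSH Enabled - version 2.0\n"
    "Authentication timeout: 120 secs; Authentication retries: 3\n"
    "Minimum expected Diffie Hellman key size : 1024 bits\n"
)
SAMPLE_V199 = (
    "SSH Enabled - version 1.99\n"
    "Authentication timeout: 120 secs; Authentication retries: 3\n"
)
SAMPLE_NO_KEYS = (
    "SSH Disabled - version 1.99\n"
    "%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).\n"
)


@dataclass
class SshStatus:
    enabled: bool
    version: str                 # "1.5" (v1 only), "1.99" (v1 and v2), "2.0" (v2 only)
    auth_timeout: Optional[int]  # seconds
    auth_retries: Optional[int]
    min_dh_bits: Optional[int]   # line is absent on some IOS releases


def parse_show_ip_ssh(text: str) -> SshStatus:
    """Parse the header lines of 'show ip ssh' into an SshStatus."""
    head = re.search(r"SSH (Enabled|Disabled)\s*-\s*version\s+([\d.]+)", text)
    if head is None:
        raise ValueError("input does not look like 'show ip ssh' output")
    timeout = re.search(r"Authentication timeout:\s*(\d+)\s*secs", text)
    retries = re.search(r"Authentication retries:\s*(\d+)", text)
    dh = re.search(r"Diffie Hellman key size\s*:\s*(\d+)\s*bits", text)
    return SshStatus(
        enabled=head.group(1) == "Enabled",
        version=head.group(2),
        auth_timeout=int(timeout.group(1)) if timeout else None,
        auth_retries=int(retries.group(1)) if retries else None,
        min_dh_bits=int(dh.group(1)) if dh else None,
    )


def audit(status: SshStatus, min_dh_bits: int = 2048) -> List[str]:
    """Return a list of findings; an empty list means the switch passes."""
    findings: List[str] = []
    if not status.enabled:
        # No key pair yet: the article's remediation is to generate one
        findings.append("SSH is disabled: generate a key pair with "
                        "'crypto key generate rsa modulus 2048'")
    if status.version != "2.0":
        # 1.5 = SSHv1 only, 1.99 = SSHv1 and SSHv2 both accepted
        findings.append(f"version {status.version} still accepts SSHv1: "
                        "set 'ip ssh version 2'")
    if status.min_dh_bits is not None and status.min_dh_bits < min_dh_bits:
        # 'ip ssh dh min size' is an IOS command not shown in the article
        findings.append(f"minimum DH key size {status.min_dh_bits} < {min_dh_bits}: "
                        f"set 'ip ssh dh min size {min_dh_bits}'")
    return findings


if __name__ == "__main__":
    for name, output in [("v2", SAMPLE_V2), ("v1.99", SAMPLE_V199), ("no-keys", SAMPLE_NO_KEYS)]:
        result = audit(parse_show_ip_ssh(output))
        print(name, "PASS" if not result else "FAIL")
        for finding in result:
            print("  -", finding)
```

In practice the text fed to parse_show_ip_ssh would come from the output of sh ip ssh collected over an existing management connection; the parser only looks at the header lines, so the trailing key material in the output is ignored.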

Using the above method we can change the SSH version of the switch. SSH can be configured on a Cisco ASA as well. Follow the attached link if you are looking to configure SPAN (port monitoring) on a switch, or RADIUS on a standalone Dell switch or standalone Cisco switch. RADIUS can also be configured for fail-over on Dell switches and Cisco switches.

Source: Cisco, Knowledge Base, Lab

EA00061
