ssh on cisco

content/snippets/0260-administring-a-cisco-switch.md

@@ -41,9 +41,9 @@ exit
 exit
 ```
 
-The first `exit` leaves the interface, the second `exit` leaves the config session.
+The first `exit` leaves the VLAN, the second `exit` leaves the config session.
 
-If the VLAN should be used for management purposes it needs an IP address:
+If the VLAN should be used for management purposes additionally an interface for this VLAN is required with an IP address:
 
 ```
 configure terminal
@@ -122,3 +122,56 @@ exit
 `native` makes the VLAN untagged on that port.
 
 
+### SSH access and hardening measures
+
+First of all, the switch needs to know about time and requires a name:
+
+About time:
+```
+configure terminal
+ntp server de.pool.ntp.org
+clock timezone Etc/Utc
+exit
+```
+
+About names:
+```
+configure terminal
+hostname switch01
+ip domain-name mynetwork.intern
+exit
+```
+
+An user is required:
+```
+configure terminal
+username admin password geheim123
+exit
+```
+
+A host key must be generated:
+```
+crypto key generate rsa
+```
+This command will ask for the key length. Select 2048 bits.
+
+Set the SSH version:
+```
+ip ssh version 2
+```
+
+Configure the virtual terminals accordingly:
+```
+configure terminal
+line vty 0 15
+transport input ssh
+login local
+exit
+```
+
+As mentioned about, the switches support only quite old SSH protocols, so to access it use on the client side:
+```
+ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-rsa admin@192.168.2.1
+```
+
+