However, the SSHv1 protocol has fundamental design flaws; SSH Version 2 is a reworked and stronger protocol and should be used wherever the IOS image supports it. SSH combined with AAA authentication through TACACS+ or RADIUS provides the most secure and scalable
access mechanism. Example 3-4 shows how to configure SSH on the vty lines. (AAA configuration examples are provided elsewhere in this book.)
Example 3-4. Configuring VTY Access Using SSH and Access List
Router(config)# hostname R1
R1(config)# username cisco password cisco
R1(config)# ip domain-name syd.cisco.com
R1(config)# crypto key generate rsa
R1(config)# ip ssh version 2
R1(config)# access-list 10 permit 10.1.1.1
R1(config)# access-list 10 permit 10.1.1.2
R1(config)# access-list 10 permit 192.168.1.1
R1(config)# access-list 10 deny any log
R1(config)# line vty 0 4
R1(config-line)# access-class 10 in
R1(config-line)# exec-timeout 10 0
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# end
R1#
The transport input ssh command stipulates that only the SSH protocol may be used for interactive logins to the router; Telnet connection attempts are refused. The access-class 10 in command limits incoming vty connections to the source addresses permitted by access list 10, and the deny any log entry records every rejected attempt. Because SSH authenticates a username, the vty lines must use the local username database (login local) or AAA rather than a line password alone. The ip ssh version 2 command restricts the router to SSHv2 so that the weaker SSHv1 cannot be negotiated.
Note
SSH requires a Crypto (k9) IOS image. The hostname and ip domain-name commands must be configured before crypto key generate rsa, because the RSA key pair is named from them. In production, prefer username name secret password, which stores a hashed password, over username name password password.
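The following audit script is an added example, not code from the book. It parses an IOS-style running configuration and checks each line vty stanza for the controls Example 3-4 puts in place (SSH-only transport, an inbound access-class that references a defined access list, an idle timeout, username-based login, and SSHv2). Both configurations it runs against are constructed samples embedded in the script; the function and finding names are the example's own.

```python
"""Audit IOS-style vty configuration for the hardening shown in Example 3-4.

Added example (not from the book). Parses the text of a running-config and
returns a list of findings; an empty list means every vty stanza passes.
"""
import re

# Constructed sample: the Example 3-4 configuration as it would appear in
# show running-config, including 'login local' and 'ip ssh version 2'.
HARDENED_CONFIG = """\
hostname R1
ip domain-name syd.cisco.com
username cisco password cisco
ip ssh version 2
!
access-list 10 permit 10.1.1.1
access-list 10 permit 10.1.1.2
access-list 10 permit 192.168.1.1
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 transport input ssh
 login local
!
end
"""

# Constructed sample of a weak configuration: Telnet allowed, no source
# restriction, idle timeout disabled, line-password login, SSHv1 permitted.
WEAK_CONFIG = """\
hostname R2
!
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
 password cisco
 login
!
end
"""


def parse_vty_blocks(config):
    """Split a config into its 'line vty' stanzas as (header, [subcommands]).

    IOS indents line sub-commands with one space; a '!' separator or any
    unindented command ends the stanza.
    """
    blocks = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None and raw.startswith(" ") and raw.strip():
            current[1].append(raw.strip())
        else:
            current = None
    return blocks


def _first(cmds, prefix):
    """Return the first sub-command starting with prefix, or None."""
    for c in cmds:
        if c == prefix or c.startswith(prefix + " "):
            return c
    return None


def audit_vty(config):
    """Return a list of human-readable findings for the vty configuration."""
    findings = []
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]

    acl_ids = set()
    for l in top:
        m = re.match(r"access-list (\d+) ", l)
        if m:
            acl_ids.add(m.group(1))
    has_aaa = any(l.startswith("aaa authentication login") for l in top)

    if "ip ssh version 2" not in top:
        findings.append("global: 'ip ssh version 2' not set, SSHv1 may be negotiated")

    blocks = parse_vty_blocks(config)
    if not blocks:
        findings.append("no 'line vty' stanza found")

    for header, cmds in blocks:
        transport = _first(cmds, "transport input")
        if transport != "transport input ssh":
            findings.append(f"{header}: transport not restricted to SSH ({transport or 'default'})")

        acl_cmd = _first(cmds, "access-class")
        m = re.match(r"access-class (\d+) in$", acl_cmd or "")
        if m is None:
            findings.append(f"{header}: no inbound access-class, any source may connect")
        elif m.group(1) not in acl_ids:
            findings.append(f"{header}: access-class references undefined access-list {m.group(1)}")

        timeout = _first(cmds, "exec-timeout")
        if timeout is None:
            findings.append(f"{header}: exec-timeout not set, default idle timeout applies")
        elif timeout.split()[1:] == ["0", "0"]:
            findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")

        login = _first(cmds, "login")
        if login is None:
            findings.append(f"{header}: no login command, line has no authentication")
        elif login == "login":
            findings.append(f"{header}: 'login' uses the line password only; SSH needs 'login local' or AAA")
        elif login.startswith("login authentication") and not has_aaa:
            findings.append(f"{header}: login authentication set but no 'aaa authentication login' configured")

    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{name}: {audit_vty(cfg) or 'no findings'}")
```

Run it against the text of show running-config saved to a file and pass the file contents to audit_vty; the hardened sample returns no findings, while the weak sample is flagged for each missing control.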