# SSH

SSH (Secure Shell) was developed in 1995 to replace less secure protocols like Telnet.

SSHv2, a major revision of SSHv1, was released in 2006.

If a device supports both version 1 and version 2, it is said to run 'version 1.99'.

SSH provides security features such as data encryption and authentication.

<figure><img src="https://1474932522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FAgItg4KAZpnXjAFPWRf8%2Fuploads%2Ftp6ksMFVUiwrUmpzjkgk%2FScreenshot%20from%202023-08-07%2018-12-05.png?alt=media&#x26;token=bef99075-fc7b-4ff9-9675-23bc9df5a1be" alt=""><figcaption></figcaption></figure>

The SSH *server* (the device being connected to) listens for SSH traffic on **TCP port 22**.

## Configuration

<figure><img src="https://1474932522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FAgItg4KAZpnXjAFPWRf8%2Fuploads%2FnDYyULYJCGa5qtYRaVp5%2FScreenshot%20from%202023-08-07%2018-13-13.png?alt=media&#x26;token=2955e1d3-e878-4218-9701-f43edeef0224" alt=""><figcaption></figcaption></figure>

IOS images that support SSH will have '**K9**' in their name.

Cisco exports NPE (No Payload Encryption) IOS images to countries that have restrictions on encryption technologies.

NPE IOS images do not support cryptographic features such as SSH.

### RSA keys

To enable and use SSH, you must generate an RSA public and private key pair.

The keys are used for data encryption/decryption, authentication, etc.

* `ip domain name jeremysitlab.com` -> the **FQDN** of the device is used to name the RSA keys. FQDN = Fully Qualified Domain Name (host name + domain name).
* `crypto key generate rsa` -> generates the RSA keys.
  * `crypto key generate rsa modulus <length>` is an alternate method. Length must be 768 bits or greater for SSHv2.

### VTY Lines

1. `ip ssh version 2` -> (optional, but recommended) restrict SSH to version 2 only.
2. `line vty 0 15` -> configure all VTY lines, just like Telnet.
3. `login local` -> enable local user authentication. You cannot use `login` for SSH, only `login local`.
4. `exec-timeout 5 0` -> (optional, but recommended) configure the exec timeout.
5. `transport input ssh` -> best practice is to limit VTY line connections to SSH only.
6. `access-class 1 in` -> (optional, but recommended) apply ACL 1 to restrict which hosts may connect to the VTY lines.
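Putting the RSA key and VTY line steps together, here is a complete SSHv2-only configuration as an added example (not from the original page). The hostname `R1`, the `admin` account and its secret, and the `192.168.1.0/24` management subnet are constructed placeholders; the domain name is the one used above. It also fills in two things the steps rely on but do not show: `login local` needs a local `username` entry to check against, and `access-class 1 in` needs ACL 1 to actually be defined.

```cisco
! Added example configuration (not from the original page).
! Hostname, username, secret and management subnet are placeholders.
hostname R1
ip domain name jeremysitlab.com
!
! The key pair is named after the FQDN: R1.jeremysitlab.com
! 2048 bits comfortably exceeds the 768-bit minimum SSHv2 requires.
crypto key generate rsa modulus 2048
!
! 'login local' on the VTY lines needs a local account to check against.
username admin privilege 15 secret CHANGE-ME
!
! ACL 1 is applied with 'access-class 1 in' below, so it must exist;
! any source not permitted here is dropped by the implicit deny.
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Restrict the device to SSHv2 only (refuses SSHv1 clients).
ip ssh version 2
!
line vty 0 15
 login local
 exec-timeout 5 0
 transport input ssh
 access-class 1 in
!
! Verification, run from privileged EXEC mode rather than config mode:
! show ip ssh   -> should report SSH enabled with version 2.0
! show ssh      -> lists the currently active SSH sessions
```

Because `transport input ssh` removes Telnet as a fallback, generate the keys and confirm `show ip ssh` reports version 2.0 before closing your existing console or Telnet session.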
