Understanding SSH: A Simple Guide to Secure Remote Access

Pits

If you’ve ever needed to access a computer or server from a distance, you’ve probably heard of SSH. It stands for Secure Shell, and it’s one of the most common tools used to connect securely over a network. Whether you’re managing servers, working on a project, or just curious about how remote access works safely, understanding SSH is a great place to start. In this blog, I’ll break down what SSH is, why it’s important, and how it works in a way that’s easy to follow even if you’re new to networking or security.


Console Port Security Login: What Is It and How to Configure?

When you manage a network device like a router or switch, one way to access it is through the console port. This is a physical connection that lets you work directly on the device, especially when network access isn’t available. Because this port provides direct access, it’s important to secure it to prevent unauthorized users from logging in.

What is Console Port Security Login?
Console port security login means setting up a username and password that anyone must enter before they can use the console port. Without these credentials, no one can get inside the device to make changes or view sensitive info.

How to Configure Console Port Security Login
Here’s a step-by-step guide on how to secure the console port on a Cisco device using the command line interface (CLI):

  1. Access global configuration mode:

     Router> enable
     Router# configure terminal
     Router(config)#
    
  2. Create a username and password:

     Router(config)# username admin password MyStrongPass123
    

    This sets a user called admin with the password MyStrongPass123. You can change these to whatever you prefer, but keep the password strong.

  3. Enter console line configuration:

     Router(config)# line console 0
     Router(config-line)#
    
  4. Require login using the local username and password:

     Router(config-line)# login local
    

    This tells the device to ask for the username and password you just created when someone connects to the console port.

  5. Set an idle timeout (optional but recommended):

     Router(config-line)# exec-timeout 5
    

    This means the console session will automatically log out after 5 minutes of inactivity, which helps keep the device secure if someone forgets to log out.

  6. Exit configuration mode and save your settings:

     Router(config-line)# end
     Router# write memory
    

    The write memory command saves your changes so they remain even after a reboot.

Example Session:

Router> enable
Router# configure terminal
Router(config)# username admin password MyStrongPass123
Router(config)# line console 0
Router(config-line)# login local
Router(config-line)# exec-timeout 5
Router(config-line)# end
Router# write memory

After this, anyone trying to access the router via the console port will see:

Router con0 is now available

Press RETURN to get started!

Username: admin
Password:

Without the correct username and password, they won’t be able to log in.


What Does login local Mean?

The command login local tells the device to use the local username and password database for console or line authentication. In other words, when someone tries to log in through the console port (or other lines like VTY), the device will ask for a username and password that you have already created on the device itself.

Without login local, the device might not ask for a username and password, or it might use a different method (like no password or a simple password set only on the line).

Why Use login local?
Using login local is more secure because:

  • It requires both a username and a password.

  • You can manage multiple user accounts with different access rights.

  • It prevents unauthorized access through the console or remote lines.

Example:
If you configured a username like this:

username admin password MyStrongPass123

and then applied login local on the console line, when someone connects, they will be prompted to enter:

  • Username: admin

  • Password: MyStrongPass123


Layer 2 Switch Management IP: How to Access Your Switch Remotely

Unlike routers, Layer 2 switches don’t handle IP routing. Their main job is to forward traffic within the same network based on MAC addresses, not IP addresses. Because of this, they don’t have an IP address assigned to their physical interfaces like routers do.

So, how do you manage a Layer 2 switch remotely over the network?

The answer is to use a Switched Virtual Interface (SVI). An SVI is a virtual interface on the switch that gives the switch its own address for management traffic. You assign an IP address to this SVI, which allows you to connect to the switch remotely using protocols like SSH or Telnet.

What is an SVI?
An SVI is basically a virtual Layer 3 interface tied to a VLAN on the switch. By assigning an IP address to the SVI, you give the switch a presence on the network that can be accessed remotely.

How to Set a Management IP Using an SVI
Typically, you use VLAN 1 for management (unless your network design uses a different VLAN). Here’s a simple example:

  1. Enter global configuration mode:

     configure terminal
    
  2. Select the VLAN interface (usually VLAN 1):

     interface vlan 1
    
  3. Assign an IP address and subnet mask:

     ip address 192.168.1.10 255.255.255.0
    
  4. Enable the interface:

     no shutdown
    
  5. Exit configuration mode and save:

     end
     write memory
    

Now, with this management IP set, you can connect remotely to the switch for configuration and monitoring.


Why Use ip default-gateway on a Layer 2 Switch?

Since Layer 2 switches don’t perform routing, they need a way to send traffic outside their local network, especially for management tasks like remote access from a different subnet.

This is where the ip default-gateway command comes in.

The ip default-gateway sets the IP address of the router (usually the default gateway) that the switch should use to forward traffic destined for other networks. Without this, the switch won’t know where to send packets outside its own subnet.

How to Configure ip default-gateway:

  1. Enter global configuration mode:

     configure terminal
    
  2. Set the default gateway IP (replace with your router’s IP):

     ip default-gateway 192.168.1.1
    
  3. Exit and save:

     end
     write memory
    

This tells the switch, “If you need to reach an IP address outside your subnet, send it to this router.”

Note:
You only use ip default-gateway on Layer 2 switches. On Layer 3 switches or routers that do routing, you would configure routing instead.


Transitioning to Telnet: Remote Access the Old Way

Now that we’ve covered how to set up a management IP and default gateway on your switch, let’s talk about how to actually connect to it remotely.

One of the earliest and simplest ways to access network devices over the network is Telnet. It lets you open a command-line session on the device from another computer, so you can manage it without being physically there.

However, Telnet sends all data, including passwords, in plain text, which isn’t secure. Because of this, it has mostly been replaced by SSH in modern networks, but understanding Telnet is still useful, especially for troubleshooting or working with older devices.

Let’s look at what Telnet is, how it works, and how to set it up.


What Is Telnet?

The name Telnet comes from TELecommunication NETwork. It was originally developed to provide a way for users to connect to remote computers over a network and interact with them, much like using a teletype machine back in the early days of computing.

Telnet is one of the oldest protocols used to connect remotely to devices over a network. It provides a way to open a command-line session on a remote device, allowing you to manage routers, switches, servers, and other network gear as if you were sitting right in front of them.

Telnet works by establishing a connection between your computer and the device using a client-server model. Your computer runs a Telnet client, and the network device runs a Telnet server waiting for incoming connections.

Which Port Does Telnet Use?

By default, Telnet uses TCP port 23 to establish its connection. When you type telnet [IP address], your computer tries to connect to port 23 on that device. If the device is configured to accept Telnet connections on that port, the session starts.

Why Is Telnet Not Secure?

The major drawback of Telnet is that it sends all data, including usernames and passwords, in plain text. This means anyone who can intercept the network traffic can easily read your login details and commands. Because of this security risk, Telnet is rarely used on networks where security matters.

Instead, most networks have moved to SSH (Secure Shell), which encrypts all traffic between your computer and the device.


How to Securely Configure Telnet Access on a Cisco Device

Before enabling Telnet, it’s important to secure your device properly. Here’s a step-by-step guide covering everything from setting passwords to limiting who can connect.

1. Set the Enable Secret Password

The enable secret password protects privileged EXEC mode, where critical device commands are executed. Unlike the older enable password, the secret is encrypted.

configure terminal
enable secret YourEnableSecret

2. Create a Username and Password

Using local user accounts is more secure than just a simple line password.

username admin secret YourUserSecret

This creates a user called admin with an encrypted password.

3. Configure an Access Control List (ACL) to Limit Telnet Access

To restrict who can connect via Telnet, create an ACL that allows only specific IP addresses.

ip access-list standard TELNET-ACCESS
 permit 192.168.1.100
 permit 192.168.1.101
 deny any

Replace the IP addresses with the trusted computers allowed to connect.

4. Configure VTY Lines

VTY (Virtual Terminal) lines are the logical interfaces used for remote access like Telnet or SSH. Most Cisco devices have 16 lines by default (0 to 15), which means up to 16 simultaneous remote sessions.

Enter VTY line configuration mode:

line vty 0 15

5. Apply Security Settings on VTY Lines

  • Require login with local username and password:

      login local
    
  • Set an idle timeout (in minutes):

      exec-timeout 5
    
  • Specify allowed protocols:

      transport input telnet ssh
    

    Here are some options for transport input:

    • telnet — allow only Telnet

    • ssh — allow only SSH

    • all — allow all supported protocols

    • You can combine them, like telnet ssh to allow both.

  • Apply the ACL to limit who can connect:

      access-class TELNET-ACCESS in
    

6. Exit and Save the Configuration

end
write memory

Example Full Configuration:

configure terminal
enable secret MyEnableSecret
username admin secret MyUserSecret
ip access-list standard TELNET-ACCESS
 permit 192.168.1.100
 permit 192.168.1.101
 deny any
line vty 0 15
 login local
 exec-timeout 5
 transport input telnet ssh
 access-class TELNET-ACCESS in
end
write memory

This way, your device is protected, and only authorized users from trusted IP addresses can remotely access it.


How to Connect Using Telnet

Once you’ve configured Telnet on your device and set up a management IP address, you can connect to it remotely from your computer.

On Windows:

  1. Open the Command Prompt (search for cmd in the Start menu).

  2. Type the following command and press Enter:

     telnet [IP address]
    

    Replace [IP address] with the switch or router’s management IP. For example:

     telnet 192.168.1.10
    
  3. If Telnet is enabled and accessible, you’ll be prompted to enter your username and password.

Note:
Telnet is not enabled by default on some Windows versions. If you get an error like 'telnet' is not recognized, you may need to enable it:

  • Go to Control Panel > Programs > Turn Windows features on or off.

  • Find and check Telnet Client.

  • Click OK and wait for it to install.


On Linux or macOS:

  1. Open the Terminal.

  2. Type the same command as above:

     telnet [IP address]
    
  3. Enter your credentials when prompted.

After successful login, you can manage the device just as if you were using the console port.


Moving on to SSH: Secure Remote Access

Now that you know how Telnet works and how to set it up, it’s time to talk about a much safer way to remotely manage your devices: SSH, or Secure Shell.

Unlike Telnet, SSH encrypts all the data sent between your computer and the device, including your login credentials. This makes it much harder for anyone to intercept and read your information, which is why SSH is the preferred method for remote access in most networks today.

In the next section, we’ll cover what SSH is, why it’s better than Telnet, and how to configure it on your Cisco devices.


What Is SSH?

SSH stands for Secure Shell. It’s a network protocol used to securely access and manage devices remotely over an unsecured network, like the internet.

Unlike Telnet, which sends data in plain text, SSH encrypts all communication between your computer and the remote device. This keeps your passwords, commands, and data safe from eavesdroppers.

When Was SSH Developed?

SSH was first developed in 1995 by Tatu Ylönen, a researcher from Finland. It was created as a secure replacement for Telnet and other older protocols that did not protect sensitive data during remote connections.

SSH Versions

There are two major versions of SSH in use today:

  • SSH Version 1 (SSH-1): The original version, now considered outdated and insecure. It has known vulnerabilities and is rarely used.

  • SSH Version 2 (SSH-2): Released in 2006, this version fixes many security issues and adds new features. SSH-2 is the current standard and widely used.

What Ports Does SSH Use?

By default, SSH uses TCP port 22 for establishing connections. When you connect with an SSH client, it tries to reach the remote device on port 22.


Checking SSH Versions and Support on Cisco IOS

Before setting up SSH on your Cisco device, it’s important to know which SSH version your device supports. Cisco IOS supports both SSH version 1 and version 2, but it’s best practice to use SSH version 2 because it’s more secure and reliable.

To check if SSH is supported and which version is running on your Cisco device, you can use a few simple commands.

1. Check SSH Version:

On the Cisco CLI, enter privileged EXEC mode and run:

show ip ssh

This command displays SSH configuration details, including:

  • SSH version in use (version 1 or 2)

  • Timeout settings

  • Authentication retries

Sample output:

SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

2. Verify SSH Support:

If SSH isn’t enabled or supported, the show ip ssh command might not return useful information. You can also check the available features with:

show version

Look for lines mentioning SSH or cryptographic support (like “k9” images). Devices need the right IOS image with cryptography features to support SSH.


SSH Configuration: Generating RSA Keys

To enable SSH on a Cisco device, one of the key steps is generating RSA key pairs. These keys are used to encrypt the data sent between your computer and the device, ensuring secure communication.

What Are RSA Keys?
RSA keys are a type of cryptographic key used in SSH to secure connections. The device creates a pair of keys, a public key and a private key, which work together to encrypt and decrypt data.


How to Generate RSA Keys on a Cisco Device

  1. Enter global configuration mode:

     configure terminal
    
  2. Generate the RSA key pair:

     crypto key generate rsa
    
  3. Choose the key size:
    When prompted, enter the size of the key modulus in bits. Cisco recommends at least 2048 bits for stronger security:

     How many bits in the modulus [512]: 2048
    
  4. Exit configuration mode:

     end
    
  5. Save your configuration:

     write memory
    

Why Key Size Matters:
A larger key size means stronger encryption but can take more processing power. For most networks, 2048 bits strikes a good balance between security and performance.

Once RSA keys are generated, the device can accept SSH connections securely.


What Is FQDN?

FQDN stands for Fully Qualified Domain Name. It’s the complete domain name that specifies the exact location of a device or server within the internet’s hierarchical Domain Name System (DNS).

An FQDN includes both the hostname and the domain name. For example:

server1.example.com

  • server1 is the hostname

  • example.com is the domain name

Together, they form the FQDN, which uniquely identifies a device on the internet or within a private network.


Why Is FQDN Important in Networking?

In device configurations like SSH or TLS certificates, using an FQDN ensures that the device can be precisely identified and accessed through DNS. It also helps avoid confusion if multiple devices share similar hostnames.

For example, when setting up SSH on a Cisco device, you might configure the hostname and domain name so the device can generate proper RSA keys tied to its FQDN.


SSH Configuration for VTY Lines on Cisco Devices

To securely manage your device remotely using SSH, follow these steps:

1. Set the Enable Secret Password

Protect privileged EXEC mode with an encrypted password:

configure terminal
enable secret YourEnableSecret

2. Create a Local Username and Password

Set up a user account with a secret password for authentication:

username admin secret YourUserSecret

3. Create an Access Control List (ACL) to Restrict SSH Access

Allow only trusted IP addresses to connect:

ip access-list standard SSH-ACCESS
 permit 192.168.1.100
 permit 192.168.1.101
 deny any

Replace the IP addresses with your trusted clients.

4. Set SSH Version to 2

Ensure the device uses the secure, modern SSH version:

ip ssh version 2

5. Configure VTY Lines (0 to 15)

line vty 0 15
 login local
 exec-timeout 5
 transport input ssh
 access-class SSH-ACCESS in

  • login local enforces username/password authentication.

  • exec-timeout 5 logs out inactive sessions after 5 minutes.

  • transport input ssh allows only SSH connections.

  • access-class SSH-ACCESS in applies the ACL to restrict incoming SSH connections.

6. Exit and Save Configuration

end
write memory

Full Example Configuration:

configure terminal
enable secret MyEnableSecret
username admin secret MyUserSecret
ip access-list standard SSH-ACCESS
 permit 192.168.1.100
 permit 192.168.1.101
 deny any
ip ssh version 2
line vty 0 15
 login local
 exec-timeout 5
 transport input ssh
 access-class SSH-ACCESS in
end
write memory

This setup ensures secure SSH access, limits access to trusted IPs, and protects privileged modes with strong passwords.
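As an added example that is not part of the original post, here is a small Python audit that applies the checks this guide walks through (for the console, Telnet and SSH configurations above) to a saved running-config. It flags a username stored with the reversible password keyword rather than secret, a missing ip ssh version 2, a VTY line that still accepts Telnet, a disabled exec-timeout, and a VTY line without an access-class. Both sample configs are constructed for the example, and the default exec-timeout noted in one message is the IOS default of 10 minutes.

```python
import re

# Constructed sample running-config (not from a real device): it combines the
# console example, which stores the password reversibly, with a VTY block that
# still admits Telnet, has idle logout disabled and lacks an access-class.
WEAK_CONFIG = """\
hostname MyRouter
ip domain-name example.com
username admin password MyStrongPass123
ip ssh version 2
ip access-list standard SSH-ACCESS
 permit 192.168.1.100
 deny any
line con 0
 login local
 exec-timeout 5
line vty 0 15
 login local
 exec-timeout 0 0
 transport input telnet ssh
"""

# Constructed hardened config mirroring the SSH full example from this guide.
HARDENED_CONFIG = """\
hostname MyRouter
ip domain-name example.com
enable secret MyEnableSecret
username admin secret MyUserSecret
ip ssh version 2
line vty 0 15
 login local
 exec-timeout 5
 transport input ssh
 access-class SSH-ACCESS in
"""


def parse_lines(config):
    """Group each 'line <name>' block with its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the line block
    return blocks


def audit_config(config):
    """Return findings where the config falls short of the hardening steps."""
    findings = []
    for m in re.finditer(r"^username (\S+)(?: privilege \d+)? password ", config, re.M):
        findings.append(f"username {m.group(1)}: reversible 'password', use 'secret'")
    if re.search(r"^enable password ", config, re.M):
        findings.append("enable password: reversible, use 'enable secret'")
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("ip ssh version 2 not set: SSH-1 may still be accepted")
    for name, cmds in parse_lines(config).items():
        if not any(c.startswith("login local") for c in cmds):
            findings.append(f"line {name}: no 'login local'")
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"line {name}: default exec-timeout (10 min) left in place")
        elif timeout.split()[1:] in (["0"], ["0", "0"]):
            findings.append(f"line {name}: exec-timeout 0 disables idle logout")
        if name.startswith("vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            if transport is None or re.search(r"\b(telnet|all)\b", transport):
                findings.append(f"line {name}: Telnet permitted by transport input")
            if not any(c.startswith("access-class") for c in cmds):
                findings.append(f"line {name}: no access-class ACL restricting clients")
    return findings


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print(finding)
```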


SSH Configuration with RSA Keys on Cisco Devices

Now that we’ve covered the basics of SSH access, let’s walk through the full configuration using RSA keys. RSA keys are essential because they secure the connection by encrypting all data exchanged between your computer and the device.

Here’s the process step-by-step:

1. Configure the Hostname

SSH needs the device’s hostname set before generating RSA keys.

configure terminal
hostname MyRouter

2. Configure the Domain Name

The device also requires a domain name for the RSA key generation.

ip domain-name example.com

3. Generate the RSA Key Pair

Create the key pair for SSH encryption. Use at least 2048 bits for stronger security.

crypto key generate rsa

When prompted, enter the modulus size:

How many bits in the modulus [512]: 2048

4. Configure Enable Secret and Local Username

Set the privileged mode password and create a local user account:

enable secret YourEnableSecret
username admin secret YourUserSecret

5. Enable SSH Version 2 Only

Force the device to use the secure SSH version 2:

ip ssh version 2

6. Configure VTY Lines for SSH Access

line vty 0 15
 login local
 exec-timeout 5
 transport input ssh

How to Connect Using SSH

From your computer, open a terminal or command prompt and connect with:

ssh -l admin 192.168.1.10

Or simply:

ssh admin@192.168.1.10

Replace admin with your username and 192.168.1.10 with your device’s IP address.


SSH Configuration Command Summary

| Step | Command | Description |
|---|---|---|
| Set hostname | hostname MyRouter | Assign a hostname for the device |
| Set domain name | ip domain-name example.com | Configure domain name for RSA keys |
| Generate RSA keys | crypto key generate rsa | Create RSA key pair for SSH |
| Set enable secret | enable secret YourEnableSecret | Secure privileged EXEC mode |
| Create local user | username admin secret YourUserSecret | Define user for SSH login |
| Set SSH version | ip ssh version 2 | Use SSH version 2 only |
| Configure VTY lines | line vty 0 15 | Enter VTY line config |
| Require local login | login local | Use local username/password |
| Set idle timeout | exec-timeout 5 | Disconnect inactive sessions |
| Allow SSH only | transport input ssh | Accept only SSH connections |

Wrap Up

SSH is the secure way to remotely manage your Cisco devices. By configuring RSA keys and enforcing SSH version 2, you protect your data and login credentials from being intercepted. Using local user accounts, strong passwords, and access controls further strengthens your device’s security.

With the steps and commands shared here, you can set up a solid SSH environment that’s both safe and efficient. Once configured, connect easily from your computer using the SSH client and manage your network devices remotely with confidence.
