How to Configure SSH on a Cisco Router or Switch
To configure SSH: set a hostname and domain name, generate RSA keys, create a local user, then restrict the VTY lines to SSH only. This replaces insecure Telnet with encrypted access.
SSH encrypts management sessions — Telnet sends passwords in plaintext. Every production device should use SSH. Practise in the SSH lab.
Step 1: Set hostname and domain name
    hostname R1
    ip domain-name attila.local
Required — RSA keys are generated from these
Step 2: Generate RSA keys and enable SSHv2
    crypto key generate rsa
    ip ssh version 2
Creates the encryption keys (choose 1024+ modulus) and forces the stronger SSHv2
Step 3: Create a user and restrict VTY to SSH
    username admin secret StrongPass1
    line vty 0 4
    login local
    transport input ssh
Local login, SSH only — Telnet refused
Verification
Test from a PC: ssh -l admin [device-ip] should prompt for the password and connect. telnet [device-ip] should be refused. show ip ssh confirms SSHv2 is enabled.
Frequently asked questions
What do I need before configuring SSH on a Cisco device?
A hostname and a domain name — RSA keys are generated using the device's fully-qualified name, so both must be set first.
How do I force SSH only and disable Telnet?
On the VTY lines: transport input ssh — this accepts only encrypted SSH and refuses plaintext Telnet.
What command generates the SSH keys?
crypto key generate rsa — choose a modulus of at least 1024 bits (2048 recommended).
How do I verify SSH is configured correctly?
show ip ssh confirms the version and status; test by connecting via SSH (should work) and Telnet (should be refused).