Lab 10: Securing Remote Access with SSH
Telnet sends passwords in plain text — professionals use SSH. Generate RSA keys, create a local user, restrict the VTY lines to SSH-only, then log in encrypted from a PC. Difficulty: Beginner+ · Time: ~25 min.
Lab objectives
- Set hostname and domain name (needed for keys)
- Generate RSA keys and enable SSH v2
- Create a local user and force SSH-only VTY login
- Connect via SSH from a PC
Topology & addressing
1× router/switch with management IP 192.168.1.1, 1× PC (192.168.1.10) on the same network.
Step-by-step configuration
| Commands | Purpose |
| --- | --- |
| `hostname R1`<br>`ip domain-name attila.local` | Identity — required before key generation |
| `crypto key generate rsa` → modulus 1024 (or 2048)<br>`ip ssh version 2` | Create the encryption keys, force SSHv2 |
| `username admin secret cisco123` | Local login account |
| `line vty 0 4`<br>`login local`<br>`transport input ssh` | VTY uses local users, SSH only — Telnet refused |
Verification
From the PC: ssh -l admin 192.168.1.1 → password → you're in, encrypted. Try telnet 192.168.1.1 — refused, exactly as intended. show ip ssh confirms version 2.
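As an added example (not part of the original lab), this Python script audits a saved running-config for the settings the lab applies: hostname, domain name, SSHv2, a local user stored with `secret`, and VTY lines that use `login local` with SSH-only transport. The sample config, the `audit` function and the weak `line vty 5 15` section are constructed for illustration.

```python
import re

# Constructed sample running-config (not captured from a real device).
# "line vty 5 15" is deliberately left in a weak state to show a finding.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name attila.local
ip ssh version 2
username admin secret 5 $1$constructed$placeholderhash
line con 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
"""

# Global commands the lab configures, with the finding reported when one is absent.
REQUIRED = {
    r"^hostname \S+": "hostname not set",
    r"^ip domain-name \S+": "ip domain-name not set",
    r"^ip ssh version 2\s*$": "SSH version 2 not forced",
    r"^username \S+ .*\bsecret\b": "no local user with a 'secret' password",
}
# A "line vty ..." header followed by its indented sub-commands.
VTY_SECTION = re.compile(r"^(line vty [^\n]*)\n((?:[ \t]+[^\n]*\n?)*)", re.MULTILINE)

def audit(config):
    """Return a list of findings; an empty list means every lab setting is present."""
    findings = [msg for pat, msg in REQUIRED.items()
                if not re.search(pat, config, re.MULTILINE)]
    for match in VTY_SECTION.finditer(config):
        header = match.group(1).strip()
        body = [line.strip() for line in match.group(2).splitlines()]
        if "login local" not in body:
            findings.append(f"{header}: missing 'login local'")
        transport = [cmd for cmd in body if cmd.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append(f"{header}: transport input is not SSH-only")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FAIL:", finding)
```

The lab only configures `line vty 0 4`; devices with additional VTY ranges need the same `login local` and `transport input ssh` settings on each range, which is what the second finding illustrates.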
Frequently asked questions
Why is a domain name required for SSH?
RSA keys are generated using the device's fully qualified name (hostname + domain), so both must be set first.
What does transport input ssh do?
It restricts the VTY lines to SSH connections only, refusing insecure Telnet.
Why prefer SSH over Telnet?
Telnet transmits everything — including passwords — in plain text; SSH encrypts the entire session.