Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.8. SSH Configuration

💡 First Principle: SSH encrypts management traffic; Telnet sends everything, including passwords, in cleartext. Think of it like whispering versus shouting in a crowded room: Telnet shouts your credentials for anyone listening, while SSH whispers them through an encrypted tunnel that only the two endpoints can read.

What happens with Telnet: Imagine you're in a coffee shop, managing a router over the public WiFi. With Telnet, anyone running Wireshark sees your username, password, and every command you type. With SSH, they see encrypted gibberish. This isn't theoretical—it's why every security audit flags Telnet as a critical finding. Would you type your bank password into a website that showed "Not Secure" in the browser? Then why send your network admin credentials in cleartext?

Unlike HTTPS, which protects web traffic, SSH protects CLI management sessions. Both use asymmetric cryptography for the initial key exchange and a symmetric cipher for the session itself, but SSH is purpose-built for remote terminal access and supports key-based authentication that can replace passwords entirely.

Why SSH requires a hostname and domain: IOS names the RSA key pair after the device's identity (hostname.domain-name), so both must be set before the crypto key generate rsa command will run; with no domain name configured the command is refused. Think of it like needing a name before you can get an ID card.

Complete SSH Setup:
Switch(config)# hostname Switch1                        ! Required for key generation
Switch(config)# ip domain-name company.com              ! Required for key generation
Switch(config)# crypto key generate rsa modulus 2048    ! Generates the RSA host key pair (hostname.domain-name)
Switch(config)# ip ssh version 2                        ! Use SSH v2 only (v1 is insecure)
Switch(config)# username admin privilege 15 secret SecurePass123!   ! secret stores a hash; password would not
Switch(config)# line vty 0 15                           ! All 16 vty lines, not just 0 4
Switch(config-line)# transport input ssh                ! Disable Telnet entirely
Switch(config-line)# login local                        ! Use local username database (SSH needs a username)
Switch(config-line)# exec-timeout 5 0                   ! Auto-logout after 5 min 0 sec idle

⚠️ Exam Trap: If transport input ssh is set but you try to Telnet, the connection is refused. The exam tests whether you know this blocks Telnet access—it's not "prefer SSH," it's "SSH only."
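An added example, not part of the original page and not a Cisco tool: a small Python audit that reads the text of show running-config and flags exactly the gaps this section warns about, a vty line that still accepts Telnet (transport input all or telnet), a missing ip ssh version 2, login local with no username to match it, and an exec-timeout 0 0 that turns the idle logout off. The two configs embedded below are constructed samples, one "before" and one "after" applying the setup above; the line-block parsing assumes the one-space indent that IOS uses for line-mode subcommands.

```python
"""Audit the SSH hardening items from this section against IOS config text."""
import re

# Constructed sample: a switch where Telnet is still reachable. Not a real device.
WEAK_CONFIG = """\
hostname Switch1
!
ip domain-name company.com
!
username admin privilege 15 secret SecurePass123!
!
line vty 0 4
 exec-timeout 0 0
 login local
 transport input all
line vty 5 15
 login local
 transport input telnet ssh
!
end
"""

# Constructed sample: the same switch after applying the setup shown above.
HARDENED_CONFIG = """\
hostname Switch1
!
ip domain-name company.com
ip ssh version 2
!
username admin privilege 15 secret SecurePass123!
!
line vty 0 15
 exec-timeout 5 0
 login local
 transport input ssh
!
end
"""


def parse_vty_blocks(config_text):
    """Return [(line_spec, [subcommands])] for every 'line vty ...' block.

    IOS prints line-mode subcommands indented by one space; any unindented
    line (the next 'line ...', a '!' separator, or 'end') closes the block.
    """
    blocks = []
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())
        else:
            current = None
    return blocks


def audit_ssh_config(config_text):
    """Return a list of findings (strings); an empty list means the config passes."""
    findings = []
    top_level = {ln.strip() for ln in config_text.splitlines()
                 if ln and not ln.startswith(" ")}

    if "ip ssh version 2" not in top_level:
        findings.append("global: 'ip ssh version 2' missing; device may still negotiate SSHv1")

    has_user = any(cmd.startswith("username ") for cmd in top_level)
    blocks = parse_vty_blocks(config_text)
    if not blocks:
        findings.append("global: no 'line vty' blocks found")

    for spec, cmds in blocks:
        # The last 'transport input' wins if a line block carries more than one.
        transports = [c for c in cmds if c.startswith("transport input")]
        if not transports:
            findings.append(f"{spec}: no 'transport input' set; platform default may accept Telnet")
        else:
            allowed = set(transports[-1].split()[2:])
            if allowed & {"all", "telnet"}:
                findings.append(f"{spec}: Telnet accepted ('{transports[-1]}')")

        # SSH authenticates by username, so a line password alone ('login') is not enough.
        if "login local" in cmds:
            if not has_user:
                findings.append(f"{spec}: 'login local' but no 'username' entries; SSH logins will fail")
        elif not any(c.startswith("login authentication") for c in cmds):
            findings.append(f"{spec}: no 'login local' or AAA login method")

        # The default exec-timeout (10 min) is not shown in the config; '0 0' disables it.
        for c in cmds:
            m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", c)
            if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
                findings.append(f"{spec}: 'exec-timeout 0 0' disables the idle logout")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_ssh_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Paste the output of show running-config into audit_ssh_config() to run it against a real device; an empty list means the vty lines are SSH-only, not merely SSH-preferred.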

Verification:
Switch# show ip ssh                ! Whether SSH is enabled, version, timeout, authentication retries
Switch# show ssh                   ! Active SSH sessions (version, cipher, connected user)