Configuring ssh on a Netgear GSM7224/GSM7248 switch

Thu 29 March 2007 : Configuring ssh on a Netgear GSM7224/GSM7248 switch

We got a new Netgear GSM7224 managed switch at work. The procedure to get it to use SSH is complicated, not very well documented by Netgear, and not something you do every week, so I decided to take notes and document the whole procedure.

The switch I was setting up is named ics-04, so you will see the prompt

(ics-04) >
or, in privileged exec mode (the usual one):
(ics-04) #
First, on another machine, generate the ssh server keys in a directory the tftp server can read, and make sure the tftp server can read all of them:
root@athena:/tftpboot/netgear# ssh-keygen -f netgear-ics-04-dsa.key -t dsa -N '' -C ics-04
Generating public/private dsa key pair.
Your identification has been saved in netgear-ics-04-dsa.key.
Your public key has been saved in netgear-ics-04-dsa.key.pub.
The key fingerprint is:
72:79:43:31:3c:42:cd:3a:29:e4:54:96:50:02:af:4b ics-04

root@athena:/tftpboot/netgear# ssh-keygen -f netgear-ics-04-rsa.key -t rsa -N '' -C ics-04
Generating public/private rsa key pair.
Your identification has been saved in netgear-ics-04-rsa.key.
Your public key has been saved in netgear-ics-04-rsa.key.pub.
The key fingerprint is:
b4:e9:fa:24:40:86:57:24:8d:6a:fe:ee:0c:46:20:33 ics-04

root@athena:/tftpboot/netgear# ssh-keygen -f netgear-ics-04-rsa1.key -t rsa1 -N '' -C ics-04
Generating public/private rsa1 key pair.
Your identification has been saved in netgear-ics-04-rsa1.key.
Your public key has been saved in netgear-ics-04-rsa1.key.pub.
The key fingerprint is:
8e:25:9e:84:cf:5d:d3:38:2a:a7:05:89:82:e9:0f:c0 ics-04

root@athena:/tftpboot/netgear# chmod a+r netgear-ics-04-*
Now log in to the switch (serial console or telnet) and install the keys:
(ics-04) #copy tftp://131.211.80.9/netgear/netgear-ics-04-dsa.key nvram:sshkey-dsa

Mode........................................... TFTP
Set TFTP Server IP............................. 131.211.80.9
TFTP Path......................................
TFTP Filename.................................. netgear-ics-04-dsa.key
Data Type...................................... SSH DSA key

Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

TFTP SSH key receive complete... updating key file...


Key file transfer operation completed succesfully

(ics-04) #copy tftp://131.211.80.9/netgear/netgear-ics-04-rsa1.key nvram:sshkey-rsa1

Mode........................................... TFTP
Set TFTP Server IP............................. 131.211.80.9
TFTP Path......................................
TFTP Filename.................................. netgear-ics-04-rsa1.key
Data Type...................................... SSH RSA1 key

Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

TFTP SSH key receive complete... updating key file...


Key file transfer operation completed succesfully

(ics-04) #copy tftp://131.211.80.9/netgear/netgear-ics-04-rsa.key nvram:sshkey-rsa2

Mode........................................... TFTP
Set TFTP Server IP............................. 131.211.80.9
TFTP Path......................................
TFTP Filename.................................. netgear-ics-04-rsa.key
Data Type...................................... SSH RSA2 key

Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

TFTP SSH key receive complete... updating key file...


Key file transfer operation completed succesfully
Now, enable ssh:
(ics-04) #ip ssh

Optional: only allow SSH protocol version 2
(ics-04) #ip ssh protocol 2

Optional: set the ssh login session timeout
(ics-04) #sshcon timeout 120

Review the config:
(ics-04) #show ip ssh

SSH Configuration

Administrative Mode: .......................... Enabled
Protocol Levels: .............................. Version 2
SSH Sessions Currently Active: ................ 0
Max SSH Sessions Allowed: ..................... 5
SSH Timeout: .................................. 120

Test the new ssh config:
$ ssh admin@ics-04
Warning: Permanently added 'ics-04,xxx.xxx.xxxx' (RSA) to the list of known hosts.
admin@ics-04's password:

(ics-04) >
Finally, disable telnet once ssh connectivity has been tested:
(ics-04) #configure

(ics-04) (Config)#lineconfig

(ics-04) (Line)#session-limit 0

(ics-04) (Line)#no transport input telnet

(ics-04) (Line)#exit

(ics-04) (Config)#exit

Save your hard work:
(ics-04) #copy system:running-config nvram:startup-config

This operation may take a few minutes.
Management interfaces will not be available during this time.

Are you sure you want to save? (y/n) y

Configuration Saved!

And now the switch uses secure logins via ssh. Yes, logins start slowly, especially on the GSM7224: it does not have a lot of CPU capacity available, which is also why you generate the keys on a different machine.
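As an added example (not from the original post and not Netgear's code), the following Python computes host-key fingerprints the way ssh-keygen -l does and builds a known_hosts line from the .pub file generated above, so the first `ssh admin@ics-04` verifies the switch's key instead of accepting it blindly as the "Permanently added" warning shows. The sample key, the 192.0.2.10 switch address and the function names are constructed for the example.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 when the top bit is set)."""
    if n == 0:
        return _ssh_string(b"")
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_openssh_pubkey(key_type: str, *mpints: int, comment: str = "") -> str:
    """Assemble one 'type base64-blob comment' line as ssh-keygen writes to a .pub file."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_mpint(m) for m in mpints)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line

def parse_openssh_pubkey(line: str) -> tuple[str, bytes, str]:
    """Return (key_type, raw blob, comment); reject a line whose blob disagrees with its type token."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    comment = parts[2].strip() if len(parts) == 3 else ""
    name_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type inside blob does not match the leading token")
    return key_type, blob, comment

def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 hex, the form the ssh-keygen runs above print."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint_sha256(blob: bytes) -> str:
    """Modern 'SHA256:<unpadded base64>' form printed by ssh-keygen -l on current OpenSSH."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def known_hosts_line(hostnames: list[str], pubkey_line: str) -> str:
    """Pre-seed ~/.ssh/known_hosts so the first login checks the key rather than trusting it."""
    key_type, blob, _ = parse_openssh_pubkey(pubkey_line)
    return f"{','.join(hostnames)} {key_type} {base64.b64encode(blob).decode()}"

# Constructed sample: tiny, non-real RSA parameters standing in for netgear-ics-04-rsa.key.pub.
SAMPLE_PUB = build_openssh_pubkey("ssh-rsa", 65537, 0xC0FFEE_DEADBEEF, comment="ics-04")
```

This handles the RSA2 and DSA .pub files; the rsa1 key uses a different on-disk format and is not covered.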
Koos van den Hout, koos@kzdoos.xs4all.nl