ip ssh version 2
Enables SSH version 2 on the router for secure remote management, replacing the less secure version 1.
When to Use This Command
- Configuring SSHv2 to meet security compliance requirements (e.g., PCI DSS, HIPAA) that mandate strong encryption.
- Replacing Telnet with SSHv2 for all remote access to prevent password sniffing and man-in-the-middle attacks.
- Enabling SSHv2 on a router that will be managed from a jump host that only supports SSHv2.
- Preparing a router for automated configuration management tools (e.g., Ansible, SaltStack) that require SSHv2.
Command Examples
Enable SSH version 2 globally
Router(config)# ip ssh version 2
Router(config)#
The command is entered in global configuration mode. No output confirms success. The router now accepts only SSHv2 connections.
Verify SSH version configuration
Router# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie-Hellman key size: 1024 bits
IOS Keys in SECSH format(ssh-rsa, ssh-dss)
Router-1.example.com
Line 1: 'SSH Enabled - version 2.0' confirms SSHv2 is active. Line 2: Shows authentication timeout (120 seconds) and retries (3). Line 3: Minimum DH key size for key exchange. Line 4: Lists supported public key formats. Line 5: Hostname of the router.
Understanding the Output
The 'show ip ssh' command displays the current SSH server configuration. The first line indicates whether SSH is enabled and which protocol version the server offers (2.0 is desired). The authentication timeout (default 120 seconds) and retries (default 3) control how long, and how many times, a client may attempt to authenticate before the connection is dropped. The minimum Diffie-Hellman key size (1024 bits) is the smallest DH group the router will accept during key exchange. The 'IOS Keys in SECSH format' line shows the public key types available (rsa, dss). The hostname confirms the router's identity. A good configuration shows version 2.0; version 1.99 means the router accepts both SSHv1 and SSHv2 clients, and version 1.5 means SSHv1 only. Either value leaves SSHv1 enabled, which is a security risk.
CCNA Exam Tips
CCNA exam tip: SSHv2 is required for secure management; Telnet and SSHv1 are deprecated. Always configure 'ip ssh version 2'.
CCNA exam tip: Before enabling SSH, you must configure a hostname and domain name (ip domain-name) and generate RSA keys (crypto key generate rsa).
CCNA exam tip: The 'show ip ssh' command is used to verify SSH version and parameters; look for 'version 2.0'.
CCNA exam tip: SSHv2 uses stronger encryption algorithms (e.g., AES, 3DES) and supports Diffie-Hellman key exchange.
Common Mistakes
Mistake 1: Forgetting to generate RSA keys before enabling SSH — SSH will not work. Use 'crypto key generate rsa' with modulus >= 2048.
Mistake 2: Adding extra commands to "remove" SSH version 1 after enabling version 2. No separate command is needed: 'ip ssh version 2' on its own restricts the server to SSHv2 and disables SSHv1.
Mistake 3: Not configuring the VTY lines to accept SSH. Use 'transport input ssh' under 'line vty 0 15' so that only SSH sessions are accepted.
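The exam tip and the three mistakes above describe one procedure, so here it is end to end as an added example (not configuration from the original page). The hostname, domain name, username and password are placeholders, and the 'ip ssh dh min size' command assumes a platform that supports it; everything else uses the commands discussed on this page.

```cisco
! Added example: complete SSHv2-only management setup on a Cisco IOS router.
! Hostname, domain, username and password below are placeholders.
Router> enable
Router# configure terminal
! 1. Hostname and domain name must exist before RSA keys are generated;
!    the default key pair is named <hostname>.<domain>.
Router(config)# hostname Router-1
Router-1(config)# ip domain-name example.com
! 2. Generate the RSA key pair used by the SSH server.
!    A 2048-bit modulus matches the "modulus >= 2048" guidance above.
Router-1(config)# crypto key generate rsa modulus 2048
! 3. Restrict the server to protocol version 2. No further command is
!    needed to disable SSHv1.
Router-1(config)# ip ssh version 2
! 4. Tune the parameters reported by 'show ip ssh': a shorter
!    authentication window and a bounded number of retries.
Router-1(config)# ip ssh time-out 60
Router-1(config)# ip ssh authentication-retries 3
! Raise the minimum accepted Diffie-Hellman group above the 1024-bit default
! (assumes an IOS release that supports this command).
Router-1(config)# ip ssh dh min size 2048
! 5. Local account used for SSH logins (placeholder credentials).
Router-1(config)# username netadmin privilege 15 secret REPLACE_WITH_STRONG_PASSWORD
! 6. Accept only SSH on the VTY lines and authenticate against the local
!    user database; idle sessions are closed after 10 minutes.
Router-1(config)# line vty 0 15
Router-1(config-line)# transport input ssh
Router-1(config-line)# login local
Router-1(config-line)# exec-timeout 10 0
Router-1(config-line)# end
! 7. Verify and save. The first output line should read
!    'SSH Enabled - version 2.0', not 1.99 or 1.5.
Router-1# show ip ssh
Router-1# write memory
```

Step 4 is optional hardening; the page's defaults (120 seconds, 3 retries, 1024-bit DH) are what 'show ip ssh' reports if these lines are omitted. Check step 7 before closing the existing session: if 'show ip ssh' still reports 1.99, SSHv1 clients are still being accepted.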
Related Commands
crypto key generate rsa modulus [bits]
Generates an RSA key pair for SSH, encryption, or digital signatures on a Cisco IOS device, typically used to enable secure management access.
ip domain-name [domain]
Configures the default domain name appended to incomplete hostnames during DNS resolution, enabling the router to resolve unqualified names into fully qualified domain names.
show ip ssh
Displays the status and configuration of SSH server on the Cisco IOS device, used to verify SSH is enabled and check connection details.
transport input ssh
Restricts incoming Telnet or SSH connections on a VTY line to only SSH, blocking unencrypted Telnet access for secure remote management.