Packet Tracer – Configure Secure Passwords and SSH
Securing network devices is one of the most fundamental responsibilities of any network administrator. Cisco Packet Tracer provides a powerful, risk-free environment where you can practice configuring secure passwords and enabling SSH (Secure Shell) on routers and switches. This article walks you through every step of hardening your devices using strong passwords and encrypted remote access, ensuring that your network remains protected from unauthorized entry.
Why Network Security Starts with Device Access
Every router or switch in a production environment is a potential target. If an attacker gains access to your device's CLI (Command Line Interface), they can view configurations, disrupt services, or pivot deeper into the network. Two lines of defense are critical:
- Strong, encrypted passwords on all access lines (console, auxiliary, VTY).
- SSH for remote management, replacing the insecure Telnet protocol, which transmits data — including passwords — in plain text.
By combining both measures, you create layered security that significantly reduces the attack surface of your infrastructure Which is the point..
Understanding the Key Components
Before diving into the configuration, it helps to understand the terms you will encounter:
- Console line (line console 0): The physical port used for direct, local access to the device.
- VTY lines (line vty 0 15): Virtual terminal lines that allow remote access via Telnet or SSH.
- Enable secret password: Encrypts the password stored for privileged EXEC mode (level 15). Unlike the older
enable password, which is stored in plain text,enable secretuses MD5 hashing. - Service password-encryption: A global command that encrypts all plain-text passwords in the running configuration using Type 7 encryption.
- SSH: A cryptographic network protocol that provides encrypted communication for remote login and other network services.
- RSA keys: Used by SSH to establish a secure, authenticated connection between the client and the device.
Step 1 – Configuring Secure Passwords
Open Cisco Packet Tracer and place a Router (such as the 1941 model) on the workspace. Open the CLI tab and follow these commands in order.
1.1 Console Password
The console password protects anyone who physically connects to the device.
Router> enable
Router# configure terminal
Router(config)# line console 0
Router(config-line)# password ConsolePass123
Router(config-line)# login
Router(config-line)# exit
The login command tells the router to prompt for the password when someone accesses the console port That's the part that actually makes a difference. Took long enough..
1.2 Privileged EXEC Mode Password
This password separates regular user mode from the powerful privileged mode.
Router(config)# enable secret MyEnableSec567
Always use enable secret rather than enable password. The secret version applies MD5 hashing, making it far more resistant to casual inspection That's the part that actually makes a difference. Which is the point..
1.3 VTY Password (for Remote Access)
VTY lines handle remote connections. Even before enabling SSH, you should assign a password to these lines.
Router(config)# line vty 0 4
Router(config-line)# password VtyPass8910
Router(config-line)# login
Router(config-line)# exit
In a production environment, you would restrict VTY access to SSH only (covered in the next section) Simple, but easy to overlook..
1.4 Enable Password Encryption
To check that no plain-text passwords are visible in the configuration file:
Router(config)# service password-encryption
After running this command, every password in the show running-config output will appear as an encrypted string. Which means note that Type 7 encryption used by this command is not highly secure — it can be decoded with freely available tools. That is why enable secret (MD5) and SSH are essential That alone is useful..
1.5 Banner Message
Adding a login banner is a legal and deterrent measure:
Router(config)# banner motd # Authorized Access Only! Unauthorized access is strictly prohibited. #
The # character serves as the delimiter. The Message of the Day (MOTD) banner will appear before the login prompt on every access method.
Step 2 – Configuring SSH for Secure Remote Access
Telnet sends everything in plain text. Day to day, sSH encrypts the entire session, including authentication credentials. Here is how to set it up in Packet Tracer.
2.1 Set the Hostname and Domain Name
SSH requires a unique hostname and domain name to generate the necessary cryptographic keys.
Router(config)# hostname R1
R1(config)# ip domain-name mynetwork.local
The combination of the hostname and domain name is used to generate the RSA key pair for encryption No workaround needed..
2.2 Generate RSA Keys
The RSA keys are the foundation of SSH encryption.
R1(config)# crypto key generate rsa
Packet Tracer will prompt you:
- The name for the keys will be: R1.mynetwork.local
- Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys.
Enter 1024 (the minimum recommended for SSH version 2 in most lab environments). A larger key size, such as 2048, offers stronger security but requires more processing power.
You should see a confirmation message:
% You already have RSA keys keys defined named R1.mynetwork.local.
% Do you really want to replace them? [yes/no]: yes
2.3 Set the SSH Version
Force the device to use SSH version 2, which is more secure than version 1:
R1(config)# ip ssh version 2
2.4 Create a Local User Account
SSH can be configured to use local username/password authentication:
R1(config)# username admin secret S3cur3P@ss!
The secret keyword ensures the password is stored using a stronger encryption method rather than plain text in the configuration Simple as that..
2.5 Configure VTY Lines for SSH Only
Now, restrict the VTY lines to accept only SSH connections and use local database authentication:
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# exit
transport input sshdisables Telnet and permits only SSH.login localtells the router to authenticate against the local username database created in the previous step.
2.6 Configure the Console and Auxiliary Lines
Do not forget to secure the remaining access methods:
R1(config
The configuration ensures a reliable framework for secure interactions. Regular audits and updates further mitigate risks. Such diligence safeguards against vulnerabilities.
Pulling it all together, meticulous setup underpins effective security practices, balancing accessibility with protection. Prioritizing such measures fosters trust and stability.
### 2.6 Configure the Console and Auxiliary Lines
Complete the console and auxiliary configurations to enforce consistent security:
R1(config)# line console 0
R1(config-line)# password ConS0l3P@ss!
R1(config-line)# login local
R1(config-line)# exit
R1(config)# line aux 0
R1(config-line)# password AuxP@ssw0rd!
R1(config-line)# login local
R1(config-line)# exit
These steps ensure physical access points also require authentication via the local user database.
### 2.7 Verify SSH Configuration
Confirm SSH functionality using extended commands:
R1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 seconds; Authentication retries: 3
R1# show crypto key mypubkey rsa
Key name: R1.mynetwork.local
Key size: 1024
Verify listening ports with `show ip interface brief`—SSH operates on TCP port 22.
### 2.8 Test Connectivity
From a remote device, attempt SSH access:
```bash
ssh admin@
Password: S3cur3P@ss!
Successful login confirms encrypted communication. Attempting Telnet should fail due to the transport input ssh restriction The details matter here..
Conclusion
Implementing SSH transforms network access from vulnerable plaintext interactions to encrypted, authenticated sessions. By mandating SSHv2, solid RSA keys, and local user authentication, administrators establish a defense-in-depth strategy. This layered approach—combining cryptographic controls, strict transport protocols, and credential hardening—mitigates eavesdropping, session hijacking, and brute-force attacks. Regularly updating keys and auditing configurations ensures long-term resilience. At the end of the day, prioritizing SSH isn't just compliance; it's fundamental to maintaining trust, integrity, and operational continuity in modern network infrastructures Small thing, real impact. Which is the point..
