ssh (configuration)

Modify Secure Shell (SSH) configuration parameters to support public and private key encryption connections.

Syntax

default ssh [dsa-auth] [max-sessions] [pass-auth] [port] [rekey data-limit] [rekey enable] [rekey time-interval] [rsa-auth] [secure] [timeout] [version] [x509v3-auth enable] [x509v3-auth revocation-check-method] [x509v3-auth username overwrite] [x509v3-auth username strip-domain] [x509v3-auth username use-domain]
no ssh [authentication-type] [authentication-type aead-aes-128-gcm-ssh] [authentication-type aead-aes-256-gcm-ssh] [authentication-type hmac-sha1] [authentication-type hmac-sha2-256] [dsa-auth] [dsa-host-key] [dsa-user-key WORD<1-15>] [encryption-type] [encryption-type 3des-cbc] [encryption-type aead-aes-128-gcm-ssh] [encryption-type aead-aes-256-gcm-ssh] [encryption-type aes128-cbc] [encryption-type aes128-ctr] [encryption-type aes192-cbc] [encryption-type aes192-ctr] [encryption-type aes256-cbc] [encryption-type aes256-ctr] [encryption-type blowfish-cbc] [encryption-type rijndael128-cbc] [encryption-type rijndael192-cbc] [key-exchange-method] [key-exchange-method diffie-hellman-group14-sha1] [key-exchange-method diffie-hellman-group-exchange-sha256] [pass-auth] [rekey enable] [rsa-auth] [rsa-host-key] [rsa-user-key WORD<1–15>] [secure] [x509v3-auth enable] [x509v3-auth username overwrite] [x509v3-auth username strip-domain] [x509v3-auth username use-domain]
ssh [authentication-type aead-aes-128-gcm-ssh] [authentication-type aead-aes-256-gcm-ssh] [authentication-type hmac-sha1] [authentication-type hmac-sha2-256] [dsa-auth] [dsa-host-key] [dsa-host-key <1024-1024>] [dsa-user-key WORD<1-15>] [dsa-user-key WORD<1-15> size <1024-1024>] [encryption-type 3des-cbc] [encryption-type aead-aes-128-gcm-ssh] [encryption-type aead-aes-256-gcm-ssh] [encryption-type aes128-cbc] [encryption-type aes128-ctr] [encryption-type aes192-cbc] [encryption-type aes192-ctr] [encryption-type aes256-cbc] [encryption-type aes256-ctr] [encryption-type blowfish-cbc] [encryption-type rijndael128-cbc] [encryption-type rijndael192-cbc] [key-exchange-method diffie-hellman-group14-sha1] [key-exchange-method diffie-hellman-group-exchange-sha256] [max-sessions <0-8>] [pass-auth] [port <22, 1024..49151>] [reset] [rekey data-limit <1-6>] [rekey enable] [rekey time-interval <1-6>] [rsa-auth] [rsa-host-key] [rsa-host-key <1024-2048>] [rsa-user-key WORD<1–15>] [secure] [timeout <1-120>] [version v2only] [x509v3-auth enable] [x509v3-auth revocation-check-method none] [x509v3-auth revocation-check-method ocsp] [x509v3-auth username overwrite] [x509v3-auth username strip-domain] [x509v3-auth username use-domain WORD<1-254>]

Command Parameters

authentication-type [aead-aes-128-gcm-ssh] [aead-aes-256-gcm-ssh] [hmac-sha1] [hmac-sha2-256]

Specifies the authentication type.

data-limit <1-6>

Specifies the rekey data limit in Gigabytes (GB).

dsa-auth

Enables or disables the DSA authentication.

dsa-host-key <1024-1024>

Generates an SSH DSA host key. The range of the host key size is 512 to 1024. The default is 1024. The range depends on your hardware.

dsa-user-key WORD<1-15> <1024-1024>]

Creates the DSA user key file. WORD<1-15> specifies the user access level. If you configured enhanced secure mode the access levels are: admin|operator|auditor|security|priv.

In enhanced secure mode access level is role based. If you do not enable enhanced secure mode, the valid user access levels are:.

rwa for read-write-all
rw for read-write
ro for read-only
rwl3 for read-write for Layer 3
rwl2 for read-write for Layer 2
rwl1 for Layer 1

The default size is 1024 bits. The range depends on your hardware.

key-exchange-method [diffie-hellman-group14-sha1][diffie-hellman-group-exchange-sha256]

Specifies the key-exchange type.

max-sessions <0-8>

Specifies the maximum number of SSH sessions allowed. A value from 0 to 8. Default is 4.

pass-auth

Enables password authentication.

port <22, 1024..49151>

Sets the Secure Shell (SSH) connection port. <22,1024..49151> is the TCP port number. The default is 22.

reset

Reset (bounce) the Secure Shell (SSH) connection.

rsa-auth

Enable RSA authentication.

rsa-host-key <1024-2048>

Generates the SSH RSA host key. The range of the SSH host key size is 512 to 2048. The default is 2048.

rsa-user-key [<1024–2048>]

Generates a new SSH RSA user key.

secure

Enables Secure Shell (SSH) in secure mode and immediately disables non-secure access services.

After ssh secure is enabled, you can choose to enable individual non-secure protocols. However, after you save the configuration and restart the system, the non-secure protocol is again disabled, even though it is shown as enabled in the configuration file.

After you enable ssh secure, you cannot enable non-secure protocols by disabling ssh secure.

encryption-type [3des-cbc][aead-aes-128-gcm-ssh ][aead-aes-256-gcm-ssh] [aes128-cbc][aes128-ctr][aes192-cbc][aes192-ctr][aes256-cbc][aes256-ctr][blowfish-cbc] [rijndael128-cbc][rijndael192-cbc]

Specifies the encryption-type.

time-interval <1-6>

Specifies the rekey time interval in hours.

timeout <1-120>

The Secure Shell (SSH) connection authentication timeout in seconds. Default is 60 seconds.

version <v2only>

Sets the Secure Shell (SSH) version. The default is v2only.

x509v3-auth {[enable][revocation-check-method <none | ocsp>][username <overwrite | strip-domain | use-domain WORD<1-254>]}

Specifies the Secure Shell (SSH) X.509 V3 authentication configuration for Two-Factor Authentication.

Default

The default is disabled.

Command Mode

Global Configuration