ssh (configuration)

Modify Secure Shell (SSH) configuration parameters to support public and private key encryption connections.

Syntax

Command Parameters

authentication-type [aead-aes-128-gcm-ssh] [aead-aes-256-gcm-ssh] [hmac-sha1] [hmac-sha2-256]
Specifies the authentication type.
data-limit <1-6>
Specifies the rekey data limit in Gigabytes (GB).
dsa-auth
Enables or disables the DSA authentication.
dsa-host-key <1024-1024>
Generates an SSH DSA host key. The range of the host key size is 512 to 1024. The default is 1024. The range depends on your hardware.
dsa-user-key WORD<1-15> [<1024-1024>]
Creates the DSA user key file. WORD<1-15> specifies the user access level. If you configured enhanced secure mode, the access levels are role based: admin|operator|auditor|security|priv.
If you do not enable enhanced secure mode, the valid user access levels are:
  • rwa for read-write-all
  • rw for read-write
  • ro for read-only
  • rwl3 for read-write for Layer 3
  • rwl2 for read-write for Layer 2
  • rwl1 for Layer 1

The default size is 1024 bits. The range depends on your hardware.
key-exchange-method [diffie-hellman-group14-sha1][diffie-hellman-group-exchange-sha256]
Specifies the key-exchange type.
max-sessions <0-8>
Specifies the maximum number of SSH sessions allowed. The value ranges from 0 to 8. The default is 4.
pass-auth
Enables password authentication.
port <22, 1024..49151>
Sets the Secure Shell (SSH) connection port. <22,1024..49151> is the TCP port number. The default is 22.
reset
Resets (bounces) the Secure Shell (SSH) connection.
rsa-auth
Enables RSA authentication.
rsa-host-key <1024-2048>
Generates the SSH RSA host key. The range of the SSH host key size is 512 to 2048. The default is 2048.
rsa-user-key [<1024-2048>]
Generates a new SSH RSA user key.
secure

Enables Secure Shell (SSH) in secure mode and immediately disables non-secure access services.

After ssh secure is enabled, you can choose to enable individual non-secure protocols. However, after you save the configuration and restart the system, the non-secure protocol is again disabled, even though it is shown as enabled in the configuration file.

After you enable ssh secure, you cannot enable non-secure protocols by disabling ssh secure.

encryption-type [3des-cbc] [aead-aes-128-gcm-ssh] [aead-aes-256-gcm-ssh] [aes128-cbc] [aes128-ctr] [aes192-cbc] [aes192-ctr] [aes256-cbc] [aes256-ctr] [blowfish-cbc] [rijndael128-cbc] [rijndael192-cbc]
Specifies the encryption-type.
time-interval <1-6>
Specifies the rekey time interval in hours.
timeout <1-120>
Specifies the Secure Shell (SSH) connection authentication timeout in seconds. The default is 60 seconds.
version <v2only>
Sets the Secure Shell (SSH) version. The default is v2only.
x509v3-auth {[enable] [revocation-check-method <none | ocsp>] [username <overwrite | strip-domain | use-domain WORD<1-254>>]}
Specifies the Secure Shell (SSH) X.509 V3 authentication configuration for Two-Factor Authentication.

Default

The default is disabled.

Command Mode

Global Configuration

Usage Guidelines

For a connection with OpenSSH to work, the switch-side encryption type and authentication type must both be configured to the AES-GCM-128/256 methods, and the authentication list needs at least one hmac method.
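
The check below is an added example, not part of the vendor documentation: a Python audit of saved configuration text against the numeric ranges listed in the parameter descriptions and the OpenSSH rule in Usage Guidelines. It assumes each setting appears as one `ssh <parameter> <values>` line with space-separated values and treats a parameter with no line as unset; the function names and the sample text are constructed for illustration.

```python
import re

# Ranges copied from the parameter list on this page.
RANGES = {"data-limit": (1, 6), "time-interval": (1, 6),
          "max-sessions": (0, 8), "timeout": (1, 120)}
AEAD = {"aead-aes-128-gcm-ssh", "aead-aes-256-gcm-ssh"}


def parse_ssh_lines(text):
    """Map each 'ssh <parameter> <values...>' line to its list of values."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*ssh\s+(\S+)\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).split()
    return settings


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg, findings = parse_ssh_lines(text), []
    for name, (lo, hi) in RANGES.items():
        for v in cfg.get(name, []):
            if not v.isdecimal() or not lo <= int(v) <= hi:
                findings.append(f"{name} {v}: outside <{lo}-{hi}>")
    for v in cfg.get("port", []):
        if not v.isdecimal() or not (int(v) == 22 or 1024 <= int(v) <= 49151):
            findings.append(f"port {v}: outside <22, 1024..49151>")
    auth = set(cfg.get("authentication-type", []))
    enc = set(cfg.get("encryption-type", []))
    # Usage Guidelines rule for OpenSSH clients: AES-GCM in both lists,
    # plus at least one hmac method in the authentication list.
    if not enc & AEAD:
        findings.append("encryption-type: no AES-GCM method")
    if not auth & AEAD:
        findings.append("authentication-type: no AES-GCM method")
    if not any(a.startswith("hmac-") for a in auth):
        findings.append("authentication-type: no hmac method")
    return findings


# Constructed sample input, not taken from a real device.
SAMPLE = """\
ssh port 2222
ssh max-sessions 9
ssh encryption-type aead-aes-128-gcm-ssh aes256-ctr
ssh authentication-type aead-aes-128-gcm-ssh
"""
```

Calling `audit(SAMPLE)` reports the out-of-range `max-sessions` value and the missing hmac method; a configuration that satisfies every check returns an empty list.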