SSH Version 2

SSH version 2 (SSHv2) protocol is a complete rewrite of the SSHv1 protocol. In SSHv2 the functions are divided among three layers:

The following figure shows the three layers of the SSHv2 protocol.

Separate SSH version 2 protocols

The modular approach of SSHv2 improves on the security, performance, and portability of the SSHv1 protocol.

Important

The SSHv1 and SSHv2 protocols are not compatible. The switch does not support SSHv1.

Security Features

The SSHv2 protocol supports the following security features:

Note

SCP is supported for RWA users only. RW or R access levels do not work, and the switch logs a message on the device.

SSHv2 Considerations using EDM

You must use the CLI to initially configure SSHv2. You can then use Enterprise Device Manager (EDM) to change the SSHv2 configuration parameters. The CLI is the primary user interface for SSHv2 configuration; use the console port to configure the SSHv2 parameters.

Important

Important

Do not enable SSHv2 secure mode using Configuration and Orchestration Manager (COM). If you enable SSHv2 secure mode, then the system disables Simple Network Management Protocol (SNMP). This locks you out of a COM session. Enable SSH secure mode using CLI or EDM.

SSHv2 secure mode is different from enhanced secure mode and hsecure. SSHv2 secure mode disables insecure management protocols on the device, such as FTP, SNMP, Telnet, and TFTP. SSHv2 secure mode is enabled through the ssh secure command.

When you enable SSHv2 secure mode, the system disables FTP, SNMPv1, SNMPv2, SNMPv3, Telnet, and TFTP. After SSHv2 secure mode is enabled, you can choose to enable individual non-secure protocols. However, after you save the configuration and restart the system, those non-secure protocols are disabled again, even though the configuration file shows them as enabled. After you enable SSHv2 secure mode, you cannot re-enable non-secure protocols by disabling SSHv2 secure mode.
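Because the saved configuration can show a non-secure protocol as enabled while the running system has disabled it, the configuration file is not a reliable record of which management services are actually listening after a restart. The following script is an added verification example, not part of this documentation or of the switch software: run from an administrative host, it confirms that SSH still answers and that the TCP-based management protocols SSHv2 secure mode disables (FTP and Telnet) do not. The host name, the `check_secure_mode` function and the `connect` hook are assumptions of this example. SNMP and TFTP run over UDP and cannot be confirmed closed by a TCP connect test; verify them with an actual SNMP or TFTP request.

```python
import socket
import sys
from typing import Callable, Dict, List, Set

# TCP-based management protocols that SSHv2 secure mode disables, with the
# ports they conventionally listen on. SNMP (UDP/161) and TFTP (UDP/69) are
# also disabled but cannot be observed with a TCP connect test.
INSECURE_TCP_SERVICES: Dict[str, int] = {"ftp": 21, "telnet": 23}
SSH_PORT = 22


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_secure_mode(host: str,
                      connect: Callable[[str, int], bool] = tcp_connect) -> dict:
    """Probe the live management plane of `host` and report whether it matches
    the state SSHv2 secure mode is documented to produce: SSH reachable, FTP
    and Telnet closed. `connect` is injectable so the check can be exercised
    without a device (hypothetical hook, an assumption of this example)."""
    open_insecure: List[str] = [
        name for name, port in sorted(INSECURE_TCP_SERVICES.items(), key=lambda kv: kv[1])
        if connect(host, port)
    ]
    ssh_reachable = connect(host, SSH_PORT)
    return {
        "host": host,
        "ssh_reachable": ssh_reachable,
        "open_insecure": open_insecure,
        # Compliant only if SSH is up and no insecure TCP service answered.
        "compliant": ssh_reachable and not open_insecure,
    }


if __name__ == "__main__":
    # Placeholder management address; replace with the switch being verified.
    target = sys.argv[1] if len(sys.argv) > 1 else "switch.example.invalid"
    result = check_secure_mode(target)
    print(f"{result['host']}: ssh_reachable={result['ssh_reachable']} "
          f"open_insecure={result['open_insecure']} compliant={result['compliant']}")
    sys.exit(0 if result["compliant"] else 1)
```

Run the check after the restart that follows saving the configuration, since that is the point at which the running state and the configuration file are documented to diverge; a non-zero exit code flags a device whose management plane does not match the expected secure-mode state.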

You can disable block-snmp after you enable SSHv2 secure mode, and you can connect again using COM.