Change Secure Shell Parameters
You can use Enterprise Device Manager to change the SSHv2 configuration parameters. However, as a best practice, use the CLI to perform the initial configuration of SSHv2. The switch does not support SSHv1.
Before you begin
The user access level is read/write/all community strings.
-
You must disable the SSH service before you configure the SSH service parameters. If the SSHv2 service is enabled, the system displays all fields dimmed until the SSH service is disabled.
Procedure
- In the navigation pane, expand .
- Select SSH.
- Select the SSH tab.
- In the Enable field, select the type of SSH service you want to enable.
- In the Version field, select a version.
- In the Port field, type a port number.
- In the MaxSession field, type the maximum number of sessions allowed.
- In the Timeout field, type the timeout value in seconds.
- From the KeyAction field, choose a key action.
- In the RsaKeySize field, type the RSA key size in bytes.
- In the DSAKeySize field, type the DSA key size in bytes.
- Select the RsaAuth check box for RSA authentication.
- Select the DsaAuth check box for DSA authentication.
- Select the PassAuth check box for password authentication.
- In the AuthType section, select the authentication types you want.
- In the Encryption Type section, select the encryption types you want.
- In the KeyExchangeMethod section, select the key exchange method you want.
- Select Apply.
SSH Field Descriptions
Use the data in the following table to use the SSH tab.
Name |
Description |
---|---|
Enable |
Enables, disables, or securely enables SSHv2. The options are:
Select false to disable SSHv2 services. Select true to enable SSHv2 services. Select secure to enable SSH and disable access services (SNMP, FTP, TFTP, and Telnet). The default is false. Important:
Do not enable SSHv2 secure mode using EDM. Enabling secure mode disables SNMP, which locks you out of the EDM session. Enable SSHv2 secure mode using CLI. |
Version |
Configures the SSH version. The options are:
The default is v2only. |
Port |
Configures the SSHv2 connection port number. <22 or 1024–49151> is the port range of SSHv2. Important:
You cannot configure the TCP port 6000 as SSHv2 connection port. |
MaxSession |
Configures the maximum number of SSHv2 sessions allowed. The value can be from 0 to 8. The default is 4. |
Timeout |
Configures the SSHv2 authentication connection timeout in seconds. The default is 60 seconds. |
KeyAction |
Configures the SSHv2 key action. The options are:
|
RsaKeySize |
Configures SSHv2 RSA key size. The value can be from 1024 to 2048. The default is 2048. |
DsaKeySize |
Configures the SSHv2 DSA key size. The value can be from 512 to 1024. The default is 1024. |
RsaAuth |
Enables or disables SSHv2 RSA authentication. The default is enabled. |
DsaAuth |
Enables or disables SSHv2 DSA authentication. The default is enabled. |
PassAuth |
Enables or disables SSHv2 RSA password authentication. The default is enabled. |
RekeyEnable Note:
Exception: Not supported on XA1400 Series or VSP 8600 Series |
Enables SSH rekey globally. The default is disabled. Note:
You cannot enable SSH rekey selectively for the SSH client, SSH server, Secure Copy (SCP), or Secure File Transfer Protocol (SFTP); SSH rekey is enabled for all of these functions simultaneously. |
RekeyTimeInterval Note:
Exception: Not supported on XA1400 Series or VSP 8600 Series |
Configures a time interval, after which the key exchange takes place. The default is 1 hour. |
RekeyDataLimit Note:
Exception: Not supported on XA1400 Series or VSP 8600 Series |
Configures the limit for data transmission during the session. The default is 1 GB. |
SftpEnable |
Enables or disables SFTP. You can use this check box to disable SFTP without affecting the SSH status. The default is enabled. |
KeyboardInteractiveAuth |
Changes the SSH server authentication mode from the default of password authentication to keyboard interactive. |
ClientEnable |
Enables SSH client functionality on the switch. By default, the SSH client functionality is enabled. To enable the SSH client functionality, SSH must be enabled globally. |
X509AuthEnable |
Enables SSH x509 authentication. The default is enabled. |
X509AuthRevocationCheckMethod |
Specifies the X.509 V3 authentication revocation check method. The default is OCSP.
|
X509AuthUserNameOverwrite |
Enables the switch to send the principal name and domain name from the certificate to the RADIUS server for authorization. The default is disabled. |
X509AuthUserNameStripDomain |
Enables the switch to send the principal name from the certificate without the domain name to the RADIUS server for authorization. The default is disabled. |
X509AuthUserNameUseDomain |
Enables the switch to send the principal name from the certificate, with the domain name you entered to the RADIUS server for authorization. |
X509AuthCertSubjectName |
Specifies the digital certificate subject name used as identity certificate. |
X509AuthCertCAName |
Specifies the digital certificate CA trustpoint name to use. |
AuthType |
Specifies the authentication type. Select from one of the following:
By default, all autentication types are selected. |
EncryptionType |
Configures the encryption-type. Select an encryption-type from one of the following:
By default, all encryption types are enabled. If you configure the switch in enhanced secure mode, threeDesCbc and blowfishCbc are disabled by default. |
KeyExchangeMethod Note:
Exception: diffieHellmanGroupExchangeSha256 is not supported on VSP 8600 Series. |
Configures the key-exchange type. Select from one of the following:
|