Change Secure Shell Parameters

You can use Enterprise Device Manager to change the SSHv2 configuration parameters. However, as a best practice, use the CLI to perform the initial configuration of SSHv2. The switch does not support SSHv1.

Before you begin

  • The user access level is read/write/all community strings.

  • You must disable the SSH service before you configure the SSH service parameters. If the SSHv2 service is enabled, the system displays all fields dimmed until the SSH service is disabled.

Procedure

  1. In the navigation pane, expand Configuration > Security > Control Path.
  2. Select SSH.
  3. Select the SSH tab.
  4. In the Enable field, select the type of SSH service you want to enable.
  5. In the Version field, select a version.
  6. In the Port field, type a port number.
  7. In the MaxSession field, type the maximum number of sessions allowed.
  8. In the Timeout field, type the timeout value in seconds.
  9. From the KeyAction field, choose a key action.
  10. In the RsaKeySize field, type the RSA key size in bytes.
  11. In the DSAKeySize field, type the DSA key size in bytes.
  12. Select the RsaAuth check box for RSA authentication.
  13. Select the DsaAuth check box for DSA authentication.
  14. Select the PassAuth check box for password authentication.
  15. In the AuthType section, select the authentication types you want.
  16. In the Encryption Type section, select the encryption types you want.
  17. In the KeyExchangeMethod section, select the key exchange method you want.
  18. Select Apply.

SSH Field Descriptions

Use the data in the following table to configure the fields on the SSH tab.

Name

Description

Enable

Enables, disables, or securely enables SSHv2. The options are:

  • false

  • true

  • secure

Select false to disable SSHv2 services. Select true to enable SSHv2 services. Select secure to enable SSH and disable access services (SNMP, FTP, TFTP, and Telnet). The default is false.

Important:

Do not enable SSHv2 secure mode using EDM. Enabling secure mode disables SNMP, which locks you out of the EDM session. Enable SSHv2 secure mode using CLI.

Version

Configures the SSH version. The options are:

  • v2only

The default is v2only.

Port

Configures the SSHv2 connection port number. The valid port range for SSHv2 is 22 or 1024–49151.

Important:

You cannot configure TCP port 6000 as the SSHv2 connection port.

MaxSession

Configures the maximum number of SSHv2 sessions allowed.

The value can be from 0 to 8. The default is 4.

Timeout

Configures the SSHv2 authentication connection timeout in seconds. The default is 60 seconds.

KeyAction

Configures the SSHv2 key action. The options are:

  • none

  • generateDsa

  • generateRsa

  • deleteDsa

  • deleteRsa

RsaKeySize

Configures SSHv2 RSA key size. The value can be from 1024 to 2048. The default is 2048.

DsaKeySize

Configures the SSHv2 DSA key size. The value can be from 512 to 1024. The default is 1024.

RsaAuth

Enables or disables SSHv2 RSA authentication. The default is enabled.

DsaAuth

Enables or disables SSHv2 DSA authentication. The default is enabled.

PassAuth

Enables or disables SSHv2 RSA password authentication. The default is enabled.

RekeyEnable

Note:

Exception: Not supported on XA1400 Series or VSP 8600 Series

Enables SSH rekey globally. The default is disabled.

Note:

You cannot enable SSH rekey selectively for the SSH client, SSH server, Secure Copy (SCP), or Secure File Transfer Protocol (SFTP); SSH rekey is enabled for all of these functions simultaneously.

RekeyTimeInterval

Note:

Exception: Not supported on XA1400 Series or VSP 8600 Series

Configures the time interval after which a session key exchange (rekey) takes place. The default is 1 hour.

RekeyDataLimit

Note:

Exception: Not supported on XA1400 Series or VSP 8600 Series

Configures the amount of data that can be transmitted in a session before a key exchange (rekey) takes place. The default is 1 GB.
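The two rekey limits above (RekeyTimeInterval, default 1 hour; RekeyDataLimit, default 1 GB) apply globally once RekeyEnable is set. The following added example (not Extreme Networks code) models how those two limits bound a single session; the assumption that a rekey is due as soon as either limit is reached first is this example's own, taken from general SSH practice rather than from the page, and the class and function names are invented for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not Extreme Networks code. Models the interplay of the two
# global rekey limits documented for the EDM SSH tab. Assumption: a rekey is
# due when EITHER the time interval or the data limit is reached.

ONE_HOUR_S = 3600          # page default for RekeyTimeInterval
ONE_GB = 1024 ** 3         # page default for RekeyDataLimit


@dataclass
class RekeyPolicy:
    enabled: bool = False              # page: RekeyEnable defaults to disabled
    time_interval_s: int = ONE_HOUR_S
    data_limit_bytes: int = ONE_GB


@dataclass
class SessionCounters:
    """Per-session bookkeeping: when the keys were last exchanged and how much
    data has flowed since then."""
    started_at: float
    bytes_since_rekey: int = 0
    last_rekey_at: float | None = None

    def __post_init__(self) -> None:
        if self.last_rekey_at is None:
            self.last_rekey_at = self.started_at


def rekey_reason(policy: RekeyPolicy, session: SessionCounters, now: float) -> str | None:
    """Return 'time' or 'data' for the limit that expired first, or None."""
    if not policy.enabled:
        return None
    if now - session.last_rekey_at >= policy.time_interval_s:
        return "time"
    if session.bytes_since_rekey >= policy.data_limit_bytes:
        return "data"
    return None


def record_transfer(policy: RekeyPolicy, session: SessionCounters,
                    nbytes: int, now: float) -> str | None:
    """Account for nbytes of traffic at time `now`; if a limit is hit, reset the
    counters as a rekey would, and return which limit triggered it."""
    session.bytes_since_rekey += nbytes
    reason = rekey_reason(policy, session, now)
    if reason is not None:
        session.bytes_since_rekey = 0
        session.last_rekey_at = now
    return reason


if __name__ == "__main__":
    # Constructed walk-through: 1.1 GB in two bursts trips the data limit,
    # then a quiet hour trips the time limit.
    policy = RekeyPolicy(enabled=True)
    sess = SessionCounters(started_at=0.0)
    print(record_transfer(policy, sess, 600 * 1024 ** 2, now=10.0))   # None
    print(record_transfer(policy, sess, 500 * 1024 ** 2, now=20.0))   # data
    print(record_transfer(policy, sess, 1, now=3700.0))               # time
```

With RekeyEnable left at its default (disabled) the function never reports a rekey, which is the page's point that the setting is global: there is no per-function (client, server, SCP, SFTP) switch to flip.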

SftpEnable

Enables or disables SFTP. You can use this check box to disable SFTP without affecting the SSH status. The default is enabled.

KeyboardInteractiveAuth

Changes the SSH server authentication mode from the default of password authentication to keyboard interactive.

ClientEnable

Enables SSH client functionality on the switch. By default, the SSH client functionality is enabled. To enable the SSH client functionality, SSH must be enabled globally.

X509AuthEnable

Enables SSH X.509 authentication. The default is enabled.

X509AuthRevocationCheckMethod

Specifies the X.509 V3 authentication revocation check method. The default is OCSP.

  • none - Specifies no revocation check method.

  • ocsp - Specifies Online Certificate Status Protocol (OCSP) as the revocation check method.

X509AuthUserNameOverwrite

Enables the switch to send the principal name and domain name from the certificate to the RADIUS server for authorization. The default is disabled.

X509AuthUserNameStripDomain

Enables the switch to send the principal name from the certificate without the domain name to the RADIUS server for authorization. The default is disabled.

X509AuthUserNameUseDomain

Enables the switch to send the principal name from the certificate, together with the domain name you entered, to the RADIUS server for authorization.

X509AuthCertSubjectName

Specifies the digital certificate subject name used as identity certificate.

X509AuthCertCAName

Specifies the digital certificate CA trustpoint name to use.

AuthType

Specifies the authentication (MAC) types. Select one or more of the following:

  • hmacSha1

  • hmacSha2256

  • aeadAes128GcmSsh

  • aeadAes256GcmSsh

By default, all authentication types are selected.

EncryptionType

Configures the encryption types. Select one or more of the following:

  • aes128Cbc

  • aes256Cbc

  • threeDesCbc

  • aeadAes128GcmSsh

  • aeadAes256GcmSsh

  • aes128Ctr

  • rijndael128Cbc

  • aes256Ctr

  • aes192Ctr

  • aes192Cbc

  • rijndael192Cbc

  • blowfishCbc

By default, all encryption types are enabled.

If you configure the switch in enhanced secure mode, threeDesCbc and blowfishCbc are disabled by default.

KeyExchangeMethod

Note:

Exception: diffieHellmanGroupExchangeSha256 is not supported on VSP 8600 Series.

Configures the key-exchange methods. Select one or more of the following:

  • diffieHellmanGroupExchangeSha256

  • diffieHellmanGroup14Sha1
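The field table above fixes a number of ranges (port 22 or 1024–49151 but never 6000, MaxSession 0–8, RsaKeySize 1024–2048, DsaKeySize 512–1024) and option lists (AuthType, EncryptionType, KeyExchangeMethod), and notes that enhanced secure mode disables threeDesCbc and blowfishCbc by default. The following added example (not Extreme Networks code) audits a settings profile against those documented constraints before it is applied, the kind of check a reviewer runs over an intended configuration. The profile dictionary layout, the `EnhancedSecureMode` flag and the "weak algorithm" list are this example's own assumptions; the SHA-1 MAC and SHA-1 key exchange are flagged from general SSH hardening practice, not from the page.

```python
from __future__ import annotations

# Added example, not Extreme Networks code. Checks an SSH settings profile
# against the ranges and option names documented for the EDM SSH tab.
# Dictionary keys mirror the tab's field names; the profile layout, the
# EnhancedSecureMode flag and WEAK_ALGORITHMS are assumptions of this example.

VALID_PORTS = {22} | set(range(1024, 49152))   # page: 22 or 1024-49151
BLOCKED_PORTS = {6000}                         # page: TCP 6000 is not allowed

AUTH_TYPES = {"hmacSha1", "hmacSha2256", "aeadAes128GcmSsh", "aeadAes256GcmSsh"}
ENCRYPTION_TYPES = {
    "aes128Cbc", "aes256Cbc", "threeDesCbc", "aeadAes128GcmSsh",
    "aeadAes256GcmSsh", "aes128Ctr", "rijndael128Cbc", "aes256Ctr",
    "aes192Ctr", "aes192Cbc", "rijndael192Cbc", "blowfishCbc",
}
KEY_EXCHANGE_METHODS = {"diffieHellmanGroupExchangeSha256", "diffieHellmanGroup14Sha1"}

# threeDesCbc and blowfishCbc are the algorithms the page itself disables in
# enhanced secure mode; hmacSha1 and diffieHellmanGroup14Sha1 are flagged from
# general SSH hardening practice (assumption, not stated on the page).
WEAK_ALGORITHMS = {"threeDesCbc", "blowfishCbc", "hmacSha1", "diffieHellmanGroup14Sha1"}
SECURE_MODE_DISABLED = {"threeDesCbc", "blowfishCbc"}

# Constructed profile mirroring the page's documented defaults.
DEFAULT_PROFILE = {
    "Enable": "false", "Version": "v2only", "Port": 22, "MaxSession": 4,
    "Timeout": 60, "RsaKeySize": 2048, "DsaKeySize": 1024,
    "AuthType": set(AUTH_TYPES), "EncryptionType": set(ENCRYPTION_TYPES),
    "KeyExchangeMethod": set(KEY_EXCHANGE_METHODS), "EnhancedSecureMode": False,
}

# Constructed hardened profile: same fields, weak algorithms deselected.
HARDENED_PROFILE = {
    **DEFAULT_PROFILE,
    "Enable": "true",
    "AuthType": AUTH_TYPES - WEAK_ALGORITHMS,
    "EncryptionType": {"aes256Ctr", "aes128Ctr", "aeadAes256GcmSsh", "aeadAes128GcmSsh"},
    "KeyExchangeMethod": {"diffieHellmanGroupExchangeSha256"},
    "EnhancedSecureMode": True,
}


def _check_range(findings: list[str], name: str, value, lo: int, hi: int) -> None:
    if not isinstance(value, int) or not lo <= value <= hi:
        findings.append(f"error: {name}={value!r} outside {lo}-{hi}")


def _check_selection(findings: list[str], name: str, chosen, allowed: set[str]) -> None:
    chosen = set(chosen)
    unknown = chosen - allowed
    if unknown:
        findings.append(f"error: {name} has unknown options {sorted(unknown)}")
    if not chosen:
        findings.append(f"error: {name} has no option selected")
    for algo in sorted(chosen & WEAK_ALGORITHMS):
        findings.append(f"warning: {name} enables weak algorithm {algo}")


def audit_ssh_settings(profile: dict) -> list[str]:
    """Return findings as 'error: ...' / 'warning: ...' strings; [] means clean."""
    findings: list[str] = []
    if profile.get("Version", "v2only") != "v2only":
        findings.append("error: Version must be v2only (the switch does not support SSHv1)")
    port = profile.get("Port")
    if port in BLOCKED_PORTS or port not in VALID_PORTS:
        findings.append(f"error: Port={port!r} must be 22 or 1024-49151 and not 6000")
    _check_range(findings, "MaxSession", profile.get("MaxSession"), 0, 8)
    _check_range(findings, "RsaKeySize", profile.get("RsaKeySize"), 1024, 2048)
    _check_range(findings, "DsaKeySize", profile.get("DsaKeySize"), 512, 1024)
    _check_selection(findings, "AuthType", profile.get("AuthType", ()), AUTH_TYPES)
    _check_selection(findings, "EncryptionType", profile.get("EncryptionType", ()), ENCRYPTION_TYPES)
    _check_selection(findings, "KeyExchangeMethod", profile.get("KeyExchangeMethod", ()), KEY_EXCHANGE_METHODS)
    if profile.get("EnhancedSecureMode"):
        for algo in sorted(set(profile.get("EncryptionType", ())) & SECURE_MODE_DISABLED):
            findings.append(f"warning: {algo} is disabled by default in enhanced secure mode but is selected here")
    return findings


if __name__ == "__main__":
    for label, prof in (("defaults", DEFAULT_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}:", audit_ssh_settings(prof) or "clean")
```

Run against the documented defaults the audit reports no errors but four warnings (hmacSha1, threeDesCbc, blowfishCbc and diffieHellmanGroup14Sha1 are all selected by default); the hardened profile passes clean. Note that the check deliberately does not validate the `Enable=secure` choice: the page's warning about that option concerns where it is set from (CLI, not EDM), which a static profile check cannot see.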