Configure SSH Configuration Parameters

Note

DEMO FEATURE - Two-Factor Authentication–X.509v3 Certificates for SSH is a demonstration feature on some products. Demonstration features are provided for testing purposes. Demonstration features are for lab use only and are not for use in a production environment. For more information on feature support, see VOSS Feature Support Matrix.

Configure Secure Shell version 2 (SSHv2) parameters to support public and private key encryption connections. The switch does not support SSHv1.

Before you begin

You must enable SSH globally before you can generate SSH DSA user keys.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the authentication type to use:

    ssh authentication-type {[aead-aes-128-gcm-ssh] [aead-aes-256-gcm-ssh] [hmac-sha1] [hmac-sha2-256]}

  3. Enable DSA authentication:

    ssh dsa-auth

  4. Generate a new DSA host key:

    ssh dsa-host-key [<1024-1024>]

  5. Generate a new SSH DSA user key:

    ssh dsa-user-key WORD<1–15> [size [<1024-1024>]]

  6. Configure the type of encryption to use:

    ssh encryption-type {[3des-cbc][aead-aes-128-gcm-ssh ][aead-aes-256-gcm-ssh] [aes128-cbc][aes128-ctr][aes192-cbc][aes192-ctr][aes256-cbc][aes256-ctr][blowfish-cbc] [rijndael128-cbc][rijndael192-cbc]}

  7. Configure the key-exchange method to use. diffie-hellman-group1-sha1 uses a 1024-bit group; select it only if a legacy client requires it:

    ssh key-exchange-method {[diffie-hellman-group1-sha1][diffie-hellman-group14-sha1]}

  8. Configure the maximum number of SSH sessions:

    ssh max-sessions <0-8>

  9. Enable password authentication:

    ssh pass-auth

  10. Configure the SSH connection port:

    ssh port <22,1024..49151>

  11. Enable RSA authentication:

    ssh rsa-auth

  12. Generate a new RSA host key:

    ssh rsa-host-key [<1024–2048>]

  13. Generate a new RSA user key:

    ssh rsa-user-key WORD<1–15>

  14. Enable X.509 V3 authentication:

    ssh x509v3-auth enable

  15. Configure X.509 V3 revocation:

    ssh x509v3-auth revocation-check-method {none | ocsp}

  16. Configure X.509 V3 username:

    ssh x509v3-auth username {overwrite | strip-domain | use-domain WORD<1-254>}

  17. Enable SSH secure mode:

    ssh secure

  18. Configure the authentication timeout:

    ssh timeout <1-120>

  19. Configure the SSH version:

    ssh version <v2only>

  20. Enable SSH rekey:

    ssh rekey data-limit <1-6>

    ssh rekey time-interval <1-6>

    ssh rekey enable

Example

Enable DSA authentication and configure the maximum number of SSH sessions:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ssh dsa-auth
Switch:1(config)#ssh max-sessions 5
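The following script is an added example, not Extreme Networks code and not part of the original page. It reads a block of ssh configuration lines written in the syntax shown in the procedure above, flags the legacy options this page still offers (the 64-bit block ciphers 3des-cbc and blowfish-cbc, the CBC modes, diffie-hellman-group1-sha1, hmac-sha1, DSA keys that this platform fixes at 1024 bits, and password authentication left enabled alongside secure mode), and emits the no ssh commands that remove them. When every algorithm configured for a sub-command is weak it enables a strong option first so the list never ends up empty. The input configuration is constructed for the example, not captured from a switch; the no ssh pass-auth form is assumed by analogy with the other flags on this page; and the fallbacks (aes256-ctr, diffie-hellman-group14-sha1, hmac-sha2-256) are chosen here from the options the page lists.

```python
"""Audit VOSS-style ``ssh`` configuration lines for legacy algorithm choices.

Added example, not Extreme Networks code. SAMPLE_CONFIG below is
constructed for illustration in the command syntax this page documents;
it is not output captured from a switch.
"""
import re

# Options this page lists that a hardening review would normally remove,
# keyed by the ssh sub-command they belong to.
WEAK = {
    "encryption-type": {
        "3des-cbc": "64-bit block cipher; prefer an AES CTR or GCM option",
        "blowfish-cbc": "64-bit block cipher; prefer an AES CTR or GCM option",
        "aes128-cbc": "CBC mode; prefer aes128-ctr or an AEAD option",
        "aes192-cbc": "CBC mode; prefer aes192-ctr or an AEAD option",
        "aes256-cbc": "CBC mode; prefer aes256-ctr or an AEAD option",
        "rijndael128-cbc": "CBC mode; prefer a CTR or AEAD option",
        "rijndael192-cbc": "CBC mode; prefer a CTR or AEAD option",
    },
    "key-exchange-method": {
        "diffie-hellman-group1-sha1": "1024-bit MODP group; prefer diffie-hellman-group14-sha1",
    },
    "authentication-type": {
        "hmac-sha1": "SHA-1 based MAC; prefer hmac-sha2-256 or an AEAD option",
    },
}

# Enabled first when every configured algorithm in a list is weak, so that
# removing the weak ones never leaves the list empty. Chosen here from the
# options the page lists; adjust to local policy.
STRONG_FALLBACK = {
    "encryption-type": "aes256-ctr",
    "key-exchange-method": "diffie-hellman-group14-sha1",
    "authentication-type": "hmac-sha2-256",
}

ALGO_RE = re.compile(
    r"^\s*ssh\s+(encryption-type|key-exchange-method|authentication-type)\s+(.+?)\s*$"
)
FLAG_RE = re.compile(r"^\s*(no\s+)?ssh\s+(dsa-auth|pass-auth|secure)\s*$")


def parse_ssh_config(text):
    """Return ({sub-command: set of algorithm names}, set of enabled flags).

    A later ``no ssh <flag>`` line clears an earlier ``ssh <flag>`` line,
    mirroring the order in which a running configuration is applied.
    """
    algos = {cmd: set() for cmd in WEAK}
    flags = set()
    for line in text.splitlines():
        m = ALGO_RE.match(line)
        if m:
            algos[m.group(1)].update(m.group(2).split())
            continue
        m = FLAG_RE.match(line)
        if m:
            if m.group(1):
                flags.discard(m.group(2))
            else:
                flags.add(m.group(2))
    return algos, flags


def audit(text):
    """Return (findings, remediation).

    findings: one human-readable string per weak setting found.
    remediation: CLI lines, in order, that remove those settings.
    """
    algos, flags = parse_ssh_config(text)
    findings, remediation = [], []
    for cmd, selected in algos.items():
        weak = selected & set(WEAK[cmd])
        if weak and not (selected - weak):
            remediation.append(f"ssh {cmd} {STRONG_FALLBACK[cmd]}")
        for name in sorted(weak):
            findings.append(f"{cmd} {name}: {WEAK[cmd][name]}")
            remediation.append(f"no ssh {cmd} {name}")
    if "dsa-auth" in flags:
        findings.append("dsa-auth: DSA keys are fixed at 1024 bits on this platform; prefer RSA")
        remediation.append("no ssh dsa-auth")
    if "secure" in flags and "pass-auth" in flags:
        # Secure mode already disabled Telnet, FTP, TFTP and SNMP; leaving
        # password SSH logins on undercuts the point of key-based access.
        findings.append("pass-auth: password logins remain enabled in secure mode; prefer key-only access")
        remediation.append("no ssh pass-auth")  # assumed 'no' form, by analogy with dsa-auth
    return findings, remediation


# Constructed sample in the page's syntax; not captured from a switch.
SAMPLE_CONFIG = """\
ssh encryption-type 3des-cbc aes128-ctr aes256-ctr aead-aes-256-gcm-ssh
ssh key-exchange-method diffie-hellman-group1-sha1 diffie-hellman-group14-sha1
ssh authentication-type hmac-sha1 hmac-sha2-256
ssh dsa-auth
ssh pass-auth
ssh secure
"""

if __name__ == "__main__":
    found, fix = audit(SAMPLE_CONFIG)
    for item in found:
        print("FINDING:", item)
    print("\nRemediation (apply in Global Configuration mode):")
    for line in fix:
        print("  " + line)
```

Run it against the ssh lines from a saved running configuration; the remediation list is meant to be reviewed, then pasted in Global Configuration mode, not applied blindly, because removing an algorithm that a management host still depends on locks that host out.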

Variable Definitions

The following table defines parameters for the ssh command.

Variable

Value

authentication-type {[aead-aes-128-gcm-ssh] [aead-aes-256-gcm-ssh] [hmac-sha1] [hmac-sha2-256]}

Specifies the authentication (MAC) type. Select one or more of the following:

  • aead-aes-128-gcm-ssh

  • aead-aes-256-gcm-ssh

  • hmac-sha1

  • hmac-sha2-256

Use the no operator before this parameter, no ssh authentication-type {[aead-aes-128-gcm-ssh] [aead-aes-256-gcm-ssh] [hmac-sha1] [hmac-sha2-256]}, to disable the selected authentication type. To disable all authentication types, use the command no ssh authentication-type.

dsa-auth

Enables or disables the DSA authentication. The default is enabled. Use the no operator before this parameter, no ssh dsa-auth, to disable DSA authentication.

dsa-host-key <1024–1024>

Generates a new SSH DSA host key.

The DSA host key size is 1024.

Use the no operator before this parameter, no ssh dsa-host-key, to disable SSH DSA host key.

dsa-user-key WORD <1–15>

Generates a new SSH DSA user key. WORD<1–15> specifies the user access level.

You must enable SSH globally before you can generate SSH DSA user keys.

If enhanced secure mode is disabled, the valid user access levels for the switch are:

  • rwa — Specifies read-write-all.

  • rw — Specifies read-write.

  • ro — Specifies read-only.

  • rwl1 — Specifies read-write for Layer 1.

  • rwl2 — Specifies read-write for Layer 2.

  • rwl3 — Specifies read-write for Layer 3.

If you enable enhanced secure mode, the switch uses role-based authentication. You associate each username with a specific role and the appropriate authorization rights to commands based on that role.

If enhanced secure mode is enabled, the valid user access levels for the switch are:

  • admin—Specifies a user role with access to all of the configurations, show commands, and the ability to view the log file and security commands. The administrator role is the highest level of user roles.

  • operator—Specifies a user role with access to all of the configurations for packet forwarding on Layer 2 and Layer 3, and has access to show commands to view the configuration, but cannot view the audit logs and cannot access security and password commands.

  • auditor—Specifies a user role that can view log files and view all configurations, except password configuration.

  • security—Specifies a user role with access only to security settings and the ability to view the configurations.

  • priv—Specifies a user role with access to all of the commands that the administrator has access to, and is referred to as an emergency-admin. However, the user with the privilege role must be authenticated within the switch locally. RADIUS and TACACS+ authentication is not accessible. A user role at the privilege level must login to the switch through the console port only.

Use the no operator before this parameter, no ssh dsa-user-key WORD<1–15>, to disable SSH DSA user key.

encryption-type {[3des-cbc][aead-aes-128-gcm-ssh ][aead-aes-256-gcm-ssh] [aes128-cbc][aes128-ctr][aes192-cbc][aes192-ctr][aes256-cbc][aes256-ctr][blowfish-cbc] [rijndael128-cbc][rijndael192-cbc]}

Configures the encryption type. Select one or more of the following. Treat 3des-cbc, blowfish-cbc (64-bit block ciphers) and the CBC modes as legacy options; where your clients allow it, select only the CTR or AEAD options:

  • 3des-cbc

  • aead-aes-128-gcm-ssh

  • aead-aes-256-gcm-ssh

  • aes128-cbc

  • aes128-ctr

  • aes192-cbc

  • aes192-ctr

  • aes256-cbc

  • aes256-ctr

  • blowfish-cbc

  • rijndael128-cbc

  • rijndael192-cbc

Use the no operator before this parameter, no ssh encryption-type {[3des-cbc][aead-aes-128-gcm-ssh ][aead-aes-256-gcm-ssh] [aes128-cbc][aes128-ctr][aes192-cbc][aes192-ctr][aes256-cbc][aes256-ctr][blowfish-cbc] [rijndael128-cbc][rijndael192-cbc]}, to disable the selected encryption type. To disable all encryption types, use the command no ssh encryption-type.

max-sessions <0-8>

Specifies the maximum number of SSH sessions allowed. A value from 0 to 8. Default is 4.

pass-auth

Enables password authentication. The default is enabled.

port <22,1024–49151>

Configures the Secure Shell (SSH) connection port. <22,1024 to 49151> is the TCP port number. The default is 22.

Important:

You cannot configure TCP port 6000 as the SSH connection port.

rsa-auth

Enables RSA authentication. The default is enabled.

Use the no operator before this parameter, no ssh rsa-auth, to disable RSA authentication.

rsa-host-key [<1024–2048>]

Generates a new SSH RSA host key. Specify an optional key size from 1024 to 2048. The default is 2048.

Use the no operator before this parameter, no ssh rsa-host-key, to disable SSH RSA host key.

rsa-user-key WORD<1–15>

Generates a new SSH RSA user key. WORD<1–15> specifies the user access level.

You must enable SSH globally before you can generate SSH user keys.

If enhanced secure mode is disabled, the valid user access levels for the switch are:

  • rwa — Specifies read-write-all

  • rw — Specifies read-write

  • ro — Specifies read-only

  • rwl1 — Specifies read-write for Layer 1

  • rwl2 — Specifies read-write for Layer 2

  • rwl3 — Specifies read-write for Layer 3

If you enable enhanced secure mode, the switch uses role-based authentication. You associate each username with a specific role and the appropriate authorization rights to commands based on that role.

If enhanced secure mode is enabled, the valid user access levels for the switch are:

  • admin—Specifies a user role with access to all of the configurations, show commands, and the ability to view the log file and security commands. The administrator role is the highest level of user roles.

  • operator—Specifies a user role with access to all of the configurations for packet forwarding on Layer 2 and Layer 3, and has access to show commands to view the configuration, but cannot view the audit logs and cannot access security and password commands.

  • auditor—Specifies a user role that can view log files and view all configurations, except password configuration.

  • security—Specifies a user role with access only to security settings and the ability to view the configurations.

  • priv—Specifies a user role with access to all of the commands that the administrator has access to, and is referred to as an emergency-admin. However, the user with the privilege role must be authenticated within the switch locally. RADIUS and TACACS+ authentication is not accessible. A user role at the privilege level must login to the switch through the console port only.

Use the no operator before this parameter, no ssh rsa-user-key WORD<1–15>, to disable SSH RSA user key.

secure

Enables SSH in secure mode and immediately disables the access services SNMP, FTP, TFTP, remote login (rlogin), and Telnet. The default is disabled.

Note:

Exception: rlogin is only supported on the VSP 8600 Series.

Use the no operator before this parameter, no ssh secure, to disable SSH in secure mode.

timeout <1-120>

Specifies the SSH connection authentication timeout in seconds. Default is 60 seconds.

version <v2only>

Configures the SSH version. The default is v2only.

The switch only supports SSHv2.

x509v3-auth enable

Configures X.509 V3 authentication. The default is enabled.

Use the no operator before the parameter, no ssh x509v3-auth enable, to disable X.509 V3 authentication.


x509v3-auth is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix.

x509v3-auth revocation-check-method {none | ocsp}

Configures the X.509 V3 authentication revocation check method. The default is ocsp.

  • none - Specifies no revocation check method. With this setting a revoked client certificate continues to authenticate until it expires.

  • ocsp - Specifies Online Certificate Status Protocol (OCSP) as the revocation check method.

x509v3-auth is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix.

x509v3-auth username {overwrite | strip-domain | use-domain WORD<1-254>}

Configures how the switch derives the username it sends to the RADIUS server from the client certificate. The default is disabled.

  • overwrite - Specifies that the switch sends the principal name and domain name from the certificate to the RADIUS server for authorization.

  • strip-domain - Specifies that the switch sends the principal name from the certificate, without the domain name, to the RADIUS server for authorization.

  • use-domain WORD<1-254> - Specifies that the switch sends the principal name from the certificate, with the domain name you entered, to the RADIUS server for authorization.

Use the no operator before the parameter, no ssh x509v3-auth username, to disable X.509 V3 username.

x509v3-auth is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix.