Configure SSH Configuration Parameters
Note
DEMO FEATURE - Two-Factor Authentication–X.509v3 Certificates for SSH is a demonstration feature on some products. Demonstration features are provided for testing purposes. Demonstration features are for lab use only and are not for use in a production environment. For more information on feature support, see VOSS Feature Support Matrix.
Configure Secure Shell version 2 (SSHv2) parameters to support public and private key encryption connections. The switch does not support SSHv1.
Before you begin
You must enable SSH globally before you can generate SSH DSA user keys.
Procedure
Example
Enable DSA authentication and configure the maximum number of SSH sessions:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ssh dsa-auth
Switch:1(config)#ssh max-sessions 5
Variable Definitions
The following table defines parameters for the ssh command.
| Variable | Value |
|---|---|
| authentication-type {[aead-aes-128-gcm-ssh] [aead-aes-256-gcm-ssh] [hmac-sha1] [hmac-sha2-256]} | Specifies the authentication type; select one of the types shown in the syntax. Use the no operator before this parameter, no ssh authentication-type {[aead-aes-128-gcm-ssh] [aead-aes-256-gcm-ssh] [hmac-sha1] [hmac-sha2-256]}, to disable that authentication type. To disable all authentication types, use the command no ssh authentication-type. |
| dsa-auth | Enables or disables DSA authentication. The default is enabled. Use the no operator before this parameter, no ssh dsa-auth, to disable DSA authentication. |
| dsa-host-key <1024–1024> | Generates a new SSH DSA host key. The DSA host key size is 1024. Use the no operator before this parameter, no ssh dsa-host-key, to disable the SSH DSA host key. |
| dsa-user-key WORD<1–15> | Generates a new SSH DSA user key. WORD<1–15> specifies the user access level. You must enable SSH globally before you can generate SSH DSA user keys. If enhanced secure mode is disabled, the valid user access levels for the switch are:<br>If you enable enhanced secure mode, the switch uses role-based authentication: you associate each username with a specific role, and the authorization rights to commands follow from that role. If enhanced secure mode is enabled, the valid user access levels for the switch are:<br>Use the no operator before this parameter, no ssh dsa-user-key WORD<1–15>, to disable the SSH DSA user key. |
| encryption-type {[3des-cbc] [aead-aes-128-gcm-ssh] [aead-aes-256-gcm-ssh] [aes128-cbc] [aes128-ctr] [aes192-cbc] [aes192-ctr] [aes256-cbc] [aes256-ctr] [blowfish-cbc] [rijndael128-cbc] [rijndael192-cbc]} | Configures the encryption type; select one of the types shown in the syntax. Use the no operator before this parameter, no ssh encryption-type {[3des-cbc] [aead-aes-128-gcm-ssh] [aead-aes-256-gcm-ssh] [aes128-cbc] [aes128-ctr] [aes192-cbc] [aes192-ctr] [aes256-cbc] [aes256-ctr] [blowfish-cbc] [rijndael128-cbc] [rijndael192-cbc]}, to disable that encryption type. To disable all encryption types, use the command no ssh encryption-type. |
| max-sessions <0–8> | Specifies the maximum number of SSH sessions allowed, from 0 to 8. The default is 4. |
| pass-auth | Enables password authentication. The default is enabled. |
| port <22,1024–49151> | Configures the Secure Shell (SSH) connection port. <22,1024–49151> is the TCP port number. The default is 22. Important: You cannot configure TCP port 6000 as the SSH connection port. |
| rsa-auth | Enables RSA authentication. The default is enabled. Use the no operator before this parameter, no ssh rsa-auth, to disable RSA authentication. |
| rsa-host-key WORD<1–15> | Generates a new SSH RSA host key. Specify an optional key size from 1024 to 2048. The default is 2048. Use the no operator before this parameter, no ssh rsa-host-key, to disable the SSH RSA host key. |
| rsa-user-key [<1024–2048>] | Generates a new SSH RSA user key. WORD<1–15> specifies the user access level. You must enable SSH globally before you can generate SSH DSA user keys. If enhanced secure mode is disabled, the valid user access levels for the switch are:<br>If you enable enhanced secure mode, the switch uses role-based authentication: you associate each username with a specific role, and the authorization rights to commands follow from that role. If enhanced secure mode is enabled, the valid user access levels for the switch are:<br>Use the no operator before this parameter, no ssh rsa-user-key WORD<1–15>, to disable the SSH RSA user key. |
| secure | Enables SSH in secure mode and immediately disables the access services SNMP, FTP, TFTP, remote login (rlogin), and Telnet. The default is disabled. Use the no operator before this parameter, no ssh secure, to disable SSH in secure mode. Note: Exception: rlogin is only supported on VSP 8600 Series. |
| timeout <1–120> | Specifies the SSH connection authentication timeout in seconds. The default is 60 seconds. |
| version <v2only> | Configures the SSH version. The default is v2only. The switch only supports SSHv2. |
| x509v3-auth enable | Configures X.509 V3 authentication. The default is enabled. Use the no operator before the parameter, no ssh x509v3-auth enable, to disable X.509 V3 authentication. x509v3-auth is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix. |
| x509v3-auth [revocation-check-method <none\|ocsp>] | Configures the X.509 V3 authentication revocation check method. The default is OCSP. x509v3-auth is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix. |
| x509v3-auth [username <overwrite\|strip-domain\|use-domain WORD<1–254>>] | Configures the X.509 V3 username handling. The default is disabled. Use the no operator before the parameter, no ssh x509v3-auth username, to disable the X.509 V3 username. x509v3-auth is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix. |
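As an added example that is not part of this documentation or the VOSS product: a small Python checker that reads configuration lines of the `ssh ...` / `no ssh ...` form shown in the example above and validates them against the constraints in the variable table (max-sessions 0 to 8, port 22 or 1024 to 49151 but never 6000, timeout 1 to 120, version v2only, encryption and authentication keywords from the documented sets). It also flags choices a hardening review normally wants turned off: the CBC-mode ciphers, the hmac-sha1 MAC, and `ssh secure` left at its default of disabled, since the table states that secure mode is what shuts off SNMP, FTP, TFTP, rlogin and Telnet. The line format, the sample configuration and the "legacy" algorithm lists are assumptions of this example, not something the page prescribes.

```python
"""Checker for VOSS-style ``ssh`` configuration lines (added example, not product code)."""

from dataclasses import dataclass

# Keyword sets copied from the variable-definitions table.
ENCRYPTION_TYPES = {
    "3des-cbc", "aead-aes-128-gcm-ssh", "aead-aes-256-gcm-ssh",
    "aes128-cbc", "aes128-ctr", "aes192-cbc", "aes192-ctr",
    "aes256-cbc", "aes256-ctr", "blowfish-cbc",
    "rijndael128-cbc", "rijndael192-cbc",
}
AUTHENTICATION_TYPES = {
    "aead-aes-128-gcm-ssh", "aead-aes-256-gcm-ssh", "hmac-sha1", "hmac-sha2-256",
}
# Assumption of this example (not a statement of the page): CBC-mode ciphers and
# the SHA-1 MAC are legacy choices that a hardening review normally asks to disable.
LEGACY_ENCRYPTION = {c for c in ENCRYPTION_TYPES if c.endswith("-cbc")}
LEGACY_AUTHENTICATION = {"hmac-sha1"}


@dataclass(frozen=True)
class Finding:
    line: str
    severity: str  # "error": outside the documented ranges; "warn": weak or risky choice
    message: str


def _int_arg(args):
    """Return the single integer argument, or None if it is missing or not numeric."""
    if len(args) != 1 or not args[0].isdigit():
        return None
    return int(args[0])


def check_ssh_config(config_text):
    """Validate ``ssh``/``no ssh`` lines against the table's constraints and flag weak settings."""
    findings = []
    secure_mode = False  # the table gives "disabled" as the default for ``ssh secure``
    for raw in config_text.splitlines():
        tokens = raw.split()
        negated = tokens[:1] == ["no"]
        if negated:
            tokens = tokens[1:]
        if len(tokens) < 2 or tokens[0] != "ssh":
            continue  # not an ssh command; ignore
        line, keyword, args = raw.strip(), tokens[1], tokens[2:]

        if keyword == "max-sessions":
            n = _int_arg(args)
            if n is None or not 0 <= n <= 8:
                findings.append(Finding(line, "error", "max-sessions must be 0 to 8"))
        elif keyword == "port":
            n = _int_arg(args)
            if n is None or not (n == 22 or 1024 <= n <= 49151):
                findings.append(Finding(line, "error", "port must be 22 or 1024 to 49151"))
            elif n == 6000:
                findings.append(Finding(line, "error", "TCP port 6000 cannot be used for SSH"))
        elif keyword == "timeout":
            n = _int_arg(args)
            if n is None or not 1 <= n <= 120:
                findings.append(Finding(line, "error", "timeout must be 1 to 120 seconds"))
        elif keyword == "version":
            if args != ["v2only"]:
                findings.append(Finding(line, "error", "only version v2only is supported"))
        elif keyword in ("encryption-type", "authentication-type"):
            allowed = ENCRYPTION_TYPES if keyword == "encryption-type" else AUTHENTICATION_TYPES
            legacy = LEGACY_ENCRYPTION if keyword == "encryption-type" else LEGACY_AUTHENTICATION
            for alg in args:
                if alg not in allowed:
                    findings.append(Finding(line, "error", f"unknown {keyword} {alg}"))
                elif alg in legacy and not negated:
                    findings.append(Finding(line, "warn", f"legacy {keyword} {alg} enabled"))
        elif keyword == "secure":
            secure_mode = not negated
    if not secure_mode:
        findings.append(Finding("(global)", "warn",
                                "ssh secure not enabled: SNMP, FTP, TFTP, rlogin and Telnet stay reachable"))
    return findings


# Constructed sample configuration excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
ssh dsa-auth
ssh max-sessions 5
ssh port 6000
ssh timeout 60
ssh version v2only
ssh encryption-type aes256-ctr 3des-cbc
ssh authentication-type hmac-sha2-256 hmac-sha1
"""

if __name__ == "__main__":
    for f in check_ssh_config(SAMPLE_CONFIG):
        print(f"{f.severity:5} {f.line:48} {f.message}")
```

Run against the constructed sample, the checker reports one error (port 6000) and three warnings (3des-cbc, hmac-sha1, and secure mode left disabled). Lines such as `ssh dsa-auth` that carry no range or algorithm choice are passed over, and a `no ssh ...` line disabling a legacy algorithm produces no warning.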