ssh (configuration)

Modify Secure Shell (SSH) configuration parameters to support public and private key encryption connections.

Syntax

Command Parameters

authentication-type [aead-aes-128-gcm-ssh] [aead-aes-256-gcm-ssh] [hmac-sha1] [hmac-sha2-256]
Specifies the authentication type.
data-limit <1-6>
Specifies the rekey data limit in Gigabytes (GB).
dsa-auth
Enables or disables the DSA authentication.
dsa-host-key <1024-1024>
Generates an SSH DSA host key. The range of the host key size is 512 to 1024. The default is 1024. The range depends on your hardware.
dsa-user-key WORD<1-15> <1024-1024>]
Creates the DSA user key file. WORD<1-15> specifies the user access level. If you configured enhanced secure mode the access levels are: admin|operator|auditor|security|priv.
In enhanced secure mode access level is role based. If you do not enable enhanced secure mode, the valid user access levels are:.
  • rwa for read-write-all

  • rw for read-write

  • ro for read-only

  • rwl3 for read-write for Layer 3

  • rwl2 for read-write for Layer 2

  • rwl1 for Layer 1

The default size is 1024 bits. The range depends on your hardware.
key-exchange-method [diffie-hellman-group1-sha1][diffie-hellman-group14-sha1]
Specifies the key-exchange type.
max-sessions <0-8>
Specifies the maximum number of SSH sessions allowed. A value from 0 to 8. Default is 4.
pass-auth
Enables password authentication.
port <22, 1024..49151>
Sets the Secure Shell (SSH) connection port. <22,1024..49151> is the TCP port number. The default is 22.
rsa-auth
Enable RSA authentication.
rsa-host-key <1024-2048>
Generates the SSH RSA host key. The range of the SSH host key size is 512 to 2048. The default is 2048.
rsa-user-key [<1024–2048>]
Generates a new SSH RSA user key.
secure

Enables Secure Shell (SSH) in secure mode and immediately disables the access services SNMP, FTP, TFTP, rlogin, and Telnet.

Note

Note

rlogin is only supported on VSP 8600 Series.

After ssh secure is enabled, you can choose to enable individual non-secure protocols. However, after you save the configuration and restart the system, the non-secure protocol is again disabled, even though it is shown as enabled in the configuration file.

After you enable ssh secure, you cannot enable non-secure protocols by disabling ssh secure.

encryption-type [3des-cbc][aead-aes-128-gcm-ssh ][aead-aes-256-gcm-ssh] [aes128-cbc][aes128-ctr][aes192-cbc][aes192-ctr][aes256-cbc][aes256-ctr][blowfish-cbc] [rijndael128-cbc][rijndael192-cbc]
Specifies the encryption-type.
time-interval <1-6>
Specifies the rekey time interval in hours.
timeout <1-120>
The Secure Shell (SSH) connection authentication timeout in seconds. Default is 60 seconds.
version <v2only>
Sets the Secure Shell (SSH) version. The default is v2only.
x509v3-auth {[enable][revocation-check-method <none | ocsp>][username <overwrite | strip-domain | use-domain WORD<1-254>]}
Specifies the Secure Shell (SSH) X.509 V3 authentication configuration.

Default

The default is disabled.

Command Mode

Global Configuration

Usage Guidelines

x509v3-auth is available for demonstration purposes on some products. For more information, see VOSS User Guide.