ssh (configuration)

Modify Secure Shell (SSH) server configuration parameters: the cipher, message authentication and key-exchange algorithms the switch offers to clients, the host and user keys used for public-key authentication, and session limits.

Syntax

Command Parameters

authentication-type [aead-aes-128-gcm-ssh] [aead-aes-256-gcm-ssh] [hmac-sha1] [hmac-sha2-256]
Specifies the message authentication code (MAC) algorithms the SSH server offers for integrity protection. hmac-sha1 is the legacy choice; hmac-sha2-256 and the AEAD GCM entries, which combine integrity with the cipher, are the current ones.
data-limit <1-6>
Specifies the rekey data limit in Gigabytes (GB).
dsa-auth
Enables or disables DSA authentication.
dsa-host-key <1024-1024>
Generates the SSH DSA host key. The documented host key size range is 512 to 1024 bits; the default is 1024. The range depends on your hardware.
dsa-user-key WORD<1-15> [<1024-1024>]
Creates the DSA user key file. WORD<1-15> specifies the user access level. If you configured enhanced secure mode, the access levels are: admin|operator|auditor|security|priv.
In enhanced secure mode the access level is role based. If you do not enable enhanced secure mode, the valid user access levels are:
  • rwa for read-write-all

  • rw for read-write

  • ro for read-only

  • rwl3 for read-write for Layer 3

  • rwl2 for read-write for Layer 2

  • rwl1 for read-write for Layer 1

The default size is 1024 bits. The range depends on your hardware.
key-exchange-method [diffie-hellman-group14-sha1] [diffie-hellman-group-exchange-sha256]
Specifies the key-exchange methods the SSH server offers. diffie-hellman-group14-sha1 uses a fixed 2048-bit group with SHA-1; diffie-hellman-group-exchange-sha256 negotiates the group size with the client and uses SHA-256 (see Usage Guidelines for platform support).
max-sessions <0-8>
Specifies the maximum number of concurrent SSH sessions, from 0 to 8. The default is 4.
pass-auth
Enables password authentication.
port <22, 1024..49151>
Sets the TCP port on which the Secure Shell (SSH) server listens: 22 or a value from 1024 to 49151. The default is 22.
reset
Reset (bounce) the Secure Shell (SSH) connection.
rsa-auth
Enables RSA authentication.
rsa-host-key <1024-2048>
Generates the SSH RSA host key. The documented host key size range is 512 to 2048 bits; the default is 2048.
rsa-user-key [<1024-2048>]
Generates a new SSH RSA user key.
secure
Enables Secure Shell (SSH) in secure mode and immediately disables the access services SNMP, FTP, TFTP, rlogin, and Telnet.

Note

rlogin is only supported on VSP 8600 Series.

After ssh secure is enabled, you can choose to enable individual non-secure protocols. However, after you save the configuration and restart the system, the non-secure protocol is again disabled, even though it is shown as enabled in the configuration file.

After you enable ssh secure, disabling ssh secure again does not re-enable the non-secure protocols; each one must be enabled explicitly.

encryption-type [3des-cbc] [aead-aes-128-gcm-ssh] [aead-aes-256-gcm-ssh] [aes128-cbc] [aes128-ctr] [aes192-cbc] [aes192-ctr] [aes256-cbc] [aes256-ctr] [blowfish-cbc] [rijndael128-cbc] [rijndael192-cbc]
Specifies the ciphers the SSH server offers. The CBC-mode entries (3des-cbc, blowfish-cbc, the aes*-cbc entries and their rijndael aliases) are legacy options; the aes*-ctr and aead-aes-*-gcm-ssh entries are the current choices.
time-interval <1-6>
Specifies the rekey time interval in hours.
timeout <1-120>
Sets the Secure Shell (SSH) connection authentication timeout in seconds, from 1 to 120. The default is 60 seconds.
version <v2only>
Sets the Secure Shell (SSH) version. The default is v2only.
x509v3-auth {[enable][revocation-check-method <none | ocsp>][username <overwrite | strip-domain | use-domain WORD<1-254>]}
Specifies the Secure Shell (SSH) X.509 v3 certificate authentication configuration used for two-factor authentication, including whether certificate revocation is checked via OCSP and how the SSH username is derived from the certificate.
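The parameter list above names the weak and strong values side by side without saying which is which in a running configuration. The following audit script is an added example, not code from the page or from the vendor: it parses the ssh settings out of a saved configuration, flags the legacy ciphers, SHA-1 MAC, SHA-1 key exchange, DSA and password authentication, and emits the replacement commands. The parameter names and values are taken from the reference above; the line layout of the sample (ssh <parameter> <values...>) and the use of the "no ssh ..." form to disable a flag are assumptions, and the sample configuration is constructed, not captured from a device.

```python
"""Audit the SSH server settings in a saved VOSS configuration (added example).

Parameter names and legal values come from the ``ssh`` command reference.
The ``ssh <parameter> <values...>`` line layout is an assumption about how the
running configuration renders them, and SAMPLE_CONFIG is constructed.
"""
import re

# Algorithm lists from the command reference, split into the values a
# hardening pass removes and the values it keeps.
WEAK_CIPHERS = {
    "3des-cbc", "blowfish-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "rijndael128-cbc", "rijndael192-cbc",
}
STRONG_CIPHERS = [
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aead-aes-128-gcm-ssh", "aead-aes-256-gcm-ssh",
]
WEAK_MACS = {"hmac-sha1"}
STRONG_MACS = ["hmac-sha2-256", "aead-aes-128-gcm-ssh", "aead-aes-256-gcm-ssh"]
WEAK_KEX = {"diffie-hellman-group14-sha1"}
STRONG_KEX = ["diffie-hellman-group-exchange-sha256"]

# Constructed sample; every value is one the reference lists as legal.
SAMPLE_CONFIG = """\
# constructed sample, not captured from a device
ssh encryption-type 3des-cbc aes128-cbc aes256-ctr
ssh authentication-type hmac-sha1 hmac-sha2-256
ssh key-exchange-method diffie-hellman-group14-sha1
ssh dsa-auth
ssh rsa-auth
ssh pass-auth
ssh max-sessions 8
ssh port 22
ssh timeout 60
"""


def parse_ssh_config(text):
    """Return {parameter: [values]} for every ``ssh ...`` line in ``text``.

    Flag parameters such as ``ssh pass-auth`` map to an empty value list.
    """
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*ssh\s+(\S+)(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).split()
    return settings


def audit(settings):
    """Return a list of (parameter, finding) pairs for weak settings."""
    findings = []
    for cipher in settings.get("encryption-type", []):
        if cipher in WEAK_CIPHERS:
            findings.append(("encryption-type", f"CBC-mode or legacy cipher enabled: {cipher}"))
    for mac in settings.get("authentication-type", []):
        if mac in WEAK_MACS:
            findings.append(("authentication-type", f"SHA-1 MAC enabled: {mac}"))
    for kex in settings.get("key-exchange-method", []):
        if kex in WEAK_KEX:
            findings.append(("key-exchange-method", f"SHA-1 key exchange enabled: {kex}"))
    if "dsa-auth" in settings:
        findings.append(("dsa-auth", "DSA enabled; DSA host and user keys are limited to 1024 bits"))
    if "pass-auth" in settings:
        findings.append(("pass-auth", "password authentication enabled alongside public-key authentication"))
    return findings


def hardened_commands(settings, vsp8600=False):
    """Return the ``ssh`` commands that replace each weak setting found.

    ``vsp8600`` leaves the key exchange alone because the reference states
    that diffie-hellman-group-exchange-sha256 is not supported on VSP 8600.
    The ``no ssh ...`` negation form is assumed; the reference does not show it.
    """
    cmds = []
    if any(c in WEAK_CIPHERS for c in settings.get("encryption-type", [])):
        cmds.append("ssh encryption-type " + " ".join(STRONG_CIPHERS))
    if any(m in WEAK_MACS for m in settings.get("authentication-type", [])):
        cmds.append("ssh authentication-type " + " ".join(STRONG_MACS))
    if any(k in WEAK_KEX for k in settings.get("key-exchange-method", [])) and not vsp8600:
        cmds.append("ssh key-exchange-method " + " ".join(STRONG_KEX))
    if "dsa-auth" in settings:
        cmds.append("no ssh dsa-auth")
    if "pass-auth" in settings:
        # Only after confirming an RSA user key logs in; otherwise this locks you out.
        cmds.append("no ssh pass-auth")
    return cmds


if __name__ == "__main__":
    parsed = parse_ssh_config(SAMPLE_CONFIG)
    for param, finding in audit(parsed):
        print(f"{param}: {finding}")
    print("\n".join(hardened_commands(parsed)))
```

Run it against the output of the device's running-configuration display saved to a file instead of SAMPLE_CONFIG; keep an out-of-band console session open while applying the generated commands, since removing the cipher or MAC your current client negotiated drops the session.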

Default

The default is disabled.

Command Mode

Global Configuration

Usage Guidelines

x509v3-auth is available for demonstration purposes on some products. For more information, see VOSS User Guide.

The key exchange method diffie-hellman-group-exchange-sha256 is not supported on VSP 8600 Series.