Enables SSH2 server to accept incoming sessions from SSH2 clients.
|access_profile||Specifies an ACL policy.|
|none||Cancels a previously configured ACL policy.|
|port||Specifies a TCP port number. The default is port 22.|
|vr_name||Specifies a virtual router
Note: User-created VRs are supported only on the platforms listed for this feature in the Switch Engine 32.2 Feature License Requirements document.
|all||Specifies that SSH is enabled on all virtual routers.|
|default||Specifies that SSH is enabled on the default virtual router.|
The SSH2 feature is disabled by default.
SSH2 enables the encryption of session data. You must be logged in as an administrator to enable SSH2.
Use the port option to specify a TCP port number other than the default port of 22. You can only specify ports 22 and 1024 through 65535.
Using ACLs to Control SSH Access
You can specify a list of predefined clients that are allowed SSH2 access to the switch. To do this, you configure an ACL policy to permit or deny a specific list of IP addresses and subnet masks for the SSH port. You must create an ACL policy file before you can use the access-profile option. If the ACL policy file does not exist on the switch, the switch returns an error message indicating that the file does not exist.
Use the none option to cancel a previously configured ACL.
In the ACL policy file for SSH2, the source-address field is the only supported match condition. Any other match conditions are ignored.
Policy files can also be configured using the following command:configure ssh2 access-profile [ access_profile | [[addrule ] [first | [[before | after]previous_rule]]] | delete rule | none ]
Creating an ACL Policy File
To create an ACL policy file, use the edit policy command. For more information about creating and implementing ACL policy files, see Policy Manager and ACLs.
If you attempt to implement a policy that does not exist on the switch, an error message similar to the following appears:
Error: Policy /config/MyAccessProfile_2.pol does not exist on file system
If this occurs, make sure the policy you want to implement exists on the switch. To confirm the policies on the switch, use the ls command. If the policy does not exist, create the ACL policy file.
Viewing SSH Information
To view the status of SSH2 sessions on the switch, use the show management command. This command displays information about the switch including the enable/disable state for SSH2 sessions and whether a valid key is present.
The following command enables the SSH2 feature:
The next example assumes you have already created an ACL to apply to SSH.
The following command applies the ACL MyAccessProfile_2 to SSH:
enable ssh2 access-profile MyAccessProfile_2
This command was first available in the ExtremeXOS 11.0
The access-profile and none options were added in ExtremeXOS 11.2.
This command is available on ExtremeSwitching 5320, 5420, 5520, and 5720 series switches.