Secure Shell Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)
Configuring Secure Shell
Configuring Secure Shell
Last Updated: July 24, 2012
This chapter describes the Secure Shell (SSH) feature. The SSH feature consists of an application and a protocol.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Configuring SSH
Prior to configuring SSH, perform the following tasks:
To configure a host name and host domain, enter the hostname hostname and ip domain-name domainname commands in global configuration mode:
To generate an RSA key pair, enter the crypto key generate rsa command.
Restrictions for Configuring SSH
Information About Secure Shell
Secure Shell (SSH) is an application and a protocol that provide a secure replacement to the Berkeley r-tools. The protocol secures the sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools. There are currently two versions of SSH available: SSH Version 1 and SSH Version 2. This document describes SSH Version 1. For information about SSH Version 2, see the Secure Shell Version 2 Support document.
How SSH Works
The SSH Server feature enables a SSH client to make a secure, encrypted connection to a Cisco router. This connection provides functionality that is similar to that of an inbound Telnet connection. Before SSH, security was limited to Telnet security. SSH allows a strong encryption to be used with the Cisco IOS XE software authentication. The SSH server in Cisco IOS XE software will work with publicly and commercially available SSH clients.
SSH Integrated Client
The SSH Integrated Client feature is an application running over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco router to make a secure, encrypted connection to another Cisco router or to any other device running the SSH server. This connection provides functionality that is similar to that of an outbound Telnet connection except that the connection is encrypted. With authentication and encryption, the SSH client allows for a secure communication over an insecure network.
The SSH client in the Cisco IOS XE software works with publicly and commercially available SSH servers. The SSH client supports the ciphers of Data Encryption Standard (DES), Triple DES (3DES), and password authentication. User authentication is performed like that in the Telnet session to the router. The user authentication mechanisms supported for SSH are RADIUS, TACACS+ and the use of locally stored user names and passwords.
Related Features and Technologies
For more information about SSH-related features and technologies, review the following:
How to Configure SSH
Configuring SSH Server
To enable and configure a Cisco Router for SSH, you can configure SSH parameters. If you do not configure SSH parameters, the default values will be used.
To configure SSH server, use the following command in global configuration mode:
To verify that the SSH server is enabled and view the version and configuration data for your SSH connection, use the show ip sshcommand. The following example shows that SSH is enabled:
Router# show ip ssh SSH Enabled - version 1.5 Authentication timeout: 120 secs; Authentication retries: 3
The following example shows that SSH is disabled:
Router# show ip ssh %SSH has not been enabled
To verify the status of your SSH server connections, use the show ssh command. The following example shows the SSH server connections on the router when SSH is enabled:
Router# show ssh Connection Version Encryption State Username 0 1.5 3DES Session Started guest
The following example shows that SSH is disabled:
Router# show ssh %No SSH server connections running.
You must configure a host name for the router using the hostname global configuration command. For more information, see "Prerequisites for Configuring SSH."
You must configure a host domain for the router using the ip domain-name global configuration command. For more information, see "Prerequisites for Configuring SSH."
Monitoring and Maintaining SSH
To monitor and maintain your SSH connections, use the following commands in user EXEC mode:
SSH Configuration Examples
This section provides the following configuration example showing output from the show running configuration EXEC command on a Cisco ASR1000 Series Aggregation Services Router.
SSH on a Cisco ASR1000 Series Router Example
In the following example, SSH is configured on a Cisco ASR1000 series router with a timeout that is not to exceed 60 seconds, and no more than 2 authentication retries. Also, before configuring the SSH server feature on the router, TACACS+ is specified as the method of authentication.
hostname RouterASR1K aaa new-model aaa authentication login default tacacs+ aaa authentication login aaa7200kw none enable password enableasr1kpw username username1 password 0 password1 username username2 password 0 password2 ip subnet-zero no ip domain-lookup ip domain-name cisco.com ! Enter the ssh commands. ip ssh time-out 60 ip ssh authentication-retries 2 ip route 192.168.1.0 255.255.255.0 10.1.10.1 ip route 192.168.9.0 255.255.255.0 10.1.1.1 ip route 192.168.10.0 255.255.255.0 10.1.1.1 map-list atm ip 10.1.10.1 atm-vc 7 broadcast no cdp run tacacs-server host 192.168.109.216 port 9000 tacacs-server key cisco radius-server host 192.168.109.216 auth-port 1650 acct-port 1651 radius-server key cisco line con 0 exec-timeout 0 0 login authentication aaa7200kw transport input none line aux 0 line vty 0 4 password enableasr1kpw end
Feature Information for Configuring Secure Shell
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2012 Cisco Systems, Inc. All rights reserved.