Cisco IOS Security Command Reference: Commands D to L, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
ip source-track through ivrf
Downloads: This chapterpdf (PDF - 368.0KB) The complete bookPDF (PDF - 1.6MB) | Feedback

ip source-track through ivrf

ip source-track through ivrf

ip ssh

To configure Secure Shell (SSH) control parameters on your router, use the ip ssh command in global configuration mode. To restore the default value, use the no form of this command.

ip ssh [ timeout seconds | authentication-retries integer ]

no ip ssh [ timeout seconds | authentication-retries integer ]

Syntax Description

timeout

(Optional) The time interval that the router waits for the SSH client to respond.

This setting applies to the SSH negotiation phase. Once the EXEC session starts, the standard timeouts configured for the vty apply. By default, there are 5 vtys defined (0-4), therefore 5 terminal sessions are possible. After the SSH executes a shell, the vty timeout starts. The vty timeout defaults to 10 minutes.

seconds

(Optional) The number of seconds until timeout disconnects, with a maximum of 120 seconds. The default is 120 seconds.

authentication- retries

(Optional) The number of attempts after which the interface is reset.

integer

(Optional) The number of retries, with a maximum of 5 authentication retries. The default is 3.

Command Default

SSH control parameters are set to default router values.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.0(5)S

This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1(1) T.

12.2(17a)SX

This command was integrated into Cisco IOS Release 12.2(17a)SX.

12.2(33)SRA

This command was integrated into Cisco IOS release 12.(33)SRA.

Cisco IOS XE Release 2.4

This command was implemented on the Cisco ASR 1000 series routers.

Usage Guidelines

Before you configure SSH on your router, you must enable the SSH server using the crypto key generate rsacommand.

Examples

The following examples configure SSH control parameters on your router:

ip ssh timeout 120
ip ssh authentication-retries 3

ip ssh dh min size

To configure the modulus size on the Secure Shell (SSH) server, use the ip ssh dh min size command in privileged EXEC mode. To disable the configuration, use the no form of this command.

ip ssh dh min size [number]

no ip ssh dh min size

Syntax Description

number

(Optional) Minimum number of bits in the key size. The default is 1024.

Command Default

Bit key support is disabled.

Command Modes


Privileged EXEC (#)

Command History

Release

Modification

12.4(20)T

This command was introduced.

15.1(2)S

This command was integrated into Cisco IOS Release 15.1(2)S.

Usage Guidelines

Use the ip ssh dh min sizecommand to ensure that the CLI is successfully parsed from either the client side or the server side.

Examples

The following example shows how to set the minimum modulus size to 2048 bits:

Router> enable
Router# ip ssh dh min size 2048

Related Commands

Command

Description

show ip ssh

Displays the status of SSH server connections.

ip ssh dscp

To specify the IP differentiated services code point (DSCP) value that can be set for a Secure Shell (SSH) configuration, use the ip ssh dscpcommand in global configuration mode. To restore the default value, use the no form of this command.

ip ssh dscp number

no ip ssh dscp number

Syntax Description

number

Value that can be set. The default value is 0 (zero).

  • number --0 through 63.

Command Default

The IP DSCP value is not specified.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(20)S

This command was introduced.

12.2SR

This command is supported in the Cisco IOS Release 12.2SR train. Support in a specific 12.2SR train depends on your feature set, platform, and platform hardware.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX train depends on your feature set, platform, and platform hardware.

12.4(22)T

This command was integrated into Cisco IOS Release 12.4(22)T.

Usage Guidelines

IP DSCP values can be configured on both the SSH client and the SSH server for SSH traffic that is generated on either end.

Examples

The following example shows that the DSCP value is set to 35:

Router(config)# ip ssh dscp 35

Related Commands

Command

Description

ip ssh precedence

Specifies the IP precedence value that may be set.

ip ssh pubkey-chain

To configure Secure Shell RSA (SSH-RSA) keys for user and server authentication on the SSH server, use the ip ssh pubkey-chain command in global configuration mode. To remove SSH-RSA keys for user and server authentication on the SSH server, use the no form of this command.

ip ssh pubkey-chain

no ip ssh pubkey-chain

Syntax Description

This command has no arguments or keywords.

Command Default

SSH-RSA keys are not configured.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.0(1)M

This command was introduced.

15.1(1)S

This command was integrated into Cisco IOS Release 15.1(1)S.

Usage Guidelines

Use the ip ssh pubkey-chaincommand to ensure SSH server and user public key authentication.

Examples

The following example shows how to enable public key generation:

Router(config)# ip ssh pubkey-chain
 

Related Commands

Command

Description

ip ssh stricthostkeycheck

Enables strict host key checking on the SSH server.

ip ssh stricthostkeycheck

To enable strict host key checking on the Secure Shell (SSH) server, use the ip ssh stricthostcheck command in global configuration mode. To disable strict host key checking, use the no form of this command.

ip ssh stricthostkeycheck

no ip ssh stricthostkeycheck

Syntax Description

This command has no arguments or keywords.

Command Default

Strict host key checking on the SSH server is not enabled.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.0(1)M

This command was introduced.

15.1(1)S

This command was integrated into Cisco IOS Release 15.1(1)S.

Usage Guidelines

Use the ip ssh stricthostkeycheckcommand to ensure SSH server side strict checking. Configuring the ip ssh stricthostkeycheck command authenticates all servers.


Note


This command is not available on SSH Version 1.


  • If the ip ssh pubkey-chain command is not configured, the ip ssh stricthostkeycheck command will lead to connection failure in SSH Version 2.

Examples

The following example shows how to enable strict host key checking:

Router(config)# ip ssh stricthostkeycheck

Related Commands

Command

Description

ip ssh pubkey-chain

Configures SSH-RSA keys for user and server authentication on the SSH server.

ip ssh version

To specify the version of Secure Shell (SSH) to be run on a router, use the ip ssh versioncommand in global configuration mode. To disable the version of SSH that was configured and to return to compatibility mode, use the no form of this command.

ip ssh version [ 1 | 2 ]

no ip ssh version [ 1 | 2 ]

Syntax Description

1

(Optional) Router runs only SSH Version 1.

2

(Optional) Router runs only SSH Version 2.

Command Default

If this command is not configured, SSH operates in compatibility mode, that is, Version 1 and Version 2 are both supported.

Command Modes


Global configuration

Command History

Release

Modification

12.3(4)T

This command was introduced.

12.3(2)XE

This command was integrated into Cisco IOS Release 12.3(2)XE.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.3(7)JA

This command was integrated into Cisco IOS Release 12.3(7)JA.

12.0(32)SY

This command was integrated into Cisco IOS Release 12.0(32)SY.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.

Usage Guidelines

You can use this command with the 2 keyword to ensure that your router will not inadvertently establish a weaker SSH Version 1 connection.

Examples

The following example shows that only SSH Version 1 support is configured:

Router (config)# ip ssh version 1

The following example shows that only SSH Version 2 is configured:

Router (config)# ip ssh version 2

The following example shows that SSH Versions 1 and 2 are configured:

Router (config)# no ip ssh version

Related Commands

Command

Description

debug ip ssh

Displays debug messages for SSH.

disconnect ssh

Terminates a SSH connection on your router.

ip ssh

Configures SSH control parameters on your router.

ip ssh rsa keypair-name

Specifies which RSA key pair to use for a SSH connection.

show ip ssh

Displays the SSH connections of your router.

ipv6 tacacs source-interface

To specify an interface to use for the source address in TACACS packets, use the ipv6 tacacs source-interfacecommand in global configuration mode. To remove the specified interface from the configuration, use the no form of this command.

ipv6 tacacs source-interface interface

no ipv6 tacacs source-interface interface

Syntax Description

interface

Interface to be used for the source address in TACACS packets.

Command Default

No interface is specified.

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Release 3.2S

This command was introduced.

Usage Guidelines

The ipv6 tacacs source-interfacecommand specifies an interface to use for the source address in TACACS packets.

Examples

The following example shows how to configure the Gigabit Ethernet interface to be used as the source address in TACACS packets:

Router(config)# ipv6 tacacs source-interface GigabitEthernet 0/0/0

Related Commands

Command

Description

tacacs server

Configures the TACACS+ server for IPv6 or IPv4 and enters TACACS+ server configuration mode.