Secure Shell Commands

Table Of Contents

Secure Shell Commands

disconnect ssh

ip ssh

show ip ssh

show ssh

ssh


Secure Shell Commands


This chapter describes Secure Shell (SSH) commands. SSH is an application and a protocol that provides a secure replacement for the Berkeley r-tools. The protocol secures the remote connection to a router using standard cryptographic mechanisms, and the application can be used in the same way as the Berkeley rexec and rsh tools. Two versions of SSH exist, SSH Version 1 and SSH Version 2; only SSH Version 1 is implemented in the Cisco IOS software releases covered by this chapter. SSH Version 1 has known protocol-level weaknesses (its integrity check is a CRC-32 rather than a cryptographic message authentication code), so treat it as a replacement for cleartext Telnet and rsh rather than as equivalent to SSH Version 2, and prefer Version 2 on any platform that offers it.

To find complete descriptions of other commands used when configuring SSH, refer to the Cisco IOS Command Reference Master Index or search online.

For SSH configuration information, refer to the "Configuring Secure Shell" chapter in the Cisco IOS Security Configuration Guide.

disconnect ssh

To terminate a Secure Shell (SSH) connection on your router, use the disconnect ssh privileged EXEC command.

disconnect ssh [vty] session-id

Syntax Description

vty

(Optional) Virtual terminal for remote console access.

session-id

The number of the connection to terminate, as shown in the Connection column of the show ssh command output.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)S

This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1 T.


Usage Guidelines

The clear line vty n command, where n is the connection number shown in the show ssh command output, may be used instead of the disconnect ssh command. Because clear line vty takes a vty line number, confirm with the show users command which line the session occupies (and which line you are typing on yourself) before clearing it.

When the EXEC connection ends, whether normally or abnormally, the SSH connection also ends.

Examples

The following example terminates SSH connection number 1:

disconnect ssh 1
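
A worked sequence for finding and terminating an SSH session, added here as an example and not part of the original chapter. The session shown is constructed, with the output modelled on the show ssh format documented later in this chapter; the user name, client address and absolute line number in the show users output are assumptions.

```cisco
! Added example (constructed session): identify an SSH connection,
! check which vty it occupies, then terminate it and verify.
Router# show ssh
Connection   Version   Encryption   State             Username
0            1.5       3DES         Session Started   guest

! Confirm which line the session occupies before clearing anything.
! The "*" marks the line you are typing on; never clear that one.
! (Absolute line number 2 and the client address are assumptions.)
Router# show users
    Line       User       Host(s)              Idle       Location
*  0 con 0     admin      idle                 00:00:00
   2 vty 0     guest      idle                 00:01:12 192.0.2.10

! Terminate the session by its connection number from show ssh ...
Router# disconnect ssh 0

! ... or, equivalently, clear the vty line it occupies.
Router# clear line vty 0
[confirm]
 [OK]

! Verify that the session is gone.
Router# show ssh
%No SSH server connections running.
```

Either form ends the EXEC session and with it the SSH connection; the show users step is the safeguard against clearing the wrong line, including your own when you are administering the router over SSH.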

Related Commands

Command
Description

clear line vty

Returns a terminal line to the idle state (privileged EXEC command).


ip ssh

To configure Secure Shell (SSH) control parameters on your router, use the ip ssh global configuration command. To restore the default value, use the no form of this command.

ip ssh {timeout seconds | authentication-retries integer}

no ip ssh {timeout seconds | authentication-retries integer}

Syntax Description

timeout

(Optional) The time interval that the router waits for the SSH client to respond.

This setting applies to the SSH negotiation (authentication) phase only. Once the EXEC session starts, the standard timeouts configured for the vty apply. By default, there are 5 vtys defined (0-4), so 5 terminal sessions are possible. After SSH starts the EXEC shell, the vty timeout starts; it defaults to 10 minutes and is set with the exec-timeout line configuration command.

authentication-retries

(Optional) The number of failed authentication attempts after which the SSH connection is reset.

seconds

(Optional) The number of seconds the router waits during negotiation before disconnecting the client. The maximum is 120 seconds; the default is 120 seconds.

integer

(Optional) The number of retries, with a maximum of 5 authentication retries. The default is 3.


Defaults

120 seconds for the timeout timer.

3 authentication-retries.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)S

This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1 T.


Usage Guidelines

Before you configure SSH on your router, you must enable the SSH server by generating an RSA key pair with the crypto key generate rsa command. That command requires a host name (other than the default) and an ip domain-name to be configured first, because the key pair is named after the router's fully qualified host name.

Examples

The following example sets the SSH control parameters; the values shown are the defaults (a 120-second negotiation timeout and 3 authentication retries):

ip ssh timeout 120
ip ssh authentication-retries 3
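
A complete sequence for bringing up the SSH server and setting its control parameters, added here as an example and not taken from the original chapter. The host name, domain name, user account and the tightened timeout and retry values are assumptions chosen for illustration; the commands themselves are standard Cisco IOS commands. Generating the RSA key pair is what enables the SSH server, and the vty settings at the end are what actually keep cleartext Telnet off the router.

```cisco
! Added example: enable the SSH server and set its control parameters.
! Host name, domain name, account and values are assumptions for illustration.
configure terminal
 hostname HQedge
 ip domain-name example.com
 !
 ! A local account for SSH logins. On images that predate the "secret"
 ! keyword, use "password" together with service password-encryption.
 username admin privilege 15 secret <strong-password>
 !
 ! Generating the RSA key pair is what enables the SSH server. The router
 ! prompts for the modulus size; choose the largest value the image supports.
 ! This fails until hostname and ip domain-name above are set.
 crypto key generate rsa
 !
 ! Tighter than the defaults (120 seconds, 3 retries): allow a client
 ! 60 seconds to finish negotiation and permit only 2 failed logins.
 ip ssh timeout 60
 ip ssh authentication-retries 2
 !
 ! Accept only SSH on the vtys (no Telnet), require the local account,
 ! and time out idle EXEC sessions after 5 minutes.
 line vty 0 4
  transport input ssh
  login local
  exec-timeout 5 0
 end
!
! Verify: the first command should report "SSH Enabled - version 1.5"
! with the timeout and retry values above; the second shows the vty block.
show ip ssh
show running-config | begin line vty
```

The ip ssh timeout only bounds the negotiation phase; the exec-timeout on the vty lines is what limits an established session, so both are needed.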

show ip ssh

To display the version and configuration data for Secure Shell (SSH), use the show ip ssh privileged EXEC command.

show ip ssh

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)S

This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1 T.

12.1(5)T

This command was modified to display the SSH status—enabled or disabled.


Usage Guidelines

Use the show ip ssh command to view the status of configured options such as retries and timeouts. This command allows you to see if SSH is enabled or disabled.

Examples

The following is sample output from the show ip ssh command when SSH has been enabled:

Router# show ip ssh

SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3

The following is sample output from the show ip ssh command when SSH has been disabled:
Router# show ip ssh

%SSH has not been enabled

Related Commands

Command
Description

show ssh

Displays the status of SSH server connections.


show ssh

To display the status of Secure Shell (SSH) server connections, use the show ssh privileged EXEC command.

show ssh

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(5)T

This command was introduced.


Usage Guidelines

Use the show ssh command to display the status of the SSH connections on your router. This command does not display any SSH configuration data; use the show ip ssh command for SSH configuration information such as timeouts and retries.

Examples

The following is sample output from the show ssh command with SSH enabled:

Router# show ssh

Connection   Version   Encryption   State             Username
0            1.5       3DES         Session Started   guest

The following is sample output from the show ssh command with SSH disabled:

Router# show ssh

%No SSH server connections running.

Related Commands

Command
Description

show ip ssh

Displays the version and configuration data for SSH.


ssh

To start an encrypted session with a remote networking device, use the ssh user EXEC command.

ssh [-l userid] [-c {des | 3des}] [-o numberofpasswdprompts n] [-p portnum] {ipaddr | hostname} [command]

Syntax Description

-l userid

(Optional) Specifies the user ID to use when logging in to the remote networking device running the SSH server. If no user ID is specified, the default is the current user ID.

-c {des | 3des}

(Optional) Specifies the encryption algorithm, DES or 3DES, to use for encrypting data. To use SSH, an encryption image must be running on the router. Cisco software images that include encryption have the designators "k8" (DES) or "k9" (3DES).

-o numberofpasswdprompts n

(Optional) Specifies the number of password prompts that the software generates before ending the session. The SSH server may also apply a limit to the number of attempts. If the limit set by the server is less than the value specified by the -o numberofpasswdprompts keyword, the limit set by the server takes precedence. The default is 3 attempts, which is also the Cisco IOS SSH server default. The range of values is from 1 to 5.

-p portnum

(Optional) Indicates the desired port number for the remote host. The default port number is 22.

ipaddr | hostname

Specifies the IP address or host name of the remote networking device.

command

(Optional) Specifies the Cisco IOS command that you want to run on the remote networking device. If the remote host is not running Cisco IOS software, this may be any command recognized by the remote host. If the command includes spaces, you must enclose the command in quotation marks.


Defaults

Disabled

Command Modes

User EXEC

Command History

Release
Modification

12.1(3)T

This command was introduced.


Usage Guidelines

The ssh command enables a Cisco router to make a secure, encrypted connection to another Cisco router or device running an SSH Version 1 server. This connection provides functionality that is similar to that of an outbound Telnet connection except that the connection is encrypted. With authentication and encryption, the SSH client allows for a secure communication over an insecure network.


Note SSH is supported on DES (56-bit) and 3DES (168-bit) data encryption software images only. In DES software images, DES is the only encryption algorithm available. In 3DES software images, both DES and 3DES encryption algorithms are available. Single DES with its 56-bit key is within reach of brute force and should be considered inadequate; on 3DES images, select 3DES with -c 3des.


The ssh command requires that you first enable the SSH server on the router. The SSH client is available only when the SSH server is enabled.

Examples

The following example illustrates initiating a secure session between the local router and the remote host HQhost to run the show users command. The result of the show users command is a list of valid users who are logged in to HQhost. The remote host will prompt for the adminHQ password to authenticate the user adminHQ. If the authentication step is successful, the remote host will return the result of the show users command to the local router and will then close the session.

ssh -l adminHQ HQhost "show users"

The following example illustrates initiating a secure session between the local router and the edge router HQedge to run the show ip route command. In this example, the edge router prompts for the adminHQ password to authenticate the user. If the authentication step is successful, the edge router will return the result of the show ip route command to the local router.

ssh -l adminHQ HQedge "show ip route"

The following example shows the SSH client using 3DES to initiate a secure remote command connection with the HQedge router. The SSH server running on HQedge authenticates the session for the admin7 user on the HQedge router using standard authentication methods. The HQedge router must have SSH enabled for this to work.

ssh -l admin7 -c 3des -o numberofpasswdprompts 5 HQedge

Related Commands

Command
Description

ip ssh

Configures SSH server control parameters on the router.

show ip ssh

Displays the version and configuration data for SSH.

show ssh

Displays the status of SSH server connections.