Cisco IOS XR System Security Configuration Guide, Release 3.3
Implementing Secure Shell on Cisco IOS XR Software

Implementing Secure Shell on Cisco IOS XR Software


Secure Shell (SSH) is an application and a protocol that provides a secure replacement to the Berkeley r-tools. The protocol secures sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools.

Two versions of SSH are available: SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2). SSHv1 uses Rivest, Shamir, and Adleman (RSA) keys and SSHv2 uses Digital Signature Algorithm (DSA) keys. Cisco IOS XR software supports both SSHv1 and SSHv2.

This module describes the new and revised tasks you need to implement Secure Shell on your Cisco IOS XR network.


Note For a complete description of the Secure Shell commands used in this chapter, see the Secure Shell Commands on Cisco IOS XR Software module of the Cisco IOS XR System Security Command Reference publication. To locate documentation of other commands that appear in this chapter, use the command reference master index, or search online.


Feature History for Implementing Secure Shell on Cisco IOS XR Software

Release: Modification

Release 2.0: This feature was introduced on the Cisco CRS-1.

Release 3.0: No modification.

Release 3.2: Support was added for the Cisco XR 12000 Series Router.

Release 3.3.0: The ssh server v2 command was added.


Contents

Prerequisites to Implementing Secure Shell

Restrictions for Implementing Secure Shell

Information About Implementing Secure Shell

How to Implement Secure Shell

Configuration Examples for Implementing Secure Shell

Additional References

Prerequisites to Implementing Secure Shell

The following prerequisites are required to implement Secure Shell:

You must be in a user group associated with a task group that includes the proper task IDs for security commands. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Download the required image on your router. The SSH server and SSH client require you to have a crypto package (data encryption standard [DES], 3DES and AES) from Cisco downloaded on your router.

Configure user authentication for local or remote access. You can configure authentication with or without authentication, authorization, and accounting (AAA). For more information, see the Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software module in the Cisco IOS XR System Security Command Reference publication and Configuring AAA Services on Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide publication.

AAA authentication and authorization must be configured correctly for Secure Shell File Transfer Protocol (SFTP) to work.

Restrictions for Implementing Secure Shell

The following are some basic SSH restrictions and limitations of the SFTP feature:

In order for an outside client to connect to the router, the router needs to have an RSA (for SSHv1) or DSA (for SSHv2) key pair configured. DSA and RSA keys are not required if you are initiating an SSH client connection from the router to an outside routing device. The same is true for SFTP: DSA and RSA keys are not required because SFTP only operates in client mode.

For SFTP to work properly, the remote SSH server must have SFTP server functionality enabled. For example, an SSHv2 server is configured to handle the SFTP subsystem with a line such as the following in /etc/ssh2/sshd2_config:

subsystem-sftp /usr/local/sbin/sftp-server

The SFTP server is usually included as part of public-domain SSH packages and is turned on in the default configuration.

SFTP is compatible with sftp server version OpenSSH_2.9.9p2 or higher.

RSA-based user authentication available in SSH clients is not supported in the SSH server for Cisco IOS XR software.

Execution shell and SFTP are the only applications supported.

The SFTP client does not support remote filenames containing wildcards (*, ?, []). The user must issue the sftp command multiple times or list all of the source files from the remote host to download them on to the router. For uploading, the router SFTP client can support multiple files specified using a wildcard provided that the issues mentioned in the first through third bullets in this section are resolved.

Because the router infrastructure does not provide support for UNIX-like file permissions, files created on the local device lose the original permission information. For files created on the remote file system, the file permission adheres to the umask on the destination host and the modification and last access times are the time of the copy.

Information About Implementing Secure Shell

To implement SSH, you should understand the following concepts:

SSH Server

SSH Client

SFTP Feature Overview

AAA Feature

SSH Server

The SSH server feature enables an SSH client to make a secure, encrypted connection to a Cisco router. This connection provides functionality that is similar to that of an inbound Telnet connection. Before SSH, security was limited to Telnet security. SSH allows strong encryption to be used with Cisco IOS XR software authentication. The SSH server in Cisco IOS XR software works with publicly and commercially available SSH clients.

SSH Client

The SSH client feature is an application running over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco router to make a secure, encrypted connection to another Cisco router or to any other device running the SSH server. This connection provides functionality that is similar to that of an outbound Telnet connection except that the connection is encrypted. With authentication and encryption, the SSH client allows for a secure communication over an insecure network.

The SSH client in the Cisco IOS XR software works with publicly and commercially available SSH servers. The SSH client supports the DES and 3DES ciphers, the message digest algorithm 5 (MD5) and SHA1 integrity algorithms, and password authentication. User authentication is performed as it is in a Telnet session to the router. The user authentication mechanisms supported for SSH are RADIUS, TACACS+, and the use of locally stored usernames and passwords.

SFTP Feature Overview

SSH includes support for SFTP, which is a feature that provides a secure and authenticated method for copying router configuration or router image files.

SFTP is the new, standard file transfer protocol introduced in SSHv2. The SFTP client functionality is provided as part of the SSH component and is always enabled on the router. Therefore, a user with the appropriate level can copy files to and from the router. Like the copy command, the sftp command can be used only in EXEC mode.

AAA Feature

AAA is a suite of network security services that provide the primary framework through which access control can be set up on your Cisco router or access server. For more information on AAA, see the Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software module in the Cisco IOS XR System Security Command Reference publication and the Configuring AAA Services on Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide publication.

How to Implement Secure Shell

To configure SSH, perform the tasks described in the following sections:

Configuring SSH (required)

Configuring the SSH Client (required)

Configuring SSH

Perform this task to configure SSH.


Note For SSHv1 configuration, Step 1 to Step 4 are required. For SSHv2 configuration, Step 1 to Step 4 are optional.


SUMMARY STEPS

1. configure

2. hostname hostname

3. domain name domain-name

4. exit

5. crypto key generate rsa [usage keys | general-keys] [keypair-label]

6. crypto key generate dsa

7. configure

8. ssh timeout seconds

9. ssh server
or
ssh server v2 (optional)

10. end
or
commit

11. show ssh

12. show ssh session details

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 

hostname hostname

Example:

RP/0/RP0/CPU0:router(config)# hostname router1

Configures a host name for your router.

Step 3 

domain name domain-name

Example:

RP/0/RP0/CPU0:router(config)# domain name cisco.com

Defines a default domain name that the software uses to complete unqualified host names.

Step 4 

exit

Example:

RP/0/RP0/CPU0:router(config)# exit

Exits global configuration mode, and returns the router to EXEC mode.

Step 5 

crypto key generate rsa [usage keys | general-keys] [keypair-label]

Example:

RP/0/RP0/CPU0:router# crypto key generate rsa general-keys

Generates an RSA key pair.

To delete the RSA key pair, use the crypto key zeroize rsa command.

This command is used for SSHv1 only.

Step 6 

crypto key generate dsa

Example:

RP/0/RP0/CPU0:router# crypto key generate dsa

Enables the SSH server for local and remote authentication on the router.

The recommended minimum modulus size is 1024 bits.

Generates a DSA key pair.

To delete the DSA key pair, use the crypto key zeroize dsa command.

This command is used only for SSHv2.

Step 7 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 8 

ssh timeout seconds

Example:

RP/0/RP0/CPU0:router(config)# ssh timeout 60

(Optional) Configures the timeout value for user authentication to AAA.

If the user fails to authenticate itself to AAA within the configured time, the connection is aborted.

If no value is configured, the default value of 30 seconds is used. The range is from 5 to 120.

Step 9 

ssh server

or

ssh server v2

Example:

RP/0/RP0/CPU0:router(config)# ssh server

or

RP/0/RP0/CPU0:router(config)# ssh server v2

Brings up an SSH server.

To bring down an SSH server, use the no ssh server command.

(Optional) If you use the ssh server v2 form of the command, the SSH server accepts only SSHv2 client connections; SSHv1 clients are rejected.

Step 10 

end

or

commit

Example:

RP/0/RP0/CPU0:router(config)# end

or

RP/0/RP0/CPU0:router(config)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 11 

show ssh

Example:

RP/0/RP0/CPU0:router# show ssh

(Optional) Displays all of the incoming and outgoing SSHv1 and SSHv2 connections to the router.

Step 12 

show ssh session details

Example:

RP/0/RP0/CPU0:router# show ssh session details

(Optional) Displays a detailed report of the SSHv2 connections to and from the router.
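Added example, not from the Cisco guide: a small Python audit helper for verifying two points made in this chapter from the outside. It parses the identification string an SSH server sends on connect (RFC 4253 semantics are assumed: protocol version 1.99 means the server also admits SSHv1 clients, 2.0 means SSHv2 only, 1.x means SSHv1 only), which lets you confirm that the ssh server v2 restriction took effect, and it checks whether an OpenSSH peer meets the OpenSSH_2.9.9p2 minimum given in the Restrictions section for SFTP. The sample banners are constructed, not captured from real devices.

```python
import re
from typing import Optional, Set, Tuple

# Minimum OpenSSH version the Restrictions section gives for SFTP.
MIN_SFTP_OPENSSH = (2, 9, 9, 2)

# RFC 4253 identification string: "SSH-protoversion-softwareversion [SP comments]"
_IDENT_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")
# OpenSSH_<major>.<minor>[.<patch>][p<portable>]
_OPENSSH_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def protocol_support(banner: str) -> Set[str]:
    """Client protocol versions the server admits, from its protoversion field.
    Assumed RFC 4253 semantics: 1.99 = SSHv2 plus SSHv1 compatibility,
    2.0 = SSHv2 only, 1.x = SSHv1 only.  After 'ssh server v2' a server
    should no longer identify itself as 1.99."""
    m = _IDENT_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    proto = m.group("proto")
    if proto == "1.99":
        return {"v1", "v2"}
    if proto == "2.0":
        return {"v2"}
    if proto.startswith("1."):
        return {"v1"}
    raise ValueError(f"unexpected SSH protocol version: {proto}")


def openssh_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """(major, minor, patch, portable) for an OpenSSH peer, else None.
    Missing fields count as 0: OpenSSH_5.3 -> (5, 3, 0, 0) and
    OpenSSH_2.9.9p2 -> (2, 9, 9, 2), so tuples compare in version order."""
    m = _OPENSSH_RE.search(banner)
    if not m:
        return None
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable or 0))


def sftp_compatible(banner: str) -> bool:
    """True when the peer is OpenSSH at or above the 2.9.9p2 minimum."""
    version = openssh_version(banner)
    return version is not None and version >= MIN_SFTP_OPENSSH


if __name__ == "__main__":
    # Constructed sample banners, not captured from real devices.
    for sample in ("SSH-1.99-ExampleRouter", "SSH-2.0-OpenSSH_5.3",
                   "SSH-2.0-OpenSSH_2.9p2 sample"):
        print(sample, sorted(protocol_support(sample)), sftp_compatible(sample))
```

A live banner can be obtained by reading the first line a server sends after a TCP connection to port 22; the functions above then work on that line unchanged.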

Configuring the SSH Client

Perform this task to configure an SSH client.

SUMMARY STEPS

1. configure

2. ssh client knownhost device:/filename

3. exit

4. ssh {ipv4-address | ipv6-address | hostname} [username user-id | cipher des | source-interface type instance]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 

ssh client knownhost device:/filename

Example:

RP/0/RP0/CPU0:router(config)# ssh client knownhost slot0:/server_pubkey

(Optional) Enables the feature to authenticate and check the server public key (pubkey) at the client end.

The complete path of the filename is required. The colon (:) and slash mark (/) are also required.

Step 3 

exit

Example:

RP/0/RP0/CPU0:router(config)# exit

Exits global configuration mode, and returns the router to EXEC mode.

Step 4 

ssh {ipv4-address | ipv6-address | hostname} [username user-id | cipher des | source-interface type instance]

Example:

RP/0/RP0/CPU0:router# ssh remotehost username user1234

Enables an outbound SSH connection.

The SSH client tries to make an SSHv2 connection to the remote peer. If the remote peer supports only the SSHv1 server, the peer internally spawns an SSHv1 connection to the remote server.

The cipher des option can be used only with an SSHv1 client.

If the hostname argument is used and the host has both IPv4 and IPv6 addresses, the IPv6 address is used.

Troubleshooting Tips

If you are using SSHv1 and your SSH connection is being rejected, you have not successfully generated an RSA key pair for your router. Make sure that you have specified a host name and domain. Then use the crypto key generate rsa command to generate an RSA key pair and enable the SSH server.

If you are using SSHv2 and your SSH connection is being rejected, you have not successfully generated a DSA key pair for your router. Make sure that you have specified a host name and domain. Then use the crypto key generate dsa command to generate a DSA key pair and enable the SSH server.

When configuring the RSA or DSA key pair, you might encounter the following error messages:

No hostname specified

You must configure a host name for the router using the hostname global configuration command.

No domain specified

You must configure a host domain for the router using the domain name global configuration command.

The number of allowable SSH connections is limited to the maximum number of virtual terminal lines configured for the router. Each SSH connection uses a vty resource.

SSH uses either local security or the security protocol that is configured through AAA on your router for user authentication. When configuring AAA, you must ensure that the console is not running under AAA by applying a keyword in the global configuration mode to disable AAA on the console.

Configuration Examples for Implementing Secure Shell

This section provides the following configuration example:

Configuring Secure Shell: Example

Configuring Secure Shell: Example

The following example shows how to configure SSHv2 by creating a host name, defining a domain name, enabling the SSH server for local and remote authentication on the router by generating a DSA key pair, bringing up the SSH server, and saving the configuration commands to the running configuration file.

After SSH has been configured, the SFTP feature is available on the router.

configure
	hostname router1
	domain name cisco.com
	exit
crypto key generate dsa
configure
	ssh server
	end

Additional References

The following sections provide references related to implementing secure shell.

Related Documents

Related Topic
Document Title

AAA commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples

Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

AAA configuration tasks

Configuring AAA Services on Cisco IOS XR Software

Host services and applications commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples

Host Services and Applications Commands on Cisco IOS XR Software

IPSec commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples

IPSec Network Security Commands on Cisco IOS XR Software

SSH commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples

Secure Shell Commands on Cisco IOS XR Software


Standards

Standards
Title

Draft-ietf-secsh-userauth-17.txt

SSH Authentication Protocol, July 2003

Draft-ietf-secsh-connect-17.txt

SSH Connection Protocol, July 2003

Draft-ietf-secsh-architecture-14.txt

SSH Protocol Architecture, July 2003

Draft-ietf-secsh-transport-16.txt

SSH Transport Layer Protocol, July 2003


MIBs

MIBs
MIBs Link

There are no applicable MIBs for this module.

To locate and download MIBs for selected platforms using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL:

http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport