Cisco Nexus 1000V Security Configuration Guide, Release 4.2(1)SV2(2.1)
Configuring SSH
Downloads: This chapterpdf (PDF - 1.36MB) The complete bookPDF (PDF - 5.57MB) | The complete bookePub (ePub - 1.44MB) | Feedback

Configuring SSH

This chapter contains the following sections:

Information About SSH

SSH Server

You can use the Secure Shell (SSH) server to enable an SSH client to make a secure, encrypted connection. SSH uses strong encryption for authentication. The SSH server can operate with publicly and commercially available SSH clients.

TACACS+ user authentication and locally stored usernames and passwords are supported for SSH.

SSH Client

The SSH client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables a secure, encrypted connection to any device that runs the SSH server. This connection provides an encrypted outbound connection. With authentication and encryption, the SSH client produces secure communication over an insecure network.

The SSH client works with publicly and commercially available SSH servers.

SSH Server Keys

SSH requires server keys for secure communication. You can use SSH server keys for the following SSH options:

  • SSH version 2 using Rivest, Shamir, and Adelman (RSA) public-key cryptography
  • SSH version 2 using the Digital System Algrorithm (DSA)

Be sure to have an SSH server key-pair with the correct version before enabling the SSH service. Generate the SSH server key-pair according to the SSH client version used. The SSH service accepts two types of key-pairs for use by SSH version 2:

  • The dsa option generates the DSA key-pair for the SSH version 2 protocol.
  • The rsa option generates the RSA key-pair for the SSH version 2 protocol.

By default, an RSA key that uses 1024 bits is generated.

SSH supports the following public key formats

  • OpenSSH
  • IETF Secure Shell (SECSH)
  • Public Key Certificate in Privacy-Enhanced Mail (PEM)

Caution


If you delete all of the SSH keys, you cannot start the SSH services.


Prerequisites for SSH

  • Configure IP on a Layer 3 interface, out-of-band on the mgmt 0 interface or inband on an Ethernet interface.
  • Before enabling the SSH server, obtain the SSH key.

Guidelines and Limitations for SSH

  • Only SSH version 2 (SSHv2) is supported.
  • SSH is enabled by default.
  • Cisco NX-OS commands might differ from the Cisco IOS commands.

Default Settings

Parameters

Default

SSH server

Enabled

SSH server key

RSA key generated with 1024 bits

RSA key bits for generation

1024

Configuring SSH

Generating SSH Server Keys

You can generate an SSH server key based on your security requirements.

The default SSH server key is an RSA key that is generated using 1024 bits.

Before You Begin

Log in to the CLI in EXEC mode.

Procedure
      Command or Action Purpose
    Step 1 switch# configure terminal 

    Enters global configuration mode.

     
    Step 2 switch(config)# no feature ssh 

    Disables SSH.

     
    Step 3 switch(config)# ssh key {dsa[force] | rsa [bits[ force]]} 

    Generates the SSH server key

    The bits argument is the number of bits used to generate the key. The range is from 768 to 2048 and the default value is 1024.

    Use the force keyword to replace an existing key.

     
    Step 4 switch(config)# feature ssh  

    Enables SSH.

     
    Step 5 switch# show ssh key  (Optional)

    Displays the SSH server keys.

     
    Step 6 switch# copy running-config startup-config  (Optional)

    Copies the running configuration to the startup configuration.

     

    This example shows how to generate SSH server keys:

    switch# configure terminal
    switch(config)# no feature ssh 
    XML interface to system may become unavailable since ssh is disabled
    switch(config)# ssh key dsa force
    generating dsa key(1024 bits).....
    .
    generated dsa key
    n1000v(config)# feature ssh
    n1000v(config)# show ssh key
    **************************************
    rsa Keys generated:Sun Jul 27 15:18:46 2008
    
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyKcb7Nv9Ki1OOId9/tdHHa/ngQujlvK5mXyL/n+DeOXK
    fVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5awfVhVxMKXMiPOPBc+A6/n3FVroyRwupMki6mWoM6Uwa
    GID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8QoAcrEtnwEfsnQk1EIr/0XIP1mqTsrqTsmjZ2vLk+f
    FzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuDYSPbc3PA8t0ghU/60m9R+s6AZPuljVQbGfxPrahEu4
    GVc6sMJNU1JxmqDJkodhMArObB4Umzj7E3Rdby/ZWx/clTYiXQR1X1VfhQ==
    
    bitcount:2048
    fingerprint:
    fd:ca:48:73:b9:ee:e7:86:9e:1e:40:46:f1:50:1d:44
    **************************************
    dsa Keys generated:Sun Jul 27 15:20:12 2008
    
    ssh-dss AAAAB3NzaC1kc3MAAACBALpdxLjXNS/jcCNY+F1QZV9HegxBEb0DMUmq9bSq2N+KAcvHllEh
    GnaiHhqarOlcEKqhLbIbuqtKTCvfa+Y1hBIAhWVjg1UR3/M22jqxnfhnxL5YRc1Q7fcesFax0myayAIU
    nXrkO5iwv9XHTu+EInRc4kJ0XrG9SxtLmDe/fi2ZAAAAFQDbRabAjZa6GfDpwjXw5smRhrElJwAAAIEA
    r50yi3hHawNnb5qgYLXhN+KA8XJF753eCWHtMw7NR8fz6fjQ1R2J97UjjGuQ8DvwpGeNQ5S+AuIo0rGq
    svdg7TTecBcbgBOnR7Fs2+W5HiSVEGbvj1xaeK8fkNE6kaJumBB343b8Rgj0G97MP/os1GfkEqmX9glB
    0IOM2mgHHyoAAACAfRir27hHy+fw8CxPlsK0R6cFhxYyd/qYYogXFKYIOPxpLoYrjqODeOFThU7TJuBz
    aS97eXiruzbffHwzUGfXgmQT5o9IMZRTClWPA/5Ju4O9YABYHccUghf0W+QtgGOT6FOSvBh8uOV0kcHC
    GMJAP8omphauZJlc+wgFxhnkyh4=
    
    bitcount:1024
    fingerprint:
    44:91:32:1f:7a:d1:83:3c:f3:5e:db:53:0a:2d:ce:69
    **************************************
    

    Configuring a User Account with a Public Key

    You configure an SSH public key to log in using the SSH client without being prompted for a password. You can specify the SSH public key in one of three different formats:

    • OpenSSH format
    • IETF SECSH format
    • Public Key Certificate in PEM format

    Configuring an OpenSSH Key

    You can specify the SSH public keys in OpenSSH format for user accounts.

    You can configure an SSH public key to log in using the SSH client without being prompted for a password. You can specify the SSH public key in one of three different formats:
    • OpenSSH format
    • IETF SECSH format
    • Public Key Certificate in PEM format
    Before You Begin
    • Log in to the CLI in EXEC mode
    • Generate an SSH public key in OpenSSH format
    • Have an existing user account
    Procedure
        Command or Action Purpose
      Step 1 switch# configure terminal  

      Enters global configuration mode.

       
      Step 2 switch(config)# username username sshkey ssh-key 

      Configures the SSH public key in OpenSSH format with an exiting user account.

      To create a user account use the username name password pwd command.

       
      Step 3 switch(config)# exit 

      Exits global configuration mode and returns to EXEC mode.

       
      Step 4 switch# show user-account  (Optional)

      Displays the user account configuration.

       
      Step 5 switch# copy running-config startup-config  (Optional)

      Copies the running configuration to the startup configuration.

       

      This example shows how to configure an openSSH key:

      switch# configure terminal
      switch(config)# username user1 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyK
      cb7Nv9Ki1OOId9/tdHHa/ngQujlvK5mXyL/n+DeOXKfVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5aw
      fVhVxMKXMiPOPBc+A6/n3FVroyRwupMki6mWoM6UwaGID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8
      QoAcrEtnwEfsnQk1EIr/0XIP1mqTsrqTsmjZ2vLk+fFzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuD
      YSPbc3PA8t0ghU/60m9R+s6AZPuljVQbGfxPrahEu4GVc6sMJNU1JxmqDJkodhMArObB4Umzj7E3Rdby
      /ZWx/clTYiXQR1X1VfhQ==
      switch(config)# exit
      switch# show user-account
      user:admin
              this user account has no expiry date
              roles:network-admin
      user:user1
              this user account has no expiry date
              roles:network-operator
              ssh public key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyKcb7Nv9Ki1OOId9/tdH
      Ha/ngQujlvK5mXyL/n+DeOXKfVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5awfVhVxMKXMiPOPBc+A6
      /n3FVroyRwupMki6mWoM6UwaGID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8QoAcrEtnwEfsnQk1EI
      r/0XIP1mqTsrqTsmjZ2vLk+fFzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuDYSPbc3PA8t0ghU/60m
      9R+s6AZPuljVQbGfxPrahEu4GVc6sMJNU1JxmqDJkodhMArObB4Umzj7E3Rdby/ZWx/clTYiXQR1X1Vf
      hQ==
      switch# copy running-config startup-config
      

      Configuring IETF or PEM Keys

      You can specify the SSH public keys in IETF SECSH or PEM format for user accounts.

      You can configure an SSH public key to log in using the SSH client without being prompted for a password. You can specify the SSH public key in one of three different formats:
      • OpenSSH format
      • IETF SECSH format
      • Public Key Certificate in PEM format
      Before You Begin
      • Log in to the CLI in EXEC mode
      • Generate an SSH public key in one of the following formats:
        • IETF SECSH format
        • Public Key Certificate in PEM format
      Procedure
          Command or Action Purpose
        Step 1 switch# copy server-file bootflash: filename 

        Downloads the file containing the SSH key from a server. The server can be FTP, secure copy (SCP), secure FTP (SFTP), or TFTP.

         
        Step 2 switch# configure terminal 

        Enters global configuration mode.

         
        Step 3 switch(config)# username username sshkey file bootflash:filename 

        Configures the SSH public key.

         
        Step 4 switch(config)# exit 

        Exits global configuration mode and returns to EXEC mode.

         
        Step 5 switch# show user-account  (Optional)

        Displays the user account configuration.

         
        Step 6 switch# copy running-config startup-config  (Optional)

        Copies the running configuration to the startup configuration.

         

        This example shows how to configure an SSH public key in an IETF SECSH format:

        switch# copy tftp://10.78.1.10/secsh_file.pub bootflash:secsh_file.pub vrf management
        Trying to connect to tftp server......
        Connection to server Established.
        |
        TFTP get operation was successful
        switch# configure terminal
        switch(config)# username User1 sshkey file bootflash:secsh_file.pub
        switch(config)# exit
        switch# show user-account 
        user:admin
                this user account has no expiry date
                roles:network-admin 
        user:user2
                this user account has no expiry date
                roles:network-operator 
                ssh public key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyKcb7Nv9Ki1OOId9/tdHHa/
        ngQujlvK5mXyL/n+DeOXKfVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5awfVhVxMKXMiPOPBc+A6/n3FVroyRwupMki6
        mWoM6UwaGID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8QoAcrEtnwEfsnQk1EIr/0XIP1mqTsrqTsmjZ2vLk+
        fFzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuDYSPbc3PA8t0ghU/60m9R+s6AZPuljVQbGfxPrahEu4GVc6sMJN
        U1JxmqDJkodhMArObB4Umzj7E3Rdby/ZWx/clTYiXQR1X1VfhQ==
        switch# copy running-config startup-config
        

        Starting SSH Sessions

        You can start SSH sessions using IP to connect to remote devices.

        Before You Begin
        • Log in to the CLI in EXEC mode.
        • Obtain the hostname and, if needed, the username, for the remote device.
        • Enable the SSH server on the remote device
        Procedure
            Command or Action Purpose
          Step 1 switch# ssh [root@] {ip address | hostname } [vrf vrf-name] 

          Creates an SSH IP session to a remote device using IP. The default virtual routing and forwarding (VRF) instance is the default VRF.

           

          This example shows how to start an SSH session:

          switch# ssh root@172.28.30.77
          root@172.28.30.77's password: 
          Last login: Sat Jul 26 11:07:23 2008 from 171.70.209.64

          Clearing SSH Hosts

          You can clear from your account the list of trusted SSH servers that were added when you downloaded a file from a server using SCP or SFTP, or when you started an SSH session to a remote host.

          Procedure
              Command or Action Purpose
            Step 1 switch# clear ssh hosts 

            Clears the SSH host sessions.

             

            Disabling the SSH Server

            You can disable the SSH server to prevent SSH access to the switch. By default, the SSH server is enabled.

            If you disable SSH, you must first generate an SSH server key before you can enable it again.

            Before You Begin

            Log in to the CLI in EXEC mode.

            Procedure
                Command or Action Purpose
              Step 1 switch# configure terminal  

              Enters global configuration mode.

               
              Step 2 switch(config)# no feature ssh 

              Disables the SSH server. The default is enabled.

               
              Step 3 switch(config)# show ssh server  (Optional)

              Displays the SSH server configuration.

               
              Step 4 switch(config)# copy running-config startup-config  (Optional)

              Copies the running configuration to the startup configuration.

               

              This example shows how to disable the SSH server:

              switch# configure terminal
              switch(config)# no feature ssh 
              XML interface to system may become unavailable since ssh is disabled
              switch(config)#  show ssh server
              ssh is not enabled
              switch(config)# copy running-config startup-config
              

              Deleting SSH Server Keys

              You can delete SSH server keys after you disable the SSH server.

              If you disable SSH, you must first generate an SSH server key before you can enable it again.

              Before You Begin

              Log in to the CLI in EXEC mode.

              Procedure
                  Command or Action Purpose
                Step 1 switch# configure terminal 

                Enters global configuration mode.

                 
                Step 2 switch(config)# no feature ssh  

                Disables the SSH server.

                 
                Step 3 switch(config)# no ssh key [dsa | rsa] 

                Deletes the SSH server key.

                The default is to delete all the SSH keys.

                 
                Step 4 switch(config)# show ssh key  (Optional)

                Displays the SSH server key configuration.

                 
                Step 5 switch(config)# copy running-config startup-config  (Optional)

                Copies the running configuration to the startup configuration.

                 

                This example shows how to delete an SSH server key:

                switch# configure terminal
                switch(config)# no feature ssh 
                switch(config)# no ssh key rsa
                switch(config)# show ssh key
                **************************************
                rsa Keys generated:Sun Jul 27 15:18:46 2008
                
                ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyKcb7Nv9Ki1OOId9/tdHHa/ngQujlvK5mXyL/n+DeOXK
                fVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5awfVhVxMKXMiPOPBc+A6/n3FVroyRwupMki6mWoM6Uwa
                GID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8QoAcrEtnwEfsnQk1EIr/0XIP1mqTsrqTsmjZ2vLk+f
                FzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuDYSPbc3PA8t0ghU/60m9R+s6AZPuljVQbGfxPrahEu4
                GVc6sMJNU1JxmqDJkodhMArObB4Umzj7E3Rdby/ZWx/clTYiXQR1X1VfhQ==
                
                bitcount:2048
                fingerprint:
                fd:ca:48:73:b9:ee:e7:86:9e:1e:40:46:f1:50:1d:44
                **************************************
                dsa Keys generated:Sun Jul 27 15:20:12 2008
                
                ssh-dss AAAAB3NzaC1kc3MAAACBALpdxLjXNS/jcCNY+F1QZV9HegxBEb0DMUmq9bSq2N+KAcvHllEh
                GnaiHhqarOlcEKqhLbIbuqtKTCvfa+Y1hBIAhWVjg1UR3/M22jqxnfhnxL5YRc1Q7fcesFax0myayAIU
                nXrkO5iwv9XHTu+EInRc4kJ0XrG9SxtLmDe/fi2ZAAAAFQDbRabAjZa6GfDpwjXw5smRhrElJwAAAIEA
                r50yi3hHawNnb5qgYLXhN+KA8XJF753eCWHtMw7NR8fz6fjQ1R2J97UjjGuQ8DvwpGeNQ5S+AuIo0rGq
                svdg7TTecBcbgBOnR7Fs2+W5HiSVEGbvj1xaeK8fkNE6kaJumBB343b8Rgj0G97MP/os1GfkEqmX9glB
                0IOM2mgHHyoAAACAfRir27hHy+fw8CxPlsK0R6cFhxYyd/qYYogXFKYIOPxpLoYrjqODeOFThU7TJuBz
                aS97eXiruzbffHwzUGfXgmQT5o9IMZRTClWPA/5Ju4O9YABYHccUghf0W+QtgGOT6FOSvBh8uOV0kcHC
                GMJAP8omphauZJlc+wgFxhnkyh4=
                
                bitcount:1024
                fingerprint:
                44:91:32:1f:7a:d1:83:3c:f3:5e:db:53:0a:2d:ce:69
                **************************************
                mcs-srvr43(config)# no ssh key rsa
                mcs-srvr43(config)# show ssh key
                **************************************
                could not retrieve rsa key information
                **************************************
                dsa Keys generated:Sun Jul 27 15:20:12 2008
                
                ssh-dss AAAAB3NzaC1kc3MAAACBALpdxLjXNS/jcCNY+F1QZV9HegxBEb0DMUmq9bSq2N+KAcvHllEh
                GnaiHhqarOlcEKqhLbIbuqtKTCvfa+Y1hBIAhWVjg1UR3/M22jqxnfhnxL5YRc1Q7fcesFax0myayAIU
                nXrkO5iwv9XHTu+EInRc4kJ0XrG9SxtLmDe/fi2ZAAAAFQDbRabAjZa6GfDpwjXw5smRhrElJwAAAIEA
                r50yi3hHawNnb5qgYLXhN+KA8XJF753eCWHtMw7NR8fz6fjQ1R2J97UjjGuQ8DvwpGeNQ5S+AuIo0rGq
                svdg7TTecBcbgBOnR7Fs2+W5HiSVEGbvj1xaeK8fkNE6kaJumBB343b8Rgj0G97MP/os1GfkEqmX9glB
                0IOM2mgHHyoAAACAfRir27hHy+fw8CxPlsK0R6cFhxYyd/qYYogXFKYIOPxpLoYrjqODeOFThU7TJuBz
                aS97eXiruzbffHwzUGfXgmQT5o9IMZRTClWPA/5Ju4O9YABYHccUghf0W+QtgGOT6FOSvBh8uOV0kcHC
                GMJAP8omphauZJlc+wgFxhnkyh4=
                
                bitcount:1024
                fingerprint:
                44:91:32:1f:7a:d1:83:3c:f3:5e:db:53:0a:2d:ce:69
                **************************************
                mcs-srvr43(config)# no ssh key dsa
                mcs-srvr43(config)# show ssh key
                **************************************
                could not retrieve rsa key information
                **************************************
                could not retrieve dsa key information
                **************************************
                no ssh keys present. you will have to generate them
                **************************************

                Clearing SSH Sessions

                You can clear SSH sessions from the device.

                Before You Begin

                Log in to the CLI in EXEC mode.

                Procedure
                    Command or Action Purpose
                  Step 1 switch# show users  

                  Displays user session information.

                   
                  Step 2 switch# clear line vty-line 

                  Clears a user SSH session.

                   
                  Step 3 switch# show users  (Optional)

                  Displays user session information.

                   

                  This example shows how to clear an SSH session:

                  switch# show users
                  NAME     LINE         TIME         IDLE          PID COMMENT
                  admin    tty1         Jul 25 19:13  old         2867
                  admin    pts/0        Jul 28 09:49 00:02       28556 (10.21.148.122)
                  admin    pts/1        Jul 28 09:46   .         28437 (::ffff:10.21.148.122)*
                  switch# clear line 0
                  switch# show users
                  NAME     LINE         TIME         IDLE          PID COMMENT
                  admin    tty1         Jul 25 19:13  old         2867
                  admin    pts/1        Jul 28 09:46   .         28437 (::ffff:10.21.148.122)*
                  mcs-srvr43(config)#
                  

                  Verifying the SSH Configuration

                  Use the following commands to verify the configuration.

                  Command

                  Purpose

                  show ssh key [dsa | rsa]

                  Displays SSH server key-pair information.

                  show running-config security [all]

                  Displays the SSH and user account configuration in the running configuration. The all keyword displays the default values for the SSH and user accounts.

                  show ssh server

                  Displays the SSH server configuration.

                  Configuration Example for SSH

                  This example shows how to configure SSH with an OpenSSH key:

                  1. Disable the SSH server.
                    switch# configure terminal
                    switch(config)# no feature ssh 
                  2. Generate an SSH server key.
                    switch(config)# ssh key rsa
                    generating rsa key(1024 bits).....
                    .generated rsa key
                  3. Enable the SSH server.
                    switch(config)# feature ssh 
                  4. Display the SSH server key.
                    switch(config)# show ssh key
                    rsa Keys generated:Sat Sep 29 00:10:39 2007
                    
                    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvWhEBsF55oaPHNDBnpXOTw6+/OdHoLJZKr+MZm99n2U0
                    ChzZG4svRWmHuJY4PeDWl0e5yE3g3EO3pjDDmt923siNiv5aSga60K36lr39HmXL6VgpRVn1XQFiBwn4
                    na+H1d3Q0hDt+uWEA0tka2uOtXlDhliEmn4HVXOjGhFhoNE=
                    
                    bitcount:1024
                    fingerprint:
                    51:6d:de:1c:c3:29:50:88:df:cc:95:f0:15:5d:9a:df
                    **************************************
                    could not retrieve dsa key information
                    **************************************
                  5. Specify the SSH public key in OpenSSH format.
                    switch(config)# username User1 sshkey ssh-rsa 
                    AAAAB3NzaC1yc2EAAAABIwAAAIEAy19oF6QaZl9G+3f1XswK3OiW4H7YyUyuA50rv7gsEPjhOBYmsi6PAVKui1nIf/
                    DQhum+lJNqJP/eLowb7ubO+lVKRXFY/G+lJNIQW3g9igG30c6k6+XVn+NjnI1B7ihvpVh7dLddMOXwOnXHYshXmSiH
                    3UD/vKyziEh5S4Tplx8=
                  6. Save the configuration.
                    switch(config)# copy running-config startup-config

                  Feature History for SSH

                  This table only includes updates for those releases that have resulted in additions to the feature.

                  Feature Name

                  Releases

                  Feature Information

                  SSH

                  4.0(4)SV1(1)

                  This feature was introduced.