Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 5.x
Configuring SSH and Telnet
Downloads: This chapterpdf (PDF - 1.35MB) The complete bookPDF (PDF - 10.7MB) | The complete bookePub (ePub - 3.43MB) | Feedback

Configuring SSH and Telnet

Contents

Configuring SSH and Telnet

This chapter describes how to configure Secure Shell Protocol (SSH) and Telnet on Cisco NX-OS devices.

This chapter includes the following sections:

Information About SSH and Telnet

This section includes information about SSH and Telnet.

SSH Server

You can use the SSH server to enable an SSH client to make a secure, encrypted connection to a Cisco NX-OS device. SSH uses strong encryption for authentication. The SSH server in the Cisco NX-OS software can interoperate with publicly and commercially available SSH clients.

The user authentication mechanisms supported for SSH are RADIUS, TACACS+, LDAP, and the use of locally stored usernames and passwords.

SSH Client

The SSH client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco NX-OS device to make a secure, encrypted connection to another Cisco NX-OS device or to any other device that runs the SSH server. This connection provides an outbound connection that is encrypted. With authentication and encryption, the SSH client allows for a secure communication over an insecure network.

The SSH client in the Cisco NX-OS software works with publicly and commercially available SSH servers.

SSH Server Keys

SSH requires server keys for secure communications to the Cisco NX-OS device. You can use SSH server keys for the following SSH options:

  • SSH version 2 using Rivest, Shamir, and Adelman (RSA) public-key cryptography
  • SSH version 2 using the Digital System Algrorithm (DSA)

Be sure to have an SSH server key-pair with the appropriate version before enabling the SSH service. You can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts two types of key-pairs for use by SSH version 2:

  • The dsa option generates the DSA key-pair for the SSH version 2 protocol.
  • The rsa option generates the RSA key-pair for the SSH version 2 protocol.

By default, the Cisco NX-OS software generates an RSA key using 1024 bits.

SSH supports the following public key formats:

  • OpenSSH
  • IETF Secure Shell (SECSH)
  • Public Key Certificate in Privacy-Enhanced Mail (PEM)

Caution


If you delete all of the SSH keys, you cannot start the SSH services.


SSH Authentication Using Digital Certificates

SSH authentication on Cisco NX-OS devices provide X.509 digital certificate support for host authentication. An X.509 digital certificate is a data item that ensures the origin and integrity of a message. It contains encryption keys for secured communications and is signed by a trusted certification authority (CA) to verify the identity of the presenter. The X.509 digital certificate support provides either DSA or RSA algorithms for authentication.

The certificate infrastructure uses the first certificate that supports the Secure Socket Layer (SSL) and is returned by the security infrastructure, either through a query or a notification. Verification of certificates is successful if the certificates are from any of the trusted CAs.

You can configure your device for either SSH authentication using an X.509 certificate or SSH authentication using a Public Key Certificate, but not both. If either of them is configured and the authentication fails, you are prompted for a password.

Telnet Server

The Telnet protocol enables TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP connection to a login server at another site and then passes the keystrokes from one device to the other. Telnet can accept either an IP address or a domain name as the remote device address.

The Telnet server is disabled by default on the Cisco NX-OS device.

Virtualization Support for SSH and Telnet

SSH and Telnet configuration and operation are local to the virtual device context (VDC). For more information on VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide.

Licensing Requirements for SSH and Telnet

The following table shows the licensing requirements for this feature:

Product

License Requirement

Cisco NX-OS

SSH and Telnet require no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Prerequisites for SSH and Telnet

SSH and Telnet have the following prerequisites:

  • You have configured IP on a Layer 3 interface, out-of-band on the mgmt 0 interface, or inband on an Ethernet interface.

Guidelines and Limitations for SSH and Telnet

SSH and Telnet have the following configuration guidelines and limitations:

  • The Cisco NX-OS software supports only SSH version 2 (SSHv2).
  • You can configure your device for either SSH authentication using an X.509 certificate or SSH authentication using a public key certificate but not both. If either of them is configured and the authentication fails, you are prompted for a password.
  • Beginning in Cisco NX-OS Release 5.1, SSH runs in FIPS mode.
  • The SFTP server feature does not support the regular SFTP chown and chgrp commands.
  • When the SFTP server is enabled, only the admin user can use SFTP to access the switch.

Note


If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.


Default Settings for SSH and Telnet

This table lists the default settings for SSH and Telnet parameters.

Table 1 Default SSH and Telnet Parameters

Parameters

Default

SSH server

Enabled

SSH server key

RSA key generated with 1024 bits

RSA key bits for generation

1024

Telnet server

Disabled

Telnet port number

23

Maximum number of SSH login attempts

3

SCP server

Disabled

SFTP server

Disabled

Configuring SSH

This section describes how to configure SSH.

Generating SSH Server Keys

You can generate an SSH server key based on your security requirements. The default SSH server key is an RSA key that is generated using 1024 bits.

SUMMARY STEPS

    1.    configure terminal

    2.    no feature ssh

    3.    ssh key {dsa [force] | rsa [bits [force]]}

    4.    feature ssh

    5.    exit

    6.    (Optional) show ssh key

    7.    (Optional) copy running-config startup-config


DETAILED STEPS
      Command or Action Purpose
    Step 1 configure terminal


    Example:
    switch# configure terminal
    switch(config)#
     

    Enters global configuration mode.

     
    Step 2 no feature ssh


    Example:
    switch(config)# no feature ssh
     

    Disables SSH.

     
    Step 3 ssh key {dsa [force] | rsa [bits [force]]}


    Example:
    switch(config)# ssh key rsa 2048
     

    Generates the SSH server key.

    The bits argument is the number of bits used to generate the RSA key. Beginning with Cisco NX-OS Release 5.1, the range is from 1024 to 2048. In Cisco NX-OS Release 5.0, the range is from 768 to 2048. The default value is 1024.

    You cannot specify the size of the DSA key. It is always set to 1024 bits.

    Use the force keyword to replace an existing key.

     
    Step 4 feature ssh


    Example:
    switch(config)# feature ssh
     

    Enables SSH.

     
    Step 5 exit


    Example:
    switch(config)# exit
    switch#
     

    Exits global configuration mode.

     
    Step 6 show ssh key


    Example:
    switch# show ssh key
     
    (Optional)

    Displays the SSH server keys.

     
    Step 7 copy running-config startup-config


    Example:
    switch# copy running-config startup-config
     
    (Optional)

    Copies the running configuration to the startup configuration.

     

    Specifying the SSH Public Keys for User Accounts

    You can configure an SSH public key to log in using an SSH client without being prompted for a password. You can specify the SSH public key in one of these formats:

    • OpenSSH format
    • IETF SECSH format
    • Public Key Certificate in PEM format

    Specifying the SSH Public Keys in IETF SECSH Format

    You can specify the SSH public keys in IETF SECSH format for user accounts.

    Before You Begin

    Generate an SSH public key in IETF SCHSH format.

    SUMMARY STEPS

      1.    copy server-file bootflash:filename

      2.    configure terminal

      3.    username username sshkey file bootflash:filename

      4.    exit

      5.    (Optional) show user-account

      6.    (Optional) copy running-config startup-config


    DETAILED STEPS
        Command or Action Purpose
      Step 1 copy server-file bootflash:filename


      Example:
      switch# copy tftp://10.10.1.1/secsh_file.pub bootflash:secsh_file.pub
       

      Downloads the file containing the SSH key in IETF SECSH format from a server. The server can be FTP, secure copy (SCP), secure FTP (SFTP), or TFTP.

       
      Step 2 configure terminal


      Example:
      switch# configure terminal
      switch(config)#
       

      Enters global configuration mode.

       
      Step 3 username username sshkey file bootflash:filename


      Example:
      switch(config)# username User1 sshkey file bootflash:secsh_file.pub
       

      Configures the SSH public key in IETF SECSH format.

       
      Step 4 exit


      Example:
      switch(config)# exit
      switch#
       

      Exits global configuration mode.

       
      Step 5 show user-account


      Example:
      switch# show user-account
       
      (Optional)

      Displays the user account configuration.

       
      Step 6 copy running-config startup-config


      Example:
      switch# copy running-config startup-config
       
      (Optional)

      Copies the running configuration to the startup configuration.

       

      Specifying the SSH Public Keys in OpenSSH Format

      You can specify the SSH public keys in OpenSSH format for user accounts.

      Before You Begin

      Generate an SSH public key in OpenSSH format.

      SUMMARY STEPS

        1.    configure terminal

        2.    username username sshkey ssh-key

        3.    exit

        4.    (Optional) show user-account

        5.    (Optional) copy running-config startup-config


      DETAILED STEPS
          Command or Action Purpose
        Step 1 configure terminal


        Example:
        switch# configure terminal
        switch(config)#
         

        Enters global configuration mode.

         
        Step 2 username username sshkey ssh-key


        Example:
        switch(config)# username User1 sshkey
        ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAy19oF6QaZl9G+3f1XswK3OiW4H7YyUyuA50rv7gsEPj
        hOBYmsi6PAVKui1nIf/DQhum+lJNqJP/eLowb7ubO+lVKRXFY/G+lJNIQW3g9igG30c6k6+
        XVn+NjnI1B7ihvpVh7dLddMOXwOnXHYshXmSiH3UD/vKyziEh5S4Tplx8=
        
        
         

        Configures the SSH public key in OpenSSH format.

         
        Step 3 exit


        Example:
        switch(config)# exit
        switch#
        
        
         

        Exits global configuration mode.

         
        Step 4 show user-account


        Example:
        switch# show user-account
        
        
         
        (Optional)

        Displays the user account configuration.

         
        Step 5 copy running-config startup-config


        Example:
        switch# copy running-config startup-config
        
        
         
        (Optional)

        Copies the running configuration to the startup configuration.

         

        Configuring a Maximum Number of SSH Login Attempts

        You can configure the maximum number of SSH login attempts. If the user exceeds the maximum number of permitted attempts, the session disconnects.


        Note


        The total number of login attempts includes attempts through public-key authentication, certificate-based authentication, and password-based authentication. If public-key authentication is enabled, it takes priority. If only certificate-based and password-based authentication are enabled, certificate-based authentication takes priority. If you exceed the configured number of login attempts through all of these methods, a message appears indicating that too many authentication failures have occurred.


        SUMMARY STEPS

          1.    configure terminal

          2.    ssh login-attempts number

          3.    (Optional) show running-config security all

          4.    (Optional) copy running-config startup-config


        DETAILED STEPS
            Command or Action Purpose
          Step 1 configure terminal


          Example:
          switch# configure terminal
          switch(config)#
           

          Enters global configuration mode.

           
          Step 2 ssh login-attempts number


          Example:
          switch(config)# ssh login-attempts 5
           

          Configures the maximum number of times that a user can attempt to log into an SSH session. The default maximum number of login attempts is 3. The range is from 1 to 10.

          Note   

          The no form of this command removes the previous login attempts value and sets the maximum number of login attempts to the default value of 3.

           
          Step 3 show running-config security all


          Example:
          switch(config)# show running-config security all
           
          (Optional)

          Displays the configured maximum number of SSH login attempts.

           
          Step 4 copy running-config startup-config


          Example:
          switch(config)# copy running-config startup-config
           
          (Optional)

          (Optional) Copies the running configuration to the startup configuration.

           

          Starting SSH Sessions

          You can start SSH sessions using IPv4 or IPv6 to connect to remote devices from the Cisco NX-OS device.

          Before You Begin

          Obtain the hostname for the remote device and, if needed, the username on the remote device.

          Enable the SSH server on the remote device.

          SUMMARY STEPS

            1.    ssh [username@]{ipv4-address | hostname} [vrf vrf-name]

            2.    ssh6 [username@]{ipv6-address | hostname} [vrf vrf-name]


          DETAILED STEPS
              Command or Action Purpose
            Step 1 ssh [username@]{ipv4-address | hostname} [vrf vrf-name]


            Example:
            switch# ssh 10.10.1.1
             

            Creates an SSH IPv4 session to a remote device using IPv4. The default VRF is the default VRF.

             
            Step 2 ssh6 [username@]{ipv6-address | hostname} [vrf vrf-name]


            Example:
            switch# ssh6 HostA
             

            Creates an SSH IPv6 session to a remote device using IPv6.

             

            Starting SSH Sessions from Boot Mode

            You can start SSH sessions from the boot mode of the Cisco NX-OS device to connect to remote devices.

            Before You Begin

            Obtain the hostname for the remote device and, if needed, the username on the remote device.

            Enable the SSH server on the remote device.

            Ensure that the Cisco NX-OS device is loaded with only the kickstart image.

            SUMMARY STEPS

              1.    ssh [username@]hostname

              2.    exit

              3.    copy scp://[username@]hostname/filepath directory


            DETAILED STEPS
                Command or Action Purpose
              Step 1 ssh [username@]hostname


              Example:
              switch(boot)# ssh user1@10.10.1.1
               

              Creates an SSH session to a remote device from the boot mode of the Cisco NX-OS device. The default VRF is always used.

               
              Step 2 exit


              Example:
              switch(boot)# exit
               

              Exits boot mode.

               
              Step 3 copy scp://[username@]hostname/filepath directory


              Example:
              switch# copy scp://user1@10.10.1.1/users abc
               

              Copies a file from the Cisco NX-OS device to a remote device using the Secure Copy Protocol (SCP). The default VRF is always used.

               

              Configuring SSH Passwordless File Copy

              You can copy files from a Cisco NX-OS device to a secure copy (SCP) or secure FTP (SFTP) server without a password. To do so, you must create an RSA or DSA identity that consists of public and private keys for authentication with SSH.

              SUMMARY STEPS

                1.    configure terminal

                2.    [no] username username keypair generate {rsa [bits [force]] | dsa [force]}

                3.    (Optional) show username username keypair

                4.    username username keypair export {bootflash:filename | volatile:filename} {rsa | dsa} [force]

                5.    username username keypair import {bootflash:filename | volatile:filename} {rsa | dsa} [force]


              DETAILED STEPS
                  Command or Action Purpose
                Step 1 configure terminal


                Example:
                switch# configure terminal
                switch(config)#
                 

                Enters global configuration mode.

                 
                Step 2 [no] username username keypair generate {rsa [bits [force]] | dsa [force]}


                Example:
                switch(config)# username user1 keypair generate rsa 2048 force
                 

                Generates the SSH public and private keys and stores them in the home directory ($HOME/.ssh) of the Cisco NX-OS device for the specified user. The Cisco NX-OS device uses the keys to communicate with the SSH server on the remote machine.

                The bits argument is the number of bits used to generate the key. Beginning with Cisco NX-OS Release 5.1, the range is from 1024 to 2048. In Cisco NX-OS Release 5.0, the range is from 768 to 2048. The default value is 1024.

                Use the force keyword to replace an existing key. The SSH keys are not generated if the force keyword is omitted and SSH keys are already present.

                 
                Step 3 show username username keypair


                Example:
                switch(config)# show username user1 keypair
                 
                (Optional)

                Displays the public key for the specified user.

                Note   

                For security reasons, this command does not show the private key.

                 
                Step 4 username username keypair export {bootflash:filename | volatile:filename} {rsa | dsa} [force]


                Example:
                switch(config)# username user1 keypair export bootflash:key_rsa rsa
                 

                Exports the public and private keys from the home directory of the Cisco NX-OS device to the specified bootflash or volatile directory.

                Use the force keyword to replace an existing key. The SSH keys are not exported if the force keyword is omitted and SSH keys are already present.

                To export the generated key pair, you are prompted to enter a passphrase that encrypts the private key. The private key is exported as the file that you specify, and the public key is exported with the same filename followed by a .pub extension. You can now copy this key pair to any Cisco NX-OS device and use SCP or SFTP to copy the public key file (*.pub) to the home directory of the server.

                Note   

                For security reasons, this command can be executed only from global configuration mode.

                 
                Step 5 username username keypair import {bootflash:filename | volatile:filename} {rsa | dsa} [force]


                Example:
                switch(config)# username user1 keypair import bootflash:key_rsa rsa
                 

                Imports the exported public and private keys from the specified bootflash or volatile directory to the home directory of the Cisco NX-OS device.

                Use the force keyword to replace an existing key. The SSH keys are not imported if the force keyword is omitted and SSH keys are already present.

                To import the generated key pair, you are prompted to enter a passphrase that decrypts the private key. The private key is imported as the file that you specify, and the public key is imported with the same filename followed by a .pub extension.

                Note   

                For security reasons, this command can be executed only from global configuration mode.

                Note   

                Only the users whose keys are configured on the server are able to access the server without a password.

                 
                What to Do Next

                On the SCP or SFTP server, use the following command to append the public key stored in the *.pub file (for example, key_rsa.pub) to the authorized_keys file:

                $ cat key_rsa.pub >> $HOME/.ssh/ authorized_keys

                You can now copy files from the Cisco NX-OS device to the server without a password using standard SSH and SCP commands.

                Configuring SCP and SFTP Servers

                You can configure an SCP or SFTP server on the Cisco NX-OS device in order to copy files to and from a remote device. After you enable the SCP or SFTP server, you can execute an SCP or SFTP command on the remote device to copy the files to or from the Cisco NX-OS device.


                Note


                The arcfour and blowfish cipher options are not supported for the SCP server.


                SUMMARY STEPS

                  1.    configure terminal

                  2.    [no] feature scp-server

                  3.    [no] feature sftp-server

                  4.    exit

                  5.    (Optional) show running-config security

                  6.    (Optional) copy running-config startup-config


                DETAILED STEPS
                    Command or Action Purpose
                  Step 1 configure terminal


                  Example:
                  switch# configure terminal
                  switch(config)#
                   

                  Enters global configuration mode.

                   
                  Step 2 [no] feature scp-server


                  Example:
                  switch(config)# feature scp-server
                   

                  Enables or disables the SCP server on the Cisco NX-OS device.

                   
                  Step 3 [no] feature sftp-server


                  Example:
                  switch(config)# feature sftp-server
                   

                  Enables or disables the SFTP server on the Cisco NX-OS device.

                   
                  Step 4 exit


                  Example:
                  switch(config)# exit
                  switch#
                   

                  Exits global configuration mode.

                   
                  Step 5 show running-config security


                  Example:
                  switch# show running-config security
                   
                  (Optional)

                  Displays the configuration status of the SCP and SFTP servers.

                   
                  Step 6 copy running-config startup-config


                  Example:
                  switch# copy running-config startup-config
                   
                  (Optional)

                  Copies the running configuration to the startup configuration.

                   

                  Clearing SSH Hosts

                  When you download a file from a server using SCP or SFTP, or when you start an SSH session from this device to a remote host, you establish a trusted SSH relationship with that server. You can clear the list of trusted SSH servers for your user account.

                  SUMMARY STEPS

                    1.    clear ssh hosts


                  DETAILED STEPS
                      Command or Action Purpose
                    Step 1 clear ssh hosts


                    Example:
                    switch# clear ssh hosts
                     

                    Clears the SSH host sessions and the known host file.

                     

                    Disabling the SSH Server

                    By default, the SSH server is enabled on the Cisco NX-OS device. You can disable the SSH server to prevent SSH access to the switch.

                    SUMMARY STEPS

                      1.    configure terminal

                      2.    no feature ssh

                      3.    exit

                      4.    (Optional) show ssh server

                      5.    (Optional) copy running-config startup-config


                    DETAILED STEPS
                        Command or Action Purpose
                      Step 1 configure terminal


                      Example:
                      switch# configure terminal
                      switch(config)#
                       

                      Enters global configuration mode.

                       
                      Step 2 no feature ssh


                      Example:
                      switch(config)# no feature ssh
                       

                      Disables SSH.

                       
                      Step 3 exit


                      Example:
                      switch(config)# exit
                      switch#
                       

                      Exits global configuration mode.

                       
                      Step 4 show ssh server


                      Example:
                      switch# show ssh server
                       
                      (Optional)

                      Displays the SSH server configuration.

                       
                      Step 5 copy running-config startup-config


                      Example:
                      switch# copy running-config startup-config
                       
                      (Optional)

                      Copies the running configuration to the startup configuration.

                       

                      Deleting SSH Server Keys

                      You can delete SSH server keys on the Cisco NX-OS device after you disable the SSH server.


                      Note


                      To reenable SSH, you must first generate an SSH server key.


                      SUMMARY STEPS

                        1.    configure terminal

                        2.    no feature ssh

                        3.    no ssh key [dsa | rsa]

                        4.    exit

                        5.    (Optional) show ssh key

                        6.    (Optional) copy running-config startup-config


                      DETAILED STEPS
                          Command or Action Purpose
                        Step 1 configure terminal


                        Example:
                        switch# configure terminal
                        switch(config)#
                         

                        Enters global configuration mode.

                         
                        Step 2 no feature ssh


                        Example:
                        switch(config)# no feature ssh
                         

                        Disables SSH.

                         
                        Step 3 no ssh key [dsa | rsa]


                        Example:
                        switch(config)# no ssh key rsa 
                         

                        Deletes the SSH server key.

                        The default is to delete all the SSH keys.

                         
                        Step 4 exit


                        Example:
                        switch(config)# exit
                        switch#
                         

                        Exits global configuration mode.

                         
                        Step 5 show ssh key


                        Example:
                        switch# show ssh key
                         
                        (Optional)

                        Displays the SSH server key configuration.

                         
                        Step 6 copy running-config startup-config


                        Example:
                        switch# copy running-config startup-config
                         
                        (Optional)

                        Copies the running configuration to the startup configuration.

                         

                        Clearing SSH Sessions

                        You can clear SSH sessions from the Cisco NX-OS device.

                        SUMMARY STEPS

                          1.    show users

                          2.    clear line vty-line


                        DETAILED STEPS
                            Command or Action Purpose
                          Step 1 show users


                          Example:
                          switch# show users
                           

                          Displays user session information.

                           
                          Step 2 clear line vty-line


                          Example:
                          switch(config)# clear line pts/12
                           

                          Clears a user SSH session.

                           

                          Configuring Telnet

                          This section describes how to configure Telnet on the Cisco NX-OS device.

                          Enabling the Telnet Server

                          You can enable the Telnet server on the Cisco NX-OS device. By default, the Telnet server is disabled.

                          SUMMARY STEPS

                            1.    configure terminal

                            2.    feature telnet

                            3.    exit

                            4.    (Optional) show telnet server

                            5.    (Optional) copy running-config startup-config


                          DETAILED STEPS
                              Command or Action Purpose
                            Step 1 configure terminal


                            Example:
                            switch# configure terminal
                            switch(config)#
                             

                            Enters global configuration mode.

                             
                            Step 2 feature telnet


                            Example:
                            switch(config)# feature telnet
                             

                            Enables the Telnet server. The default is disabled.

                             
                            Step 3 exit


                            Example:
                            switch(config)# exit
                            switch#
                             

                            Exits global configuration mode.

                             
                            Step 4 show telnet server


                            Example:
                            switch# show telnet server
                             
                            (Optional)

                            Displays the Telnet server configuration.

                             
                            Step 5 copy running-config startup-config


                            Example:
                            switch# copy running-config startup-config
                             
                            (Optional)

                            Copies the running configuration to the startup configuration.

                             

                            Starting Telnet Sessions to Remote Devices

                            You can start Telnet sessions to connect to remote devices from the Cisco NX-OS device. You can start Telnet sessions using either IPv4 or IPv6.

                            Before You Begin

                            Obtain the hostname or IP address for the remote device and, if needed, the username on the remote device.

                            Enable the Telnet server on the Cisco NX-OS device.

                            Enable the Telnet server on the remote device.

                            SUMMARY STEPS

                              1.    telnet {ipv4-address | host-name} [port-number] [vrf vrf-name]

                              2.    telnet6 {ipv6-address | host-name} [port-number] [vrf vrf-name]


                            DETAILED STEPS
                                Command or Action Purpose
                              Step 1 telnet {ipv4-address | host-name} [port-number] [vrf vrf-name]


                              Example:
                              switch# telnet 10.10.1.1
                               

                              Starts a Telnet session to a remote device using IPv4. The default port number is 23. The range is from 1 to 65535. The default VRF is the default VRF.

                               
                              Step 2 telnet6 {ipv6-address | host-name} [port-number] [vrf vrf-name]


                              Example:
                              switch# telnet6 2001:0DB8::ABCD:1 vrf management
                               

                              Starts a Telnet session to a remote device using IPv6. The default port number is 23. The range is from 1 to 65535. The default VRF is the default VRF.

                               

                              Clearing Telnet Sessions

                              You can clear Telnet sessions from the Cisco NX-OS device.

                              Before You Begin

                              Enable the Telnet server on the Cisco NX-OS device.

                              SUMMARY STEPS

                                1.    show users

                                2.    clear line vty-line


                              DETAILED STEPS
                                  Command or Action Purpose
                                Step 1 show users


                                Example:
                                switch# show users
                                 

                                Displays user session information.

                                 
                                Step 2 clear line vty-line


                                Example:
                                switch(config)# clear line pts/12
                                 

                                Clears a user Telnet session.

                                 

                                Verifying the SSH and Telnet Configuration

                                To display the SSH and Telnet configuration information, perform one of the following tasks:

                                Command

                                Purpose

                                show ssh key [dsa | rsa]

                                Displays SSH server key-pair information.

                                show running-config security [all]

                                Displays the SSH and user account configuration in the running configuration. The all keyword displays the default values for the SSH and user accounts.

                                show ssh server

                                Displays the SSH server configuration.

                                show telnet server

                                Displays the Telnet server configuration.

                                show username username keypair

                                Displays the public key for the specified user.

                                For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.

                                Configuration Example for SSH

                                The following example shows how to configure SSH with an OpenSSH key:


                                  Step 1   Disable the SSH server.

                                  Example:
                                  switch# configure terminal      
                                  switch(config)# no feature ssh      
                                  
                                  
                                  Step 2   Generate an SSH server key.

                                  Example:
                                        
                                  switch(config)# ssh key rsa      
                                  generating rsa key(1024 bits)......
                                  generated rsa key
                                  
                                  
                                  Step 3   Enable the SSH server.

                                  Example:
                                  switch(config)# feature ssh      
                                  
                                  
                                  Step 4   Display the SSH server key.

                                  Example:
                                  switch(config)# show ssh key      
                                  rsa Keys generated:Sat Sep 29 00:10:39 2007
                                  
                                  ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvWhEBsF55oaPHNDBnpXOTw6+/OdHoLJZKr
                                  +MZm99n2U0ChzZG4svRWmHuJY4PeDWl0e5yE3g3EO3pjDDmt923siNiv5aSga60K36lr39
                                  HmXL6VgpRVn1XQFiBwn4na+H1d3Q0hDt+uWEA0tka2uOtXlDhliEmn4HVXOjGhFhoNE=
                                  
                                  bitcount:1024
                                  fingerprint:
                                  51:6d:de:1c:c3:29:50:88:df:cc:95:f0:15:5d:9a:df
                                  **************************************
                                  could not retrieve dsa key information
                                  **************************************
                                  
                                  
                                  Step 5   Specify the SSH public key in OpenSSH format.

                                  Example:
                                  switch(config)# username User1 sshkey ssh-rsa      
                                  AAAAB3NzaC1yc2EAAAABIwAAAIEAy19oF6QaZl9G+3f1XswK3OiW4H7YyUyuA50r
                                  v7gsEPjhOBYmsi6PAVKui1nIf/DQhum+lJNqJP/eLowb7ubO+lVKRXFY/G+lJNIQ
                                  W3g9igG30c6k6+XVn+NjnI1B7ihvpVh7dLddMOXwOnXHYshXmSiH3UD/vKyziEh5
                                  4Tplx8=
                                  
                                  
                                  Step 6   Save the configuration.

                                  Example:
                                  switch(config)# copy running-config startup-config      
                                  
                                  

                                  Configuration Example for SSH Passwordless File Copy

                                  The following example shows how to copy files from a Cisco NX-OS device to a secure copy (SCP) or secure FTP (SFTP) server without a password:


                                    Step 1   Generate the SSH public and private keys and store them in the home directory of the Cisco NX-OS device for the specified user.

                                    Example:
                                    switch# configure terminal      
                                    switch(config)# username admin keypair generate rsa      
                                    generating rsa key(1024 bits)......
                                    generated rsa key
                                    
                                    
                                    Step 2   Display the public key for the specified user.

                                    Example:
                                    switch(config)# show username admin keypair      
                                    
                                    **************************************
                                    
                                    rsa Keys generated: Thu Jul  9 11:10:29 2009
                                    
                                    ssh-rsa
                                    AAAAB3NzaC1yc2EAAAABIwAAAIEAxWmjJT+oQhIcvnrMbx2BmD0P8boZElTfJ
                                    Fx9fexWp6rOiztlwODtehnjadWc6A+DE2DvYNvqsrU9TBypYDPQkR/+Y6cKubyFW
                                    VxSBG/NHztQc3+QC1zdkIxGNJbEHyFoajzNEO8LLOVFIMCZ2Td7gxUGRZc+fbq
                                    S33GZsCAX6v0=
                                    
                                    bitcount:262144
                                    fingerprint:
                                    8d:44:ee:6c:ca:0b:44:95:36:d0:7d:f2:b5:78:74:7d
                                    **************************************
                                    
                                    could not retrieve dsa key information
                                    **************************************
                                    
                                    
                                    
                                    Step 3   Export the public and private keys from the home directory of the Cisco NX-OS device to the specified bootflash directory.

                                    Example:
                                    switch(config)# username admin keypair export bootflash:key_rsa rsa      
                                    Enter Passphrase:
                                    switch(config)# dir
                                    .
                                    .
                                    .
                                            951     Jul 09 11:13:59 2009  key_rsa
                                            221     Jul 09 11:14:00 2009  key_rsa.pub
                                    .
                                    .
                                    
                                    
                                    
                                    Step 4   After copying these two files to another Cisco NX-OS device using the copy scp or copy sftp command, import them to the home directory of the Cisco NX-OS device.

                                    Example:
                                    switch(config)# username admin keypair import bootflash:key_rsa rsa      
                                    Enter Passphrase:
                                    switch(config)# show username admin keypair
                                    **************************************
                                    
                                    rsa Keys generated: Thu Jul  9 11:10:29 2009
                                    
                                    ssh-rsa
                                    AAAAB3NzaC1yc2EAAAABIwAAAIEAxWmjJT+oQhIcvnrMbx2BmD0P8boZElTfJ
                                    Fx9fexWp6rOiztlwODtehnjadWc6A+DE2DvYNvqsrU9TBypYDPQkR/+Y6cKubyFW
                                    VxSBG/NHztQc3+QC1zdkIxGNJbEHyFoajzNEO8LLOVFIMCZ2Td7gxUGRZc+fbq
                                    S33GZsCAX6v0=
                                    
                                    bitcount:262144
                                    fingerprint:
                                    8d:44:ee:6c:ca:0b:44:95:36:d0:7d:f2:b5:78:74:7d
                                    **************************************
                                    
                                    could not retrieve dsa key information
                                    **************************************
                                    switch(config)#
                                    
                                    
                                    
                                    Step 5   On the SCP or SFTP server, append the public key stored in key_rsa.pub to the authorized_keys file.

                                    Example:
                                    $ cat key_rsa.pub >> $HOME/.ssh/ authorized_keys      
                                    
                                    

                                    You can now copy files from the Cisco NX-OS device to the server without a password using standard SSH and SCP commands.

                                    Step 6   (Optional)Repeat this procedure for the DSA keys.

                                    Additional References for SSH and Telnet

                                    This section describes additional information related to implementing SSH and Telent.

                                    Related Documents

                                    Related Topic

                                    Document Title

                                    Cisco NX-OS licensing

                                    Cisco NX-OS Licensing Guide

                                    Command reference

                                    Cisco Nexus 7000 Series NX-OS Security Command Reference

                                    VRF configuration

                                    Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide

                                    Standards

                                    Standards

                                    Title

                                    No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

                                    MIBs

                                    MIBs

                                    MIBs Link

                                    • CISCO-SECURE-SHELL-MIB

                                    To locate and download MIBs, go to the following URL:

                                    http:/​/​www.cisco.com/​public/​sw-center/​netmgmt/​cmtk/​mibs.shtml

                                    Feature History for SSH and Telnet

                                    This table lists the release history for these features.

                                    Table 2 Feature History for SSH and Telnet

                                    Feature Name

                                    Releases

                                    Feature Information

                                    SSH and Telnet

                                    5.2(1)

                                    No change from Release 5.1.

                                    SCP and SFTP servers

                                    5.1(1)

                                    Added the ability to configure SCP and SFTP servers on the Cisco NX-OS device to support the copy of files to and from a remote device.

                                    SSH

                                    5.1(1)

                                    SSH runs in FIPS mode.

                                    SSH

                                    5.1(1)

                                    Changed the minimum RSA key size from 768 to 1024 bits.

                                    SSH

                                    5.0(2)

                                    Added support for configuring a maximum number of SSH login attempts.

                                    SSH

                                    5.0(2)

                                    Added the ability to start SSH sessions from the boot mode of the Cisco NX-OS device in order to connect to a remote device.

                                    SSH

                                    5.0(2)

                                    Added the ability to copy files from the Cisco NX-OS device to an SCP or SFTP server without a password.

                                    PKI

                                    5.0(2)

                                    Added support for a remote cert-store.