-
Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4T
-
Securing User Services Overview
-
Autosecure
- Authentication, Authorization, and Accounting (AAA)
-
Security Server Protocols
-
RADIUS
-
Configuring RADIUS
-
AAA Dead-Server Detection
-
AAA-SERVER-MIB Set Operation
-
ACL Default Direction
-
Attribute Screening for Access Requests
-
Enable Multilink PPP via RADIUS for Preauthentication User
-
Enhanced Test Command
-
Framed-Route in RADIUS Accounting
-
Offload Server Accounting Enhancement
-
Per VRF AAA
-
RFC-2867 RADIUS Tunnel Accounting
-
RADIUS Attribute Screening
-
RADIUS Centralized Filter Management
-
RADIUS Debug Enhancements
-
RADIUS Logical Line ID
-
RADIUS NAS-IP-Address Attribute Configurability
-
RADIUS Route Download
-
RADIUS Server Load Balancing
-
RADIUS Support of 56-Bit Acct Session-Id
-
RADIUS Tunnel Preference for Load Balancing and Fail-Over
-
RADIUS Server Reorder on Failure
-
Tunnel Authentication via RADIUS on Tunnel Terminator
-
RADIUS Interim Update at Call Connect
-
Define Interface Policy-Map AV Pairs AAA
-
- TACACS+
-
RADIUS
-
RADIUS and TACACS+ Attributes
-
RADIUS Attributes
-
RADIUS Attributes Overview and RADIUS IETF Attributes
-
RADIUS Vendor-Proprietary Attributes
-
Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
-
Connect-Info RADIUS Attribute 77
-
Encrypted Vendor Specific Attributes
-
Local AAA Server
-
Per-User QoS via AAA Policy Name
-
RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
-
RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
-
RADIUS Attribute 82: Tunnel Assignment ID
-
RADIUS Attribute 104
-
RADIUS Progress Codes
-
RADIUS Timeout Set During Pre-Authentication
-
RADIUS Tunnel Attribute Extensions
-
V.92 Reporting Using RADIUS Attribute v.92-info
-
RADIUS Attribute 66 (Tunnel-Client-Endpoint) Enhancements
-
- TACACS+ Attributes
-
RADIUS Attributes
- Secure Shell (SSH)
-
Cisco IOS Login Enhancements (Login Block)
-
Cisco IOS Resilient Configuration
-
Image Verification
-
IP Source Tracker
-
Role-Based CLI Access
- User Security Configuration
-
Configuring Kerberos
-
Lawful Intercept Architecture
-
Table Of Contents
Information About Secure Shell
Configuration Examples for SSH
SSH on a Cisco 7200 Series Router: Example
SSH on a Cisco 7500 Series Router: Example
SSH on a Cisco 1200 Gigabit Switch Router: Example
Feature Information for Configuring Secure Shell
Configuring Secure Shell
First Published: December 12, 2004Last Updated: September 11, 2009The Secure Shell (SSH) feature is an application and a protocol that provide a secure replacement to the Berkeley r-tools. The protocol secures the sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools. There are currently two versions of SSH available: SSH Version 1 and SSH Version 2. This document describes SSH Version 1. For information about SSH Version 2, see the "Secure Shell Version 2 Support" feature module.
Note
Hereafter, unless otherwise noted, the term "SSH" denotes "SSH Version 1" only.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring Secure Shell" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•
•
•
Prerequisites
Perform the following tasks before configuring SSH:
•
•
•
Note
•
Restrictions
SSH has the following restrictions:
•
•
•
•
Information About Secure Shell
The following sections provide information about SSH:
SSH Server
The SSH Server feature enables a SSH client to make a secure, encrypted connection to a Cisco router. This connection provides functionality that is similar to that of an inbound Telnet connection. Before SSH, security was limited to Telnet security. SSH allows a strong encryption to be used with the Cisco IOS software authentication. The SSH server in Cisco IOS software works with publicly and commercially available SSH clients.
SSH Integrated Client
The SSH Integrated Client feature is an application running over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco router to make a secure, encrypted connection to another Cisco router or to any other device running the SSH server. This connection provides functionality that is similar to that of an outbound Telnet connection except that the connection is encrypted. With authentication and encryption, the SSH client allows for a secure communication over an insecure network.
The SSH client in the Cisco IOS software works with publicly and commercially available SSH servers. The SSH client supports the ciphers of Data Encryption Standard (DES), Triple DES (3DES), and password authentication. User authentication is performed like that in the Telnet session to the router. The user authentication mechanisms supported for SSH are RADIUS, TACACS+ and the use of locally stored user names and passwords.
Note
How to Configure SSH
Perform the following tasks for configuring SSH.
•
•
Configuring SSH Server
Perform the following steps to enable the Cisco router for SSH.
Note
Note
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Verifying SSH
To verify that the SSH server is enabled and view the version and configuration data for your SSH connection, use the show ip ssh command. The following example shows that SSH is enabled:
Router# show ip sshSSH Enabled - version 1.5Authentication timeout: 120 secs; Authentication retries: 3The following example shows that SSH is disabled:
Router# show ip ssh%SSH has not been enabledTo verify the status of your SSH server connections, use the show ssh command. The following example shows the SSH server connections on the router when SSH is enabled:
Router# show sshConnection Version Encryption State Username0 1.5 3DES Session Started guestThe following example shows that SSH is disabled:
Router# show ssh%No SSH server connections running.Troubleshooting Tips
•
•
–
You must configure a host name for the router using the hostname global configuration command. See the "IPsec and Quality of Service" feature module for more information.
–
You must configure a host domain for the router using the ip domain-name global configuration command. See the "IPsec and Quality of Service" feature module for more information.
•
•
Configuration Examples for SSH
This section provides the following configuration examples, which are output from the show running configuration EXEC command on a Cisco 7200, Cisco 7500, and Cisco 12000.
•
•
•
Note
SSH on a Cisco 7200 Series Router: Example
In the following example, SSH is configured on a Cisco 7200 with a timeout that is not to exceed 60 seconds, and no more than 2 authentication retries. Also, before configuring the SSH server feature on the router, TACACS+ is specified as the method of authentication.
hostname Router72Kaaa new-modelaaa authentication login default tacacs+aaa authentication login aaa7200kw noneenable password enable7200pwusername username1 password 0 password1username username2 password 0 password2ip subnet-zerono ip domain-lookupip domain-name cisco.com! Enter the ssh commands.ip ssh time-out 60ip ssh authentication-retries 2controller E1 2/0controller E1 2/1interface Ethernet1/0ip address 192.168.110.2 255.255.255.0 secondaryip address 192.168.109.2 255.255.255.0no ip directed-broadcastno ip route-cacheno ip mroute-cacheno keepaliveno cdp enableinterface Ethernet1/1no ip addressno ip directed-broadcastno ip route-cacheno ip mroute-cacheshutdownno cdp enableinterface Ethernet1/2no ip addressno ip directed-broadcastno ip route-cacheno ip mroute-cacheshutdownno cdp enableno ip classlessip route 192.168.1.0 255.255.255.0 10.1.10.1ip route 192.168.9.0 255.255.255.0 10.1.1.1ip route 192.168.10.0 255.255.255.0 10.1.1.1map-list atmip 10.1.10.1 atm-vc 7 broadcastno cdp runtacacs-server host 192.168.109.216 port 9000tacacs-server key ciscoradius-server host 192.168.109.216 auth-port 1650 acct-port 1651radius-server key ciscoline con 0exec-timeout 0 0login authentication aaa7200kwtransport input noneline aux 0line vty 0 4password enable7200pwendSSH on a Cisco 7500 Series Router: Example
In the following example, SSH is configured on a Cisco 7500 with a timeout that is not to exceed 60 seconds and no more than 5 authentication retries. Before the SSH Server feature is configured on the router, RADIUS is specified as the method of authentication.
hostname Router75Kaaa new-modelaaa authentication login default radiusaaa authentication login aaa7500kw noneenable password enable7500pwusername username1 password 0 password1username username2 password 0 password2ip subnet-zerono ip cefno ip domain-lookupip domain-name cisco.com! Enter ssh commands.ip ssh time-out 60ip ssh authentication-retries 5controller E1 3/0channel-group 0 timeslots 1controller E1 3/1channel-group 0 timeslots 1channel-group 1 timeslots 2interface Ethernet0/0/0no ip addressno ip directed-broadcastno ip route-cache distributedshutdowninterface Ethernet0/0/1no ip addressno ip directed-broadcastno ip route-cache distributedshutdowninterface Ethernet0/0/2no ip addressno ip directed-broadcastno ip route-cache distributedshutdowninterface Ethernet0/0/3no ip addressno ip directed-broadcastno ip route-cache distributedshutdowninterface Ethernet1/0ip address 192.168.110.2 255.255.255.0 secondaryip address 192.168.109.2 255.255.255.0no ip directed-broadcastno ip route-cacheno ip mroute-cacheinterface Ethernet1/1ip address 192.168.109.2 255.255.255.0no ip directed-broadcastno ip route-cacheno ip mroute-cacheshutdowninterface Ethernet1/2no ip addressno ip directed-broadcastno ip route-cacheno ip mroute-cacheinterface Ethernet1/3no ip addressno ip directed-broadcastno ip route-cacheno ip mroute-cacheshutdowninterface Ethernet1/4no ip addressno ip directed-broadcastno ip route-cacheno ip mroute-cacheshutdowninterface Ethernet1/5no ip addressno ip directed-broadcastno ip route-cacheno ip mroute-cacheshutdowninterface Serial2/0ip address 10.1.1.2 255.0.0.0no ip directed-broadcastencapsulation pppno ip route-cacheno ip mroute-cacheip classlessip route 192.168.9.0 255.255.255.0 10.1.1.1ip route 192.168.10.0 255.255.255.0 10.1.1.1tacacs-server host 192.168.109.216 port 9000tacacs-server key ciscoradius-server host 192.168.109.216 auth-port 1650 acct-port 1651radius-server key ciscoline con 0exec-timeout 0 0login authentication aaa7500kwtransport input noneline aux 0transport input allline vty 0 4endSSH on a Cisco 1200 Gigabit Switch Router: Example
In the following example, SSH is configured on a Cisco 12000 with a timeout that is not to exceed 60 seconds and no more than 2 authentication retries. Before the SSH Server feature is configured on the router, TACACS+ is specified as the method of authentication.
hostname Router12Kaaa new-modelaaa authentication login default tacacs+ localaaa authentication login aaa12000kw localenable password enable12000pwusername username1 password 0 password1username username2 password 0 password2redundancymain-cpuauto-sync startup-configip subnet-zerono ip domain-lookupip domain-name cisco.com! Enter ssh commands.ip ssh time-out 60ip ssh authentication-retries 2interface ATM0/0no ip addressno ip directed-broadcastno ip route-cache cefshutdowninterface POS1/0ip address 10.100.100.2 255.255.255.0no ip directed-broadcastencapsulation pppno ip route-cache cefno keepalivecrc 16no cdp enableinterface POS1/1no ip addressno ip directed-broadcastno ip route-cache cefshutdowncrc 32interface POS1/2no ip addressno ip directed-broadcastno ip route-cache cefshutdowncrc 32interface POS1/3no ip addressno ip directed-broadcastno ip route-cache cefshutdowncrc 32interface POS2/0ip address 10.1.1.1 255.255.255.0no ip directed-broadcastencapsulation pppno ip route-cache cefcrc 16interface Ethernet0ip address 172.17.110.91 255.255.255.224no ip directed-broadcastrouter ospf 1network 0.0.0.0 255.255.255.255 area 0.0.0.0ip classlessip route 0.0.0.0 0.0.0.0 172.17.110.65logging trap debuggingtacacs-server host 172.17.116.138tacacs-server key ciscoradius-server host 172.17.116.138 auth-port 1650 acct-port 1651radius-server key ciscoline con 0exec-timeout 0 0login authentication aaa12000kwtransport input noneline aux 0line vty 0 4no scheduler max-task-timeno exception linecard slot 0 sqe-registersno exception linecard slot 1 sqe-registersno exception linecard slot 2 sqe-registersno exception linecard slot 3 sqe-registersno exception linecard slot 4 sqe-registersno exception linecard slot 5 sqe-registersno exception linecard slot 6 sqe-registersendAdditional References
The following sections provide references related to the SSH feature.
Related Documents
Authentication, Authorization, and Accounting (AAA)
"Configuring Authentication," "Configuring Authorization," and "Configuring Accounting" feature modules.
IPsec
"IPsec and Quality of Service" feature module.
SSH Version 2
"Secure Shell Version 2 Support" feature module.
Downloading a software image.
Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4T.
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
Technical Assistance
Feature Information for Configuring Secure Shell
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco Ironport, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flip Video, Flip Video (Design), Flipshare (Design), Flip Ultra, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0907R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2004-2009 Cisco Systems, Inc. All rights reserved.
