-
Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4T
-
Securing User Services Overview
-
Autosecure
- Authentication, Authorization, and Accounting (AAA)
-
Security Server Protocols
-
RADIUS
-
Configuring RADIUS
-
AAA Dead-Server Detection
-
AAA-SERVER-MIB Set Operation
-
ACL Default Direction
-
Attribute Screening for Access Requests
-
Enable Multilink PPP via RADIUS for Preauthentication User
-
Enhanced Test Command
-
Framed-Route in RADIUS Accounting
-
Offload Server Accounting Enhancement
-
Per VRF AAA
-
RFC-2867 RADIUS Tunnel Accounting
-
RADIUS Attribute Screening
-
RADIUS Centralized Filter Management
-
RADIUS Debug Enhancements
-
RADIUS Logical Line ID
-
RADIUS NAS-IP-Address Attribute Configurability
-
RADIUS Route Download
-
RADIUS Server Load Balancing
-
RADIUS Support of 56-Bit Acct Session-Id
-
RADIUS Tunnel Preference for Load Balancing and Fail-Over
-
RADIUS Server Reorder on Failure
-
Tunnel Authentication via RADIUS on Tunnel Terminator
-
RADIUS Interim Update at Call Connect
-
Define Interface Policy-Map AV Pairs AAA
-
- TACACS+
-
RADIUS
-
RADIUS and TACACS+ Attributes
-
RADIUS Attributes
-
RADIUS Attributes Overview and RADIUS IETF Attributes
-
RADIUS Vendor-Proprietary Attributes
-
Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
-
Connect-Info RADIUS Attribute 77
-
Encrypted Vendor Specific Attributes
-
Local AAA Server
-
Per-User QoS via AAA Policy Name
-
RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
-
RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
-
RADIUS Attribute 82: Tunnel Assignment ID
-
RADIUS Attribute 104
-
RADIUS Progress Codes
-
RADIUS Timeout Set During Pre-Authentication
-
RADIUS Tunnel Attribute Extensions
-
V.92 Reporting Using RADIUS Attribute v.92-info
-
RADIUS Attribute 66 (Tunnel-Client-Endpoint) Enhancements
-
- TACACS+ Attributes
-
RADIUS Attributes
- Secure Shell (SSH)
-
Cisco IOS Login Enhancements (Login Block)
-
Cisco IOS Resilient Configuration
-
Image Verification
-
IP Source Tracker
-
Role-Based CLI Access
- User Security Configuration
-
Configuring Kerberos
-
Lawful Intercept Architecture
-
Table Of Contents
Secure Shell Version 2 Support
Prerequisites for Secure Shell Version 2 Support
Restrictions for Secure Shell Version 2 Support
Information About Secure Shell Version 2 Support
Secure Shell Version 2 Enhancements
Secure Shell Version 2 Enhancements for RSA Keys
SSH Keyboard Interactive Authentication
How to Configure Secure Shell Version 2 Support
Configuring a Router for SSH Version 2 Using a Host Name and Domain Name
Configuring a Router for SSH Version 2 Using RSA Key Pairs
Configuring a Router for SSH Version 2 Using Private Public Key Pairs
Starting an Encrypted Session with a Remote Device
Enabling Secure Copy Protocol on the SSH Server
Verifying the Status of the Secure Shell Connection Using the show ssh Command
Verifying the Secure Shell Status Using the show ip ssh Command
Monitoring and Maintaining Secure Shell Version 2
Configuration Examples for Secure Shell Version 2 Support
Configuring Secure Shell Version 1: Example
Configuring Secure Shell Version 2: Example
Configuring Secure Shell Versions 1 and 2: Example
Starting an Encrypted Session with a Remote Device: Example
Configuring Server-Side SCP: Example
SSH Keyboard Interactive Authentication: Examples
SSH Debugging Enhancements: Examples
Feature Information for Secure Shell Version 2 Support
Secure Shell Version 2 Support
First Published: November 3, 2003Last Updated: October 8, 2009The Secure Shell Version 2 Support feature allows you to configure Secure Shell (SSH) Version 2 (SSH Version 1 support was implemented in an earlier Cisco IOS software release). SSH runs on top of a reliable transport layer and provides strong authentication and encryption capabilities. Currently, the only reliable transport that is defined for SSH is TCP. SSH provides a means to securely access and securely execute commands on another computer over a network. The Secure Copy Protocol (SCP) feature that is provided with SSH allows for the secure transfer of files.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Secure Shell Version 2 Support" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Secure Shell Version 2 Support
•
•
•
•
•
Prerequisites for Secure Shell Version 2 Support
Prior to configuring SSH, perform the following task:
•
Note
For more information on downloading a software image, refer to Cisco IOS Configuration Fundamentals Guide, Release 12.4T and Cisco IOS Network Management Configuration Guide, Release 15.0.
Restrictions for Secure Shell Version 2 Support
•
•
•
•
•
–
–
Information About Secure Shell Version 2 Support
To configure SSH Version 2, you should understand the following concepts:
•
•
•
Secure Shell Version 2
The Secure Shell Version 2 Support feature allows you to configure SSH Version 2.
The configuration for the SSH Version 2 server is similar to the configuration for SSH Version 1. The command ip ssh version has been introduced so that you may define which version of SSH that you want to configure. If you do not configure this command, SSH by default runs in compatibility mode; that is, both SSH Version 1 and SSH Version 2 connections are honored.
Note
The ip ssh rsa keypair-name command was also introduced in Cisco IOS Release 12.3(4)T so that you can enable a SSH connection using RSA keys that you have configured. Previously, SSH was linked to the first RSA keys that were generated (that is, SSH was enabled when the first RSA key pair was generated). The behavior still exists, but by using the ip ssh rsa keypair-name command, you can overcome that behavior. If you configure the ip ssh rsa keypair-name command with a key-pair name, SSH is enabled if the key pair exists, or SSH will be enabled if the key pair is generated later. If you use this command to enable SSH, you are not forced to configure a host name and a domain name, which was required in SSH Version 1 of the Cisco IOS software.
Note
Secure Shell Version 2 Enhancements
The Secure Shell Version 2 Enhancements include a number of additional capabilities such as supporting VRF aware SSH, SSH debug enhancements, and Diffie-Hellman group exchange support.
The Cisco IOS SSH implementation has traditionally used 768 bit modulus but with an increasing need for higher key sizes to accommodate Diffie-Hellman (DH) Group 14 (2048 bits) and Group 16 (4096 bits) cryptographic applications a message exchange between the client and server to establish the favored DH group becomes necessary. The ip ssh dh min size command was introduced in Cisco IOS Release 12.4(20)T so you can configure modulus size on the SSH server. In addition to this the ssh command was extended to add VRF awareness to SSH client side functionality through which the VRF instance name in the client is provided with the IP address to look up the correct routing table and establish a connection.
Debugging has been enhanced by modifying SSH debug commands. The debug ip ssh command has been extended to allow you to simplify the debugging process. Previously this command printed all debug messages related to SSH regardless of what was specifically required. The behavior still exists, but if you configure the debug ip ssh command with a keyword messages are limited to information specified by the keyword.
Secure Shell Version 2 Enhancements for RSA Keys
Cisco IOS SSH supports keyboard-interactive and password-based authentication methods. In addition to these authentication methods SSHv2 Enhancements for RSA Keys supports public key-based user authentication in Cisco IOS SSH. The RSA-based user authentication method uses private-public key pair association. SSH users present a private key encrypted authentication signature. This authentication signature along with their public keys are sent to the SSH server for authentication. If a match is found, the RSA-based verification is completed using the public key.
To complete authentication you must generate a private-public key pair. The public key must be configured and saved on the SSH server.
Note
SNMP Trap Generation
Effective with Cisco IOS Release 12.4(17), Simple Network Management Protocol (SNMP) traps will be generated automatically when an SSH session terminates if the traps have been enabled and SNMP debugging has been turned on. For information about enabling SNMP traps, see the "Configuring SNMP Support" module in the Cisco IOS Network Management Configuration Guide, Release 15.0.
Note
You must also turn on SNMP debugging using the debug snmp packet command to display the traps. The trap information includes information such as the number of bytes sent and the protocol that was used for the SSH session. For an example of SNMP debugging, see the section "SNMP Debugging: Example" section.
SSH Keyboard Interactive Authentication
The SSH Keyboard Interactive Authentication feature, also known as Generic Message Authentication for SSH, is a method that can be used to implement different types of authentication mechanisms. Basically, any currently supported authentication method that requires only user input can be performed with this feature. The feature is automatically deployed.
The following methods are currently supported:
•
•
•
•
For examples of various scenarios in which the SSH Keyboard Interactive Authentication feature has been automatically deployed, see the chapter "SSH Keyboard Interactive Authentication: Examples" section."
How to Configure Secure Shell Version 2 Support
This section contains the following procedures:
•
•
•
•
•
•
•
•
Configuring a Router for SSH Version 2 Using a Host Name and Domain Name
Perform this task to configure your router for SSH Version 2 using a host name and domain name. You may also configure SSH Version 2 by using the RSA key pair configuration (See the section ""Configuring a Router for SSH Version 2 Using RSA Key Pairs" section").
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Configuring a Router for SSH Version 2 Using RSA Key Pairs
To enable SSH Version 2 without configuring a host name or domain name, perform the following steps. SSH Version 2 will be enabled if the key pair that you configure already exists or if it is generated later. You may also configure SSH Version 2 by using the host name and domain name configuration (See the section ""Configuring a Router for SSH Version 2 Using a Host Name and Domain Name" section").
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuring a Router for SSH Version 2 Using Private Public Key Pairs
Perform this task to enable SSH Version 2 public key-based user authentication. SSH Version 2 will be approve authentication if the public-key and private-key encryption messages match the keys stored on the SSH server.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Starting an Encrypted Session with a Remote Device
Perform this task to start an encrypted session with a remote networking device, (You do not have to enable your router. SSH can be run in disabled mode.)
Note
SUMMARY STEPS
1.
DETAILED STEPS
Troubleshooting Tips
The ip ssh version command can be used for troubleshooting your SSH configuration. By changing versions, you can determine which SSH version has a problem.
Enabling Secure Copy Protocol on the SSH Server
Perform this task to configure server-side functionality for SCP. This example shows a typical configuration that allows the router to securely copy files from a remote workstation.
Prerequisites
SCP relies on AAA authentication and authorization to function correctly. Therefore AAA must be configured on the router.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Troubleshooting Tips
To troubleshoot SCP authentication problems, use the debug ip scp command.
Verifying the Status of the Secure Shell Connection Using the show ssh Command
To display the status of the SSH connection on your router, use the show ssh command.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
show ssh
Example:Router# show ssh
Displays the status of SSH server connections.
Examples
The following output examples from the show ssh command display status about various SSH Version 1 and Version 2 connections.
Version 1 and Version 2 Connections
-----------------------------------------------------------------------Router# show sshConnection Version Encryption State Username0 1.5 3DES Session started labConnection Version Mode Encryption Hmac StateUsername1 2.0 IN aes128-cbc hmac-md5 Session started lab1 2.0 OUT aes128-cbc hmac-md5 Session started lab-------------------------------------------------------------------------Version 2 Connection with No Version 1
-------------------------------------------------------------------------Router# show sshConnection Version Mode Encryption Hmac StateUsername1 2.0 IN aes128-cbc hmac-md5 Session started lab1 2.0 OUT aes128-cbc hmac-md5 Session started lab%No SSHv1 server connections running.-------------------------------------------------------------------------Version 1 Connection with No Version 2
-------------------------------------------------------------------------Router# show sshConnection Version Encryption State Username0 1.5 3DES Session started lab%No SSHv2 server connections running.-------------------------------------------------------------------------Verifying the Secure Shell Status Using the show ip ssh Command
Perform this task to verify your SSH configuration.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Examples
The following examples from the show ip ssh command display the version of SSH that is enabled, the authentication timeout values, and the number of authentication retries.
Version 1 and Version 2 Connections
-----------------------------------------------------------------------router# show ip sshSSH Enabled - version 1.99Authentication timeout: 120 secs; Authentication retries: 3-----------------------------------------------------------------------Version 2 Connection with No Version 1
------------------------------------------------------------------------Router# show ip sshSSH Enabled - version 2.0Authentication timeout: 120 secs; Authentication retries: 3------------------------------------------------------------------------Version 1 Connection with No Version 2
------------------------------------------------------------------------Router# show ip ssh3d06h: %SYS-5-CONFIG_I: Configured from console by consoleSSH Enabled - version 1.5Authentication timeout: 120 secs; Authentication retries: 3------------------------------------------------------------------------Monitoring and Maintaining Secure Shell Version 2
To display debug messages about the SSH connections, use the debug ip ssh command.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Example
The following output from the debug ip ssh command shows that the digit 2 keyword has been assigned, signifying that it is an SSH Version 2 connection.
Router# debug ip ssh00:33:55: SSH1: starting SSH control process00:33:55: SSH1: sent protocol version id SSH-1.99-Cisco-1.2500:33:55: SSH1: protocol version id is - SSH-2.0-OpenSSH_2.5.2p200:33:55: SSH2 1: send: len 280 (includes padlen 4)00:33:55: SSH2 1: SSH2_MSG_KEXINIT sent00:33:55: SSH2 1: ssh_receive: 536 bytes received00:33:55: SSH2 1: input: packet len 63200:33:55: SSH2 1: partial packet 8, need 624, maclen 000:33:55: SSH2 1: ssh_receive: 96 bytes received00:33:55: SSH2 1: partial packet 8, need 624, maclen 000:33:55: SSH2 1: input: padlen 1100:33:55: SSH2 1: received packet type 2000:33:55: SSH2 1: SSH2_MSG_KEXINIT received00:33:55: SSH2: kex: client->server aes128-cbc hmac-md5 none00:33:55: SSH2: kex: server->client aes128-cbc hmac-md5 none00:33:55: SSH2 1: expecting SSH2_MSG_KEXDH_INIT00:33:55: SSH2 1: ssh_receive: 144 bytes received00:33:55: SSH2 1: input: packet len 14400:33:55: SSH2 1: partial packet 8, need 136, maclen 000:33:55: SSH2 1: input: padlen 500:33:55: SSH2 1: received packet type 3000:33:55: SSH2 1: SSH2_MSG_KEXDH_INIT received00:33:55: SSH2 1: signature length 11100:33:55: SSH2 1: send: len 384 (includes padlen 7)00:33:55: SSH2: kex_derive_keys complete00:33:55: SSH2 1: send: len 16 (includes padlen 10)00:33:55: SSH2 1: newkeys: mode 100:33:55: SSH2 1: SSH2_MSG_NEWKEYS sent00:33:55: SSH2 1: waiting for SSH2_MSG_NEWKEYS00:33:55: SSH2 1: ssh_receive: 16 bytes received00:33:55: SSH2 1: input: packet len 1600:33:55: SSH2 1: partial packet 8, need 8, maclen 000:33:55: SSH2 1: input: padlen 1000:33:55: SSH2 1: newkeys: mode 000:33:55: SSH2 1: received packet type 2100:33:55: SSH2 1: SSH2_MSG_NEWKEYS received00:33:56: SSH2 1: ssh_receive: 48 bytes received00:33:56: SSH2 1: input: packet len 3200:33:56: SSH2 1: partial packet 16, need 16, maclen 1600:33:56: SSH2 1: MAC #3 ok00:33:56: SSH2 1: input: padlen 1000:33:56: SSH2 1: received packet type 500:33:56: SSH2 1: send: len 32 (includes padlen 10)00:33:56: SSH2 1: done calc MAC out #300:33:56: SSH2 1: ssh_receive: 64 bytes received00:33:56: SSH2 1: input: packet len 4800:33:56: SSH2 1: partial packet 16, need 32, maclen 1600:33:56: SSH2 1: MAC #4 ok00:33:56: SSH2 1: input: padlen 900:33:56: SSH2 1: received packet type 5000:33:56: SSH2 1: send: len 32 (includes padlen 13)00:33:56: SSH2 1: done calc MAC out #400:34:04: SSH2 1: ssh_receive: 160 bytes received00:34:04: SSH2 1: input: packet len 6400:34:04: SSH2 1: partial packet 16, need 48, maclen 1600:34:04: SSH2 1: MAC #5 ok00:34:04: SSH2 1: input: padlen 1300:34:04: SSH2 1: received packet type 5000:34:04: SSH2 1: send: len 16 (includes padlen 10)00:34:04: SSH2 1: done calc MAC out #500:34:04: SSH2 1: authentication successful for lab00:34:04: SSH2 1: input: packet len 6400:34:04: SSH2 1: partial packet 16, need 48, maclen 1600:34:04: SSH2 1: MAC #6 ok00:34:04: SSH2 1: input: padlen 600:34:04: SSH2 1: received packet type 200:34:04: SSH2 1: ssh_receive: 64 bytes received00:34:04: SSH2 1: input: packet len 4800:34:04: SSH2 1: partial packet 16, need 32, maclen 1600:34:04: SSH2 1: MAC #7 ok00:34:04: SSH2 1: input: padlen 1900:34:04: SSH2 1: received packet type 9000:34:04: SSH2 1: channel open request00:34:04: SSH2 1: send: len 32 (includes padlen 10)00:34:04: SSH2 1: done calc MAC out #600:34:04: SSH2 1: ssh_receive: 192 bytes received00:34:04: SSH2 1: input: packet len 6400:34:04: SSH2 1: partial packet 16, need 48, maclen 1600:34:04: SSH2 1: MAC #8 ok00:34:04: SSH2 1: input: padlen 1300:34:04: SSH2 1: received packet type 9800:34:04: SSH2 1: pty-req request00:34:04: SSH2 1: setting TTY - requested: height 24, width 80; set: height 24,width 8000:34:04: SSH2 1: input: packet len 9600:34:04: SSH2 1: partial packet 16, need 80, maclen 1600:34:04: SSH2 1: MAC #9 ok00:34:04: SSH2 1: input: padlen 1100:34:04: SSH2 1: received packet type 9800:34:04: SSH2 1: x11-req request00:34:04: SSH2 1: ssh_receive: 48 bytes received00:34:04: SSH2 1: input: packet len 3200:34:04: SSH2 1: partial packet 16, need 16, maclen 1600:34:04: SSH2 1: MAC #10 ok00:34:04: SSH2 1: input: padlen 1200:34:04: SSH2 1: received packet type 9800:34:04: SSH2 1: shell request00:34:04: SSH2 1: shell message received00:34:04: SSH2 1: starting shell for vty00:34:04: SSH2 1: send: len 48 (includes padlen 18)00:34:04: SSH2 1: done calc MAC out #700:34:07: SSH2 1: ssh_receive: 48 bytes received00:34:07: SSH2 1: input: packet len 3200:34:07: SSH2 1: partial packet 16, need 16, maclen 1600:34:07: SSH2 1: MAC #11 ok00:34:07: SSH2 1: input: padlen 1700:34:07: SSH2 1: received packet type 9400:34:07: SSH2 1: send: len 32 (includes padlen 17)00:34:07: SSH2 1: done calc MAC out #800:34:07: SSH2 1: ssh_receive: 48 bytes received00:34:07: SSH2 1: input: packet len 3200:34:07: SSH2 1: partial packet 16, need 16, maclen 1600:34:07: SSH2 1: MAC #12 ok00:34:07: SSH2 1: input: padlen 1700:34:07: SSH2 1: received packet type 9400:34:07: SSH2 1: send: len 32 (includes padlen 17)00:34:07: SSH2 1: done calc MAC out #900:34:07: SSH2 1: ssh_receive: 48 bytes received00:34:07: SSH2 1: input: packet len 3200:34:07: SSH2 1: partial packet 16, need 16, maclen 1600:34:07: SSH2 1: MAC #13 ok00:34:07: SSH2 1: input: padlen 1700:34:07: SSH2 1: received packet type 9400:34:07: SSH2 1: send: len 32 (includes padlen 17)00:34:07: SSH2 1: done calc MAC out #1000:34:08: SSH2 1: ssh_receive: 48 bytes received00:34:08: SSH2 1: input: packet len 3200:34:08: SSH2 1: partial packet 16, need 16, maclen 1600:34:08: SSH2 1: MAC #14 ok00:34:08: SSH2 1: input: padlen 1700:34:08: SSH2 1: received packet type 9400:34:08: SSH2 1: send: len 32 (includes padlen 17)00:34:08: SSH2 1: done calc MAC out #1100:34:08: SSH2 1: ssh_receive: 48 bytes received00:34:08: SSH2 1: input: packet len 3200:34:08: SSH2 1: partial packet 16, need 16, maclen 1600:34:08: SSH2 1: MAC #15 ok00:34:08: SSH2 1: input: padlen 1700:34:08: SSH2 1: received packet type 9400:34:08: SSH2 1: send: len 32 (includes padlen 16)00:34:08: SSH2 1: done calc MAC out #1200:34:08: SSH2 1: send: len 48 (includes padlen 18)00:34:08: SSH2 1: done calc MAC out #1300:34:08: SSH2 1: send: len 16 (includes padlen 6)00:34:08: SSH2 1: done calc MAC out #1400:34:08: SSH2 1: send: len 16 (includes padlen 6)00:34:08: SSH2 1: done calc MAC out #1500:34:08: SSH1: Session terminated normallyConfiguration Examples for Secure Shell Version 2 Support
This section provides the following configuration examples:
•
•
•
•
•
•
•
•
Configuring Secure Shell Version 1: Example
Router# configure terminalRouter (config)# ip ssh version 1Router (config)# endConfiguring Secure Shell Version 2: Example
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ip ssh version 2Router(config)# endConfiguring Secure Shell Versions 1 and 2: Example
Router# configure terminalRouter (config)# no ip ssh versionRouter (config)# endStarting an Encrypted Session with a Remote Device: Example
Router# ssh -v 2 -c aes256-cbc -m hmac-sha1-160 -l shaship 10.76.82.24Configuring Server-Side SCP: Example
The following example shows how to configure server-side functionality for SCP. This example also configures AAA authentication and Authorization on the router. This example uses a locally defined username and password.Router# configure terminalRouter (config)# aaa new-modelRouter (config)# aaa authentication login default localRouter (config)# aaa authorization exec default localRouter (config)# username samplename privilege 15 password password1Router (config)# ip ssh time-out 120Router (config)# ip ssh authentication-retries 3Router (config)# ip scp server enableRouter (config)# endSetting an SNMP Trap: Example
The following shows that an SNMP trap has been set. The trap notification is generated automatically when the SSH session terminates. For an example of SNMP trap debug output, see the section "SNMP Debugging: Example" section."
snmp-serversnmp-server host a.b.c.d public ttyWhere a.b.c.d is the IP address of the SSH client.
SSH Keyboard Interactive Authentication: Examples
The following are examples of various scenarios in which the SSH Keyboard Interactive Authentication feature has been automatically deployed:
Client-Side Debugs
In the following example, client-side debugs are turned on and the maximum number of prompts = six, (three each for the SSH Keyboard Interactive Authentication method and for the password method of authentication).
Password:Password:Password:Password:Password:Password: cisco123Last login: Tue Dec 6 13:15:21 2005 from 10.76.248.213user1@courier:~> exitlogout[Connection to 10.76.248.200 closed by foreign host]Router1# debug ip ssh clientSSH Client debugging is onRouter1# ssh -l lab 10.1.1.3Password:*Nov 17 12:50:53.199: SSH0: sent protocol version id SSH-1.99-Cisco-1.25*Nov 17 12:50:53.199: SSH CLIENT0: protocol version id is - SSH-1.99-Cisco-1.25*Nov 17 12:50:53.199: SSH CLIENT0: sent protocol version id SSH-1.99-Cisco-1.25*Nov 17 12:50:53.199: SSH CLIENT0: protocol version exchange successful*Nov 17 12:50:53.203: SSH0: protocol version id is - SSH-1.99-Cisco-1.25*Nov 17 12:50:53.335: SSH CLIENT0: key exchange successful and encryption on*Nov 17 12:50:53.335: SSH2 CLIENT 0: using method keyboard-interactivePassword:Password:Password:*Nov 17 12:51:01.887: SSH2 CLIENT 0: using method password authenticationPassword:Password: labRouter2>*Nov 17 12:51:11.407: SSH2 CLIENT 0: SSH2_MSG_USERAUTH_SUCCESS message received*Nov 17 12:51:11.407: SSH CLIENT0: user authenticated*Nov 17 12:51:11.407: SSH2 CLIENT 0: pty-req request sent*Nov 17 12:51:11.411: SSH2 CLIENT 0: shell request sent*Nov 17 12:51:11.411: SSH CLIENT0: session openTACACS+ ACS Is the Backend AAA Server, ChPass Is Enabled, and a Blank Password Change Is Made
In the following example, a TACACS+ access control server (ACS) is the backend Accounting, Authentication, and Authorization (AAA) server; the ChPass feature is enabled; and a blank password change is accomplished using the SSH Keyboard Interactive Authentication method:
Router1# ssh -l cisco 10.1.1.3Password:Old Password: ciscoNew Password: cisco123Re-enter New password: cisco123Router2> exit[Connection to 10.1.1.3 closed by foreign host]TACACS+ ACS Is the Backend AAA Server, ChPass Is Enabled, and the Password Is Changed on First Login
In the following example, a TACACS+ ACS is the backend server, and the ChPass feature is enabled. The password is changed on the first login using the SSH Keyboard Interactive Authentication method:
Router1# ssh -l cisco 10.1.1.3Password: ciscoYour password has expired.Enter a new one now.New Password: cisco123Re-enter New password: cisco123Router2> exit[Connection to 10.1.1.3 closed by foreign host]Router1# ssh -l cisco 10.1.1.3Password:cisco1Your password has expired.Enter a new one now.New Password: ciscoRe-enter New password: cisco12The New and Re-entered passwords have to be the same.Try again.New Password: ciscoRe-enter New password: ciscoRouter2>TACACS+ ACS Is the Backend AAA Server, ChPass Is Enabled, and the Password Expires After Three Logins
In the following example, a TACACS+ ACS is the backend AAA server, and the ChPass feature is enabled. The password expires after three logins using the SSH Keyboard Interactive Authentication method:
Router# ssh -l cisco. 10.1.1.3Password: ciscoRouter2> exit[Connection to 10.1.1.3 closed by foreign host]Router1# ssh -l cisco 10.1.1.3Password: ciscoRouter2> exitRouter1# ssh -l cisco 10.1.1.3Password: ciscoRouter2> exit[Connection to 10.1.1.3 closed by foreign host]Router1# ssh -l cisco 10.1.1.3Password: ciscoYour password has expired.Enter a new one now.New Password: cisco123Re-enter New password: cisco123Router2>SNMP Debugging: Example
The following is sample output using the debug snmp packet command. The output provides SNMP trap information for an SSH session.
Router1# debug snmp packetSNMP packet debugging is onRouter1# ssh -l lab 10.0.0.2Password:Router2# exit[Connection to 10.0.0.2 closed by foreign host]Router1#*Jul 18 10:18:42.619: SNMP: Queuing packet to 10.0.0.2*Jul 18 10:18:42.619: SNMP: V1 Trap, ent cisco, addr 10.0.0.1, gentrap 6, spectrap 1local.9.3.1.1.2.1 = 6tcpConnEntry.1.10.0.0.1.22.10.0.0.2.55246 = 4ltcpConnEntry.5.10.0.0.1.22.10.0.0.2.55246 = 1015ltcpConnEntry.1.10.0.0.1.22.10.0.0.2.55246 = 1056ltcpConnEntry.2.10.0.0.1.22.10.0.0.2.55246 = 1392local.9.2.1.18.2 = lab*Jul 18 10:18:42.879: SNMP: Packet sent via UDP to 10.0.0.2Router1#SSH Debugging Enhancements: Examples
The following is sample output from the debug ip ssh detail command. The output provides debugging information regarding the SSH protocol and channel requests.Router# debug ip ssh detail00:04:22: SSH0: starting SSH control process00:04:22: SSH0: sent protocol version id SSH-1.99-Cisco-1.2500:04:22: SSH0: protocol version id is - SSH-1.99-Cisco-1.2500:04:22: SSH2 0: SSH2_MSG_KEXINIT sent00:04:22: SSH2 0: SSH2_MSG_KEXINIT received00:04:22: SSH2:kex: client->server enc:aes128-cbc mac:hmac-sha100:04:22: SSH2:kex: server->client enc:aes128-cbc mac:hmac-sha100:04:22: SSH2 0: expecting SSH2_MSG_KEXDH_INIT00:04:22: SSH2 0: SSH2_MSG_KEXDH_INIT received00:04:22: SSH2: kex_derive_keys complete00:04:22: SSH2 0: SSH2_MSG_NEWKEYS sent00:04:22: SSH2 0: waiting for SSH2_MSG_NEWKEYS00:04:22: SSH2 0: SSH2_MSG_NEWKEYS received00:04:24: SSH2 0: authentication successful for lab00:04:24: SSH2 0: channel open request00:04:24: SSH2 0: pty-req request00:04:24: SSH2 0: setting TTY - requested: height 24, width 80; set: height 24, width 8000:04:24: SSH2 0: shell request00:04:24: SSH2 0: shell message received00:04:24: SSH2 0: starting shell for vty00:04:38: SSH0: Session terminated normallyThe following is sample output from the debug ip ssh packet command. The output provides debugging information regarding the ssh packet.Router# debug ip ssh packet00:05:43: SSH2 0: send:packet of length 280 (length also includes padlen of 4)00:05:43: SSH2 0: ssh_receive: 64 bytes received00:05:43: SSH2 0: input: total packet length of 280 bytes00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 000:05:43: SSH2 0: ssh_receive: 64 bytes received00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 000:05:43: SSH2 0: ssh_receive: 64 bytes received00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 000:05:43: SSH2 0: ssh_receive: 64 bytes received00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 000:05:43: SSH2 0: ssh_receive: 24 bytes received00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 000:05:43: SSH2 0: input: padlength 4 bytes00:05:43: SSH2 0: ssh_receive: 64 bytes received00:05:43: SSH2 0: input: total packet length of 144 bytes00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 136 bytes, maclen 000:05:43: SSH2 0: ssh_receive: 64 bytes received00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 136 bytes, maclen 000:05:43: SSH2 0: ssh_receive: 16 bytes received00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 136 bytes, maclen 000:05:43: SSH2 0: input: padlength 6 bytes00:05:43: SSH2 0: signature length 14300:05:43: SSH2 0: send:packet of length 448 (length also includes padlen of 7)00:05:43: SSH2 0: send:packet of length 16 (length also includes padlen of 10)00:05:43: SSH2 0: newkeys: mode 100:05:43: SSH2 0: ssh_receive: 16 bytes received00:05:43: SSH2 0: input: total packet length of 16 bytes00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 8 bytes, maclen 000:05:43: SSH2 0: input: padlength 10 bytes00:05:43: SSH2 0: newkeys: mode 000:05:43: SSH2 0: ssh_receive: 52 bytes received00:05:43: SSH2 0: input: total packet length of 32 bytes00:05:43: SSH2 0: partial packet length(block size)16 bytes,needed 16 bytes, maclen 2000:05:43: SSH2 0: MAC compared for #3 :ok
Where to Go Next
You have to use a SSH remote device that supports SSH Version 2, and you have to connect to a Cisco IOS router.
Additional References
The following sections provide references related to Secure Shell Version 2.
Related Documents
AAA
Cisco IOS Security Configuration Guide: Securing User Services, Release 15.0.
Configuring a host name and host domain
"Configuring Secure Shell" module.
Configuring Secure Shell
Debugging commands
Downloading a Cisco software image
Cisco IOS Configuration Fundamentals Guide, Release 12.4T and Cisco IOS Network Management Configuration Guide, Release 15.0.
IOS configuration fundamentals
IPSec
Cisco IOS Security Configuration Guide: Secure Connectivity, Release 15.0.
Security commands
SNMP, configuring traps
"Configuring SNMP Support" module in the Cisco IOS Network Management Configuration Guide, Release 15.0.
Standards
MIBs
•
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Feature Information for Secure Shell Version 2 Support
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 Feature Information for Secure Shell Version 2 Support
Secure Shell Version 2 Support
12.3(4)T
12.2(25)SThe Secure Shell Version 2 Support feature allows you to configure Secure Shell (SSH) Version 2 (SSH Version 1 support was implemented in an earlier Cisco IOS software release). SSH runs on top of a reliable transport layer and provides strong authentication and encryption capabilities.
In 12.3(11)T, support was added for the Cisco 10000.>>
The following sections provide information about this feature:
•
•
The following commands were introduced or modified: debug ip ssh, ip ssh min dh size, ip ssh rsa keypair-name and ip ssh version, ssh.
Secure Shell Version 2 Client and Server Support
12.3(7)JA
12.0(32)SYThis feature was integrated into Cisco IOS Release 12.3(7)JA.
Secure Shell Version 2 Client and Server Support
12.4(17)
The Cisco IOS image was updated to provide for the automatic generation of SNMP traps when an SSH session terminates.
For information about this feature, see the following section:
•
SSH Keyboard Interactive Authentication
12.4(18)
12.2(33)SXH3
This feature, also known as Generic Message Authentication for SSH, is a method that can be used to implement different types of authentication mechanisms. Basically, any currently supported authentication method that requires only user input can be performed with this feature.
For information about this feature see the following sections:
•
•
Secure Shell SSH Version 2 Client Support
Cisco IOS XE Release 2.1
This feature was introduced on the Cisco ASR 1000 series routers.
Secure Shell Version 2 Enhancements
12.4(20)T
Cisco IOS XE Release 2.4The Secure Shell Version 2 Enhancements include a number of additional capabilities such as support for VRF aware SSH, SSH debug enhancements, and Diffie-Hellman group 14 and group 16 exchange support.
This feature was implemented on the Cisco ASR 1000 series routers.
For information about this feature see the following sections:
•
Secure Shell Version 2 Enhancements for RSA Keys.
15.0(1)M
The Secure Shell Version 2 Enhancements for RSA Keys includes a number of additional capabilities to support RSA key based user authentication for SSH and SSH server host key storage and verification.
For information about this feature see the following sections:
•
•
The following commands were introduced or modified: ip ssh pubkey-chain and ip ssh stricthostkeycheck.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2003 - 2009 Cisco Systems, Inc. All rights reserved.
