Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4
SSH Terminal-Line Access


SSH Terminal-Line Access


First Published: October 2, 2002
Last Updated: November 5, 2009

The SSH Terminal-Line Access feature provides users secure access to tty (text telephone) lines. tty allows the hearing- and speech-impaired to communicate by using a telephone to type messages.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for SSH Terminal-Line Access" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.

Contents

Prerequisites for SSH Terminal-Line Access

Restrictions for SSH Terminal-Line Access

Information About SSH Terminal-Line Access

How to Configure SSH Terminal-Line Access

Configuration Examples for SSH Terminal-Line Access

Additional References

Feature Information for SSH Terminal-Line Access

Prerequisites for SSH Terminal-Line Access

Download the required image to your router. The secure shell (SSH) server requires the router to have an IPSec (Data Encryption Standard (DES) or 3DES) encryption software image from Cisco IOS Release 12.1(1)T or a later release. The SSH client requires the router to have an IPSec (DES or 3DES) encryption software image from Cisco IOS Release 12.1(3)T or a later release. See the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4T for more information on downloading a software image.

The SSH server requires the use of a username and password, which must be defined through the use of a local username and password, TACACS+, or RADIUS.


Note The SSH Terminal-Line Access feature is available on any image that contains SSH.


Restrictions for SSH Terminal-Line Access

Console Server Requirement

To configure secure console server access, you must define each line in its own rotary and configure SSH to listen on each rotary, so that users reach each of those devices over the network through SSH.

Memory and Performance Impact

Replacing reverse Telnet with SSH may reduce the performance of the available tty lines, because encryption and decryption processing is added on top of the vty processing. (Any cryptographic mechanism uses more memory than a regular, unencrypted session.)

Information About SSH Terminal-Line Access

To configure the SSH Terminal-Line Access feature, you should understand the following concept:

Overview of SSH Terminal-Line Access

Overview of SSH Terminal-Line Access

Cisco IOS supports reverse Telnet, which allows users to Telnet through the router, via a certain port range, to connect to tty (asynchronous) lines. Reverse Telnet has allowed users to connect to the console ports of remote devices that do not natively support Telnet. However, this method provides very little security because all Telnet traffic goes over the network in the clear. The SSH Terminal-Line Access feature replaces reverse Telnet with SSH. This feature can be configured to use encryption to access devices on the tty lines, which provides users with connections that support strong privacy and session integrity.

SSH is an application and a protocol that provides a secure replacement for the suite of Berkeley r-tools such as rsh, rlogin, and rcp. (Cisco IOS supports rlogin.) The protocol secures sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools. Currently two versions of SSH are available: SSH Version 1 and SSH Version 2. Only SSH Version 1 is implemented in the Cisco IOS software.

The SSH Terminal-Line Access feature enables users to configure their router with secure access and perform the following tasks:

Connect to a router that has multiple terminal lines connected to consoles or serial ports of other routers, switches, or devices.

Simplify connectivity to a router from anywhere by securely connecting to the terminal server on a specific line.

Allow modems attached to routers to be used for dial-out securely.

Require authentication of each of the lines through a locally defined username and password, TACACS+, or RADIUS.


Note The session slot command that is used to start a session with a module requires Telnet to be accepted on the virtual tty (vty) lines. When you restrict vty lines only to SSH, you cannot use the command to communicate with the modules. This applies to any Cisco IOS device where the user can telnet to a module on the device.


How to Configure SSH Terminal-Line Access

This section contains the following task:

Configuring SSH Terminal-Line Access

Configuring SSH Terminal-Line Access

Perform this task to configure a Cisco router to support reverse secure Telnet:


Note SSH must already be configured on the router.


SUMMARY STEPS

1. enable

2. configure terminal

3. line line-number [ending-line-number]

4. no exec

5. login {local | authentication listname}

6. rotary group

7. transport input {all | ssh}

8. exit

9. ip ssh port portnum rotary group

DETAILED STEPS

Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

line line-number [ending-line-number]

Example:

Router(config)# line 1 200

Identifies a line for configuration and enters line configuration mode.

Note For router console configurations, each line must be defined in its own rotary, and SSH must be configured to listen in on each rotary.

Note An authentication method requiring a username and password must be configured for each line. This may be done through the use of a local username and password stored on the router, through the use of TACACS+, or through the use of RADIUS. Neither line passwords nor the enable password is sufficient for use with SSH.

Step 4 

no exec

Example:

Router(config-line)# no exec

Disables exec processing on each of the lines.

Step 5 

login {local | authentication listname}

Example:

Router(config-line)# login authentication default

Defines a login authentication mechanism for the lines.

Note The authentication method must utilize a username and password.

Step 6 

rotary group

Example:

Router(config-line)# rotary 1

Assigns the line to a rotary group, which can consist of one or more lines.

Note All rotaries used must be defined, and each defined rotary must be used when SSH is enabled.

Step 7 

transport input {all | ssh}

Example:

Router(config-line)# transport input ssh

Defines which protocols to use to connect to a specific line of the router.

Step 8 

exit

Example:

Router(config-line)# exit

Exits line configuration mode.

Step 9 

ip ssh port portnum rotary group

Example:

Router(config)# ip ssh port 2000 rotary 1

Enables secure network access to the tty lines.

This command binds the TCP port given by the portnum argument to the rotary group given by the group argument, which is associated with a line or group of lines.

Note The group argument must correspond with the rotary group number chosen in Step 6.

Verifying SSH Terminal-Line Access

To verify that this functionality is working, you can connect to a router using an SSH client.

Configuration Examples for SSH Terminal-Line Access

This section provides the following configuration examples:

SSH Terminal-Line Access Configuration: Example

SSH Terminal-Line Access for a Console (Serial Line) Ports Configuration: Example

SSH Terminal-Line Access Configuration: Example

The following example shows how to configure the SSH Terminal-Line Access feature on modems used for dial-out on lines 1 through 200. To reach one of the dial-out modems, use any SSH client and start an SSH session to port 2000 of the router; the session is connected to the next available modem in the rotary.

line 1 200
 no exec
 login authentication default
 rotary 1
 transport input ssh
 exit
ip ssh port 2000 rotary 1

SSH Terminal-Line Access for a Console (Serial Line) Ports Configuration: Example

The following example shows how to configure the SSH Terminal-Line Access feature to access the console or serial line interface of various devices. For this type of access, each line is put into its own rotary, and each rotary is used for a single port. In this example, lines 1 through 3 are used; the port (line) mappings of the configuration are shown in Table 1.

Table 1 Port (line) Configuration Mappings

Line Number    SSH Port Number
1              2001
2              2002
3              2003


line 1
 no exec
 login authentication default
 rotary 1
 transport input ssh
line 2
 no exec
 login authentication default
 rotary 2
 transport input ssh
line 3
 no exec
 login authentication default
 rotary 3
 transport input ssh

ip ssh port 2001 rotary 1 3
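The following Python script is an added example and is not part of Cisco's guide or of Cisco IOS. It applies the rules from the configuration task (every rotary referenced by ip ssh port must be defined on a line, every defined rotary must be mapped, and each mapped line needs transport input ssh, no exec and a username/password login method) as an audit over a saved config fragment, and it derives the line-to-port mapping that Table 1 lists. It assumes that the ending-group form of the command, as in the console example ip ssh port 2001 rotary 1 3, maps consecutive rotaries to consecutive TCP ports; that reading is taken from Table 1 above, not from the command reference. The sample fragment is constructed for the example: lines 1 and 2 follow the task, line 3 keeps Telnet and a line password, and the port mapping reaches a rotary that no line defines.

```python
"""Audit a Cisco IOS config fragment for SSH terminal-line (reverse-SSH) access.
Added example, not Cisco's code: checks the rules the guide states and derives the
line -> TCP port mapping that Table 1 of the guide shows."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class LineCfg:
    first: int
    last: int
    exec_enabled: bool = True              # IOS default: an exec runs on the line
    login: Optional[str] = None            # "local", "authentication <list>" or "line-password"
    rotary: Optional[int] = None
    transport_input: Optional[str] = None  # "ssh", "all", ...

def parse_config(text: str) -> Tuple[List[LineCfg], Dict[int, int]]:
    """Return the line blocks and a rotary -> TCP port map taken from ip ssh port."""
    lines: List[LineCfg] = []
    port_map: Dict[int, int] = {}
    current: Optional[LineCfg] = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw.startswith(" "):        # a global command ends any open line block
            current = None
            m = re.fullmatch(r"line (\d+)(?: (\d+))?", stripped)
            if m:
                current = LineCfg(int(m.group(1)), int(m.group(2) or m.group(1)))
                lines.append(current)
            m = re.fullmatch(r"ip ssh port (\d+) rotary (\d+)(?: (\d+))?", stripped)
            if m:
                port, group, end = int(m.group(1)), int(m.group(2)), int(m.group(3) or m.group(2))
                # assumption: an ending group maps consecutive rotaries to consecutive ports
                for offset, g in enumerate(range(group, end + 1)):
                    port_map[g] = port + offset
            continue
        if current is None:
            continue
        if stripped == "no exec":
            current.exec_enabled = False
        elif stripped == "login" or stripped.startswith("login "):
            current.login = stripped[6:] or "line-password"
        elif stripped.startswith("rotary "):
            current.rotary = int(stripped.split()[1])
        elif stripped.startswith("transport input "):
            current.transport_input = stripped.split(None, 2)[2]
    return lines, port_map

def port_table(lines: List[LineCfg], port_map: Dict[int, int]) -> Dict[int, int]:
    """Line number -> TCP port that reaches it."""
    table: Dict[int, int] = {}
    for cfg in lines:
        if cfg.rotary in port_map:
            for n in range(cfg.first, cfg.last + 1):
                table[n] = port_map[cfg.rotary]
    return table

def audit(lines: List[LineCfg], port_map: Dict[int, int]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the fragment follows the task."""
    findings: List[Tuple[str, str]] = []
    defined = {cfg.rotary for cfg in lines if cfg.rotary is not None}
    for g in sorted(set(port_map) - defined):
        findings.append(("error", f"ip ssh port references rotary {g}, which no line defines"))
    for g in sorted(defined - set(port_map)):
        findings.append(("warning", f"rotary {g} is defined but no ip ssh port maps to it"))
    for cfg in lines:
        if cfg.rotary not in port_map:
            continue
        where = f"line {cfg.first}" if cfg.first == cfg.last else f"line {cfg.first} {cfg.last}"
        if cfg.transport_input != "ssh":
            findings.append(("error", f"{where}: transport input is {cfg.transport_input or 'default'}, not ssh; cleartext Telnet stays possible"))
        if not (cfg.login == "local" or (cfg.login or "").startswith("authentication ")):
            findings.append(("error", f"{where}: needs login local or login authentication <list>"))
        if cfg.exec_enabled:
            findings.append(("warning", f"{where}: exec is still enabled; the task expects no exec"))
    return findings

# Constructed sample: lines 1-2 follow the task; line 3 keeps Telnet and a line password;
# the port mapping reaches rotary 4, which no line defines.
SAMPLE = """\
line 1 2
 no exec
 login authentication default
 rotary 1
 transport input ssh
line 3
 login
 rotary 3
 transport input all
ip ssh port 2001 rotary 1 4
"""

if __name__ == "__main__":
    cfgs, ports = parse_config(SAMPLE)
    print("line -> port:", port_table(cfgs, ports))
    for severity, msg in audit(cfgs, ports):
        print(f"[{severity}] {msg}")
```

Run it against an excerpt of show running-config from the terminal server. An empty findings list means every mapped line uses SSH with a username/password login and no exec; a line in a mapped rotary that still has transport input all is reported as an error because it keeps open the cleartext path that the overview describes.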

Additional References

The following sections provide references related to the SSH Terminal-Line Access feature.

Related Documents

Related Topic                    Document Title
SSH                              Cisco IOS Security Configuration Guide: Securing User Services
SSH commands                     Cisco IOS Security Command Reference
Dial Technologies                Cisco IOS Dial Technologies Configuration Guide
Dial commands                    Cisco IOS Dial Technologies Command Reference
Downloading a software image     Cisco IOS Configuration Fundamentals Configuration Guide


Standards

Standard
Title


MIBs

MIB
MIBs Link

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title

None.


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Feature Information for SSH Terminal-Line Access

Table 2 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.


Note Table 2 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 2 Feature Information for SSH Terminal-Line Access

Feature Name: SSH Terminal-Line Access

Releases: 12.2(4)JA, 12.2(15)T, 12.2(6th)S

Feature Information: The SSH Terminal-Line Access feature provides users secure access to tty (text telephone) lines. tty allows the hearing- and speech-impaired to communicate by using a telephone to type messages.

This feature was introduced in Cisco IOS Release 12.2(4)JA.

This feature was integrated into Cisco IOS Release 12.2(15)T.

This feature was integrated into Cisco IOS Release 12.2(6th)S.

The following command was introduced or modified: ip ssh port.


CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.