Cisco Nexus 1000V Security Configuration Guide, 4.2(1)SV2(1.1)
Configuring SSH
Download this chapter
Configuring SSHConfiguring SSH
Download the complete book
Cisco Nexus 1000V Security Configuration Guide, 4.2(1)SV2(1.1)Cisco Nexus 1000V Security Configuration Guide, 4.2(1)SV2(1.1) (PDF - 5 MB)
 Feedback

Configuring SSH

This chapter contains the following sections:

Information About SSH

SSH Server

You can use the SSH server to enable an SSH client to make a secure, encrypted connection. SSH uses strong encryption for authentication. The SSH server can operate with publicly and commercially available SSH clients.

TACACS+ user authentication and locally stored usernames and passwords are supported for SSH.

SSH Client

The SSH client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables a secure, encrypted connection to any device that runs the SSH server. This connection provides an encrypted outbound connection. With authentication and encryption, the SSH client produces secure communication over an insecure network.

The SSH client works with publicly and commercially available SSH servers.

SSH Server Keys

SSH requires server keys for secure communication. You can use SSH server keys for the following SSH options:

  • SSH version 2 using Rivest, Shamir, and Adelman (RSA) public-key cryptography
  • SSH version 2 using the Digital System Algrorithm (DSA)

Be sure to have an SSH server key-pair with the correct version before enabling the SSH service. Generate the SSH server key-pair according to the SSH client version used. The SSH service accepts two types of key-pairs for use by SSH version 2:

  • The dsa option generates the DSA key-pair for the SSH version 2 protocol.
  • The rsa option generates the RSA key-pair for the SSH version 2 protocol.

By default, an RSA key using 1024 bits is generated.

SSH supports the following public key formats

  • OpenSSH
  • IETF Secure Shell (SECSH)
  • Public Key Certificate in Privacy-Enhanced Mail (PEM)

Caution

If you delete all of the SSH keys, you cannot start the SSH services.

Prerequisites for SSH

SSH has the following prerequisites:

  • Configure IP on a Layer 3 interface, out-of-band on the mgmt 0 interface or inband on an Ethernet interface.
  • Before enabling the SSH server, obtain the SSH key.

Guidelines and Limitations for SSH

SSH has the following guidelines and limitations

  • Only SSH version 2 (SSHv2) is supported.
  • SSH is enabled by default.
  • Cisco NX-OS commands might differ from the Cisco IOS commands.

Default Settings

Parameters

Default

SSH server

Enabled

SSH server key

RSA key generated with 1024 bits

RSA key bits for generation

1024

Configuring SSH

Generating SSH Server Keys

Use this procedure to generate an SSH server key based on your security requirements.

The default SSH server key is an RSA key that is generated using 1024 bits

Before You Begin

Before beginning this procedure, you must be logged in to the CLI in EXEC mode.

Procedure
     Command or ActionPurpose
    Step 1 switch# configure terminal 

    Places you into global configuration mode.

     
    Step 2switch(config)# no feature ssh 

    Disables SSH.

     
    Step 3switch(config)# ssh key {dsa [force] | rsa [bits[ force]]} 

    Generates the SSH server key

    The bits argument is the number of bits used to generate the key. The range is from 768 to 2048 and the default value is 1024.

    Use the force keyword to replace an existing key.

     
    Step 4switch(config)# feature ssh  

    Enables SSH.

     
    Step 5switch# show ssh key  (Optional)

    Displays the SSH server keys.

     
    Step 6switch# copy running-config startup-config  (Optional)

    Copies the running configuration to the startup configuration.

      
    switch# configure terminal
switch(config)# no feature ssh 
XML interface to system may become unavailable since ssh is disabled
switch(config)# ssh key dsa force
generating dsa key(1024 bits).....
.
generated dsa key
n1000v(config)# feature ssh
n1000v(config)# show ssh key
**************************************
rsa Keys generated:Sun Jul 27 15:18:46 2008

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyKcb7Nv9Ki1OOId9/tdHHa/ngQujlvK5mXyL/n+DeOXK
fVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5awfVhVxMKXMiPOPBc+A6/n3FVroyRwupMki6mWoM6Uwa
GID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8QoAcrEtnwEfsnQk1EIr/0XIP1mqTsrqTsmjZ2vLk+f
FzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuDYSPbc3PA8t0ghU/60m9R+s6AZPuljVQbGfxPrahEu4
GVc6sMJNU1JxmqDJkodhMArObB4Umzj7E3Rdby/ZWx/clTYiXQR1X1VfhQ==

bitcount:2048
fingerprint:
fd:ca:48:73:b9:ee:e7:86:9e:1e:40:46:f1:50:1d:44
**************************************
dsa Keys generated:Sun Jul 27 15:20:12 2008

ssh-dss AAAAB3NzaC1kc3MAAACBALpdxLjXNS/jcCNY+F1QZV9HegxBEb0DMUmq9bSq2N+KAcvHllEh
GnaiHhqarOlcEKqhLbIbuqtKTCvfa+Y1hBIAhWVjg1UR3/M22jqxnfhnxL5YRc1Q7fcesFax0myayAIU
nXrkO5iwv9XHTu+EInRc4kJ0XrG9SxtLmDe/fi2ZAAAAFQDbRabAjZa6GfDpwjXw5smRhrElJwAAAIEA
r50yi3hHawNnb5qgYLXhN+KA8XJF753eCWHtMw7NR8fz6fjQ1R2J97UjjGuQ8DvwpGeNQ5S+AuIo0rGq
svdg7TTecBcbgBOnR7Fs2+W5HiSVEGbvj1xaeK8fkNE6kaJumBB343b8Rgj0G97MP/os1GfkEqmX9glB
0IOM2mgHHyoAAACAfRir27hHy+fw8CxPlsK0R6cFhxYyd/qYYogXFKYIOPxpLoYrjqODeOFThU7TJuBz
aS97eXiruzbffHwzUGfXgmQT5o9IMZRTClWPA/5Ju4O9YABYHccUghf0W+QtgGOT6FOSvBh8uOV0kcHC
GMJAP8omphauZJlc+wgFxhnkyh4=

bitcount:1024
fingerprint:
44:91:32:1f:7a:d1:83:3c:f3:5e:db:53:0a:2d:ce:69
**************************************

    Configuring a User Account with a Public Key

    You configure an SSH public key to log in using the SSH client without being prompted for a password. You can specify the SSH public key in one of three different formats:

    • OpenSSH format
    • IETF SECSH format
    • Public Key Certificate in PEM format

    Configuring an OpenSSH Key

    Use this procedure to specify the SSH public keys in OpenSSH format for user accounts.

    Use this procedure to configure an SSH public key to log in using the SSH client without being prompted for a password. You can specify the SSH public key in one of three different formats:
    • OpenSSH format
    • IETF SECSH format
    • Public Key Certificate in PEM format
    Before You Begin

    Before beginning this procedure, be sure you have:

    • Logged in to the CLI in EXEC mode
    • Generated an SSH public key in OpenSSH format
    • An existing user account
    Procedure
       Command or ActionPurpose
      Step 1 switch# configure terminal  

      Places you into global configuration mode.

       
      Step 2 switch(config)# username username sshkey ssh-key 

      Configures the SSH public key in OpenSSH format with an exiting user account.

      To create a user account use the username name password pwd command

       
      Step 3switch(config)# exit 

      Exits global configuration mode and returns you to EXEC mode.

       
      Step 4switch# show user-account  (Optional)

      Displays the user account configuration.

       
      Step 5switch# copy running-config startup-config  (Optional)

      Copies the running configuration to the startup configuration.

        
      switch# configure terminal
switch(config)# username user1 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyK
cb7Nv9Ki1OOId9/tdHHa/ngQujlvK5mXyL/n+DeOXKfVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5aw
fVhVxMKXMiPOPBc+A6/n3FVroyRwupMki6mWoM6UwaGID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8
QoAcrEtnwEfsnQk1EIr/0XIP1mqTsrqTsmjZ2vLk+fFzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuD
YSPbc3PA8t0ghU/60m9R+s6AZPuljVQbGfxPrahEu4GVc6sMJNU1JxmqDJkodhMArObB4Umzj7E3Rdby
/ZWx/clTYiXQR1X1VfhQ==
switch(config)# exit
switch# show user-account
user:admin
        this user account has no expiry date
        roles:network-admin
user:user1
        this user account has no expiry date
        roles:network-operator
        ssh public key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyKcb7Nv9Ki1OOId9/tdH
Ha/ngQujlvK5mXyL/n+DeOXKfVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5awfVhVxMKXMiPOPBc+A6
/n3FVroyRwupMki6mWoM6UwaGID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8QoAcrEtnwEfsnQk1EI
r/0XIP1mqTsrqTsmjZ2vLk+fFzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuDYSPbc3PA8t0ghU/60m
9R+s6AZPuljVQbGfxPrahEu4GVc6sMJNU1JxmqDJkodhMArObB4Umzj7E3Rdby/ZWx/clTYiXQR1X1Vf
hQ==
switch# copy running-config startup-config

      Configuring IETF or PEM Keys

      Use this procedure to specify the SSH public keys in IETF SECSH or PEM format for user accounts.

      Use this procedure to configure an SSH public key to log in using the SSH client without being prompted for a password. You can specify the SSH public key in one of three different formats:
      • OpenSSH format
      • IETF SECSH format
      • Public Key Certificate in PEM format
      Before You Begin

      Before beginning this procedure, you must have done the following:

      • Logged in to the CLI in EXEC mode
      • Generated an SSH public key in one of the following formats:
        • IETF SECSH format
        • Public Key Certificate in PEM format
      Procedure
         Command or ActionPurpose
        Step 1 switch# copy server-file bootflash: filename 

        Downloads the file containing the SSH key from a server. The server can be FTP, secure copy (SCP), secure FTP (SFTP), or TFTP.

         
        Step 2switch# configure terminal 

        Places you into global configuration mode.

         
        Step 3switch(config)# username username sshkey file bootflash:filename 

        Configures the SSH public key.

         
        Step 4switch(config)# exit 

        Exits global configuration mode and returns you to EXEC mode.

         
        Step 5switch# show user-account  (Optional)

        Displays the user account configuration.

         
        Step 6switch# copy running-config startup-config  (Optional)

        Copies the running configuration to the startup configuration.

          
        switch# copy tftp://10.78.1.10/secsh_file.pub bootflash:secsh_file.pub vrf management
Trying to connect to tftp server......
Connection to server Established.
|
TFTP get operation was successful
switch# configure terminal
switch(config)# username User1 sshkey file bootflash:secsh_file.pub
switch(config)# exit
switch# show user-account 
user:admin
        this user account has no expiry date
        roles:network-admin 
user:user2
        this user account has no expiry date
        roles:network-operator 
        ssh public key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyKcb7Nv9Ki1OOId9/tdHHa/
ngQujlvK5mXyL/n+DeOXKfVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5awfVhVxMKXMiPOPBc+A6/n3FVroyRwupMki6
mWoM6UwaGID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8QoAcrEtnwEfsnQk1EIr/0XIP1mqTsrqTsmjZ2vLk+
fFzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuDYSPbc3PA8t0ghU/60m9R+s6AZPuljVQbGfxPrahEu4GVc6sMJN
U1JxmqDJkodhMArObB4Umzj7E3Rdby/ZWx/clTYiXQR1X1VfhQ==
switch# copy running-config startup-config

        Starting SSH Sessions

        Use this procedure to start SSH sessions using IP to connect to remote devices.

        Before You Begin

        Before beginning this procedure, be sure you have done the following:

        • Logged in to the CLI in EXEC mode.
        • Obtained the hostname and, if needed, the username, for the remote device.
        • Enabled the SSH server on the remote device
        Procedure
           Command or ActionPurpose
          Step 1 switch# ssh [root@] {ip address | hostname } [vrf vrf-name] 

          Creates an SSH IP session to a remote device using IP. The default virtual routing and forwarding (VRF) instance is the default VRF.

            
          switch# ssh root@172.28.30.77
root@172.28.30.77's password: 
Last login: Sat Jul 26 11:07:23 2008 from 171.70.209.64

          Clearing SSH Hosts

          Use this procedure to clear from your account the list of trusted SSH servers that were added when you downloaded a file from a server using SCP or SFTP, or when you started an SSH session to a remote host.

          Procedure
             Command or ActionPurpose
            Step 1switch# clear ssh hosts 

            Clears the SSH host sessions.

              
            switch# clear ssh hosts

            Disabling the SSH Server

            Use this procedure to disable the SSH server to prevent SSH access to the switch. By default, the SSH server is enabled.

            If you disable SSH, to enable it again you must first generate an SSH server key

            Before You Begin

            Before beginning this procedure, you must be logged in to the CLI in EXEC mode.

            Procedure
               Command or ActionPurpose
              Step 1switch# configure terminal  

              Places you into global configuration mode.

               
              Step 2switch(config)# no feature ssh 

              Disables the SSH server. The default is enabled.

               
              Step 3switch(config)# show ssh server  (Optional)

              Displays the SSH server configuration.

               
              Step 4switch(config)# copy running-config startup-config  (Optional)

              Copies the running configuration to the startup configuration.

                
              switch# configure terminal
switch(config)# no feature ssh 
XML interface to system may become unavailable since ssh is disabled
switch(config)#  show ssh server
ssh is not enabled
switch(config)# copy running-config startup-config

              Deleting SSH Server Keys

              Use this procedure to delete SSH server keys after you disable the SSH server.

              If you disable SSH, to enable it again you must first generate an SSH server key.

              Before You Begin

              Before beginning this procedure, you must be logged in to the CLI in EXEC mode.

              Procedure
                 Command or ActionPurpose
                Step 1 switch# configure terminal 

                Places you into global configuration mode.

                 
                Step 2switch(config)# no feature ssh  

                Disables the SSH server.

                 
                Step 3switch(config)# no ssh key [dsa | rsa] 

                Deletes the SSH server key.

                The default is to delete all the SSH keys.

                 
                Step 4switch(config)# show ssh key  (Optional)

                Displays the SSH server key configuration.

                 
                Step 5switch(config)# copy running-config startup-config  (Optional)

                Copies the running configuration to the startup configuration.

                  
                switch# configure terminal
switch(config)# no feature ssh 
switch(config)# no ssh key rsa
switch(config)# show ssh key
**************************************
rsa Keys generated:Sun Jul 27 15:18:46 2008

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyKcb7Nv9Ki1OOId9/tdHHa/ngQujlvK5mXyL/n+DeOXK
fVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5awfVhVxMKXMiPOPBc+A6/n3FVroyRwupMki6mWoM6Uwa
GID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8QoAcrEtnwEfsnQk1EIr/0XIP1mqTsrqTsmjZ2vLk+f
FzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuDYSPbc3PA8t0ghU/60m9R+s6AZPuljVQbGfxPrahEu4
GVc6sMJNU1JxmqDJkodhMArObB4Umzj7E3Rdby/ZWx/clTYiXQR1X1VfhQ==

bitcount:2048
fingerprint:
fd:ca:48:73:b9:ee:e7:86:9e:1e:40:46:f1:50:1d:44
**************************************
dsa Keys generated:Sun Jul 27 15:20:12 2008

ssh-dss AAAAB3NzaC1kc3MAAACBALpdxLjXNS/jcCNY+F1QZV9HegxBEb0DMUmq9bSq2N+KAcvHllEh
GnaiHhqarOlcEKqhLbIbuqtKTCvfa+Y1hBIAhWVjg1UR3/M22jqxnfhnxL5YRc1Q7fcesFax0myayAIU
nXrkO5iwv9XHTu+EInRc4kJ0XrG9SxtLmDe/fi2ZAAAAFQDbRabAjZa6GfDpwjXw5smRhrElJwAAAIEA
r50yi3hHawNnb5qgYLXhN+KA8XJF753eCWHtMw7NR8fz6fjQ1R2J97UjjGuQ8DvwpGeNQ5S+AuIo0rGq
svdg7TTecBcbgBOnR7Fs2+W5HiSVEGbvj1xaeK8fkNE6kaJumBB343b8Rgj0G97MP/os1GfkEqmX9glB
0IOM2mgHHyoAAACAfRir27hHy+fw8CxPlsK0R6cFhxYyd/qYYogXFKYIOPxpLoYrjqODeOFThU7TJuBz
aS97eXiruzbffHwzUGfXgmQT5o9IMZRTClWPA/5Ju4O9YABYHccUghf0W+QtgGOT6FOSvBh8uOV0kcHC
GMJAP8omphauZJlc+wgFxhnkyh4=

bitcount:1024
fingerprint:
44:91:32:1f:7a:d1:83:3c:f3:5e:db:53:0a:2d:ce:69
**************************************
mcs-srvr43(config)# no ssh key rsa
mcs-srvr43(config)# show ssh key
**************************************
could not retrieve rsa key information
**************************************
dsa Keys generated:Sun Jul 27 15:20:12 2008

ssh-dss AAAAB3NzaC1kc3MAAACBALpdxLjXNS/jcCNY+F1QZV9HegxBEb0DMUmq9bSq2N+KAcvHllEh
GnaiHhqarOlcEKqhLbIbuqtKTCvfa+Y1hBIAhWVjg1UR3/M22jqxnfhnxL5YRc1Q7fcesFax0myayAIU
nXrkO5iwv9XHTu+EInRc4kJ0XrG9SxtLmDe/fi2ZAAAAFQDbRabAjZa6GfDpwjXw5smRhrElJwAAAIEA
r50yi3hHawNnb5qgYLXhN+KA8XJF753eCWHtMw7NR8fz6fjQ1R2J97UjjGuQ8DvwpGeNQ5S+AuIo0rGq
svdg7TTecBcbgBOnR7Fs2+W5HiSVEGbvj1xaeK8fkNE6kaJumBB343b8Rgj0G97MP/os1GfkEqmX9glB
0IOM2mgHHyoAAACAfRir27hHy+fw8CxPlsK0R6cFhxYyd/qYYogXFKYIOPxpLoYrjqODeOFThU7TJuBz
aS97eXiruzbffHwzUGfXgmQT5o9IMZRTClWPA/5Ju4O9YABYHccUghf0W+QtgGOT6FOSvBh8uOV0kcHC
GMJAP8omphauZJlc+wgFxhnkyh4=

bitcount:1024
fingerprint:
44:91:32:1f:7a:d1:83:3c:f3:5e:db:53:0a:2d:ce:69
**************************************
mcs-srvr43(config)# no ssh key dsa
mcs-srvr43(config)# show ssh key
**************************************
could not retrieve rsa key information
**************************************
could not retrieve dsa key information
**************************************
no ssh keys present. you will have to generate them
**************************************

                Clearing SSH Sessions

                Use this procedure to clear SSH sessions from the device.

                Before You Begin

                Before beginning this procedure, you must be logged in to the CLI in EXEC mode.

                Procedure
                   Command or ActionPurpose
                  Step 1switch# show users  

                  Displays user session information.

                   
                  Step 2switch# clear line vty-line 

                  Clears a user SSH session.

                   
                  Step 3switch# show users  (Optional)

                  Displays user session information.

                    
                  switch# show users
NAME     LINE         TIME         IDLE          PID COMMENT
admin    tty1         Jul 25 19:13  old         2867
admin    pts/0        Jul 28 09:49 00:02       28556 (10.21.148.122)
admin    pts/1        Jul 28 09:46   .         28437 (::ffff:10.21.148.122)*
switch# clear line 0
switch# show users
NAME     LINE         TIME         IDLE          PID COMMENT
admin    tty1         Jul 25 19:13  old         2867
admin    pts/1        Jul 28 09:46   .         28437 (::ffff:10.21.148.122)*
mcs-srvr43(config)#

                  Verifying the SSH Configuration

                  Use one of the following commands to verify the configuration.

                  Command

                  Purpose

                  show ssh key [dsa | rsa]

                  Displays SSH server key-pair information.

                  show running-config security [all]

                  Displays the SSH and user account configuration in the running configuration. The all keyword displays the default values for the SSH and user accounts.

                  show ssh server

                  Displays the SSH server configuration

                  Configuration Example for SSH

                  This example shows the steps you use to configure SSH with an OpenSSH key.

                  1. Disable the SSH server. 
                    switch# configure terminal
switch(config)# no feature ssh
                  2. Generate an SSH server key. 
                    switch(config)# ssh key rsa
generating rsa key(1024 bits).....
.generated rsa key
                  3. Enable the SSH server. 
                    switch(config)# feature ssh
                  4. Display the SSH server key. 
                    switch(config)# show ssh key
rsa Keys generated:Sat Sep 29 00:10:39 2007

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvWhEBsF55oaPHNDBnpXOTw6+/OdHoLJZKr+MZm99n2U0
ChzZG4svRWmHuJY4PeDWl0e5yE3g3EO3pjDDmt923siNiv5aSga60K36lr39HmXL6VgpRVn1XQFiBwn4
na+H1d3Q0hDt+uWEA0tka2uOtXlDhliEmn4HVXOjGhFhoNE=

bitcount:1024
fingerprint:
51:6d:de:1c:c3:29:50:88:df:cc:95:f0:15:5d:9a:df
**************************************
could not retrieve dsa key information
**************************************
                  5. Specify the SSH public key in OpenSSH format. 
                    switch(config)# username User1 sshkey ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAIEAy19oF6QaZl9G+3f1XswK3OiW4H7YyUyuA50rv7gsEPjhOBYmsi6PAVKui1nIf/
DQhum+lJNqJP/eLowb7ubO+lVKRXFY/G+lJNIQW3g9igG30c6k6+XVn+NjnI1B7ihvpVh7dLddMOXwOnXHYshXmSiH
3UD/vKyziEh5S4Tplx8=
                  6. Save the configuration. 
                    switch(config)# copy running-config startup-config

                  Feature History for SSH

                  This table only includes updates for those releases that have resulted in additions to the feature.

                  Feature Name

                  Releases

                  Feature Information

                  SSH

                  4.0(4)SV1(1)

                  This feature was introduced.