Secure Shell (SSH) FAQ

Document ID: 19143

Questions

Introduction
How do I configure SSH terminal-line access (also known as reverse-telnet)?
Is SSH supported on the Catalyst 2900?
How can I determine which platforms and versions of code support SSH?
When I try to remove certain SSH commands from my router, it continues to ask me to create RSA keys in order to enable SSH. Why is this?
Does Cisco IOS® SSH version 2 support Digital Signature Standard (DSS)?
Does the Cisco IOS SSH server support agent forwarding?
Does Cisco IOS support SSH authentication with digital certificates?
What does the error Local: Corrupted check bytes on input mean?
Does Cisco IOS support SSH with Blowfish cipher?
NetPro Discussion Forums - Featured Conversations
Related Information

Introduction

This document answers the most Frequently Asked Questions (FAQs) related to Secure Shell (SSH).

Q. How do I configure SSH terminal-line access (also known as reverse-telnet)?

A. This was first introduced in some platforms of Cisco IOS® Software Release 12.2.2.T.

Router(config)#line line-number [ending-line-number] 
Router(config-line)#no exec 
Router(config-line)#login {local | authentication listname 
Router(config-line)#rotary group 
Router(config-line)#transport input {all | ssh} 
Router(config-line)#exit 
Router(config)#ip ssh port portnum rotary group 


!--- Line 1 SSH Port Number 2001

line 1
   no exec
   login authentication default
   rotary 1
   transport input ssh

!--- Line 2 SSH Port Number 2002

line 2
   no exec
   login authentication default
   rotary 2
   transport input ssh

!--- Line 3 SSH Port Number 2003

line 3
   no exec
   login authentication default
   rotary 3
   transport input ssh
 
ip ssh port 2001 rotary 1 3

Command Reference:

ip ssh port
	ip ssh port portnum rotary group

	no ip ssh port portnum rotary group

portnum —Specifies the port to which SSH needs to connect, such as 2001.
rotary group —Specifies the defined rotary that needs to search for a valid name.

Q. Is SSH supported on the Catalyst 2900?

A. No, it is not.

Q. How can I determine which platforms and versions of code support SSH?

A. See the Feature Navigator ( registered customers only) and specify the SSH feature.

Q. When I try to remove certain SSH commands from my router, it continues to ask me to create RSA keys in order to enable SSH. Why is this?

A. An example of this problem is show here:

804#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
804(config)#no ip ssh time-out 120
Please create RSA keys to enable SSH.
804(config)#no ip ssh authen
Please create RSA keys to enable SSH.
804(config)

You are encountering Cisco bug ID CSCdv70159 ( registered customers only) .

Q. Does Cisco IOS® SSH version 2 support Digital Signature Standard (DSS)?

A. Cisco IOS SSH version 2 (derived from OpenSSH code) does not support DSS.

Q. Does the Cisco IOS SSH server support agent forwarding?

A. Cisco IOS SSH does not support agent forwarding. Cisco IOS SSH is derived from OpenSSH code. It interoperates with all the commercial SSH implementations.

Q. Does Cisco IOS support SSH authentication with digital certificates?

A. Cisco IOS does not support SSH authentication with digital certificates.

Q. What does the error `Local: Corrupted check bytes on input` mean?

A. Corrupted checkbytes means the SSH packet received failed its integrity check. This is usually because of incorrect decryption. This is also because of an incorrect key used. The incorrect key is caused by the dropping of an encrypted SSH packet. You have either dropped an encrypted packet which should have been sent or dropped a received encrypted packet which should have been decrypted.

Q. Does Cisco IOS support SSH with Blowfish cipher?

A. Cisco IOS does not support SSH with Blowfish cipher. When an SSH client sends such unsupported cipher, the router displays debug messages mentioned in SSH Client Sends Unsupported (Blowfish) Cipher.