About SSH and Telnet
This section includes information about SSH and Telnet.
SSH Server
You can use the SSH server to enable an SSH client to make a secure, encrypted connection to a Cisco NX-OS device. SSH uses strong encryption for authentication. The SSH server in the Cisco NX-OS software can interoperate with publicly and commercially available SSH clients.
The user authentication mechanisms supported for SSH are RADIUS, TACACS+, LDAP, and the use of locally stored usernames and passwords.
SSH Client
The SSH client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco NX-OS device to make a secure, encrypted connection to another Cisco NX-OS device or to any other device that runs the SSH server. This connection provides an outbound connection that is encrypted. With authentication and encryption, the SSH client allows for a secure communication over an insecure network.
The SSH client in the Cisco NX-OS software works with publicly and commercially available SSH servers.
SSH Server Keys
SSH requires server keys for secure communications to the Cisco NX-OS device. You can use SSH server keys for the following SSH options:
-
SSH version 2 using Rivest, Shamir, and Adelman (RSA) public-key cryptography
-
SSH version 2 using the Digital System Algrorithm (DSA)
-
SSH version 2 using the Elliptic Curve Digital Signature Algorithm (ECDSA)
Be sure to have an SSH server key-pair with the appropriate version before enabling the SSH service. You can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts the following types of key-pairs for use by SSH version 2:
-
The dsa option generates the DSA key-pair for the SSH version 2 protocol.
-
The rsa option generates the RSA key-pair for the SSH version 2 protocol.
-
The ecdsa option generates the ECDSA key-pair for the SSH version 2 protocol.
By default, the Cisco NX-OS software generates an RSA key using 1024 bits.
SSH supports the following public key formats:
-
OpenSSH
-
IETF Secure Shell (SECSH)
-
Public Key Certificate in Privacy-Enhanced Mail (PEM)
![]() Caution |
If you delete all of the SSH keys, you cannot start the SSH services. |
SSH Authentication Using Digital Certificates
SSH authentication on Cisco NX-OS devices provide X.509 digital certificate support for host authentication. An X.509 digital certificate is a data item that ensures the origin and integrity of a message. It contains encryption keys for secured communications and is signed by a trusted certification authority (CA) to verify the identity of the presenter. The X.509 digital certificate support provides either DSA or RSA algorithms for authentication.
The certificate infrastructure uses the first certificate that supports the Secure Socket Layer (SSL) and is returned by the security infrastructure, either through a query or a notification. Verification of certificates is successful if the certificates are from any of the trusted CAs configured and if not revoked or expired.
You can configure your device for SSH authentication using an X.509 certificate. If the authentication fails, you are prompted for a password.
You can configure SSH authentication using X.509v3 certificates (RFC 6187). X.509v3 certificate-based SSH authentication uses certificates combined with a smartcard to enable two-factor authentication for Cisco device access. The SSH client is provided by Cisco partner Pragma Systems.
SSH Authentication Using Host Identity Based Authorization (HIBA)
Host-Based Authentication is an SSH authentication method that authenticates the client's host to the server (Cisco Nexus 9000 switch) by verifying
the client's host public key in the server's known_hosts
file. This is distinct from SSH Certificate-Based Authentication, which uses digital certificates signed by a Certificate
Authority (CA) to authenticate users or hosts.
Host Identity Based Authorization (HIBA) is a method that centralizes SSH authorization management by embedding host authorization information within certificates.
-
Host authorization information is embedded in the host certificate.
-
User certificates contain "grants" specifying permitted access.
-
Authorization is managed centrally by a Certificate Authority (CA).
HIBA simplifies SSH access control, reduces administrative overhead, and eliminates dependencies on external AAA servers for authorization.
Benefits of HIBA
HIBA offers several advantages over traditional SSH key management:
Key benefits of HIBA include:
-
Simplified Management: Centralized authorization through certificate-based identity simplifies management.
-
Scalability: Easier management of SSH access in large, complex environments.
-
Reduced Dependencies: Eliminates the dependency on external AAA servers for authorization, making it suitable for last-resort access.
-
Enhanced Security: Improves control over temporary and privileged access with short-lived certificates.
How SSH Authentication with HIBA Works
This process describes how SSH authentication occurs when HIBA is configured.
Summary
The SSH server invokes the HIBA authorization module to process user certificates during authentication. Access is granted if the HIBA module successfully validates the user's certificate against the configured host identity and grants. If HIBA validation fails, the SSH server may fall back to other authentication methods, depending on the configuration.
Workflow
These stages describe the SSH authentication process with HIBA:
-
SSH Connection Attempt - A user attempts to connect to the switch via SSH.
-
Certificate Presentation - The SSH client presents the user's certificate to the SSH server on the switch.
-
HIBA Module Invocation - The SSH server, based on its configuration (AuthorizedPrincipalsCommand), invokes the HIBA authorization module.
-
Certificate Validation - The HIBA module performs the following validations:
-
Verifies the user certificate's signature against the configured HIBA CA.
-
Extracts the host identity from the host certificate.
-
Checks for a valid "grant" in the user certificate that matches the host identity.
-
-
Access Decision - Based on the HIBA module's validation, one of the following occurs:
When... And... Then... And... The user certificate is successfully validated by the HIBA module
A valid grant for the target host is found in the user certificate
Access is granted to the user.
The SSH session proceeds.
The user certificate is invalid or cannot be validated.
No valid grant is found in the user certificate.
Access is denied by the HIBA module.
The SSH server may fall back to other authentication methods (if configured).
Configuring HIBA for SSH Authentication
This steps guides you through the configuration of SSH Host Identity Based Authorization (HIBA).
This configuration involves generating SSH server keys, configuring a trustpoint for the HIBA CA, enrolling the SSH host certificate, and configuring the SSH server to use HIBA for authentication.
![]() Note |
To configure HIBA for the first time, you can log in to the switch using traditional SSH authentication methods, such as local user accounts or other configured AAA servers. Enabling HIBA does not remove or block existing local SSH users unless you explicitly delete those accounts. |
Before you begin
Before configuring HIBA, ensure that you have:
-
A functional PKI infrastructure, including a Certificate Authority (CA).
-
Connectivity to the CA server.
Procedure
Step 1 |
configure terminal Example:
Enter global configuration mode. |
Step 2 |
ssh key ecdsa bits Example:
Generate ECDSA keypair for the switch. This example uses a 384-bit ECDSA key. Use a key size supported by your security policy and platform. |
Step 3 |
ssh key export bootflash:file_name ecdsa Example:
Export the SSH host ECDSA key to bootflash. Replace After export, transfer
|
Step 4 |
crypto ca trustpoint openssh-ca type ssh Example:
Create a trustpoint for the HIBA CA. Use the name openssh-ca for consistency. |
Step 5 |
crypto ca authenticate openssh-ca type ssh ecdsa-sha2-nistp384 public_key Example:
Authenticate the HIBA CA by importing the CA public key. Replace the key string with your actual CA public key. |
Step 6 |
crypto ca enroll openssh-ca type ssh host-certificate ecdsa-sha2-nistp384-cert-v01@openssh.com certificate_content Example:
Enroll the SSH host certificate signed by your CA. Use the certificate content generated as per the Google HIBA CA wiki instructions. |
Example Configuration: HIBA SSH Client on Linux
![]() Important |
The following steps are provided as an example for configuring a HIBA SSH client on a Linux system. The exact procedure and output may vary depending on your client operating system and SSH version. Consult your system’s official SSH documentation for authoritative instructions. |
This steps guides you through the client-side configuration for using Host Identity Based Authorization (HIBA) with SSH.
![]() Note |
The term "HIBA server" refers to the SSH server running on the Cisco Nexus 9000 switch, configured to use HIBA. |
Before you begin
Before configuring the HIBA SSH client, ensure that you have:
-
A valid installation of
openssh-client
on your host. -
The CA public key (
ca.pub
). -
Your user private key and matching certificate with a valid HIBA extension.
-
Your user public key (
key_rsa.pub
or equivalent).
Procedure
Step 1 |
$ cat /etc/ssh/ssh_config Example:
Configure SSH client settings Edit |
||
Step 2 |
$ echo "@cert-authority * $(cat /etc/ssh/ca.pub)" > /etc/ssh/known_hosts Example:
Populate known_hosts with CA public key Add the CA public key to the |
||
Step 3 |
$ cat ~/.ssh/key_rsa.pub Example:
View your user public key Display the contents of your user public key file. This key is required for certificate-based authentication and should correspond to your private key and certificate.
|
||
Step 4 |
$ ssh -i <path_to_private_key> <user>@<hiba_server_ip> Example:
Connect to the HIBA-enabled SSH server Use your private key (and its matching certificate, if required) to connect to the SSH server.
|
If configured correctly, the SSH connection should be established using HIBA certificate-based authentication, and host validation
will succeed against the CA public key. Passwordless login will be possible if the public key is present in authorized_keys
on the server.
Verifying HIBA Configuration
Procedure
Step 1 |
show crypto ca certificates type ssh Example:
Display the SSH certificates and verify that the host certificate is enrolled and associated with the correct trustpoint ( Expected Output: The output should display the SSH host certificate details, including the "HIBA Info" section, which shows the HIBA grants. If the host certificate and HIBA information are displayed correctly, the certificate enrollment is successful. |
Step 2 |
show crypto ca trustpoints type ssh Example:
Display the SSH trustpoints and verify that the HIBA CA trustpoint (
Expected Output: The output should list the trustpoint names of type If the HIBA CA trustpoint appears in the output, the trustpoint has been configured successfully. |
Step 3 |
ssh -i path_to_private_key> <user>@<switch_ip Example:
Attempt to SSH to the switch using a user with a HIBA-enabled certificate signed by the CA.
Note: The -i option specifies the path to the user's The SSH connection should be established successfully without prompting for a password (if password authentication is disabled). |
Telnet Server
The Telnet protocol enables TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP connection to a login server at another site and then passes the keystrokes from one device to the other. Telnet can accept either an IP address or a domain name as the remote device address.
The Telnet server is disabled by default on the Cisco NX-OS device.