Contents
- Secure Shell—Configuring User Authentication Methods
- Finding Feature Information
- Restrictions for Secure Shell—Configuring User Authentication Methods
- Information About Secure Shell—Configuring User Authentication Methods
- Secure Shell User Authentication Overview
- How to Configure Secure Shell—Configuring User Authentication Methods
- Configuring User Authentication for the SSH Server
- Troubleshooting Tips
- Verifying User Authentication for the SSH Server
- Configuration Examples for Secure Shell—Configuring User Authentication Methods
- Example: Disabling User Authentication Methods
- Example: Enabling User Authentication Methods
- Example: Configuring Default User Authentication Methods
- Additional References for Secure Shell—Configuring User Authentication Methods
- Feature Information for Secure Shell—Configuring User Authentication Methods
Secure Shell—Configuring User Authentication Methods
The Secure Shell—Configuring User Authentication Methods feature helps configure the user authentication methods available in the Secure Shell (SSH) server.
- Finding Feature Information
- Restrictions for Secure Shell—Configuring User Authentication Methods
- Information About Secure Shell—Configuring User Authentication Methods
- How to Configure Secure Shell—Configuring User Authentication Methods
- Configuration Examples for Secure Shell—Configuring User Authentication Methods
- Additional References for Secure Shell—Configuring User Authentication Methods
- Feature Information for Secure Shell—Configuring User Authentication Methods
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Secure Shell—Configuring User Authentication Methods
Secure Shell User Authentication Overview
Secure Shell (SSH) enables an SSH client to make a secure, encrypted connection to a Cisco device (Cisco IOS SSH server). The SSH client uses the SSH protocol to provide device authentication and encryption.
The SSH server supports three types of user authentication methods and sends these authentication methods to the SSH client in the following predefined order:
- Public-key authentication method
- Keyboard-interactive authentication method
- Password authentication method
By default, all the user authentication methods are enabled. Use the no ip ssh server authenticate user {publickey | keyboard | pasword} command to disable any specific user authentication method so that the disabled method is not negotiated in the SSH user authentication protocol. This feature helps the SSH server offer any preferred user authentication method in an order different from the predefined order. The disabled user authentication method can be enabled using the ip ssh server authenticate user {publickey | keyboard | pasword} command.
As per RFC 4252 (The Secure Shell (SSH) Authentication Protocol), the public-key authentication method is mandatory. This feature enables the SSH server to override the RFC behavior and disable any SSH user authentication method, including public-key authentication.
For example, if the SSH server prefers the password authentication method, the SSH server can disable the public-key and keyboard-interactive authentication methods.
How to Configure Secure Shell—Configuring User Authentication Methods
Configuring User Authentication for the SSH Server
SUMMARY STEPS
1. enable
2. configure terminal
3. no ip ssh server authenticate user {publickey | keyboard | pasword}
4. ip ssh server authenticate user {publickey | keyboard | pasword}
5. default ip ssh server authenticate user
6. end
DETAILED STEPS
Troubleshooting Tips
- If the public-key-based authentication method is disabled using the no ip ssh server authenticate user publickey command, the RFC 4252 (The Secure Shell (SSH) Authentication Protocol) behavior in which public-key authentication is mandatory is overridden and the following warning message is displayed:
%SSH:Publickey disabled.Overriding RFC- If all three authentication methods are disabled, the following warning message is displayed:
%SSH:No auth method configured.Incoming connection will be dropped- In the event of an incoming SSH session request from the SSH client when all three user authentication methods are disabled on the SSH server, the connection request is dropped at the SSH server and a system log message is available in the following format:
%SSH-3-NO_USERAUTH: No auth method configured for SSH Server. Incoming connection from <ip address> (tty = <ttynum>) droppedVerifying User Authentication for the SSH Server
SUMMARY STEPS
1. enable
2. show ip ssh
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode.
Example:Device> enableStep 2 show ip ssh
Displays the version and configuration data for Secure Shell (SSH).
Example:The following sample output from the show ip ssh command confirms that all three user authentication methods are enabled in the SSH server:Device# show ip ssh Authentication methods:publickey,keyboard-interactive,password
The following sample output from the show ip ssh command confirms that all three user authentication methods are disabled in the SSH server:Device# show ip ssh Authentication methods:NONE
Configuration Examples for Secure Shell—Configuring User Authentication Methods
- Example: Disabling User Authentication Methods
- Example: Enabling User Authentication Methods
- Example: Configuring Default User Authentication Methods
Example: Disabling User Authentication Methods
The following example shows how to disable the public-key-based authentication and keyboard-based authentication methods, allowing the SSH client to connect to the SSH server using the password-based authentication method:
Device> enable Device# configure terminal Device(config)# no ip ssh server authenticate user publickey %SSH:Publickey disabled.Overriding RFC Device(config)# no ip ssh server authenticate user keyboard Device(config)# exitAdditional References for Secure Shell—Configuring User Authentication Methods
Related Documents
Technical Assistance
Description Link The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Feature Information for Secure Shell—Configuring User Authentication Methods
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 Feature Information for Secure Shell—Configuring User Authentication Methods Feature Name
Releases
Feature Information
Secure Shell—Configuring User Authentication Methods
Cisco IOS XE Release 3.10S
The Secure Shell—Configuring User Authentication Methods feature helps configure the user authentication methods available in the Secure Shell (SSH) server.
The following command was introduced: ip ssh server authenticate user.
In Cisco IOS XE Release 3.10, this feature was introduced on Cisco ASR 1000 Series Aggregation Services Routers.