- Securing User Services Overview
- Autosecure
-
-
-
- Configuring RADIUS
- AAA Dead-Server Detection
- ACL Default Direction
- Attribute Screening for Access Requests
- Enable Multilink PPP via RADIUS for Preauthentication User
- Enhanced Test Command
- Framed-Route in RADIUS Accounting
- Offload Server Accounting Enhancement
- Per VRF AAA
- RFC-2867 RADIUS Tunnel Accounting
- RADIUS Attribute Screening
- RADIUS Centralized Filter Management
- RADIUS Debug Enhancements
- RADIUS Logical Line ID
- RADIUS NAS-IP-Address Attribute Configurability
- RADIUS Route Download
- RADIUS Support of 56-Bit Acct Session-Id
- RADIUS Tunnel Preference for Load Balancing and Fail-Over
- RADIUS Server Reorder on Failure
- Tunnel Authentication via RADIUS on Tunnel Terminator
-
-
-
- RADIUS Attributes Overview and RADIUS IETF Attributes
- RADIUS Vendor-Proprietary Attributes
- Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
- Connect-Info RADIUS Attribute 77
- Encrypted Vendor Specific Attributes
- Local AAA Server
- Per-User QoS via AAA Policy Name
- RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
- RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
- RADIUS Attribute 82: Tunnel Assignment ID
- RADIUS Attribute 104
- RADIUS Progress Codes
- RADIUS Timeout Set During Pre-Authentication
- RADIUS Tunnel Attribute Extensions
- V.92 Reporting Using RADIUS Attribute v.92-info
-
- Cisco IOS Login Enhancements (Login Block)
- Cisco IOS Resilient Configuration
- Image Verification
- IP Source Tracker
- Role-Based CLI Access
- Finding Feature Information
- Contents
- Prerequisites for Reverse SSH Enhancements
- Restrictions for Reverse SSH Enhancements
- Information About Reverse SSH Enhancements
- How to Configure Reverse SSH Enhancements
- Configuration Examples for Reverse SSH Enhancements
- Additional References
- Feature Information for Reverse SSH Enhancements
Reverse SSH Enhancements
The Reverse SSH Enhancements feature, which is supported for SSH Version 1 and 2, provides an alternative way to configure reverse Secure Shell (SSH) so that separate lines do not need to be configured for every terminal or auxiliary line on which SSH must be enabled. This feature also eliminates the rotary-group limitation.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Reverse SSH Enhancements" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•Prerequisites for Reverse SSH Enhancements
•Restrictions for Reverse SSH Enhancements
•Information About Reverse SSH Enhancements
•How to Configure Reverse SSH Enhancements
•Configuration Examples for Reverse SSH Enhancements
•Feature Information for Reverse SSH Enhancements
Prerequisites for Reverse SSH Enhancements
•SSH must be enabled.
•The SSH client and server must be running the same version of SSH.
Restrictions for Reverse SSH Enhancements
•The -l keyword and userid :{number} {ip-address} delimiter and arguments are mandatory when configuring the alternative method of Reverse SSH for console access.
Information About Reverse SSH Enhancements
Reverse Telnet
Cisco IOS software has for quite some time included a feature called Reverse telnet, whereby you can telnet to a certain port range and connect to terminal or auxiliary lines. Reverse telnet has often been used to connect a Cisco IOS router that has many terminal lines to the consoles of other Cisco IOS routers or to other devices. Telnet makes it easy to reach the router console from anywhere simply by telnet to the terminal server on a specific line. This telnet approach can be used to configure a router even if all network connectivity to that router is disconnected. Reverse telnet also allows modems that are attached to Cisco IOS routers to be used for dial-out (usually with a rotary device).
Reverse SSH
Reverse telnet can be accomplished using SSH. Unlike reverse telnet, SSH provides for secure connections. The Reverse SSH Enhancements feature provides you with a simplified method of configuring SSH. Using this feature, you no longer have to configure a separate line for every terminal or auxiliary line on which you want to enable SSH. The previous method of configuring reverse SSH limited the number of ports that can be accessed to 100. The Reverse SSH Enhancements feature removes the port number limitation. For information on the alternative method of configuring reverse SSH, see "How to Configure Reverse SSH Enhancements" section."
How to Configure Reverse SSH Enhancements
•Configuring Reverse SSH for Console Access
•Configuring Reverse SSH for Modem Access
•Troubleshooting Reverse SSH on the Client
•Troubleshooting Reverse SSH on the Server
Configuring Reverse SSH for Console Access
To configure reverse SSH console access on the SSH server, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. line line-number [ending-line-number]
4. no exec
5. login authentication listname
6. transport input ssh
7. exit
8. exit
9. ssh -l userid:{number} {ip-address}
DETAILED STEPS
Configuring Reverse SSH for Modem Access
To configure Reverse SSH for modem access, perform the steps shown in the "SUMMARY STEPS" section below.
In this configuration, reverse SSH is being configured on a modem used for dial-out lines. To get any of the dial-out modems, you can use any SSH client and start a SSH session as shown (in Step 10) to get to the next available modem from the rotary device.
SUMMARY STEPS
1. enable
2. configure terminal
3. line line-number [ending-line-number]
4. no exec
5. login authentication listname
6. rotary group
7. transport input ssh
8. exit
9. exit
10. ssh -l userid:rotary{number} {ip-address}
DETAILED STEPS
Troubleshooting Reverse SSH on the Client
To troubleshoot the reverse SSH configuration on the client (remote device), perform the following steps.
SUMMARY STEPS
1. enable
2. debug ip ssh client
DETAILED STEPS
Troubleshooting Reverse SSH on the Server
To troubleshoot the reverse SSH configuration on the terminal server, perform the following steps. The steps may be configured in any order or independent of one another.
SUMMARY STEPS
1. enable
2. debug ip ssh
3. show ssh
4. show line
DETAILED STEPS
Configuration Examples for Reverse SSH Enhancements
•Example: Reverse SSH Console Access
•Example: Reverse SSH Modem Access
Example: Reverse SSH Console Access
The following configuration example shows that reverse SSH has been configured for console access for terminal lines 1 through 3:
Terminal Server Configuration
line 1 3
no exec
login authentication default
transport input ssh
Client Configuration
The following commands configured on the SSH client will form the reverse SSH session with lines 1, 2, and 3, respectively:
ssh -l lab:1 router.example.com
ssh -l lab:2 router.example.com
ssh -l lab:3 router.example.com
Example: Reverse SSH Modem Access
The following configuration example shows that dial-out lines 1 through 200 have been grouped under rotary group 1 for modem access:
line 1 200
no exec
login authentication default
rotary 1
transport input ssh
exit
The following command shows that reverse SSH will connect to the first free line in the rotary group:
ssh -l lab:rotary1 router.example.com
Additional References
Related Documents
|
|
---|---|
Cisco IOS commands |
|
Configuring Secure Shell |
See the following modules: •"Configuring Secure Shell" •"Secure Shell Version 2 Support" |
Security commands |
Standards
|
|
---|---|
No new or modified standards are supported by this feature. |
— |
MIBs
|
|
---|---|
None |
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
|
|
---|---|
None |
— |
Technical Assistance
Feature Information for Reverse SSH Enhancements
Table 1 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2004-2009 Cisco Systems, Inc. All rights reserved.