Secure Shell
Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device.
SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2).
Prerequisites for configuring Secure Shell
Secure Shell (SSH) prerequisites are the mandatory configuration and software requirements that must be met before the device can support secure remote connections.
-
An RSA public/private key pair must be generated on the device.
-
An IPsec encryption software image (DES or 3DES) must be installed for both the SSH server and client.
-
A valid hostname and host domain must be configured using global configuration commands.
Configuration requirements for Secure Shell
To successfully configure the device for SSH, ensure the following settings are applied:
-
Configure the device identity by using the hostname and ip domain-name commands in global configuration mode.
Restrictions for configuring Secure Shell
Provides the necessary constraints and configuration requirements for enabling secure shell on the IR8100.
These are restrictions for configuring the IR8100 for secure shell.
-
The router supports RSA authentication.
-
SSH supports only the execution-shell application.
-
The SSH server and the SSH client are supported only on Data Encryption Standard (DES) (56-bit) and 3DES (168-bit) data encryption software. In DES software images, DES is the only encryption algorithm available. In 3DES software images, both DES and 3DES encryption algorithms are available.
-
This software release supports IP Security (IPSec).
-
The IR8100 supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit key, 192-bit key, or 256-bit key. However, symmetric cipher AES to encrypt the keys is not supported.
-
The login banner is not supported in Secure Shell Version 1. It is supported in Secure Shell Version 2, which Cisco recommends due to its better security.
-
The -l keyword and userid :{number} {ip-address} delimiter and arguments are mandatory when configuring the alternative method of Reverse SSH for console access.
![]() Note |
Cisco highly recommends the 3DES encryption as it is stronger. See the Cisco IOS-XE Device hardening guide at https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html for details. |
SSH and router access
Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device.
-
Provides more security for remote connections than Telnet by using strong encryption.
-
Supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2).
-
Functions consistently in both IPv4 and IPv6, supporting IPv6 addresses and secure transport.
SSH servers, integrated clients, and supported versions
The SSH Integrated Client is an application that runs over the SSH protocol to provide device authentication and encryption.
-
Enables secure, encrypted connections to Cisco or non-Cisco devices running an SSH server.
-
Supports ciphers including DES, 3DES, and password authentication.
-
Requires the SSH server to be enabled for client functionality.
SSH authentication methods
The SSH client supports the following user authentication methods:
-
TACACS+
-
RADIUS
-
Local authentication and authorization
![]() Note |
The SSH client functionality is available only when the SSH server is enabled. |
SSH configuration guidelines
Follow these guidelines when configuring the device as an SSH server or SSH client:
-
An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server, and the reverse.
-
If you get CLI error messages after entering the crypto key generate rsa global configuration command, an RSA key pair has not been generated. Reconfigure the hostname and domain, and then enter the crypto key generate rsa command.
-
When generating the RSA key pair, the message No hostname specified might appear. If it does, you must configure an IP hostname by using the hostname global configuration command.
-
When generating the RSA key pair, the message No domain specified might appear. If it does, you must configure an IP domain name by using the ip domain-name global configuration command.
-
When configuring the local authentication and authorization authentication method, make sure that AAA is disabled on the console.

Feedback