To enable one or more of the alogrithms used by the client for the SSH session encryption, host-key key exchange (kex) or MAC, use the ip ssh-client algorithm command in Global Configuration mode. To disable one or more of the SSH alogorithm, use the no form of this command.

Syntax

ip ssh-client algorithm {encryption enc-alg1 [enc-alg-2…] | hostkey host-alg1[ host-alg2…] | kex kex-alg1[ kex-alg2…] | mac mac-alg1[ mac-alg2…]}

no ip ssh-client algorithm {encryption enc-alg1 [enc-alg-2…] | hostkey host-alg1[ host-alg2…] | kex kex-alg1[ kex-alg2…] | mac mac-alg1[ mac-alg2…]}

Parameters

• encryption enc-alg1 [enc-alg-2…] (optional) – list of encryption algorithms advertised to the client. One or more of the following algorithms can be specified:

  • aes128-ctr - AES with 128-bit key in CTR mod

  • aes192-ctr - AES with 192-bit key in CTR mod

  • aes256-ctr - AES with 256-bit key in CTR mod

  • aes128-gcm - AES with 128-bit key in GCM mode. Compatible with aes128-gcm@openssh.com

  • aes256-gcm - AES with 256-bit key in GCM mode. Compatible with aes256-gcm@openssh.com

• hostkey host-alg1[ host-alg2…] (optional) – list of Host-key public-key algorithms advertised to the client. One or more of the following algorithms can be specified:

  • ssh-dss - DSA public-key signature with SHA1 hash

  • ssh-rsa - RSA public-key signature with SHA1 hash

  • rsa-sha2-256 - RSA public-key with SHA2-256 hash

  • rsa-sha2-512 - RSA public-key with SHA2-512 hash

• kex kex-alg1[ kex-alg2…] (Optional) – Enable one or more of the following SSH key exchange (kex) algorithms:

  • diffie-hellman-group16-sha512 - Diffie-Hellman key exchange using SHA2-512 as HASH and 4096-bit MODP Group

  • diffie-hellman-group14-sha1 - Diffie-Hellman key exchange using SHA1 as HASH and 2048-bit MODP Group

• mac mac-alg1[ mac-alg2…] (optional) - Enable one or more of the following SSH

  Message Authentication Code (MAC) algorithms:

  • hmac-sha1 - HMAC-SHA1 (digest length = key length = 160 bits)

  • hmac-sha2-256 - HMAC-SHA2-256 (digest length = key length = 256 bits)

  • hmac-sha2-512 - HMAC-SHA2-512 (digest length = key length = 512 bits)

Default Configuration

• Enabled Encryption algorithms: aes128-ctr, aes192-ctr, aes256-ctr, chacha20-poly1305, aes128-gcm and aes256-gcm

• Enabled host-key alogrithms: ssh-dss, ssh-rsa, rsa-sha2-256 and rsa-sha2-512

• Enabled kex algorithms: diffie-hellman-group16-sha512 and diffie-hellman-group14-sha1

• Enabled MAC algorithms: hmac-sha1, hmac-sha2-256 and hmac-sha2-512

Command Mode

Global Configuration mode

User Guidelines

Use the ip ssh-client algorithm command to specify which encryption, host-key, key exchange (kex) and MAC algorithm will be advertised by the SSH client. Algorithms not specified in the command will not be advertised.

The no ip ssh-client algorithm specifies which algorithms to remove from the SSH client advertisement. The no command will change the advertisement list only if it specifies an algorithm that is in the current advertisement list. At least one algorithm must be supported for each category. If the command attempts to remove the last algorithm supported for that category the operation will fail and an error message will be displayed.

The configuration file will include a command that specifies the algorithm that are advertised (even if no ip ssh-client algorithm was used for the configuration)

The following algorithms are supported, and can be disabled only if FIPS mode is disabled:

• chacha20-poly1305 encryption

• ssh-dss host-key

In FIPS enabled mode these algorithms are not supported, and therefore do not need to be disabled.

Examples

Example 1 - The following example enables a few of the SSH encryption algorithms on the device. This means that the other encryption algorithms will not be advertised by the SSH client:

Switchxxxxxx(config)# ip ssh-client algorithm encryption aes256-ctr aes256-gcm

To define the SSH client authentication method used by the local SSH clients to be authenticated by remote SSH servers, use the ip ssh-client authentication command in Global Configuration mode.

To return to default, use the no format of the command.

Syntax

ip ssh-client authentication {password | public-key {rsa | dsa}}

no ip ssh-client authentication

Parameters

• password—Username and password are used for authentication.

• public-key rsa—Username and RSA public key are used for authentication.

• public-key dsa—Username and DSA public key are used for authentication.

Default Configuration

Username and password are used for authentication by the local SSH clients.

Command Mode

Global Configuration mode

User Guidelines

A user can use the ip ssh-client key command to generate/configure RSA/DSA keys if SSH authentication is by public key. Otherwise, the default keys generated by the switch are used.

Example

The following example specifies that, username and public key are used for authentication:

switchxxxxxx(config)# ip ssh-client authentication public-key rsa

To change a password of an SSH client on a remote SSH server, use the ip ssh-client change server password command in Global Configuration mode.

Syntax

ip ssh-client change server password server {host | ip-address | ipv6-address} username username old-password old-password new-password new-password

Parameters

• host—DNS name of a remote SSH server.

• ip-address—Specifies the IP address of a remote SSH server. The IP address can be an IPv4, IPv6 or IPv6z address. See IPv6z Address Conventions.

• username —Username of the local SSH clients (1 - 70 characters).

• old-password —Old password of the local SSH client (1 - 70 characters).

• new-password—New password for the local SSH client (1 - 70 characters). The password cannot include the characters "@" and ":".

Command Mode

Global Configuration mode

User Guidelines

Use the command to change a password on a remote SSH server. Use the ip ssh-client password command to change the SSH client password of the switch’s SSH client so that it matches the new password set on the remote SSH server.

Example

The following example changes a password of the local SSH clients:

switchxxxxxx(config)# ip ssh-client change server password server 10.7.50.155 username john old-password &&&@@@aaff new-password &&&@@@aaee

To create a key pair for SSH client authentication by public key (either by generating a key or by importing a key), use the ip ssh-client key command in Global Configuration mode. To remove a key, use the no form of the command.

Syntax

ip ssh-client key {dsa | rsa} {generate | key-pair privkey pubkey}

encrypted ip ssh-client key {dsa | rsa} key-pair encrypted-privkey pubkey

no ip ssh-client key [dsa | rsa]

Parameters

• dsa—DSA key type.

• rsa—RSA key type.

• key-pair—Key that is imported to the device.

  privkey—Plaintext private key.

  encrypted-privkey—private key is in encrypted format.

  pubkey—The plaintext pubic key.

Default Configuration

The application creates a key automatically; this is the default key.

Command Mode

Global Configuration mode

User Guidelines

When using the keyword generate, a private key and a public key of the given type (RSA/DSA) are generated for the SSH client. Downloading a configuration file with a Key Generating command is not allowed, and such download will fail.

When using the keyword key-pair, the user can import a key-pair created by another device. In this case, the keys must follow the format specified by RFC 4716.

If the specified key already exists, a warning will be issued before replacing the existing key with a new key.

Use the no ip ssh-client key command to remove a key pair. Use this command without specifying a key-type to remove both key pairs.

If no keys are included in text-based configuration file, the device generates it’s own keys during initialization. If the Running Configuration contains default keys (not user-defined), the same default keys remain.

To configure the password for SSH client authentication by password, use the ip ssh-client password command in Global Configuration mode. To return to default, use the no form of the command.

Syntax

ip ssh-client password string

encrypted ip ssh-client password encrypted-string

no ip ssh-client password

Parameters

• string—Password for the SSH clients (1 - 70 characters). The password cannot include the characters "@" and ":".

• encrypted-string—Password for the SSH client in encrypted form.

Default Configuration

The default password is anonymous.

Command Mode

Global Configuration mode

User Guidelines

If authentication is configured to use a password (using the command ip ssh-client authentication), use the ip ssh-client password command to define the password.

If the encrypted keyword is used, the password must be in the encrypted form.

Use the command ip ssh-client change server password to change the password on the remote SSH server so that it will match the new password of the SSH client.

Example

The following example specifies a plaintext password for the local SSH clients:

switchxxxxxx(config)# ip ssh-client password &&&111aaff

To enable remote SSH server authentication by the SSH client, use the ip ssh-client server authentication command in Global Configuration mode.

To disable remote SSH server authentication, use the no form of the command.

Syntax

ip ssh-client server authentication

no ip ssh-client server authentication

Parameters

This command has no arguments or keywords.

Default Configuration

SSH server authentication is disabled

Command Mode

Global Configuration mode

User Guidelines

When remote SSH server authentication is disabled, any remote SSH server is accepted (even if there is no entry for the remote SSH server in the SSH Trusted Remote Server table).

When remote SSH server authentication is enabled, only trusted SSH servers are accepted. Use the ip ssh-client server fingerprint command to configure trusted SSH servers.

Example

The following example enables SSH server authentication:

switchxxxxxx(config)# ip ssh-client server authentication

To add a trusted server to the Trusted Remote SSH Server Table, use the ip ssh-client server fingerprint command in Global configuration mode. To remove an entry or all entries from the Trusted Remote SSH Server Table, use the no form of the command.

Syntax

ip ssh-client server fingerprint {host | ip-address} fingerprint

no ip ssh-client server fingerprint [host | ip-address]

Parameters

• host—DNS name of an SSH server.

• ip-address—Specifies the address of an SSH server. The IP address can be an IPv4, IPv6 or IPv6z address. See IPv6z Address Conventions.

• fingerprint—FIngerprint of the SSH server public key (32 Hex characters).

Default Configuration

The Trusted Remote SSH Server table is empty.

Command Mode

Global Configuration mode

User Guidelines

Fingerprints are created by applying a cryptographic hash function to a public key. Fingerprints are shorter than the keys they refer to, making it simpler to use (easier to manually input than the original key). Whenever the switch is required to authenticate an SSH server’s public key, it calculates the received key’s fingerprint and compares it to the previously-configured fingerprint.

The fingerprint can be obtained from the SSH server (the fingerprint is calculated when the public key is generated on the SSH server).

The no ip ssh-client server fingerprint command removes all entries from the Trusted Remote SSH Server table.

Example

In the following example, a trusted server is added to the Trusted Servers table (with and without a separator ":"):

switchxxxxxx(config)# ip ssh-client server fingerprint 1.1.1.1 DC789788DC88A988127897BCBB789788
switchxxxxxx(config)# ip ssh-client server fingerprint 1.1.1.1 DC:78:97:88:DC:88:A9:88:12:78:97:BC:BB:78:97:88

To specify the source interface which IPv4 address will be used as the Source IPv4 address for communication with IPv4 SSH servers, use the ip ssh-client source-interface Global Configuration mode command. To restore the default configuration, use the no form of this command.

Syntax

ip ssh-client source-interface interface-id

no ip ssh-client source-interface

Parameters

• interface-id—Specifies the source interface.

Default Configuration

The source IPv4 address is the IPv4 address defined on the outgoing interface and belonging to next hop IPv4 subnet.

Command Mode

Global Configuration mode

User Guidelines

If the source interface is the outgoing interface then the interface IP address belonging to next hop IPv4 subnet is applied.

If the source interface is not the outgoing interface then the minimal IPv4 address defined on the source interface is applied.

If there is no available IPv4 source address, a SYSLOG message is issued when attempting to communicate with an IPv4 SSH servers.

Example

The following example configures the VLAN 10 as the source interface.

switchxxxxxx(config)# ip ssh-client source-interface vlan 100

To specify the source interface whose IPv6 address will be used as the Source IPv6 address for communication with IPv6 SSH servers, use the ipv6 ssh-client source-interface Global Configuration mode command. To restore the default configuration, use the no form of this command.

Syntax

ipv6 ssh-client source-interface interface-id

no ipv6 ssh-client source-interface

Parameters

• interface-id—(Optional) Specifies the source interface.

Default Configuration

The IPv6 source address is the IPv6 address defined of the outgoing interface and selected in accordance with RFC6724.

Command Mode

Global Configuration mode

User Guidelines

If the source interface is the outgoing interface then the IPv6 address defined on the interfaces and selected in accordance with RFC 6724.

If the source interface is not the outgoing interface then the minimal IPv4 address defined on the source interface and with the scope of the destination IPv6 address is applied.

If there is no available IPv6 source address, a SYSLOG message is issued when attempting to communicate with an IPv6 SSH servers.

Example

The following example configures the VLAN 10 as the source interface.

switchxxxxxx(config)# ipv6 ssh-client source-interface vlan 100

To configure the SSH client username of the switch, use the ip ssh-client username command in Global Configuration mode.

To return to default, use the no form of the command.

Syntax

ip ssh-client username string

no ip ssh-client username

Parameters

• string—Username of the SSH client.The length is 1 - 70 characters. The username cannot include the characters "@" and ":".

Default Configuration

The default username is anonymous

Command Mode

Global Configuration mode

User Guidelines

The configured username is used when SSH client authentication is done both by password or by key.

Example

The following example specifies a username of the SSH client:

switchxxxxxx(config)# ip ssh-client username jeff

To display the SSH client credentials, both default and user-defined keys, use the show ip ssh-client command in Privilege EXEC mode.

Syntax

show ip ssh-client

show ip ssh-client {mypubkey | key} {dsa | rsa}

Parameters

• dsa—Specifies displaying the DSA key type.

• rsa—Specifies displaying the RSA key type.

• mypubkey—Specifies that only the public key is selected to be displayed.

Command Mode

Privileged EXEC mode

User Guidelines

Use the command with a specific key-type to display the SSH client key; You can either specify display of public key or private key, or with no parameter to display both private and public keys. The keys are displayed in the format specified by RFC 4716.

To display the SSH remote server authentication method and the Trusted Remote SSH Server table, use the show ip ssh-client server command in Privilege EXEC Configuration mode.

Syntax

show ip ssh-client server [host | ip-address]

Parameters

• host—(Optional) DNS name of an SSH server.

• ip-address—(Optional) IP Address of an SSH server. The IP address can be an IPv4, IPv6 or IPv6z address. See IPv6z Address Conventions.

Default Configuration

None

Command Mode

Privileged EXEC mode

User Guidelines

If a specific SSH server is specified, only the fingerprint of this SSH server is displayed. Otherwise, all known servers are displayed.