The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter contains the following sections:
Information About SSH
You can use the Secure Shell (SSH) server to enable an SSH client to make a secure, encrypted connection. SSH uses strong encryption for authentication. The SSH server can operate with publicly and commercially available SSH clients.
TACACS+ user authentication and locally stored usernames and passwords are supported for SSH.
The SSH client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables a secure, encrypted connection to any device that runs the SSH server. This connection provides an encrypted outbound connection. With authentication and encryption, the SSH client produces secure communication over an insecure network.
The SSH client works with publicly and commercially available SSH servers.
SSH requires server keys for secure communication. You can use SSH server keys for the following SSH options:
SSH version 2 using Rivest, Shamir, and Adelman (RSA) public-key cryptography
SSH version 2 using the Digital System Algrorithm (DSA)
Be sure to have an SSH server key-pair with the correct version before enabling the SSH service. Generate the SSH server key-pair according to the SSH client version used. The SSH service accepts two types of key-pairs for use by SSH version 2:
The dsa option generates the DSA key-pair for the SSH version 2 protocol.
The rsa option generates the RSA key-pair for the SSH version 2 protocol.
By default, an RSA key that uses 1024 bits is generated.
SSH supports the following public key formats
Caution | If you delete all of the SSH keys, you cannot start the SSH services. |
Parameters |
Default |
---|---|
SSH server |
Enabled |
SSH server key |
RSA key generated with 2048 bits |
RSA key bits for generation |
1024 |
Configuring SSH
You can generate an SSH server key based on your security requirements.
The default SSH server key is an RSA key that is generated using 1024 bits.
Log in to the CLI in EXEC mode.
1. switch# configure terminal
2. switch(config)# no feature ssh
3. switch(config)# ssh key {dsa [force] | rsa [bits [force]]}
4. switch(config)# feature ssh
5. (Optional) switch# show ssh key
6. (Optional) switch# copy running-config startup-config
The following example generates SSH server keys:
switch# configure terminal switch(config)# no feature ssh XML interface to system may become unavailable since ssh is disabled switch(config)# ssh key dsa force generating dsa key(1024 bits)..... . generated dsa key n1000v(config)# feature ssh n1000v(config)# show ssh key ************************************** rsa Keys generated:Sun Jul 27 15:18:46 2008 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyKcb7Nv9Ki1OOId9/tdHHa/ngQujlvK5mXyL/n+DeOXK fVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5awfVhVxMKXMiPOPBc+A6/n3FVroyRwupMki6mWoM6Uwa GID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8QoAcrEtnwEfsnQk1EIr/0XIP1mqTsrqTsmjZ2vLk+f FzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuDYSPbc3PA8t0ghU/60m9R+s6AZPuljVQbGfxPrahEu4 GVc6sMJNU1JxmqDJkodhMArObB4Umzj7E3Rdby/ZWx/clTYiXQR1X1VfhQ== bitcount:2048 fingerprint: fd:ca:48:73:b9:ee:e7:86:9e:1e:40:46:f1:50:1d:44 ************************************** dsa Keys generated:Sun Jul 27 15:20:12 2008 ssh-dss AAAAB3NzaC1kc3MAAACBALpdxLjXNS/jcCNY+F1QZV9HegxBEb0DMUmq9bSq2N+KAcvHllEh GnaiHhqarOlcEKqhLbIbuqtKTCvfa+Y1hBIAhWVjg1UR3/M22jqxnfhnxL5YRc1Q7fcesFax0myayAIU nXrkO5iwv9XHTu+EInRc4kJ0XrG9SxtLmDe/fi2ZAAAAFQDbRabAjZa6GfDpwjXw5smRhrElJwAAAIEA r50yi3hHawNnb5qgYLXhN+KA8XJF753eCWHtMw7NR8fz6fjQ1R2J97UjjGuQ8DvwpGeNQ5S+AuIo0rGq svdg7TTecBcbgBOnR7Fs2+W5HiSVEGbvj1xaeK8fkNE6kaJumBB343b8Rgj0G97MP/os1GfkEqmX9glB 0IOM2mgHHyoAAACAfRir27hHy+fw8CxPlsK0R6cFhxYyd/qYYogXFKYIOPxpLoYrjqODeOFThU7TJuBz aS97eXiruzbffHwzUGfXgmQT5o9IMZRTClWPA/5Ju4O9YABYHccUghf0W+QtgGOT6FOSvBh8uOV0kcHC GMJAP8omphauZJlc+wgFxhnkyh4= bitcount:1024 fingerprint: 44:91:32:1f:7a:d1:83:3c:f3:5e:db:53:0a:2d:ce:69 **************************************
You configure an SSH public key to log in using the SSH client without being prompted for a password. You can specify the SSH public key in one of three different formats:
You can specify the SSH public keys in OpenSSH format for user accounts.
1. switch# configure terminal
2. switch(config)# username username sshkey ssh-key
3. switch(config)# exit
4. (Optional) switch# show user-account
5. (Optional) switch# copy running-config startup-config
The following example configures an OpenSSH key.
switch# configure terminal switch(config)# username user1 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyK cb7Nv9Ki1OOId9/tdHHa/ngQujlvK5mXyL/n+DeOXKfVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5aw fVhVxMKXMiPOPBc+A6/n3FVroyRwupMki6mWoM6UwaGID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8 QoAcrEtnwEfsnQk1EIr/0XIP1mqTsrqTsmjZ2vLk+fFzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuD YSPbc3PA8t0ghU/60m9R+s6AZPuljVQbGfxPrahEu4GVc6sMJNU1JxmqDJkodhMArObB4Umzj7E3Rdby /ZWx/clTYiXQR1X1VfhQ== switch(config)# exit switch# show user-account user:admin this user account has no expiry date roles:network-admin user:user1 this user account has no expiry date roles:network-operator ssh public key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyKcb7Nv9Ki1OOId9/tdH Ha/ngQujlvK5mXyL/n+DeOXKfVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5awfVhVxMKXMiPOPBc+A6 /n3FVroyRwupMki6mWoM6UwaGID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8QoAcrEtnwEfsnQk1EI r/0XIP1mqTsrqTsmjZ2vLk+fFzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuDYSPbc3PA8t0ghU/60m 9R+s6AZPuljVQbGfxPrahEu4GVc6sMJNU1JxmqDJkodhMArObB4Umzj7E3Rdby/ZWx/clTYiXQR1X1Vf hQ== switch# copy running-config startup-config
You can specify the SSH public keys in IETF SECSH or PEM format for user accounts.
1. switch# copy server-file bootflash:filename
2. switch# configure terminal
3. switch(config)# username username sshkey file bootflash:filename
4. switch(config)# exit
5. (Optional) switch# show user-account
6. (Optional) switch# copy running-config startup-config
The following example configures an SSH key to use when logging in with the specified user account:
switch# copy tftp://10.78.1.10/secsh_file.pub bootflash:secsh_file.pub vrf management Trying to connect to tftp server...... Connection to server Established. | TFTP get operation was successful switch# configure terminal switch(config)# username User1 sshkey file bootflash:secsh_file.pub switch(config)# exit switch# show user-account user:admin this user account has no expiry date roles:network-admin user:user2 this user account has no expiry date roles:network-operator ssh public key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyKcb7Nv9Ki1OOId9/tdHHa/ ngQujlvK5mXyL/n+DeOXKfVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5awfVhVxMKXMiPOPBc+A6/n3FVroyRwupMki6 mWoM6UwaGID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8QoAcrEtnwEfsnQk1EIr/0XIP1mqTsrqTsmjZ2vLk+ fFzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuDYSPbc3PA8t0ghU/60m9R+s6AZPuljVQbGfxPrahEu4GVc6sMJN U1JxmqDJkodhMArObB4Umzj7E3Rdby/ZWx/clTYiXQR1X1VfhQ== switch# copy running-config startup-config
You can start SSH sessions using IP to connect to remote devices.
1. switch# ssh [root@] {ip-address | hostname } [vrf vrf-name]
The following example starts an SSH session:
switch# ssh root@172.28.30.77 root@172.28.30.77's password: Last login: Sat Dec 4 11:07:23 2013 from 171.70.209.64
You can clear from your account the list of trusted SSH servers that were added when you downloaded a file from a server using SCP or SFTP, or when you started an SSH session to a remote host.
1. switch# clear ssh hosts
Command or Action | Purpose |
---|
You can disable the SSH server to prevent SSH access to the switch. By default, the SSH server is enabled.
If you disable SSH, you must first generate an SSH server key before you can enable it again.
Log in to the CLI in EXEC mode.
1. switch# configure terminal
2. switch(config)# no feature ssh
3. (Optional) switch(config)# show ssh server
4. (Optional) switch(config)# copy running-config startup-config
The following example disables the SSH server:
switch# configure terminal switch(config)# no feature ssh XML interface to system may become unavailable since ssh is disabled switch(config)# show ssh server ssh is not enabled switch(config)# copy running-config startup-config
You can delete SSH server keys after you disable the SSH server.
If you disable SSH, you must first generate an SSH server key before you can enable it again.
Log in to the CLI in EXEC mode.
1. switch# configure terminal
2. switch(config)# no feature ssh
3. switch(config)# no ssh key [dsa | rsa]
4. (Optional) switch(config)# show ssh key
5. (Optional) switch(config)# copy running-config startup-config
The following example deletes the SSH server keys:
switch# configure terminal switch(config)# no feature ssh switch(config)# no ssh key rsa switch(config)# show ssh key ************************************** rsa Keys generated:Sun Jul 27 15:18:46 2008 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyKcb7Nv9Ki1OOId9/tdHHa/ngQujlvK5mXyL/n+DeOXK fVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5awfVhVxMKXMiPOPBc+A6/n3FVroyRwupMki6mWoM6Uwa GID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8QoAcrEtnwEfsnQk1EIr/0XIP1mqTsrqTsmjZ2vLk+f FzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuDYSPbc3PA8t0ghU/60m9R+s6AZPuljVQbGfxPrahEu4 GVc6sMJNU1JxmqDJkodhMArObB4Umzj7E3Rdby/ZWx/clTYiXQR1X1VfhQ== bitcount:2048 fingerprint: fd:ca:48:73:b9:ee:e7:86:9e:1e:40:46:f1:50:1d:44 ************************************** dsa Keys generated:Sun Jul 27 15:20:12 2008 ssh-dss AAAAB3NzaC1kc3MAAACBALpdxLjXNS/jcCNY+F1QZV9HegxBEb0DMUmq9bSq2N+KAcvHllEh GnaiHhqarOlcEKqhLbIbuqtKTCvfa+Y1hBIAhWVjg1UR3/M22jqxnfhnxL5YRc1Q7fcesFax0myayAIU nXrkO5iwv9XHTu+EInRc4kJ0XrG9SxtLmDe/fi2ZAAAAFQDbRabAjZa6GfDpwjXw5smRhrElJwAAAIEA r50yi3hHawNnb5qgYLXhN+KA8XJF753eCWHtMw7NR8fz6fjQ1R2J97UjjGuQ8DvwpGeNQ5S+AuIo0rGq svdg7TTecBcbgBOnR7Fs2+W5HiSVEGbvj1xaeK8fkNE6kaJumBB343b8Rgj0G97MP/os1GfkEqmX9glB 0IOM2mgHHyoAAACAfRir27hHy+fw8CxPlsK0R6cFhxYyd/qYYogXFKYIOPxpLoYrjqODeOFThU7TJuBz aS97eXiruzbffHwzUGfXgmQT5o9IMZRTClWPA/5Ju4O9YABYHccUghf0W+QtgGOT6FOSvBh8uOV0kcHC GMJAP8omphauZJlc+wgFxhnkyh4= bitcount:1024 fingerprint: 44:91:32:1f:7a:d1:83:3c:f3:5e:db:53:0a:2d:ce:69 ************************************** mcs-srvr43(config)# no ssh key rsa mcs-srvr43(config)# show ssh key ************************************** could not retrieve rsa key information ************************************** dsa Keys generated:Sun Jul 27 15:20:12 2008 ssh-dss AAAAB3NzaC1kc3MAAACBALpdxLjXNS/jcCNY+F1QZV9HegxBEb0DMUmq9bSq2N+KAcvHllEh GnaiHhqarOlcEKqhLbIbuqtKTCvfa+Y1hBIAhWVjg1UR3/M22jqxnfhnxL5YRc1Q7fcesFax0myayAIU nXrkO5iwv9XHTu+EInRc4kJ0XrG9SxtLmDe/fi2ZAAAAFQDbRabAjZa6GfDpwjXw5smRhrElJwAAAIEA r50yi3hHawNnb5qgYLXhN+KA8XJF753eCWHtMw7NR8fz6fjQ1R2J97UjjGuQ8DvwpGeNQ5S+AuIo0rGq svdg7TTecBcbgBOnR7Fs2+W5HiSVEGbvj1xaeK8fkNE6kaJumBB343b8Rgj0G97MP/os1GfkEqmX9glB 0IOM2mgHHyoAAACAfRir27hHy+fw8CxPlsK0R6cFhxYyd/qYYogXFKYIOPxpLoYrjqODeOFThU7TJuBz aS97eXiruzbffHwzUGfXgmQT5o9IMZRTClWPA/5Ju4O9YABYHccUghf0W+QtgGOT6FOSvBh8uOV0kcHC GMJAP8omphauZJlc+wgFxhnkyh4= bitcount:1024 fingerprint: 44:91:32:1f:7a:d1:83:3c:f3:5e:db:53:0a:2d:ce:69 ************************************** mcs-srvr43(config)# no ssh key dsa mcs-srvr43(config)# show ssh key ************************************** could not retrieve rsa key information ************************************** could not retrieve dsa key information ************************************** no ssh keys present. you will have to generate them **************************************
You can clear SSH sessions from the device.
Log n to the CLI in EXEC mode.
1. switch# show users
2. switch# clear line vty-line
3. (Optional) switch# show users
Command or Action | Purpose |
---|
The following example clears the SSH sessions from the device:
switch# show users NAME LINE TIME IDLE PID COMMENT admin tty1 Jul 25 19:13 old 2867 admin pts/0 Jul 28 09:49 00:02 28556 (10.21.148.122) admin pts/1 Jul 28 09:46 . 28437 (::ffff:10.21.148.122)* switch# clear line 0 switch# show users NAME LINE TIME IDLE PID COMMENT admin tty1 Jul 25 19:13 old 2867 admin pts/1 Jul 28 09:46 . 28437 (::ffff:10.21.148.122)* mcs-srvr43(config)#
You can verify the configuration with the following commands:
Command |
Purpose |
---|---|
show ssh key [dsa | rsa] |
Displays SSH server key-pair information. dsa—If specified, displays the Digital Signature Algorithm (DSA) public key information. rsa—If specified, displays the Ron Rivest, Adi Shamir, and Leonard Adleman (RSA) public key information. The default is to display information for all of the SSH keys. |
show running-config security [all] |
Displays the SSH and user account configuration in the running configuration. all—Displays the default values for the SSH and user accounts. |
show ssh server |
Displays the SSH server configuration. |
The following example shows how to configure SSH with an OpenSSH key:
Disable the SSH server:
switch# configure terminal switch(config)# no feature ssh
Generate an SSH server key:
switch(config)# ssh key rsa generating rsa key(1024 bits)..... .generated rsa key
Enable the SSH server:
switch(config)# feature ssh
Display the SSH server key:
switch(config)# show ssh key rsa Keys generated:Sat Sep 29 00:10:39 2007 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvWhEBsF55oaPHNDBnpXOTw6+/OdHoLJZKr+MZm99n2U0 ChzZG4svRWmHuJY4PeDWl0e5yE3g3EO3pjDDmt923siNiv5aSga60K36lr39HmXL6VgpRVn1XQFiBwn4 na+H1d3Q0hDt+uWEA0tka2uOtXlDhliEmn4HVXOjGhFhoNE= bitcount:1024 fingerprint: 51:6d:de:1c:c3:29:50:88:df:cc:95:f0:15:5d:9a:df ************************************** could not retrieve dsa key information **************************************
Specify the SSH public key in OpenSSH format:
switch(config)# username User1 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAy19oF6QaZl9G+3f1XswK3OiW4H7YyUyuA50rv7gsEPjhOBYmsi6PAVKui1nIf/ DQhum+lJNqJP/eLowb7ubO+lVKRXFY/G+lJNIQW3g9igG30c6k6+XVn+NjnI1B7ihvpVh7dLddMOXwOnXHYshXmSiH 3UD/vKyziEh5S4Tplx8=
Save the configuration:
switch(config)# copy running-config startup-config
Feature Name |
Releases |
Feature Information |
---|---|---|
SSH |
Release 5.2(1)SK1(2.1) |
This feature was introduced. |