Contents
- Configuring SSH and Telnet
- Configuring SSH and Telnet
- SSH Server
- SSH Client
- SSH Server Keys
- Telnet Server
- Guidelines and Limitations for SSH
- Generating SSH Server Keys
- Specifying the SSH Public Keys for User Accounts
- Specifying the SSH Public Keys in Open SSH Format
- Specifying the SSH Public Keys in IETF SECSH Format
- Specifying the SSH Public Keys in PEM-Formatted Public Key Certificate Form
- Starting SSH Sessions to Remote Devices
- Clearing SSH Hosts
- Disabling the SSH Server
- Deleting SSH Server Keys
- Clearing SSH Sessions
- SSH Example Configuration
- Enabling the Telnet Server
- Reenabling the Telnet Server
- Starting Telnet Sessions to Remote Devices
- Clearing Telnet Sessions
- Verifying the SSH and Telnet Configuration
- Default SSH Settings
Configuring SSH and Telnet
This chapter describes how to configure Secure Shell Protocol (SSH) and Telnet on Cisco NX-OS devices.
Configuring SSH and Telnet
Information About SSH and Telnet
SSH Server
The Secure Shell Protocol (SSH) server feature enables an SSH client to make a secure, encrypted connection to a Cisco Nexus 3000 Series switch. SSH uses strong encryption for authentication. The SSH server in the Cisco Nexus 3000 Series switch interoperates with publicly and commercially available SSH clients.
The user authentication mechanisms supported for SSH are RADIUS, TACACS+, and the use of locally stored user names and passwords.
SSH Client
The SSH client feature is an application running over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco Nexus 3000 Series switch to make a secure, encrypted connection to another Cisco Nexus 3000 Series switch or to any other device running an SSH server. This connection provides an outbound connection that is encrypted. With authentication and encryption, the SSH client allows for a secure communication over an insecure network.
The SSH client in the Cisco Nexus 3000 Series switch works with publicly and commercially available SSH servers.
SSH Server Keys
SSH requires server keys for secure communications to the Cisco Nexus 3000 Series switch. You can use SSH keys for the following SSH options:
- SSH version 2 using Rivest, Shamir, and Adleman (RSA) public-key cryptography
- SSH version 2 using the Digital Signature Algorithm (DSA)
Be sure to have an SSH server key-pair with the appropriate version before enabling the SSH service. You can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts three types of key-pairs for use by SSH version 2:
- The dsa option generates the DSA key-pair for the SSH version 2 protocol.
- The rsa option generates the RSA key-pair for the SSH version 2 protocol.
By default, the Cisco Nexus 3000 Series switch generates an RSA key using 1024 bits.
SSH supports the following public key formats for user accounts:
- OpenSSH format
- IETF SECSH format
- PEM-formatted public key certificate form
Caution
If you delete all of the SSH keys, you cannot start the SSH services.
Telnet Server
The Telnet protocol enables TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP connection to a login server at another site, and then passes the keystrokes from one system to the other. Telnet can accept either an IP address or a domain name as the remote system address.
The Telnet server is enabled by default on the Cisco Nexus 3000 Series switch.
Configuring SSH
Generating SSH Server Keys
You can generate an SSH server key based on your security requirements. The default SSH server key is an RSA key generated using 1024 bits. To generate SSH server keys, perform this task:
SUMMARY STEPS
1. switch# configure terminal
2. switch(config)# ssh key {dsa [force] | rsa [bits [force]]}
3. switch(config)# exit
4. (Optional) switch# show ssh key
5. (Optional) switch# copy running-config startup-config
DETAILED STEPS
Specifying the SSH Public Keys for User Accounts
- Specifying the SSH Public Keys in Open SSH Format
- Specifying the SSH Public Keys in IETF SECSH Format
- Specifying the SSH Public Keys in PEM-Formatted Public Key Certificate Form
Specifying the SSH Public Keys in Open SSH Format
You can specify the SSH public keys in OpenSSH format for user accounts.
To specify the SSH public keys in OpenSSH format, generate an SSH public key in OpenSSH format and perform this task:
SUMMARY STEPS
1. switch# configure terminal
2. switch(config)# username username sshkey ssh-key
3. switch(config)# exit
4. (Optional) switch# show user-account
5. (Optional) switch# copy running-config startup-config
DETAILED STEPS
The following example shows how to specify an SSH public key in OpenSSH format:
switch# configure terminal
switch(config)# username User1 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYzCfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZcTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv+DQBsDQH6rZt0KR+2Da8hJD4ZXIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5Ninn0McNinn0Mc=
switch(config)# exit
switch# show user-account
switch# copy running-config startup-config
Note
The username command example above is a single line that has been broken for legibility.
Specifying the SSH Public Keys in IETF SECSH Format
You can specify the SSH public keys in IETF SECSH format for user accounts.
To specify the SSH public keys in IETF SECSH format, generate an SSH public key in IETF SECSH format and perform this task:
SUMMARY STEPS
1. switch# copy server-file bootflash: filename
2. switch# configure terminal
3. switch(config)# username username sshkey file filename
4. switch(config)# exit
5. (Optional) switch# show user-account
6. (Optional) switch# copy running-config startup-config
DETAILED STEPS
The following example shows how to specify the SSH public keys in the IETF SECSH format:
switch# copy tftp://10.10.1.1/secsh_file.pub bootflash:secsh_file.pub
switch# configure terminal
switch(config)# username User1 sshkey file bootflash:secsh_file.pub
switch(config)# exit
switch# show user-account
switch# copy running-config startup-config
Specifying the SSH Public Keys in PEM-Formatted Public Key Certificate Form
You can specify the SSH public keys in PEM-formatted Public Key Certificate form for user accounts.
To specify the SSH public keys in PEM-formatted Public Key Certificate form, generate an SSH public key in PEM-formatted Public Key Certificate form and perform this task:
SUMMARY STEPS
1. switch# copy server-file bootflash: filename
2. switch# configure terminal
3. (Optional) switch# show user-account
4. (Optional) switch# copy running-config startup-config
DETAILED STEPS
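The three sections above take a user's public key either as a one-line OpenSSH string pasted into the username command or as an IETF SECSH file copied to bootflash. The following Python script is an added example, not Cisco's code or part of this guide: it parses both formats, reports the key algorithm and size, checks that the text prefix of an OpenSSH line agrees with the encoded blob, and applies an assumed local acceptance policy before the key is installed. The sample keys are constructed moduli of a chosen bit length, not real key pairs; the policy thresholds (no DSA, RSA of at least 2048 bits) are assumptions and not settings from this guide. The same size check is worth applying to the server key discussed earlier, whose default is a 1024-bit RSA key. PEM-formatted certificates are not parsed here.

```python
import base64
import re
import struct

# Constructed sample keys: the RSA moduli below are made-up integers of a
# chosen bit length, not real key pairs. Only the wire-format layout matters
# for the parsing and policy checks shown here.
RSA_E = 65537
SAMPLE_N_2048 = (1 << 2047) | 0x1234567   # exactly 2048 bits
SAMPLE_N_1024 = (1 << 1023) | 0x1234567   # exactly 1024 bits

SECSH_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
SECSH_END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (RFC 4251 section 5)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:      # leading zero byte keeps the value positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def _read_string(buf: bytes, off: int):
    """Read one SSH 'string' at offset off; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + length], off + length


def describe_blob(blob: bytes) -> dict:
    """Decode a public key blob and report its algorithm and key size in bits."""
    kind_b, off = _read_string(blob, 0)
    kind = kind_b.decode("ascii")
    if kind == "ssh-rsa":
        _e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    elif kind == "ssh-dss":
        p, off = _read_string(blob, off)
        for _ in range(3):                      # q, g, y follow p
            _, off = _read_string(blob, off)
        bits = int.from_bytes(p, "big").bit_length()
    elif kind.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)    # e.g. nistp256
        _q, off = _read_string(blob, off)
        bits = int(re.sub(r"\D", "", curve.decode("ascii")))
    elif kind == "ssh-ed25519":
        _pk, off = _read_string(blob, off)
        bits = 256
    else:
        raise ValueError(f"unsupported key type {kind!r}")
    if off != len(blob):                        # reject trailing garbage
        raise ValueError("trailing bytes after key material")
    return {"type": kind, "bits": bits}


def parse_openssh_pubkey(line: str) -> dict:
    """Parse the one-line OpenSSH form '<type> <base64 blob> [comment]'."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    info = describe_blob(base64.b64decode(parts[1], validate=True))
    if info["type"] != parts[0]:   # the text prefix must agree with the blob
        raise ValueError(f"prefix {parts[0]!r} does not match blob type {info['type']!r}")
    info["comment"] = parts[2] if len(parts) == 3 else ""
    return info


def parse_secsh_pubkey(text: str) -> dict:
    """Parse the RFC 4716 (IETF SECSH) file form: markers, header lines, base64 body."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != SECSH_BEGIN or lines[-1] != SECSH_END:
        raise ValueError("missing SECSH BEGIN/END markers")
    headers, body = {}, []
    for ln in lines[1:-1]:
        if not body and ":" in ln:             # header lines precede the body
            name, _, value = ln.partition(":")
            headers[name.strip().lower()] = value.strip().strip('"')
        else:
            body.append(ln)
    info = describe_blob(base64.b64decode("".join(body), validate=True))
    info["comment"] = headers.get("comment", "")
    return info


def check_user_key(info: dict, min_rsa_bits: int = 2048) -> tuple:
    """Assumed local policy (not from the guide): no DSA, RSA at least min_rsa_bits."""
    kind, bits = info["type"], info["bits"]
    if kind == "ssh-dss":
        return False, "DSA user keys rejected by policy"
    if kind == "ssh-rsa" and bits < min_rsa_bits:
        return False, f"RSA modulus is {bits} bits, policy minimum is {min_rsa_bits}"
    return True, f"{kind} {bits}-bit key accepted"


def openssh_line(n: int, comment: str) -> str:
    """Render a constructed RSA key in OpenSSH one-line form."""
    return f"ssh-rsa {base64.b64encode(build_rsa_blob(RSA_E, n)).decode()} {comment}"


def secsh_file(n: int, comment: str) -> str:
    """Render a constructed RSA key in IETF SECSH file form (72-column body)."""
    b64 = base64.b64encode(build_rsa_blob(RSA_E, n)).decode()
    body = "\n".join(b64[i:i + 72] for i in range(0, len(b64), 72))
    return f'{SECSH_BEGIN}\nComment: "{comment}"\n{body}\n{SECSH_END}\n'
```

Run the checks with, for example, `check_user_key(parse_openssh_pubkey(line))` on the key text before pasting it into the username command, or `check_user_key(parse_secsh_pubkey(open(path).read()))` on the file before copying it to bootflash. The prefix check in `parse_openssh_pubkey` catches a common copy-and-paste error where the algorithm word and the blob come from different keys.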
Starting SSH Sessions to Remote Devices
To start SSH sessions to connect to remote devices from your Cisco Nexus 3000 Series switch, perform this task:
SUMMARY STEPS
1. switch# ssh {hostname | username@hostname} [vrf vrf-name]
DETAILED STEPS
Step 1
Command or Action: switch# ssh {hostname | username@hostname} [vrf vrf-name]
Purpose: Creates an SSH session to a remote device. The hostname argument can be an IPv4 address or a host name.
Clearing SSH Hosts
When you download a file from a server using SCP or SFTP, you establish a trusted SSH relationship with that server. To clear the list of trusted SSH servers for your user account, perform this task:
SUMMARY STEPS
1. switch# clear ssh hosts
DETAILED STEPS
Step 1
Command or Action: switch# clear ssh hosts
Purpose: Clears the SSH host sessions.
Disabling the SSH Server
By default, the SSH server is enabled on the Cisco Nexus 3000 Series switch.
To disable the SSH server to prevent SSH access to the switch, perform this task:
SUMMARY STEPS
1. switch# configure terminal
2. switch(config)# no feature ssh
3. switch(config)# exit
4. (Optional) switch# show ssh server
5. (Optional) switch# copy running-config startup-config
DETAILED STEPS
Deleting SSH Server Keys
You can delete SSH server keys after you disable the SSH server.
Note
To reenable SSH, you must first generate an SSH server key.
To delete the SSH server keys, perform this task:
SUMMARY STEPS
1. switch# configure terminal
2. switch(config)# no feature ssh
3. switch(config)# no ssh key [dsa | rsa]
4. switch(config)# exit
5. (Optional) switch# show ssh key
6. (Optional) switch# copy running-config startup-config
DETAILED STEPS
Clearing SSH Sessions
SSH Example Configuration
SUMMARY STEPS
1. Generate an SSH server key.
2. Enable the SSH server.
3. Display the SSH server key.
4. Specify the SSH public key in Open SSH format.
5. Save the configuration.
DETAILED STEPS
Configuring Telnet
Enabling the Telnet Server
By default, the Telnet server is enabled. You can disable the Telnet server on your Cisco Nexus 3000 Series switch.
SUMMARY STEPS
1. switch# configure terminal
2. switch(config)# feature telnet
DETAILED STEPS
Step 1
Command or Action: switch# configure terminal
Purpose: Enters configuration mode.
Step 2
Command or Action: switch(config)# feature telnet
Purpose: Enables the Telnet server. The default is enabled.
Starting Telnet Sessions to Remote Devices
Before you start a Telnet session to connect to remote devices, you should do the following:
- Obtain the hostname for the remote device and, if needed, the user name on the remote device.
- Enable the Telnet server on the Cisco Nexus 3000 Series switch.
- Enable the Telnet server on the remote device.
To start Telnet sessions to connect to remote devices from your Cisco Nexus 3000 Series switch, perform this task:
SUMMARY STEPS
1. switch# telnet hostname
DETAILED STEPS
Step 1
Command or Action: switch# telnet hostname
Purpose: Creates a Telnet session to a remote device. The hostname argument can be an IPv4 address, an IPv6 address, or a device name.
Clearing Telnet Sessions
Verifying the SSH and Telnet Configuration
SUMMARY STEPS
1. switch# show ssh key [dsa | rsa]
2. switch# show running-config security [all]
3. switch# show ssh server
4. switch# show user-account
DETAILED STEPS
Step 1
Command or Action: switch# show ssh key [dsa | rsa]
Purpose: Displays SSH server key-pair information.
Step 2
Command or Action: switch# show running-config security [all]
Purpose: Displays the SSH and user account configuration in the running configuration. The all keyword displays the default values for the SSH and user accounts.
Step 3
Command or Action: switch# show ssh server
Purpose: Displays the SSH server configuration.
Step 4
Command or Action: switch# show user-account
Purpose: Displays user account information.