Contents

• Configuring SSH and Telnet
• Configuring SSH and Telnet
• SSH Server
• SSH Client
• SSH Server Keys
• Telnet Server
• Guidelines and Limitations for SSH
• Generating SSH Server Keys
• Specifying the SSH Public Keys for User Accounts
• Specifying the SSH Public Keys in Open SSH Format
• Specifying the SSH Public Keys in IETF SECSH Format
• Specifying the SSH Public Keys in PEM-Formatted Public Key Certificate Form
• Starting SSH Sessions to Remote Devices
• Clearing SSH Hosts
• Disabling the SSH Server
• Deleting SSH Server Keys
• Clearing SSH Sessions
• SSH Example Configuration
• Enabling the Telnet Server
• Reenabling the Telnet Server
• Starting Telnet Sessions to Remote Devices
• Clearing Telnet Sessions
• Verifying the SSH and Telnet Configuration
• Default SSH Settings

Configuring SSH and Telnet

---

This chapter describes how to configure Secure Shell Protocol (SSH) and Telnet on Cisco NX-OS devices.

• Configuring SSH and Telnet

Configuring SSH and Telnet

Information About SSH and Telnet

SSH Server

The Secure Shell Protocol (SSH) server feature enables a SSH client to make a secure, encrypted connection to a Cisco Nexus 3000 Series switch. SSH uses strong encryption for authentication. The SSH server in the Cisco Nexus 3000 Series switch will interoperate with publicly and commercially available SSH clients.

The user authentication mechanisms supported for SSH are RADIUS, TACACS+, and the use of locally stored user names and passwords.

SSH Client

The SSH client feature is an application running over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco Nexus 3000 Series switch to make a secure, encrypted connection to another Cisco Nexus 3000 Series switch or to any other device running an SSH server. This connection provides an outbound connection that is encrypted. With authentication and encryption, the SSH client allows for a secure communication over an insecure network.

The SSH client in the Cisco Nexus 3000 Series switch works with publicly and commercially available SSH servers.

SSH Server Keys

SSH requires server keys for secure communications to the Cisco Nexus 3000 Series switch. You can use SSH keys for the following SSH options:

• SSH version 2 using Rivest, Shamir, and Adelman (RSA) public-key cryptography
• SSH version 2 using the Digital System Algrorithm (DSA)

Be sure to have an SSH server key-pair with the appropriate version before enabling the SSH service. You can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts three types of key-pairs for use by SSH version 2:

• The dsa option generates the DSA key-pair for the SSH version 2 protocol.
• The rsa option generates the RSA key-pair for the SSH version 2 protocol.

By default, the Cisco Nexus 3000 Series switch generates an RSA key using 1024 bits.

SSH supports the following public key formats:

• OpenSSH
• IETF Secure Shell (SECSH)

Caution

If you delete all of the SSH keys, you cannot start the SSH services.

Telnet Server

The Telnet protocol enables TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP connection to a login server at another site, and then passes the keystrokes from one system to the other. Telnet can accept either an IP address or a domain name as the remote system address.

The Telnet server is enabled by default on the Cisco Nexus 3000 Series switch.

Guidelines and Limitations for SSH

SSH has the following configuration guidelines and limitations:

• The Cisco Nexus 3000 Series switch supports only SSH version 2 (SSHv2).

Configuring SSH

Generating SSH Server Keys

You can generate an SSH server key based on your security requirements. The default SSH server key is an RSA key generated using 1024 bits. To generate SSH server keys, perform this task:

SUMMARY STEPS

1.    switch# configure terminal


2.    switch(config)# ssh key {dsa [force] | rsa [bits [force]]}


3.    switch(config)# exit


4.    (Optional) switch# show ssh key


5.    (Optional) switch# copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters configuration mode.
Step 2	switch(config)# ssh key {dsa [force] | rsa [bits [force]]}	Generates the SSH server key. The bits argument is the number of bits used to generate the key. The range is 768 to 2048 and the default value is 1024. Use the force keyword to replace an existing key.
Step 3	switch(config)# exit	Exits global configuration mode.
Step 4	switch# show ssh key	(Optional) Displays the SSH server keys.
Step 5	switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

The following example shows how to generate an SSH server key:

switch# configure terminal

switch(config)# ssh key rsa 2048

switch(config)# exit

switch# show ssh key

switch# copy running-config startup-config

Specifying the SSH Public Keys for User Accounts

You can configure an SSH public key to log in using an SSH client without being prompted for a password. You can specify the SSH public key in one of three different formats:

• Open SSH format
• IETF SECSH format
• Public Key Certificate in PEM format

• Specifying the SSH Public Keys in Open SSH Format
• Specifying the SSH Public Keys in IETF SECSH Format
• Specifying the SSH Public Keys in PEM-Formatted Public Key Certificate Form

Specifying the SSH Public Keys in Open SSH Format

You can specify the SSH public keys in SSH format for user accounts.

To specify the SSH public keys in open SSH format, generate an SSH public key in open SSH format and perform this task:

SUMMARY STEPS

1.    switch# configure terminal


2.    switch(config)# username username sshkey ssh-key


3.    switch(config)# exit


4.    (Optional) switch# show user-account


5.    (Optional) switch# copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters configuration mode.
Step 2	switch(config)# username username sshkey ssh-key	Configures the SSH public key in SSH format.
Step 3	switch(config)# exit	Exits global configuration mode.
Step 4	switch# show user-account	(Optional) Displays the user account configuration.
Step 5	switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

The following example shows how to specify an SSH public keys in open SSH format:

switch# configure terminal

switch(config)# username User1 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYz

CfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZcTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv+DQBsDQH6rZt0KR+2Da8hJD4Z

XIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5Ninn0McNinn0Mc=

switch(config)# exit

switch# show user-account

switch# copy running-config startup-config

Note	The username command example above is a single line that has been broken for legibility.

Specifying the SSH Public Keys in IETF SECSH Format

You can specify the SSH public keys in IETF SECSH format for user accounts.

To specify the SSH public keys in IETF SECSH format, generate an SSH public key in IETF SCHSH format, and perform this task:

SUMMARY STEPS

1.    switch# copy server-file bootflash: filename


2.    switch# configure terminal


3.    switch(config)# username username sshkey file filename


4.    switch(config)# exit


5.    (Optional) switch# show user-account


6.    (Optional) switch# copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# copy server-file bootflash: filename	Downloads the file containing the SSH key in IETF SECSH format from a server. The server can be FTP, SCP, SFTP, or TFTP.
Step 2	switch# configure terminal	Enters configuration mode.
Step 3	switch(config)# username username sshkey file filename	Configures the SSH public key in SSH format.
Step 4	switch(config)# exit	Exits global configuration mode.
Step 5	switch# show user-account	(Optional) Displays the user account configuration.
Step 6	switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

The following example shows how to specify the SSH public keys in the IETF SECSH format:

switch#copy tftp://10.10.1.1/secsh_file.pub bootflash:secsh_file.pub

switch# configure terminal

switch(config)# username User1 sshkey file bootflash:secsh_file.pub

switch(config)# exit

switch# show user-account

switch# copy running-config startup-config

Specifying the SSH Public Keys in PEM-Formatted Public Key Certificate Form

You can specify the SSH public keys in PEM-formatted Public Key Certificate form for user accounts.

To specify the SSH public keys in PEM-formatted Public Key Certificate form, generate an SSH public key in PEM-Formatted Public Key Certificate form and perform this task:

SUMMARY STEPS

1.    switch# copy server-file bootflash: filename


2.    switch# configure terminal


3.    (Optional) switch# show user-account


4.    (Optional) switch# copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# copy server-file bootflash: filename	Downloads the file containing the SSH key in PEM-formatted Public Key Certificate form from a server. The server can be FTP, SCP, SFTP, or TFTP
Step 2	switch# configure terminal	Enters configuration mode.
Step 3	switch# show user-account	(Optional) Displays the user account configuration.
Step 4	switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

The following example shows how to specify the SSH public keys in PEM-formatted public key certificate form:

switch# copy tftp://10.10.1.1/cert.pem bootflash:cert.pem

switch# configure terminal

switch# show user-account

switch# copy running-config startup-config

Starting SSH Sessions to Remote Devices

To start SSH sessions to connect to remote devices from your Cisco Nexus 3000 Series switch, perform this task:

SUMMARY STEPS

1.    switch# ssh {hostname | username@hostname} [vrf vrf-name]

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# ssh {hostname | username@hostname} [vrf vrf-name]	Creates an SSH session to a remote device. The hostname argument can be an IPv4 address or a host name.

Clearing SSH Hosts

When you download a file from a server using SCP or SFTP, you establish a trusted SSH relationship with that server. To clear the list of trusted SSH servers for your user account, perform this task:

SUMMARY STEPS

1.    switch# clear ssh hosts

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# clear ssh hosts	Clears the SSH host sessions.

Disabling the SSH Server

By default, the SSH server is enabled on the Cisco Nexus 3000 Series switch.

To disable the SSH server to prevent SSH access to the switch, perform this task:

SUMMARY STEPS

1.    switch# configure terminal


2.    switch(config)# no feature ssh


3.    switch(config)# exit


4.    (Optional) switch# show ssh server


5.    (Optional) switch# copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters configuration mode.
Step 2	switch(config)# no feature ssh	Disables the SSH server. The default is enabled.
Step 3	switch(config)# exit	Exits global configuration mode.
Step 4	switch# show ssh server	(Optional) Displays the SSH server configuration.
Step 5	switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Deleting SSH Server Keys

You can delete SSH server keys after you disable the SSH server.

Note	To reenable SSH, you must first generate an SSH server key.

To delete the SSH server keys, perform this task:

SUMMARY STEPS

1.    switch# configure terminal


2.    switch(config)# no feature ssh


3.    switch(config)# no ssh key [dsa | rsa]


4.    switch(config)# exit


5.    (Optional) switch# show ssh key


6.    (Optional) switch# copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters configuration mode.
Step 2	switch(config)# no feature ssh	Disables the SSH server.
Step 3	switch(config)# no ssh key [dsa | rsa]	Deletes the SSH server key. The default is to delete all the SSH keys.
Step 4	switch(config)# exit	Exits global configuration mode.
Step 5	switch# show ssh key	(Optional) Displays the SSH server configuration.
Step 6	switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Clearing SSH Sessions

To clear SSH sessions from the Cisco Nexus 3000 Series switch, perform this task:

SUMMARY STEPS

1.    switch# show users


2.    switch# clear line vty-line

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# show users	Displays user session information.
Step 2	switch# clear line vty-line	Clears a user SSH session.

SSH Example Configuration

The following example shows how to configure SSH:

SUMMARY STEPS

1.    Generate an SSH server key.

2.    Enable the SSH server.

3.    Display the SSH server key.

4.    Specify the SSH public key in Open SSH format.

5.    Save the configuration.

DETAILED STEPS

---

Step 1	Generate an SSH server key. switch(config)# ssh key rsa generating rsa key(1024 bits)..... . generated rsa key
Step 2	Enable the SSH server. switch# configure terminal switch(config)# feature ssh Note    This step should not be required as the SSH server is enabled by default.
Step 3	Display the SSH server key. switch(config)# show ssh key rsa Keys generated:Fri May 8 22:09:47 2009 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYzCfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZ/ cTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv+DQBsDQH6rZt0KR+2Da8hJD4ZXIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5/ Ninn0Mc= bitcount:1024 fingerprint: 4b:4d:f6:b9:42:e9:d9:71:3c:bd:09:94:4a:93:ac:ca ************************************** could not retrieve dsa key information **************************************
Step 4	Specify the SSH public key in Open SSH format. switch(config)# username User1 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYz CfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZcTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv+DQBsDQH6rZt0KR+2Da8hJD4Z XIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5Ninn0McNinn0Mc=
Step 5	Save the configuration. switch(config)# copy running-config startup-config

---

Configuring Telnet

Enabling the Telnet Server

By default, the Telnet server is enabled. You can disable the Telnet server on your Cisco Nexus 3000 Series switch.

SUMMARY STEPS

1.    switch# configure terminal


2.    switch(config)# feature telnet

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters configuration mode.
Step 2	switch(config)# feature telnet	Disables the Telnet server. The default is enabled.

Reenabling the Telnet Server

If the Telnet server on your Cisco Nexus 3000 Series switch has been disabled, you can reenable it.

SUMMARY STEPS

1.    switch(config)# feature telnet

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch(config)# feature telnet	Reenables the Telnet server.

Starting Telnet Sessions to Remote Devices

Before you start a Telnet session to connect to remote devices, you should do the following:

• Obtain the hostname for the remote device and, if needed, the user name on the remote device.
• Enable the Telnet server on the Cisco Nexus 3000 Series switch.
• Enable the Telnet server on the remote device.

To start Telnet sessions to connect to remote devices from your Cisco Nexus 3000 Series switch, perform this task:

SUMMARY STEPS

1.    switch# telnet hostname

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# telnet hostname	Creates a Telnet session to a remote device. The hostname argument can be an IPv4 address, an IPv6 address, or a device name.

The following example shows starting a Telnet session to connect to a remote device:

switch# telnet 10.10.1.1

Trying 10.10.1.1...

Connected to 10.10.1.1.

Escape character is '^]'.

switch login:

Clearing Telnet Sessions

To clear Telnet sessions from the Cisco Nexus 3000 Series switch, perform this task:

SUMMARY STEPS

1.    switch# show users


2.    switch# clear line vty-line

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# show users	Displays user session information.
Step 2	switch# clear line vty-line	Clears a user Telnet session.

Verifying the SSH and Telnet Configuration

To display the SSH configuration information, perform one of the following tasks:

SUMMARY STEPS

1.    switch# show ssh key [dsa | rsa]


2.    switch# show running-config security [all]


3.    switch# show ssh server


4.    switch# show user-account

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# show ssh key [dsa | rsa]	Displays SSH server key-pair information.
Step 2	switch# show running-config security [all]	Displays the SSH and user account configuration in the running configuration. The all keyword displays the default values for the SSH and user accounts.
Step 3	switch# show ssh server	Displays the SSH server configuration.
Step 4	switch# show user-account	Displays user account information.

Default SSH Settings

The following table lists the default settings for SSH parameters.

Table 1  Default SSH Parameters

Parameters	Default
SSH server	Enabled
SSH server key	RSA key generated with 1024 bits
RSA key bits for generation	1024
Telnet server	Enabled