This chapter contains the following sections:
Configuring SSH and Telnet
Information About SSH and Telnet
The Secure Shell Protocol (SSH) server feature enables an SSH client to make a secure, encrypted connection to a Cisco Nexus device. SSH uses strong encryption for authentication. The SSH server in the Cisco Nexus device interoperates with publicly and commercially available SSH clients.
The user authentication mechanisms supported for SSH are RADIUS, TACACS+, and the use of locally stored user names and passwords.
The SSH client feature is an application running over the SSH protocol that provides device authentication and encryption. The SSH client enables a switch to make a secure, encrypted outbound connection to another Cisco Nexus device or to any other device running an SSH server. With authentication and encryption, the SSH client allows secure communication over an insecure network.
The SSH client in the Cisco Nexus device works with publicly and commercially available SSH servers.
SSH requires server keys for secure communications to the Cisco Nexus device. You can use SSH keys for the following SSH options:
Be sure to have an SSH server key-pair with the appropriate version before enabling the SSH service. You can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts three types of key-pairs for use by SSH version 2:
By default, the Cisco Nexus device generates an RSA key using 1024 bits.
SSH supports the following public key formats:
Caution: If you delete all of the SSH keys, you cannot start the SSH services.
The Telnet protocol enables TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP connection to a login server at another site, and then passes the keystrokes from one system to the other. Telnet can accept either an IP address or a domain name as the remote system address.
The Telnet server is enabled by default on the Cisco Nexus device.
SSH has the following configuration guidelines and limitations:
Configuring SSH
You can generate an SSH server key based on your security requirements. The default SSH server key is an RSA key that is generated using 1024 bits.
The following example shows how to generate an SSH server key:
switch# configure terminal
switch(config)# ssh key rsa 2048
switch(config)# exit
switch# show ssh key
switch# copy running-config startup-config
You can configure an SSH public key to log in using an SSH client without being prompted for a password. You can specify the SSH public key in one of three different formats:
You can specify the SSH public keys in SSH format for user accounts.
The following example shows how to specify an SSH public key in open SSH format:
switch# configure terminal
switch(config)# username User1 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYz
CfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZcTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv+DQBsDQH6rZt0KR+2Da8hJD4Z
XIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5Ninn0McNinn0Mc=
switch(config)# exit
switch# show user-account
switch# copy running-config startup-config
Note: The username command in the example above is a single line that has been broken for legibility.
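Before a key is loaded with the username ... sshkey command, an operator can check that the OpenSSH-format line is well formed and that its RSA modulus meets local size policy. The Python below is an added example, not code from the Cisco documentation; the 2048-bit minimum and the make_test_key helper (which builds a structurally valid but not real key) are assumptions for illustration.

```python
import base64

# Policy assumed for this example: reject RSA moduli below 2048 bits, since the
# Nexus default of 1024-bit RSA is well below current guidance.
MIN_RSA_BITS = 2048

def _read_string(blob, offset):
    """Read one SSH wire string (uint32 big-endian length + bytes)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated length field")
    length = int.from_bytes(blob[offset:offset + 4], "big")
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[start:end], end

def _wire(value):
    # Encode bytes as an SSH string, or an int as an SSH mpint.
    if isinstance(value, int):
        value = value.to_bytes((value.bit_length() + 7) // 8, "big")
        if value[0] & 0x80:          # mpint rule: keep the sign bit clear
            value = b"\x00" + value
    return len(value).to_bytes(4, "big") + value

def parse_openssh_pubkey(line):
    """Return (key_type, modulus_bits) for an 'ssh-rsa AAAA... [comment]' line."""
    text_type, _, rest = line.strip().partition(" ")
    blob = base64.b64decode(rest.split(" ", 1)[0], validate=True)
    embedded_type, off = _read_string(blob, 0)
    if embedded_type != text_type.encode() or text_type != "ssh-rsa":
        raise ValueError("not a consistent ssh-rsa key: %r" % text_type)
    _exponent, off = _read_string(blob, off)   # mpint e, not needed here
    modulus, off = _read_string(blob, off)     # mpint n
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return text_type, int.from_bytes(modulus, "big").bit_length()

def key_is_acceptable(line, min_bits=MIN_RSA_BITS):
    """True only if the line is a well-formed ssh-rsa key of at least min_bits."""
    try:
        _key_type, bits = parse_openssh_pubkey(line)
    except ValueError:
        return False
    return bits >= min_bits

def make_test_key(modulus_bits, exponent=65537):
    """Constructed, structurally valid ssh-rsa line (not a real key) for tests."""
    n = (1 << (modulus_bits - 1)) | 1      # arbitrary odd number of that width
    blob = _wire(b"ssh-rsa") + _wire(exponent) + _wire(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"
```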
You can specify the SSH public keys in IETF SECSH format for user accounts.
The following example shows how to specify the SSH public key in the IETF SECSH format:
switch# copy tftp://10.10.1.1/secsh_file.pub bootflash:secsh_file.pub
switch# configure terminal
switch(config)# username User1 sshkey file bootflash:secsh_file.pub
switch(config)# exit
switch# show user-account
switch# copy running-config startup-config
You can specify the SSH public keys in PEM-formatted Public Key Certificate form for user accounts.
The following example shows how to specify the SSH public keys in PEM-formatted public key certificate form:
switch# copy tftp://10.10.1.1/cert.pem bootflash:cert.pem
switch# configure terminal
switch# show user-account
switch# copy running-config startup-config
You can start SSH sessions to connect to remote devices from your Cisco Nexus device.
Step | Command or Action | Purpose
---|---|---
1 | switch# ssh {hostname \| username@hostname} [vrf vrf-name] | Creates an SSH session to a remote device. The hostname argument can be an IPv4 address or a hostname.
When you download a file from a server using SCP or SFTP, you establish a trusted SSH relationship with that server.
Step | Command or Action | Purpose
---|---|---
1 | switch# clear ssh hosts | Clears the SSH host sessions.
By default, the SSH server is enabled on the Cisco Nexus device.
You can delete SSH server keys after you disable the SSH server.
Note: To reenable SSH, you must first generate an SSH server key.
You can clear SSH sessions from the Cisco Nexus device.
Step | Command or Action | Purpose
---|---|---
1 | switch# show users | Displays user session information.
2 | switch# clear line vty-line | Clears a user SSH session.
The following example shows how to configure SSH:
Configuring Telnet
By default, the Telnet server is enabled. You can disable the Telnet server on your Cisco Nexus device.
Step | Command or Action | Purpose
---|---|---
1 | switch# configure terminal | Enters configuration mode.
2 | switch(config)# no feature telnet | Disables the Telnet server. The default is enabled.
If the Telnet server on your Cisco Nexus device has been disabled, you can reenable it.
Step | Command or Action | Purpose
---|---|---
1 | switch(config)# feature telnet | Reenables the Telnet server.
Before you start a Telnet session to connect to remote devices, you should do the following:
Step | Command or Action | Purpose
---|---|---
1 | switch# telnet hostname | Creates a Telnet session to a remote device. The hostname argument can be an IPv4 address or a device name.
The following example shows how to start a Telnet session to connect to a remote device:
switch# telnet 10.10.1.1
Trying 10.10.1.1...
Connected to 10.10.1.1.
Escape character is '^]'.
switch login:
You can clear Telnet sessions from the Cisco Nexus device.
Step | Command or Action | Purpose
---|---|---
1 | switch# show users | Displays user session information.
2 | switch# clear line vty-line | Clears a user Telnet session.
To display the SSH configuration information, perform one of the following tasks:
Command | Purpose
---|---
switch# show ssh key [dsa \| rsa] | Displays SSH server key-pair information.
switch# show running-config security [all] | Displays the SSH and user account configuration in the running configuration. The all keyword displays the default values for the SSH and user accounts.
switch# show ssh server | Displays the SSH server configuration.
switch# show user-account | Displays user account information.
The following table lists the default settings for SSH parameters.
Parameters | Default
---|---
SSH server | Enabled
SSH server key | RSA key generated with 1024 bits
RSA key bits for generation | 1024
Telnet server | Enabled