AS
Uploaded byAndre Septian
287 views

Configure ssh cell

Secure Shell (SSH) is a protocol that provides secure remote access to devices. This document provides instructions for configuring SSH on Cisco switches including generating SSH keys, configuring the SSH server, and monitoring the SSH configuration. Key steps include generating an RSA key pair, configuring the SSH version, setting timeout values, and limiting network access to SSH-only connections.

Download to read offline
Configuring Secure Shell (SSH) • Finding Feature Information, page 1 • Prerequisites for Configuring Secure Shell, page 1 • Restrictions for Configuring Secure Shell, page 2 • Information about SSH, page 2 • How to Configure SSH, page 5 • Monitoring the SSH Configuration and Status, page 9 • Additional References, page 9 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required. Prerequisites for Configuring Secure Shell The following are the prerequisites for configuring the switch for secure shell (SSH): • For SSH to work, the switch needs an Rivest, Shamir, and Adleman (RSA) public/private key pair. This is the same with Secure Copy Protocol (SCP), which relies on SSH for its secure transport. • Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch. • Because SCP relies on SSH for its secure transport, the router must have an Rivest, Shamir, and Adelman (RSA) key pair. • SCP relies on SSH for security. Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29640-01 1
• SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether the user has the correct privilege level. • A user must have appropriate authorization to use SCP. • A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation. • The Secure Shell (SSH) server requires an IPsec (Data Encryption Standard [DES] or 3DES) encryption software image; the SSH client requires an IPsec (DES or 3DES) encryption software image.) • Configure a hostname and host domain for your device by using the hostname and ip domain-name commands in global configuration mode. Related Topics Secure Copy Protocol, on page 4 Restrictions for Configuring Secure Shell The following are restrictions for configuring the Switch for secure shell. • The switch supports Rivest, Shamir, and Adelman (RSA) authentication. • SSH supports only the execution-shell application. • The SSH server and the SSH client are supported only on Data Encryption Standard (DES) (56-bit) and 3DES (168-bit) data encryption software. In DES software images, DES is the only encryption algorithm available. In 3DES software images, both DES and 3DES encryption algorithms are available. • The Switch supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit key, 192-bit key, or 256-bit key. However, symmetric cipher AES to encrypt the keys is not supported. • This software release does not support IP Security (IPSec). • When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted. • The login banner is not supported in Secure Shell Version 1. It is supported in Secure Shell Version 2. • The -l keyword and userid :{number} {ip-address} delimiter and arguments are mandatory when configuring the alternative method of Reverse SSH for console access. Related Topics Secure Copy Protocol, on page 4 Information about SSH Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device. SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2). Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX 2 OL-29640-01 Configuring Secure Shell (SSH) Restrictions for Configuring Secure Shell
SSH and Switch Access Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device. SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2). SSH functions the same in IPv6 as in IPv4. For IPv6, SSH supports IPv6 addresses and enables secure, encrypted connections with remote IPv6 nodes over an IPv6 transport. SSH Servers, Integrated Clients, and Supported Versions The Secure Shell (SSH) Integrated Client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco device to make a secure, encrypted connection to another Cisco device or to any other device running the SSH server. This connection provides functionality similar to that of an outbound Telnet connection except that the connection is encrypted. With authentication and encryption, the SSH client allows for secure communication over an unsecured network. The SSH server and SSH integrated client are applications that run on the switch. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client works with publicly and commercially available SSH servers. The SSH client supports the ciphers of Data Encryption Standard (DES), 3DES, and password authentication. The switch supports an SSHv1 or an SSHv2 server. The switch supports an SSHv1 client. The SSH client functionality is available only when the SSH server is enabled.Note User authentication is performed like that in the Telnet session to the device. SSH also supports the following user authentication methods: • TACACS+ • RADIUS • Local authentication and authorization Related Topics Configuring the Switch for Local Authentication and Authorization TACACS+ and Switch Access RADIUS and Switch Access SSH Configuration Guidelines Follow these guidelines when configuring the switch as an SSH server or SSH client: • An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server, and the reverse. • If the SSH server is running on a stack master and the stack master fails, the new stack master uses the RSA key pair generated by the previous stack master. Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29640-01 3 Configuring Secure Shell (SSH) SSH and Switch Access
• If you get CLI error messages after entering the crypto key generate rsa global configuration command, an RSA key pair has not been generated. Reconfigure the hostname and domain, and then enter the crypto key generate rsa command. For more information, see Related Topics below. • When generating the RSA key pair, the message No host name specified might appear. If it does, you must configure a hostname by using the hostname global configuration command. • When generating the RSA key pair, the message No domain specified might appear. If it does, you must configure an IP domain name by using the ip domain-name global configuration command. • When configuring the local authentication and authorization authentication method, make sure that AAA is disabled on the console. Related Topics Setting Up the Switch to Run SSH, on page 5 Configuring the Switch for Local Authentication and Authorization Secure Copy Protocol Overview The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch configurations or switch image files. SCP relies on Secure Shell (SSH), an application and a protocol that provides a secure replacement for the Berkeley r-tools. For SSH to work, the switch needs an RSA public/private key pair. This is the same with SCP, which relies on SSH for its secure transport. Because SSH also relies on AAA authentication, and SCP relies further on AAA authorization, correct configuration is necessary. • Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch. • Because SCP relies on SSH for its secure transport, the router must have an Rivest, Shamir, and Adelman (RSA) key pair. When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted. Note Secure Copy Protocol The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch configurations or switch image files. The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security. SCP also requires that authentication, authorization, and accounting (AAA) authorization be configured so the switch can determine whether the user has the correct privilege level. To configure the Secure Copy feature, you should understand the SCP concepts. Related Topics Prerequisites for Configuring Secure Shell, on page 1 Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX 4 OL-29640-01 Configuring Secure Shell (SSH) Secure Copy Protocol Overview
Restrictions for Configuring Secure Shell, on page 2 How to Configure SSH Setting Up the Switch to Run SSH Follow these steps to set up your Switch to run SSH: Before You Begin Configure user authentication for local or remote access. This step is required. For more information, see Related Topics below. SUMMARY STEPS 1. enable 2. configure terminal 3. hostname hostname 4. ip domain-name domain_name 5. crypto key generate rsa 6. end 7. show running-config 8. copy running-config startup-config DETAILED STEPS PurposeCommand or Action Enables privileged EXEC mode. Enter your password if prompted.enableStep 1 Example: Switch> enable Enters the global configuration mode.configure terminal Example: Switch# configure terminal Step 2 Configures a hostname and IP domain name for your Switch.hostname hostnameStep 3 Example: Switch(config)# hostname your_hostname Follow this procedure only if you are configuring the Switch as an SSH server. Note Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29640-01 5 Configuring Secure Shell (SSH) How to Configure SSH
PurposeCommand or Action Configures a host domain for your Switch.ip domain-name domain_name Example: Switch(config)# ip domain-name Step 4 your_domain Enables the SSH server for local and remote authentication on the Switch and generates an RSA key pair. Generating an RSA key pair for the Switch automatically enables SSH. crypto key generate rsa Example: Switch(config)# crypto key generate rsa Step 5 We recommend that a minimum modulus size of 1024 bits. When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use. Follow this procedure only if you are configuring the Switch as an SSH server. Note Returns to privileged EXEC mode.end Example: Switch(config)# end Step 6 Verifies your entries.show running-config Example: Switch# show running-config Step 7 (Optional) Saves your entries in the configuration file.copy running-config startup-config Example: Switch# copy running-config Step 8 startup-config Related Topics SSH Configuration Guidelines, on page 3 Configuring the Switch for Local Authentication and Authorization Configuring the SSH Server Follow these steps to configure the SSH server: Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX 6 OL-29640-01 Configuring Secure Shell (SSH) Configuring the SSH Server
This procedure is only required if you are configuring the Switch as an SSH server.Note SUMMARY STEPS 1. enable 2. configure terminal 3. ip ssh version [1 | 2] 4. ip ssh {timeout seconds | authentication-retries number} 5. Use one or both of the following: • line vtyline_number[ ending_line_number ] • transport input ssh 6. end 7. show running-config 8. copy running-config startup-config DETAILED STEPS PurposeCommand or Action Enables privileged EXEC mode. Enter your password if prompted.enableStep 1 Example: Switch> enable Enters the global configuration mode.configure terminal Example: Switch# configure terminal Step 2 (Optional) Configures the Switch to run SSH Version 1 or SSH Version 2. ip ssh version [1 | 2] Example: Switch(config)# ip ssh version 1 Step 3 • 1—Configure the Switch to run SSH Version 1. • 2—Configure the Switch to run SSH Version 2. If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2. Configures the SSH control parameters:ip ssh {timeout seconds | authentication-retries number} Step 4 Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29640-01 7 Configuring Secure Shell (SSH) Configuring the SSH Server
PurposeCommand or Action • Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. This parameter applies to the SSHExample: Switch(config)# ip ssh timeout 90 negotiation phase. After the connection is established, the Switch uses the default time-out values of the CLI-based sessions. authentication-retries 2 By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes. • Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5. Repeat this step when configuring both parameters. (Optional) Configures the virtual terminal line settings.Use one or both of the following:Step 5 • line vtyline_number[ ending_line_number ] • Enters line configuration mode to configure the virtual terminal line settings. For line_number and ending_line_number, specify a pair of lines. The range is 0 to 15. • transport input ssh • Specifies that the Switch prevent non-SSH Telnet connections. This limits the router to only SSH connections. Example: Switch(config)# line vty 1 10 or Switch(config-line)# transport input ssh Returns to privileged EXEC mode.end Example: Switch(config-line)# end Step 6 Verifies your entries.show running-config Example: Switch# show running-config Step 7 (Optional) Saves your entries in the configuration file.copy running-config startup-config Example: Switch# copy running-config Step 8 startup-config Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX 8 OL-29640-01 Configuring Secure Shell (SSH) Configuring the SSH Server
Monitoring the SSH Configuration and Status This table displays the SSH server configuration and status. Table 1: Commands for Displaying the SSH Server Configuration and Status PurposeCommand Shows the version and configuration information for the SSH server. show ip ssh Shows the status of the SSH server.show ssh Additional References Related Documents Document TitleRelated Topic Session Aware Networking Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) http://www.cisco.com/en/US/docs/ios-xml/ios/san/ configuration/xe-3se/3850/san-xe-3se-3850-book.html Configuring Identity Control policies and Identity Service templates for Session Aware networking. Securing User Services Configuration Guide Library, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) http://www.cisco.com/en/US/docs/ios-xml/ios/ security/config_library/xe-3se/3850/ secuser-xe-3se-3850-library.html Configuring RADIUS, TACACS+, Secure Shell, 802.1X and AAA. Error Message Decoder LinkDescription https://www.cisco.com/cgi-bin/Support/Errordecoder/ index.cgi To help you research and resolve system error messages in this release, use the Error Message Decoder tool. Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29640-01 9 Configuring Secure Shell (SSH) Monitoring the SSH Configuration and Status
MIBs MIBs LinkMIB To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs All supported MIBs for this release. Technical Assistance LinkDescription http://www.cisco.com/supportThe Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX 10 OL-29640-01 Configuring Secure Shell (SSH) Additional References

More Related Content

DOC
Configuring Secure Shell on Routers and Switches Running Cisco IO
byHoàng Hải Nguyễn
 
PDF
Configuring Secure Shell on Routers and Switches Running Cisco IOS - Cisco Sy...
byHoàng Hải Nguyễn
 
PPTX
Ssh (The Secure Shell)
byMehedi Farazi
 
PDF
Multi-signed Kernel Module
bySUSE Labs Taipei
 
ODP
Looking into trusted and encrypted keys
bySUSE Labs Taipei
 
PPT
SSH.ppt
byjoekr1
 
PDF
EFI Secure Key
bySUSE Labs Taipei
 
PDF
Configuring Ip Sec Between A Router And A Pix
byangelitoh11
 
Configuring Secure Shell on Routers and Switches Running Cisco IO
byHoàng Hải Nguyễn
 
Configuring Secure Shell on Routers and Switches Running Cisco IOS - Cisco Sy...
byHoàng Hải Nguyễn
 
Ssh (The Secure Shell)
byMehedi Farazi
 
Multi-signed Kernel Module
bySUSE Labs Taipei
 
Looking into trusted and encrypted keys
bySUSE Labs Taipei
 
SSH.ppt
byjoekr1
 
EFI Secure Key
bySUSE Labs Taipei
 
Configuring Ip Sec Between A Router And A Pix
byangelitoh11
 

What's hot

ODP
Signature verification of kernel module and kexec
byjoeylikernel
 
PDF
Hardening Linux and introducing Securix Linux
bySecurity Session
 
PDF
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
byHoàng Hải Nguyễn
 
PPTX
Introducing bastion hosts for oracle cloud infrastructure v1.0
bymaaz khan
 
PDF
Cisco Router and Switch Security Hardening Guide
byHarris Andrea
 
PDF
Cisco iso based CA (certificate authority)
byNetwax Lab
 
PPT
第6讲 操作与配置Cisco Ios
byF.l. Yu
 
PPT
CCNA Security 05- securing the management plane
byAhmed Habib
 
PDF
Linux Hardening - nullhyd
byn|u - The Open Security Community
 
PDF
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
byThe Linux Foundation
 
PPTX
Server hardening
byTeja Babu
 
PPTX
Cisco Ios Suneet
byguest575e9c
 
PDF
Acs 52 rn
byelgraini
 
PDF
Crypt tech technical-presales
byMustafa Kuğu
 
PPTX
Asterisk: dongled !
byFrancesco Prior
 
PPTX
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
byOpenStack Korea Community
 
PPTX
10 Tips for AIX Security
byHelpSystems
 
PDF
Building Security Acсess to Remote Devices
byGlobalLogic Ukraine
 
PPT
Brief summary-standard-password-hashes-Aix-FreeBSD-Linux-Solaris-HP-UX-May-20...
byCircling Cycle
 
PDF
Managing SSH Acccess Without Managing SSH Keys
byNiall Sheridan
 
Signature verification of kernel module and kexec
byjoeylikernel
 
Hardening Linux and introducing Securix Linux
bySecurity Session
 
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
byHoàng Hải Nguyễn
 
Introducing bastion hosts for oracle cloud infrastructure v1.0
bymaaz khan
 
Cisco Router and Switch Security Hardening Guide
byHarris Andrea
 
Cisco iso based CA (certificate authority)
byNetwax Lab
 
第6讲 操作与配置Cisco Ios
byF.l. Yu
 
CCNA Security 05- securing the management plane
byAhmed Habib
 
Linux Hardening - nullhyd
byn|u - The Open Security Community
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
byThe Linux Foundation
 
Server hardening
byTeja Babu
 
Cisco Ios Suneet
byguest575e9c
 
Acs 52 rn
byelgraini
 
Crypt tech technical-presales
byMustafa Kuğu
 
Asterisk: dongled !
byFrancesco Prior
 
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
byOpenStack Korea Community
 
10 Tips for AIX Security
byHelpSystems
 
Building Security Acсess to Remote Devices
byGlobalLogic Ukraine
 
Brief summary-standard-password-hashes-Aix-FreeBSD-Linux-Solaris-HP-UX-May-20...
byCircling Cycle
 
Managing SSH Acccess Without Managing SSH Keys
byNiall Sheridan
 

Similar to Configure ssh cell

PPTX
CCNA_RSE_Chp5 Switch Configuration For Network
byMonchaiPhaichitchan1
 
PPTX
PC LEESOON 6.pptx
byMLG College of Learning, Inc
 
PPTX
CCNA2 Verson6 Chapter5
byChaing Ravuth
 
PPTX
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 5
byWaqas Ahmed Nawaz
 
PPTX
Chapter 4. using the command line interface
byVishnu Vardhan
 
PPTX
Setting up SSH
byNetProtocol Xpert
 
DOC
Configuring the cisco switch with the cli based setup program
by3Anetwork com
 
PPT
CCNA Icnd110 s02l06
bycomputerlenguyen
 
PPT
Introduction to Cisco configuration and network
byAngieloBecenia1
 
PPTX
1627478708347_Chapter 1.pptx
byTesfaMinuyelet
 
DOCX
TitleABC123 Version X1Film ListPSYCH650 Version 2.docx
byjuliennehar
 
PPT
Chapter 2 overview
byali raza
 
PPTX
Ccna sv2 instructor_ppt_ch2
bySalmenHAJJI1
 
PPTX
ITN_Module_2.pptx
byargost1003
 
PPTX
Basic Switch & End Device Configuration_Module 2_ITNv7.pptx
byFauziaNingrum
 
DOCX
How to configure port security in cisco switch
byIT Tech
 
PDF
2. Basic Switch and End Device.pdf xxxxxx
byNgcThnh71
 
PDF
CCNAv5 - S1: Chapter 2 - Configuring a network operating system
byVuz Dở Hơi
 
PPTX
Chapter 2 : Configuring a network operating system
byteknetir
 
PDF
Ch2 - Securing Network Devices - CCNA Security.pdf
byOhmRon
 
CCNA_RSE_Chp5 Switch Configuration For Network
byMonchaiPhaichitchan1
 
PC LEESOON 6.pptx
byMLG College of Learning, Inc
 
CCNA2 Verson6 Chapter5
byChaing Ravuth
 
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 5
byWaqas Ahmed Nawaz
 
Chapter 4. using the command line interface
byVishnu Vardhan
 
Setting up SSH
byNetProtocol Xpert
 
Configuring the cisco switch with the cli based setup program
by3Anetwork com
 
CCNA Icnd110 s02l06
bycomputerlenguyen
 
Introduction to Cisco configuration and network
byAngieloBecenia1
 
1627478708347_Chapter 1.pptx
byTesfaMinuyelet
 
TitleABC123 Version X1Film ListPSYCH650 Version 2.docx
byjuliennehar
 
Chapter 2 overview
byali raza
 
Ccna sv2 instructor_ppt_ch2
bySalmenHAJJI1
 
ITN_Module_2.pptx
byargost1003
 
Basic Switch & End Device Configuration_Module 2_ITNv7.pptx
byFauziaNingrum
 
How to configure port security in cisco switch
byIT Tech
 
2. Basic Switch and End Device.pdf xxxxxx
byNgcThnh71
 
CCNAv5 - S1: Chapter 2 - Configuring a network operating system
byVuz Dở Hơi
 
Chapter 2 : Configuring a network operating system
byteknetir
 
Ch2 - Securing Network Devices - CCNA Security.pdf
byOhmRon
 

Recently uploaded

PPTX
Unit 6- Heme Catabolism.pptx............
byAkanksha Kotangale
 
PDF
ARS Nematology Syllabus | Complete Unit-wise Topics, Booklist & Preparation S...
bySatyam Sharma
 
PPTX
Everything You Need to Know About Actions in Odoo 18
byCeline George
 
PDF
Projects_for_Ministries,_Departments_&_Agencies2123341679.pdf
bynservice241
 
PDF
2025 Caribbean Examinations Council CCSLC Merit List
byCaribbean Examinations Council
 
PPT
Layers of the Earth crust and Lithosphere.ppt
bybonpat1954
 
PDF
JRF Plant Science Preparation Strategy by Experts | Complete Syllabus Discuss...
bySatyam Sharma
 
PPTX
Gender, School and Society - B.Ed Course
byRejoshaRajendran
 
PDF
BP303T PHARMACEUTICALMICROBIOLOGY UNIT 3
byRushiMandali
 
PDF
Introduction to Genetics: The Foundation of Heredity and Variation- Understan...
bySatyam Sharma
 
PPTX
NURSING PROCESS.....................pptx
byAneetaSharma15
 
PPTX
Improved ui_ux in Odoo 18.2 Purchase in Odoo 19
byCeline George
 
PPTX
Emminent personalities from agriculture sciences.pptx
byconvey2vivek
 
PPTX
What are Forecast Reports in Odoo 18 CRM
byCeline George
 
PDF
Political conditions of India during 6th cent BCE: Janpadas and Republics
byPrachiSontakke5
 
PPTX
LESSON 1.pptx///////////////////////////////
byRoseAnnUsana
 
PPTX
History in your Hands Class 2 November 2025.pptx
byEilsONeill
 
PPTX
GROWTH AND DEVELOPMENT..............pptx
byAneetaSharma15
 
PPTX
How to Get Ahead in Marketing: Insights for University Students
byCareLineLive
 
PPTX
An inclusive AI - Supporting students with special education needs by Andreas...
byEduSkills OECD
 
Unit 6- Heme Catabolism.pptx............
byAkanksha Kotangale
 
ARS Nematology Syllabus | Complete Unit-wise Topics, Booklist & Preparation S...
bySatyam Sharma
 
Everything You Need to Know About Actions in Odoo 18
byCeline George
 
Projects_for_Ministries,_Departments_&_Agencies2123341679.pdf
bynservice241
 
2025 Caribbean Examinations Council CCSLC Merit List
byCaribbean Examinations Council
 
Layers of the Earth crust and Lithosphere.ppt
bybonpat1954
 
JRF Plant Science Preparation Strategy by Experts | Complete Syllabus Discuss...
bySatyam Sharma
 
Gender, School and Society - B.Ed Course
byRejoshaRajendran
 
BP303T PHARMACEUTICALMICROBIOLOGY UNIT 3
byRushiMandali
 
Introduction to Genetics: The Foundation of Heredity and Variation- Understan...
bySatyam Sharma
 
NURSING PROCESS.....................pptx
byAneetaSharma15
 
Improved ui_ux in Odoo 18.2 Purchase in Odoo 19
byCeline George
 
Emminent personalities from agriculture sciences.pptx
byconvey2vivek
 
What are Forecast Reports in Odoo 18 CRM
byCeline George
 
Political conditions of India during 6th cent BCE: Janpadas and Republics
byPrachiSontakke5
 
LESSON 1.pptx///////////////////////////////
byRoseAnnUsana
 
History in your Hands Class 2 November 2025.pptx
byEilsONeill
 
GROWTH AND DEVELOPMENT..............pptx
byAneetaSharma15
 
How to Get Ahead in Marketing: Insights for University Students
byCareLineLive
 
An inclusive AI - Supporting students with special education needs by Andreas...
byEduSkills OECD
 

Configure ssh cell

  • 1.
    Configuring Secure Shell(SSH) • Finding Feature Information, page 1 • Prerequisites for Configuring Secure Shell, page 1 • Restrictions for Configuring Secure Shell, page 2 • Information about SSH, page 2 • How to Configure SSH, page 5 • Monitoring the SSH Configuration and Status, page 9 • Additional References, page 9 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required. Prerequisites for Configuring Secure Shell The following are the prerequisites for configuring the switch for secure shell (SSH): • For SSH to work, the switch needs an Rivest, Shamir, and Adleman (RSA) public/private key pair. This is the same with Secure Copy Protocol (SCP), which relies on SSH for its secure transport. • Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch. • Because SCP relies on SSH for its secure transport, the router must have an Rivest, Shamir, and Adelman (RSA) key pair. • SCP relies on SSH for security. Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29640-01 1
  • 2.
    • SCP requiresthat authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether the user has the correct privilege level. • A user must have appropriate authorization to use SCP. • A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation. • The Secure Shell (SSH) server requires an IPsec (Data Encryption Standard [DES] or 3DES) encryption software image; the SSH client requires an IPsec (DES or 3DES) encryption software image.) • Configure a hostname and host domain for your device by using the hostname and ip domain-name commands in global configuration mode. Related Topics Secure Copy Protocol, on page 4 Restrictions for Configuring Secure Shell The following are restrictions for configuring the Switch for secure shell. • The switch supports Rivest, Shamir, and Adelman (RSA) authentication. • SSH supports only the execution-shell application. • The SSH server and the SSH client are supported only on Data Encryption Standard (DES) (56-bit) and 3DES (168-bit) data encryption software. In DES software images, DES is the only encryption algorithm available. In 3DES software images, both DES and 3DES encryption algorithms are available. • The Switch supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit key, 192-bit key, or 256-bit key. However, symmetric cipher AES to encrypt the keys is not supported. • This software release does not support IP Security (IPSec). • When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted. • The login banner is not supported in Secure Shell Version 1. It is supported in Secure Shell Version 2. • The -l keyword and userid :{number} {ip-address} delimiter and arguments are mandatory when configuring the alternative method of Reverse SSH for console access. Related Topics Secure Copy Protocol, on page 4 Information about SSH Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device. SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2). Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX 2 OL-29640-01 Configuring Secure Shell (SSH) Restrictions for Configuring Secure Shell
  • 3.
    SSH and SwitchAccess Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device. SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2). SSH functions the same in IPv6 as in IPv4. For IPv6, SSH supports IPv6 addresses and enables secure, encrypted connections with remote IPv6 nodes over an IPv6 transport. SSH Servers, Integrated Clients, and Supported Versions The Secure Shell (SSH) Integrated Client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco device to make a secure, encrypted connection to another Cisco device or to any other device running the SSH server. This connection provides functionality similar to that of an outbound Telnet connection except that the connection is encrypted. With authentication and encryption, the SSH client allows for secure communication over an unsecured network. The SSH server and SSH integrated client are applications that run on the switch. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client works with publicly and commercially available SSH servers. The SSH client supports the ciphers of Data Encryption Standard (DES), 3DES, and password authentication. The switch supports an SSHv1 or an SSHv2 server. The switch supports an SSHv1 client. The SSH client functionality is available only when the SSH server is enabled.Note User authentication is performed like that in the Telnet session to the device. SSH also supports the following user authentication methods: • TACACS+ • RADIUS • Local authentication and authorization Related Topics Configuring the Switch for Local Authentication and Authorization TACACS+ and Switch Access RADIUS and Switch Access SSH Configuration Guidelines Follow these guidelines when configuring the switch as an SSH server or SSH client: • An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server, and the reverse. • If the SSH server is running on a stack master and the stack master fails, the new stack master uses the RSA key pair generated by the previous stack master. Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29640-01 3 Configuring Secure Shell (SSH) SSH and Switch Access
  • 4.
    • If youget CLI error messages after entering the crypto key generate rsa global configuration command, an RSA key pair has not been generated. Reconfigure the hostname and domain, and then enter the crypto key generate rsa command. For more information, see Related Topics below. • When generating the RSA key pair, the message No host name specified might appear. If it does, you must configure a hostname by using the hostname global configuration command. • When generating the RSA key pair, the message No domain specified might appear. If it does, you must configure an IP domain name by using the ip domain-name global configuration command. • When configuring the local authentication and authorization authentication method, make sure that AAA is disabled on the console. Related Topics Setting Up the Switch to Run SSH, on page 5 Configuring the Switch for Local Authentication and Authorization Secure Copy Protocol Overview The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch configurations or switch image files. SCP relies on Secure Shell (SSH), an application and a protocol that provides a secure replacement for the Berkeley r-tools. For SSH to work, the switch needs an RSA public/private key pair. This is the same with SCP, which relies on SSH for its secure transport. Because SSH also relies on AAA authentication, and SCP relies further on AAA authorization, correct configuration is necessary. • Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch. • Because SCP relies on SSH for its secure transport, the router must have an Rivest, Shamir, and Adelman (RSA) key pair. When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted. Note Secure Copy Protocol The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch configurations or switch image files. The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security. SCP also requires that authentication, authorization, and accounting (AAA) authorization be configured so the switch can determine whether the user has the correct privilege level. To configure the Secure Copy feature, you should understand the SCP concepts. Related Topics Prerequisites for Configuring Secure Shell, on page 1 Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX 4 OL-29640-01 Configuring Secure Shell (SSH) Secure Copy Protocol Overview
  • 5.
    Restrictions for ConfiguringSecure Shell, on page 2 How to Configure SSH Setting Up the Switch to Run SSH Follow these steps to set up your Switch to run SSH: Before You Begin Configure user authentication for local or remote access. This step is required. For more information, see Related Topics below. SUMMARY STEPS 1. enable 2. configure terminal 3. hostname hostname 4. ip domain-name domain_name 5. crypto key generate rsa 6. end 7. show running-config 8. copy running-config startup-config DETAILED STEPS PurposeCommand or Action Enables privileged EXEC mode. Enter your password if prompted.enableStep 1 Example: Switch> enable Enters the global configuration mode.configure terminal Example: Switch# configure terminal Step 2 Configures a hostname and IP domain name for your Switch.hostname hostnameStep 3 Example: Switch(config)# hostname your_hostname Follow this procedure only if you are configuring the Switch as an SSH server. Note Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29640-01 5 Configuring Secure Shell (SSH) How to Configure SSH
  • 6.
    PurposeCommand or Action Configuresa host domain for your Switch.ip domain-name domain_name Example: Switch(config)# ip domain-name Step 4 your_domain Enables the SSH server for local and remote authentication on the Switch and generates an RSA key pair. Generating an RSA key pair for the Switch automatically enables SSH. crypto key generate rsa Example: Switch(config)# crypto key generate rsa Step 5 We recommend that a minimum modulus size of 1024 bits. When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use. Follow this procedure only if you are configuring the Switch as an SSH server. Note Returns to privileged EXEC mode.end Example: Switch(config)# end Step 6 Verifies your entries.show running-config Example: Switch# show running-config Step 7 (Optional) Saves your entries in the configuration file.copy running-config startup-config Example: Switch# copy running-config Step 8 startup-config Related Topics SSH Configuration Guidelines, on page 3 Configuring the Switch for Local Authentication and Authorization Configuring the SSH Server Follow these steps to configure the SSH server: Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX 6 OL-29640-01 Configuring Secure Shell (SSH) Configuring the SSH Server
  • 7.
    This procedure isonly required if you are configuring the Switch as an SSH server.Note SUMMARY STEPS 1. enable 2. configure terminal 3. ip ssh version [1 | 2] 4. ip ssh {timeout seconds | authentication-retries number} 5. Use one or both of the following: • line vtyline_number[ ending_line_number ] • transport input ssh 6. end 7. show running-config 8. copy running-config startup-config DETAILED STEPS PurposeCommand or Action Enables privileged EXEC mode. Enter your password if prompted.enableStep 1 Example: Switch> enable Enters the global configuration mode.configure terminal Example: Switch# configure terminal Step 2 (Optional) Configures the Switch to run SSH Version 1 or SSH Version 2. ip ssh version [1 | 2] Example: Switch(config)# ip ssh version 1 Step 3 • 1—Configure the Switch to run SSH Version 1. • 2—Configure the Switch to run SSH Version 2. If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2. Configures the SSH control parameters:ip ssh {timeout seconds | authentication-retries number} Step 4 Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29640-01 7 Configuring Secure Shell (SSH) Configuring the SSH Server
  • 8.
    PurposeCommand or Action •Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. This parameter applies to the SSHExample: Switch(config)# ip ssh timeout 90 negotiation phase. After the connection is established, the Switch uses the default time-out values of the CLI-based sessions. authentication-retries 2 By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes. • Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5. Repeat this step when configuring both parameters. (Optional) Configures the virtual terminal line settings.Use one or both of the following:Step 5 • line vtyline_number[ ending_line_number ] • Enters line configuration mode to configure the virtual terminal line settings. For line_number and ending_line_number, specify a pair of lines. The range is 0 to 15. • transport input ssh • Specifies that the Switch prevent non-SSH Telnet connections. This limits the router to only SSH connections. Example: Switch(config)# line vty 1 10 or Switch(config-line)# transport input ssh Returns to privileged EXEC mode.end Example: Switch(config-line)# end Step 6 Verifies your entries.show running-config Example: Switch# show running-config Step 7 (Optional) Saves your entries in the configuration file.copy running-config startup-config Example: Switch# copy running-config Step 8 startup-config Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX 8 OL-29640-01 Configuring Secure Shell (SSH) Configuring the SSH Server
  • 9.
    Monitoring the SSHConfiguration and Status This table displays the SSH server configuration and status. Table 1: Commands for Displaying the SSH Server Configuration and Status PurposeCommand Shows the version and configuration information for the SSH server. show ip ssh Shows the status of the SSH server.show ssh Additional References Related Documents Document TitleRelated Topic Session Aware Networking Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) http://www.cisco.com/en/US/docs/ios-xml/ios/san/ configuration/xe-3se/3850/san-xe-3se-3850-book.html Configuring Identity Control policies and Identity Service templates for Session Aware networking. Securing User Services Configuration Guide Library, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) http://www.cisco.com/en/US/docs/ios-xml/ios/ security/config_library/xe-3se/3850/ secuser-xe-3se-3850-library.html Configuring RADIUS, TACACS+, Secure Shell, 802.1X and AAA. Error Message Decoder LinkDescription https://www.cisco.com/cgi-bin/Support/Errordecoder/ index.cgi To help you research and resolve system error messages in this release, use the Error Message Decoder tool. Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29640-01 9 Configuring Secure Shell (SSH) Monitoring the SSH Configuration and Status
  • 10.
    MIBs MIBs LinkMIB To locateand download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs All supported MIBs for this release. Technical Assistance LinkDescription http://www.cisco.com/supportThe Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. Cisco 2960-X Switch Series Configuration Guide, Cisco IOS Release 15.0(2)EX 10 OL-29640-01 Configuring Secure Shell (SSH) Additional References