0% found this document useful (0 votes)

29 views108 pages

Sec Usr SSH 15 MT Book

ssh

Uploaded by

thato69

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

29 views108 pages

Sec Usr SSH 15 MT Book

ssh

Uploaded by

thato69

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 108

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version
of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://
www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)

© 2015 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1 Configuring Secure Shell 1

Finding Feature Information 1
Prerequisites for Configuring SSH 2
Restrictions for Configuring SSH 2
Information About Secure Shell (SSH) 3
SSH Server 3
SSH Integrated Client 3
RSA Authentication Support 3
How to Configure SSH 4
Configuring an SSH Server 4
Invoking an SSH Client 5
Troubleshooting Tips 6
Configuration Examples for SSH 6
Example SSH on a Cisco 7200 Series Router 6
Example SSH on a Cisco 7500 Series Router 7
Example SSH on a Cisco 12000 Series Router 9
Example: Verifying SSH 10
Additional References 11
Feature Information for Configuring Secure Shell 12

CHAPTER 2 Reverse SSH Enhancements 13

Finding Feature Information 13
Prerequisites for Reverse SSH Enhancements 13
Restrictions for Reverse SSH Enhancements 14
Information About Reverse SSH Enhancements 14
Reverse Telnet 14
Reverse SSH 14
How to Configure Reverse SSH Enhancements 14

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

iii
Contents

Configuring Reverse SSH for Console Access 14

Configuring Reverse SSH for Modem Access 16
Troubleshooting Reverse SSH on the Client 18
Troubleshooting Reverse SSH on the Server 19
Configuration Examples for Reverse SSH Enhancements 20
Example Reverse SSH Console Access 20
Example Reverse SSH Modem Access 20
Additional References 21
Related Documents 21
Technical Assistance 21
Feature Information for Reverse SSH Enhancements 21

CHAPTER 3 Secure Copy 23

Finding Feature Information 23
Prerequisites for Secure Copy 23
Information About Secure Copy 24
How Secure Copy Works 24
How to Configure Secure Copy 24
Configuring Secure Copy 24
Configuration Examples for Secure Copy 26
Example: Secure Copy Configuration Using Local Authentication 26
Example: Secure Copy Configuration Using Network-Based Authentication 26
Additional References 27
Feature Information for Secure Copy 27
Glossary 28

CHAPTER 4 Secure Shell Version 2 Support 29

Finding Feature Information 29
Prerequisites for Secure Shell Version 2 Support 30
Restrictions for Secure Shell Version 2 Support 30
Information About Secure Shell Version 2 Support 30
Secure Shell Version 2 30
Secure Shell Version 2 Enhancements 31
Secure Shell Version 2 Enhancements for RSA Keys 31
SNMP Trap Generation 32

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

iv
Contents

SSH Keyboard Interactive Authentication 33

How to Configure Secure Shell Version 2 Support 33
Configuring a Device for SSH Version 2 Using a Hostname and Domain Name 33
Configuring a Device for SSH Version 2 Using RSA Key Pairs 35
Configuring the Cisco SSH Server to Perform RSA-Based User Authentication 36
Configuring the Cisco IOS SSH Client to Perform RSA-Based Server Authentication 38
Starting an Encrypted Session with a Remote Device 40
Troubleshooting Tips 41
Enabling Secure Copy Protocol on the SSH Server 41
Troubleshooting Tips 43
Verifying the Status of the Secure Shell Connection 44
Verifying the Secure Shell Status 45
Monitoring and Maintaining Secure Shell Version 2 46
Configuration Examples for Secure Shell Version 2 Support 49
Example: Configuring Secure Shell Version 1 49
Example: Configuring Secure Shell Version 2 49
Example: Configuring Secure Shell Versions 1 and 2 49
Example: Starting an Encrypted Session with a Remote Device 50
Example: Configuring Server-Side SCP 50
Example: Setting an SNMP Trap 50
Examples: SSH Keyboard Interactive Authentication 50
Example: Enabling Client-Side Debugs 50
Example: Enabling ChPass with a Blank Password Change 51
Example: Enabling ChPass and Changing the Password on First Login 51
Example: Enabling ChPass and Expiring the Password After Three Logins 52
Example: SNMP Debugging 52
Examples: SSH Debugging Enhancements 53
Where to Go Next 54
Additional References for Secure Shell Version 2 Support 54
Feature Information for Secure Shell Version 2 Support 55

CHAPTER 5 SSH Terminal-Line Access 57

Finding Feature Information 57
Prerequisites for SSH Terminal-Line Access 57
Restrictions for SSH Terminal-Line Access 58

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

v
Contents

Information About SSH Terminal-Line Access 58

Overview of SSH Terminal-Line Access 58
How to Configure SSH Terminal-Line Access 59
Configuring SSH Terminal-Line Access 59
Verifying SSH Terminal-Line Access 61
Configuration Examples for SSH Terminal-Line Access 61
Example SSH Terminal-Line Access Configuration 61
Example SSH Terminal-Line Access for a Console Serial Line Ports Configuration 61
Additional References 62
Feature Information for SSH Terminal-Line Access 63

CHAPTER 6 Secure Shell—Configuring User Authentication Methods 65

Finding Feature Information 65
Restrictions for Secure Shell—Configuring User Authentication Methods 65
Information About Secure Shell—Configuring User Authentication Methods 66
Secure Shell User Authentication Overview 66
How to Configure Secure Shell—Configuring User Authentication Methods 66
Configuring User Authentication for the SSH Server 66
Troubleshooting Tips 68
Verifying User Authentication for the SSH Server 68
Configuration Examples for Secure Shell—Configuring User Authentication Methods 69
Example: Disabling User Authentication Methods 69
Example: Enabling User Authentication Methods 69
Example: Configuring Default User Authentication Methods 70
Additional References for Secure Shell—Configuring User Authentication Methods 70
Feature Information for Secure Shell—Configuring User Authentication Methods 71

CHAPTER 7 AES-CTR Support for SSHv2 73

Finding Feature Information 73
Prerequisites for AES-CTR Support for SSHv2 73
Restrictions for AES-CTR Support for SSHv2 74
Information About AES-CTR Support for SSHv2 74
Secure Shell Version 2 Encryption Modes 74
How to Configure AES-CTR Support for SSHv2 74
Starting an Encrypted Session from the SSH Client 74

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

vi
Contents

Verifying the Encryption Mode Used in the SSH Server or Client 75

Configuration Examples for AES-CTR Support for SSHv2 77
Example: Starting an Encrypted Session from the SSH Client 77
Additional References for AES-CTR Support for SSHv2 77
Feature Information for AES-CTR Support for SSHv2 78

CHAPTER 8 X.509v3 Certificates for SSH Authentication 79

Finding Feature Information 79
Prerequisites for X.509v3 Certificates for SSH Authentication 80
Restrictions for X.509v3 Certificates for SSH Authentication 80
Information About X.509v3 Certificates for SSH Authentication 80
Digital certificates 80
Server and user authentication using X.509v3 80
How to Configure X.509v3 Certificates for SSH Authentication 81
Configuring IOS SSH Server to Use Digital Certificates for Sever Authentication 81
Configuring IOS SSH Server to Verify User's Digital Certificate for User Authentication 82
Verifying Configuration for Server and User Authentication Using Digital Certificates 84
Configuration Examples for X.509v3 Certificates for SSH Authentication 85
Example: Configuring IOS SSH Server to Use Digital Certificates for Sever Authentication
85

Example: Configuring IOS SSH Server to Verify User's Digital Certificate for User
Authentication 85
Additional References for X.509v3 Certificates for SSH Authentication 85
Feature Information for X.509v3 Certificates for SSH Authentication 86

CHAPTER 9 SSH Algorithms for Common Criteria Certification 89

Finding Feature Information 89
Information About SSH Algorithms for Common Criteria Certification 90
SSH Algorithms for Common Criteria Certification 90
Cisco IOS SSH Server Algorithms 90
Cisco IOS SSH Client Algorithms 90
How to Configure SSH Algorithms for Common Criteria Certification 91
Configuring an Encryption Key Algorithm for a Cisco IOS SSH Server and Client 91
Troubleshooting Tips 92
Configuring a MAC Algorithm for a Cisco IOS SSH Server and Client 92

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

vii
Contents

Troubleshooting Tips 93
Configuring a Host Key Algorithm for a Cisco IOS SSH Server 94
Troubleshooting Tips 95
Verifying SSH Algorithms for Common Criteria Certification 95
Configuration Examples For SSH Algorithms for Common Criteria Certification 96
Example: Configuring Encryption Key Algorithms for a Cisco IOS SSH Server 96
Example: Configuring Encryption Key Algorithms for a Cisco IOS SSH Client 96
Example: Configuring MAC Algorithms for a Cisco IOS SSH Server 96
Example: Configuring MAC Algorithms for a Cisco IOS SSH Client 96
Example: Configuring Host Key Algorithms for a Cisco IOS SSH Server 97
Additional References for SSH Algorithms for Common Criteria Certification 97
Feature Information for SSH Algorithms for Common Criteria Certification 98

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

viii
CHAPTER 1
Configuring Secure Shell
The Secure Shell (SSH) feature is an application and a protocol that provides a secure replacement to the
Berkeley r-tools. The protocol secures sessions using standard cryptographic mechanisms, and the application
can be used similarly to the Berkeley rexec and rsh tools. Two versions of SSH are available: SSH Version
1 and SSH Version 2. Unless otherwise noted, the term “SSH” denotes “SSH Version 1” only. For information
about SSH Version 2, see the “ Secure Shell Version 2 Support” feature module.

• Finding Feature Information, page 1

• Prerequisites for Configuring SSH, page 2
• Restrictions for Configuring SSH, page 2
• Information About Secure Shell (SSH), page 3
• How to Configure SSH, page 4
• Configuration Examples for SSH, page 6
• Additional References, page 11
• Feature Information for Configuring Secure Shell, page 12

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

1
Configuring Secure Shell
Prerequisites for Configuring SSH

Prerequisites for Configuring SSH

Note Unless otherwise noted, the term “SSH” denotes “SSH Version 1” only.

• Download the required image on the device. The Secure Shell (SSH) server requires an IPsec (Data
Encryption Standard [DES] or 3DES) encryption software image; the SSH client requires an IPsec (DES
or 3DES) encryption software image.) For information about downloading a software image, see the
Loading and Managing System Images Configuration Guide.
• Configure a hostname and host domain for your device by using the hostname and ip domain-name
commands in global configuration mode.
• Generate a Rivest, Shamir, and Adleman (RSA) key pair for your device. This key pair automatically
enables SSH and remote authentication when the crypto key generate rsa command is entered in global
configuration mode.

Note To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. Once you
delete the RSA key pair, you automatically disable the SSH server.

• Configure user authentication for local or remote access. You can configure authentication with or
without authentication, authorization, and accounting (AAA). For more information, see the
Authentication, Authorization, and Accounting Configuration Guide.

Restrictions for Configuring SSH

Note Unless otherwise noted, the term “SSH” denotes “SSH Version 1” only.

• The Secure Shell (SSH) server and SSH client are supported on Data Encryption Standard (DES) (56-bit)
and 3DES (168-bit) data encryption software images only. In DES software images, DES is the only
encryption algorithm available. In 3DES software images, both DES and 3DES encryption algorithms
are available.
• Execution shell is the only application supported.
• The login banner is not supported in Secure Shell Version 1. It is supported in Secure Shell Version 2.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

2
Configuring Secure Shell
Information About Secure Shell (SSH)

Information About Secure Shell (SSH)

Note Unless otherwise noted, the term “SSH” denotes “SSH Version 1” only.

SSH Server

Note Unless otherwise noted, the term “SSH” denotes “SSH Version 1” only.

The Secure Shell (SSH) Server feature enables an SSH client to make a secure, encrypted connection to a
Cisco device. This connection provides functionality that is similar to that of an inbound Telnet connection.
Before SSH, security was limited to Telnet security. SSH allows a strong encryption to be used with the Cisco
software authentication. The SSH server in Cisco software works with publicly and commercially available
SSH clients.

SSH Integrated Client

Note Unless otherwise noted, the term “SSH” denotes “SSH Version 1” only.

The Secure Shell (SSH) Integrated Client feature is an application that runs over the SSH protocol to provide
device authentication and encryption. The SSH client enables a Cisco device to make a secure, encrypted
connection to another Cisco device or to any other device running the SSH server. This connection provides
functionality similar to that of an outbound Telnet connection except that the connection is encrypted. With
authentication and encryption, the SSH client allows for secure communication over an unsecured network.
The SSH client in Cisco software works with publicly and commercially available SSH servers. The SSH
client supports the ciphers of Data Encryption Standard (DES), 3DES, and password authentication. User
authentication is performed like that in the Telnet session to the device. The user authentication mechanisms
supported for SSH are RADIUS, TACACS+, and the use of locally stored usernames and passwords.

Note The SSH client functionality is available only when the SSH server is enabled.

RSA Authentication Support

Rivest, Shamir, and Adleman (RSA) authentication available in Secure Shell (SSH) clients is not supported
on the SSH server for Cisco software by default. For more information about RSA authentication support,
see the “Configuring a Router for SSH Version 2 Using RSA Pairs” section of the “Secure Shell Version 2
Support” module.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

3
Configuring Secure Shell
How to Configure SSH

How to Configure SSH

Configuring an SSH Server

Note Unless otherwise noted, the term “SSH” denotes “SSH Version 1” only.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip ssh {timeout seconds | authentication-retries integer}
4. ip ssh rekey {time time | volume volume}
5. exit
6. show ip ssh

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 ip ssh {timeout seconds | Configures Secure Shell (SSH) control parameters.
authentication-retries integer} Note This command can also be used to establish the number of
password prompts provided to the user. The number is the
Example: lower of the following two values:
Device(config)# ip ssh timeout 30 • Value proposed by the client using the ssh -o
numberofpasswordprompt command.
• Value configured on the device using the ip ssh
authentication-retries integercommand, plus one.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

4
Configuring Secure Shell
Invoking an SSH Client

Command or Action Purpose

Step 4 ip ssh rekey {time time | volume volume} (Optional) Configures a time-based rekey or a volume-based rekey
for SSH.
Example:
Device(config)# ip ssh rekey time 108

Step 5 exit Returns to privileged EXEC mode.

Example:
Device(config)# exit

Step 6 show ip ssh (Optional) Verifies that the SSH server is enabled and displays the
version and configuration data for the SSH connection.
Example:
Device# show ip ssh

Invoking an SSH Client

Note Unless otherwise noted, the term “SSH” denotes “SSH Version 1” only.

Perform this task to invoke the Secure Shell (SSH) client. The SSH client runs in user EXEC mode and has
no specific configuration tasks.

SUMMARY STEPS

1. enable
2. ssh -l username -vrf vrf-name ip-address

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 ssh -l username -vrf vrf-name ip-address Invokes the SSH client to connect to an IP host or address in
the specified virtual routing and forwarding (VRF) instance.
Example:
Device# ssh -l user1 -vrf vrf1 192.0.2.1

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

5
Configuring Secure Shell
Configuration Examples for SSH

Troubleshooting Tips

Note Unless otherwise noted, the term “SSH” denotes “SSH Version 1” only.

• If your Secure Shell (SSH) configuration commands are rejected as illegal commands, you have not
successfully generated an Rivest, Shamir, and Adleman (RSA) key pair for your device. Make sure that
you have specified a hostname and domain. Then use the crypto key generate rsa command to generate
an RSA key pair and enable the SSH server.

• When configuring the RSA key pair, you might encounter the following error messages:
• No hostname specified.
You must configure a hostname for the device using the hostname global configuration command.
See the “IPsec and Quality of Service” module for more information.
• No domain specified.
You must configure a host domain for the device using the ip domain-name global configuration
command. See the “IPsec and Quality of Service” module for more information

• The number of allowable SSH connections is limited to the maximum number of vtys configured for
the device. Each SSH connection uses a vty resource.
• SSH uses either local security or the security protocol that is configured through AAA on your device
for user authentication. When configuring Authentication, Authorization, and Accounting ( AAA), you
must ensure that AAA is disabled on the console for user authentication. AAA authorization is disabled
on the console by default. If AAA authorization is enabled on the console, disable it by configuring the
no aaa authorization console command during the AAA configuration stage.

Configuration Examples for SSH

Example SSH on a Cisco 7200 Series Router

In the following example, SSH is configured on a Cisco 7200 with a timeout that is not to exceed 60 seconds
and no more than 2 authentication retries. Before the SSH server feature is configured on the router, TACACS+
is specified as the method of authentication.

hostname Router72K
aaa new-model
aaa authentication login default tacacs+
aaa authentication login aaa7200kw none
enable password password
username username1 password 0 password1
username username2 password 0 password2
ip subnet-zero
no ip domain-lookup

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

6
Configuring Secure Shell
Example SSH on a Cisco 7500 Series Router

ip domain-name cisco.com
! Enter the ssh commands.
ip ssh timeout 60
ip ssh authentication-retries 2
controller E1 2/0
controller E1 2/1
interface Ethernet1/0
ip address 192.168.110.2 255.255.255.0 secondary
ip address 192.168.109.2 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no keepalive
no cdp enable
interface Ethernet1/1
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no cdp enable
interface Ethernet1/2
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no cdp enable
no ip classless
ip route 192.168.1.0 255.255.255.0 10.1.10.1
ip route 192.168.9.0 255.255.255.0 10.1.1.1
ip route 192.168.10.0 255.255.255.0 10.1.1.1
map-list atm
ip 10.1.10.1 atm-vc 7 broadcast
no cdp run
tacacs-server host 192.168.109.216 port 9000
tacacs-server key cisco
radius-server host 192.168.109.216 auth-port 1650 acct-port 1651
radius-server key cisco
line con 0
exec-timeout 0 0
login authentication aaa7200kw
transport input none
line aux 0
line vty 0 4
password password
end

Example SSH on a Cisco 7500 Series Router

In the following example, SSH is configured on a Cisco 7500 with a timeout that is not to exceed 60 seconds
and no more than 5 authentication retries. Before the SSH server feature is configured on the router, RADIUS
is specified as the method of authentication.

hostname Router75K
aaa new-model
aaa authentication login default radius
aaa authentication login aaa7500kw none
enable password password

username username1 password 0 password1

username username2 password 0 password2
ip subnet-zero
no ip cef
no ip domain-lookup
ip domain-name cisco.com
! Enter ssh commands.
ip ssh timeout 60

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

7
Configuring Secure Shell
Example SSH on a Cisco 7500 Series Router

ip ssh authentication-retries 5
controller E1 3/0
channel-group 0 timeslots 1

controller E1 3/1
channel-group 0 timeslots 1
channel-group 1 timeslots 2
interface Ethernet0/0/0
no ip address
no ip directed-broadcast
no ip route-cache distributed
shutdown

interface Ethernet0/0/1
no ip address
no ip directed-broadcast
no ip route-cache distributed
shutdown
interface Ethernet0/0/2
no ip address
no ip directed-broadcast
no ip route-cache distributed
shutdown

interface Ethernet0/0/3
no ip address
no ip directed-broadcast
no ip route-cache distributed
shutdown

interface Ethernet1/0
ip address 192.168.110.2 255.255.255.0 secondary
ip address 192.168.109.2 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache

interface Ethernet1/1
ip address 192.168.109.2 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown

interface Ethernet1/2
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache

interface Ethernet1/3
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown

interface Ethernet1/4
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
interface Ethernet1/5
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown

interface Serial2/0
ip address 10.1.1.2 255.0.0.0
no ip directed-broadcast

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

8
Configuring Secure Shell
Example SSH on a Cisco 12000 Series Router

encapsulation ppp
no ip route-cache
no ip mroute-cache
ip classless
ip route 192.168.9.0 255.255.255.0 10.1.1.1
ip route 192.168.10.0 255.255.255.0 10.1.1.1
tacacs-server host 192.168.109.216 port 9000
tacacs-server key cisco
radius-server host 192.168.109.216 auth-port 1650 acct-port 1651
radius-server key cisco
line con 0
exec-timeout 0 0
login authentication aaa7500kw
transport input none
line aux 0
transport input all
line vty 0 4

end

Example SSH on a Cisco 12000 Series Router

In the following example, SSH is configured on a Cisco 12000 with a timeout that is not to exceed 60 seconds
and no more than two authentication retries. Before the SSH server feature is configured on the router,
TACACS+ is specified as the method of authentication.

hostname Router12K
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication login aaa12000kw local
enable password password

username username1 password 0 password1

username username2 password 0 password2
redundancy
main-cpu
auto-sync startup-config
ip subnet-zero
no ip domain-lookup
ip domain-name cisco.com
! Enter ssh commands.
ip ssh timeout 60
ip ssh authentication-retries 2
interface ATM0/0
no ip address
no ip directed-broadcast
no ip route-cache cef
shutdown
interface POS1/0
ip address 10.100.100.2 255.255.255.0
no ip directed-broadcast
encapsulation ppp
no ip route-cache cef
no keepalive
crc 16
no cdp enable

interface POS1/1
no ip address
no ip directed-broadcast
no ip route-cache cef
shutdown
crc 32

interface POS1/2
no ip address
no ip directed-broadcast
no ip route-cache cef

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

9
Configuring Secure Shell
Example: Verifying SSH

shutdown
crc 32

interface POS1/3
no ip address
no ip directed-broadcast
no ip route-cache cef
shutdown
crc 32

interface POS2/0
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
encapsulation ppp
no ip route-cache cef
crc 16

interface Ethernet0
ip address 172.17.110.91 255.255.255.224
no ip directed-broadcast

router ospf 1
network 0.0.0.0 255.255.255.255 area 0.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.110.65

logging trap debugging

tacacs-server host 172.17.116.138
tacacs-server key cisco

radius-server host 172.17.116.138 auth-port 1650 acct-port 1651

radius-server key cisco

line con 0
exec-timeout 0 0
login authentication aaa12000kw
transport input none
line aux 0
line vty 0 4

no scheduler max-task-time
no exception linecard slot 0 sqe-registers
no exception linecard slot 1 sqe-registers
no exception linecard slot 2 sqe-registers
no exception linecard slot 3 sqe-registers
no exception linecard slot 4 sqe-registers
no exception linecard slot 5 sqe-registers
no exception linecard slot 6 sqe-registers
end

Example: Verifying SSH

Note Unless otherwise noted, the term “SSH” denotes “SSH Version 1” only.

To verify that the Secure Shell (SSH) server is enabled and to display the version and configuration data for
your SSH connection, use the show ip ssh command. The following example shows that SSH is enabled:

Device# show ip ssh

SSH Enabled - version 1.5

Authentication timeout: 120 secs; Authentication retries: 3
The following example shows that SSH is disabled:

Device# show ip ssh

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

10
Configuring Secure Shell
Additional References

%SSH has not been enabled

To verify the status of your SSH server connections, use the show ssh command. The following example
shows the SSH server connections on the device when SSH is enabled:

Device# show ssh

Connection Version Encryption State Username

0 1.5 3DES Session Started guest
The following example shows that SSH is disabled:

Device# show ssh

%No SSH server connections running.

Additional References
Related Documents

Authentication, authorization, and accounting (AAA) Authentication, Authorization, and Accounting

Configuration Guide

IPsec “IPsec and Quality of Service” module

SSH Version 2 “Secure Shell Version 2 Support” module

Downloading a software image Loading and Managing System Images Configuration

Guide

Technical Assistance

Description Link
The Cisco Support and Documentation website http://www.cisco.com/cisco/web/support/index.html
provides online resources to download documentation,
software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies.
Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID
and password.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

11
Configuring Secure Shell
Feature Information for Configuring Secure Shell

Feature Information for Configuring Secure Shell

The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1: Feature Information for Configuring Secure Shell

Feature Name Releases Feature Information

Secure Shell Cisco IOS 12.0(5)S The Secure Shell (SSH) feature is
an application and a protocol that
Cisco IOS 12.1(1)T
provides a secure replacement to
Cisco IOS 15.1(1)SY the Berkeley r-tools. The protocol
secures sessions using standard
cryptographic mechanisms, and the
application can be used similarly
to the Berkeley rexec and rsh tools.
Two versions of SSH are available:
SSH Version 1 and SSH Version
2. This document describes SSH
Version 1.
This document also includes
information about the Secure Shell
SSH Version 1 Integrated Client
feature and the Secure Shell SSH
Version 1 Server Support feature.
Both features are part of the Secure
Shell functionality.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

12
CHAPTER 2
Reverse SSH Enhancements
The Reverse SSH Enhancements feature, which is supported for SSH Version 1 and 2, provides an alternative
way to configure reverse Secure Shell (SSH) so that separate lines do not need to be configured for every
terminal or auxiliary line on which SSH must be enabled. This feature also eliminates the rotary-group
limitation.

• Finding Feature Information, page 13

• Prerequisites for Reverse SSH Enhancements, page 13
• Restrictions for Reverse SSH Enhancements, page 14
• Information About Reverse SSH Enhancements, page 14
• How to Configure Reverse SSH Enhancements, page 14
• Configuration Examples for Reverse SSH Enhancements, page 20
• Additional References, page 21
• Feature Information for Reverse SSH Enhancements, page 21

Finding Feature Information

Prerequisites for Reverse SSH Enhancements

• SSH must be enabled.
• The SSH client and server must be running the same version of SSH.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

13
Reverse SSH Enhancements
Restrictions for Reverse SSH Enhancements

Restrictions for Reverse SSH Enhancements

• The -l keyword and userid :{number} {ip-address} delimiter and arguments are mandatory when
configuring the alternative method of Reverse SSH for console access.

Information About Reverse SSH Enhancements

Reverse Telnet
Reverse telnet allows you to telnet to a certain port range and connect to terminal or auxiliary lines. Reverse
telnet has often been used to connect a Cisco device that has many terminal lines to the consoles of other
Cisco devices. Telnet makes it easy to reach the device console from anywhere simply by telnet to the terminal
server on a specific line. This telnet approach can be used to configure a device even if all network connectivity
to that device is disconnected. Reverse telnet also allows modems that are attached to Cisco devices to be
used for dial-out (usually with a rotary device).

Reverse SSH
Reverse telnet can be accomplished using SSH. Unlike reverse telnet, SSH provides for secure connections.
The Reverse SSH Enhancements feature provides you with a simplified method of configuring SSH. Using
this feature, you no longer have to configure a separate line for every terminal or auxiliary line on which you
want to enable SSH. The previous method of configuring reverse SSH limited the number of ports that can
be accessed to 100. The Reverse SSH Enhancements feature removes the port number limitation. For
information on the alternative method of configuring reverse SSH, see How to Configure Reverse SSH
Enhancements, on page 14.”

How to Configure Reverse SSH Enhancements

Configuring Reverse SSH for Console Access

To configure reverse SSH console access on the SSH server, perform the following steps.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

14
Reverse SSH Enhancements
Configuring Reverse SSH for Console Access

SUMMARY STEPS

1. enable
2. configure terminal
3. line line-number ending-line-number
4. no exec
5. login authentication listname
6. transport input ssh
7. exit
8. exit
9. ssh -l userid : {number} {ip-address}

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 line line-number ending-line-number Identifies a line for configuration and enters line configuration mode.

Example:
Device# line 1 3

Step 4 no exec Disables EXEC processing on a line.

Example:
Device(config-line)# no exec

Step 5 login authentication listname Defines a login authentication mechanism for the lines.
Note The authentication method must use a username and
Example: password.
Device(config-line)# login
authentication default

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

15
Reverse SSH Enhancements
Configuring Reverse SSH for Modem Access

Command or Action Purpose

Step 6 transport input ssh Defines which protocols to use to connect to a specific line of the
device.
Example: • The ssh keyword must be used for the Reverse SSH
Device(config-line)# transport input ssh Enhancements feature.

Step 7 exit Exits line configuration mode.

Example:
Device(config-line)# exit

Step 8 exit Exits global configuration mode.

Example:
Device(config)# exit

Step 9 ssh -l userid : {number} {ip-address} Specifies the user ID to use when logging in on the remote
networking device that is running the SSH server.
Example: • userid --User ID.
Device# ssh -l lab:1 router.example.com
• : --Signifies that a port number and terminal IP address will
follow the userid argument.
• number --Terminal or auxiliary line number.
• ip-address --Terminal server IP address.

Note The userid argument and :rotary{number}{ip-address}

delimiter and arguments are mandatory when configuring
the alternative method of Reverse SSH for modem access.

Configuring Reverse SSH for Modem Access

To configure Reverse SSH for modem access, perform the steps shown in the “SUMMARY STEPS” section
below.
In this configuration, reverse SSH is being configured on a modem used for dial-out lines. To get any of the
dial-out modems, you can use any SSH client and start a SSH session as shown (in Step 10) to get to the next
available modem from the rotary device.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

16
Reverse SSH Enhancements
Configuring Reverse SSH for Modem Access

SUMMARY STEPS

1. enable
2. configure terminal
3. line line-number ending-line-number
4. no exec
5. login authentication listname
6. rotary group
7. transport input ssh
8. exit
9. exit
10. ssh -l userid :rotary {number} {ip-address}

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 line line-number ending-line-number Identifies a line for configuration and enters line configuration mode.

Example:
Device# line 1 200

Step 4 no exec Disables EXEC processing on a line.

Example:
Device(config-line)# no exec

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

17
Reverse SSH Enhancements
Troubleshooting Reverse SSH on the Client

Command or Action Purpose

Step 6 rotary group Defines a group of lines consisting of one or more virtual terminal
lines or one auxiliary port line.
Example:
Device(config-line)# rotary 1

Step 7 transport input ssh Defines which protocols to use to connect to a specific line of the
device.
Example: • The ssh keyword must be used for the Reverse SSH
Device(config-line)# transport input ssh Enhancements feature.

Step 8 exit Exits line configuration mode.

Example:
Device(config-line)# exit

Step 9 exit Exits global configuration mode.

Example:
Device(config)# exit

Step 10 ssh -l userid :rotary {number} {ip-address} Specifies the user ID to use when logging in on the remote
networking device that is running the SSH server.
Example: • userid --User ID.
Device# ssh -l lab:rotary1
router.example.com • : --Signifies that a port number and terminal IP address will
follow the userid argument.
• number --Terminal or auxiliary line number.
• ip-address --Terminal server IP address.

Note The userid argument and :rotary{number}{ip-address}

delimiter and arguments are mandatory when configuring
the alternative method of Reverse SSH for modem access.

Troubleshooting Reverse SSH on the Client

To troubleshoot the reverse SSH configuration on the client (remote device), perform the following steps.

SUMMARY STEPS

1. enable
2. debug ip ssh client

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

18
Reverse SSH Enhancements
Troubleshooting Reverse SSH on the Server

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 debug ip ssh client Displays debugging messages for the SSH client.

Example:
Device# debug ip ssh client

Troubleshooting Reverse SSH on the Server

To troubleshoot the reverse SSH configuration on the terminal server, perform the following steps. The steps
may be configured in any order or independent of one another.

SUMMARY STEPS

1. enable
2. debug ip ssh
3. show ssh
4. show line

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 debug ip ssh Displays debugging messages for the SSH server.

Example:
Device# debug ip ssh

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

19
Reverse SSH Enhancements
Configuration Examples for Reverse SSH Enhancements

Command or Action Purpose

Step 3 show ssh Displays the status of the SSH server connections.

Example:
Device# show ssh

Step 4 show line Displays parameters of a terminal line.

Example:
Device# show line

Configuration Examples for Reverse SSH Enhancements

Example Reverse SSH Console Access

The following configuration example shows that reverse SSH has been configured for console access for
terminal lines 1 through 3:

Terminal Server Configuration

line 1 3
no exec
login authentication default
transport input ssh

Client Configuration
The following commands configured on the SSH client will form the reverse SSH session with lines 1, 2, and
3, respectively:

ssh -l lab:1 router.example.com

ssh -l lab:2 router.example.com
ssh -l lab:3 router.example.com

Example Reverse SSH Modem Access

The following configuration example shows that dial-out lines 1 through 200 have been grouped under rotary
group 1 for modem access:

line 1 200
no exec
login authentication default
rotary 1
transport input ssh
exit

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

20
Reverse SSH Enhancements
Additional References

The following command shows that reverse SSH will connect to the first free line in the rotary group:

ssh -l lab:rotary1 router.example.com

Additional References

Related Documents
Related Topic Document Title
Cisco IOS commands Cisco IOS Master Commands List, All Releases

Configuring Secure Shell Secure Shell Configuration Guide

Security commands Cisco IOS Security Command Reference

Technical Assistance
Description Link
The Cisco Support and Documentation website http://www.cisco.com/cisco/web/support/index.html
provides online resources to download documentation,
software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies.
Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID
and password.

Feature Information for Reverse SSH Enhancements

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

21
Reverse SSH Enhancements
Feature Information for Reverse SSH Enhancements

Table 2: Feature Information for Reverse SSH Enhancements

Feature Name Releases Feature Information

Reverse SSH Enhancements Cisco IOS 12.2(33)SRD The Reverse SSH Enhancements
feature, which is supported for SSH
Cisco IOS 12.2(33)SXI
Version 1 and 2, provides an
Cisco IOS 12.3(11)T alternative way to configure
reverse Secure Shell (SSH) so that
separate lines do not need to be
configured for every terminal or
auxiliary line on which SSH must
be enabled. This feature also
eliminates the rotary-group
limitation.
The following command was
introduced: ssh.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

22
CHAPTER 3
Secure Copy
The Secure Copy (SCP) feature provides a secure and authenticated method for copying device configurations
or device image files. SCP relies on Secure Shell (SSH), an application and protocol that provide a secure
replacement for the Berkeley r-tools suite (Berkeley university’s own set of networking applications). This
document provides the procedure to configure a Cisco device for SCP server-side functionality.

• Finding Feature Information, page 23

• Prerequisites for Secure Copy, page 23
• Information About Secure Copy, page 24
• How to Configure Secure Copy, page 24
• Configuration Examples for Secure Copy, page 26
• Additional References, page 27
• Feature Information for Secure Copy, page 27
• Glossary, page 28

Finding Feature Information

Prerequisites for Secure Copy

• Before enabling Secure Copy (SCP), you must correctly configure Secure Shell (SSH), authentication,
and authorization on the device.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

23
Secure Copy
Information About Secure Copy

• Because SCP relies on SSH for its secure transport, the device must have a Rivest, Shamir, and Adelman
(RSA) key pair.

Information About Secure Copy

How Secure Copy Works

The behavior of Secure Copy (SCP) is similar to that of remote copy (RCP), which comes from the Berkeley
r-tools suite (Berkeley university’s own set of networking applications), except that SCP relies on Secure
Shell (SSH) for security. In addition, SCP requires that authentication, authorization, and accounting (AAA)
authorization be configured so that the device can determine whether the user has the correct privilege level.
SCP allows a user with appropriate authorization to copy any file that exists in the Cisco IOS File System
(IFS) to and from a device by using the copy command. An authorized administrator may also perform this
action from a workstation.

Note Enable the SCP option while using the pscp.exe file with the Cisco software.

How to Configure Secure Copy

Configuring Secure Copy

To configure a Cisco device for Secure Copy (SCP) server-side functionality, perform the following steps.

SUMMARY STEPS

1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login {default | list-name} method1 [ method2... ]
5. aaa authorization {network | exec | commands level | reverse-access | configuration} {default |
list-name} [method1 [ method2... ]]
6. username name [privilege level] password encryption-type encrypted-password
7. ip scp server enable
8. exit
9. show running-config
10. debug ip scp

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

24
Secure Copy
Configuring Secure Copy

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 aaa new-model Sets AAA authentication at login.

Example:
Device(config)# aaa new-model

Step 4 aaa authentication login {default | list-name} method1 Enables the AAA access control system.
[ method2... ]

Example:
Device(config)# aaa authentication login default
group tacacs+

Step 5 aaa authorization {network | exec | commands level | Sets parameters that restrict user access to a network.
reverse-access | configuration} {default | list-name} Note The exec keyword runs authorization to
[method1 [ method2... ]] determine if the user is allowed to run an EXEC
shell; therefore, you must use the exec keyword
Example: when you configure SCP.
Device(config)# aaa authorization exec default
group tacacs+

Step 6 username name [privilege level] password Establishes a username-based authentication system.
encryption-type encrypted-password Note You may omit this step if a network-based
authentication mechanism, such as TACACS+
Example: or RADIUS, has been configured.
Device(config)# username superuser privilege 2
password 0 superpassword

Step 7 ip scp server enable Enables SCP server-side functionality.

Example:
Device(config)# ip scp server enable

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

25
Secure Copy
Configuration Examples for Secure Copy

Command or Action Purpose

Step 8 exit Exits global configuration mode and returns to privileged
EXEC mode.
Example:
Device(config)# exit

Step 9 show running-config (Optional) Displays the SCP server-side functionality.

Example:
Device# show running-config

Step 10 debug ip scp (Optional) Troubleshoots SCP authentication problems.

Example:
Device# debug ip scp

Configuration Examples for Secure Copy

Example: Secure Copy Configuration Using Local Authentication

The following example shows how to configure the server-side functionality of Secure Copy (SCP). This
example uses a locally defined username and password.

! AAA authentication and authorization must be configured properly in order for SCP to work.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username user1 privilege 15 password 0 lab
! SSH must be configured and functioning properly.
ip scp server enable

Example: Secure Copy Configuration Using Network-Based Authentication

The following example shows how to configure the server-side functionality of Secure Copy (SCP) using a
network-based authentication mechanism:

! AAA authentication and authorization must be configured properly in order for SCP to work.

aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
! SSH must be configured and functioning properly.
ip scp server enable

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

26
Secure Copy
Additional References

Additional References
Related Documents

Secure Shell Version 1 and 2 support Secure Shell Configuration Guide

Authentication and authorization commands Cisco IOS Security Command Reference: Commands
A to C

Configuring authentication and authorization Authentication, Authorization, and Accounting

Configuration Guide

Technical Assistance

Feature Information for Secure Copy

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

27
Secure Copy
Glossary

Table 3: Feature Information for Secure Copy

Feature Name Releases Feature Information

Secure Copy Cisco IOS 12.0(21)S The Secure Copy (SCP) feature
provides a secure and authenticated
Cisco IOS 12.2(2)T
method for copying device
Cisco IOS 12.2(25)S configurations or device image
files. SCP relies on Secure Shell
(SSH), an application and protocol
that provide a secure replacement
for the Berkeley r-tools suite.
The following commands were
introduced or modified: debug ip
scp, ip scp server enable.

Glossary
AAA—authentication, authorization, and accounting. A framework of security services that provide the
method for identifying users (authentication), for remote access control (authorization), and for collecting and
sending security server information used for billing, auditing, and reporting (accounting).
RCP—remote copy. Relies on Remote Shell (Berkeley r-tools suite) for security; RCP copies files such as
device images and startup configurations to and from devices.
SCP—secure copy. Relies on SSH for security; SCP support allows secure and authenticated copying of
anything that exists in the Cisco IOS File System (IFS). SCP is derived from RCP.
SSH—Secure Shell. An application and protocol that provide a secure replacement for the Berkeley r-tools
suite. The protocol secures the sessions using standard cryptographic mechanisms, and the application can
be used similar to the Berkeley rexec and rsh tools. SSH Version 1 is implemented in the Cisco software.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

28
CHAPTER 4
Secure Shell Version 2 Support
The Secure Shell Version 2 Support feature allows you to configure Secure Shell (SSH) Version 2. (SSH
Version 1 support was implemented in an earlier Cisco software release.) SSH runs on top of a reliable
transport layer and provides strong authentication and encryption capabilities. The only reliable transport
that is defined for SSH is TCP. SSH provides a means to securely access and securely execute commands
on another computer over a network. The Secure Copy Protocol (SCP) feature that is provided with SSH
allows for the secure transfer of files.

• Finding Feature Information, page 29

• Prerequisites for Secure Shell Version 2 Support, page 30
• Restrictions for Secure Shell Version 2 Support, page 30
• Information About Secure Shell Version 2 Support, page 30
• How to Configure Secure Shell Version 2 Support, page 33
• Configuration Examples for Secure Shell Version 2 Support, page 49
• Where to Go Next, page 54
• Additional References for Secure Shell Version 2 Support, page 54
• Feature Information for Secure Shell Version 2 Support, page 55

Finding Feature Information

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

29
Secure Shell Version 2 Support
Prerequisites for Secure Shell Version 2 Support

Prerequisites for Secure Shell Version 2 Support

• Before configuring SSH, ensure that the required image is loaded on your device. The SSH server
requires you to have a k9 (Triple Data Encryption Standard [3DES]) software image depending on your
release.
• You have to use a SSH remote device that supports SSH Version 2 and connect to a Cisco device.
• SCP relies on authentication, authorization, and accounting (AAA) to function correctly. Therefore,
AAA must be configured on the device to enable the secure copy protocol on the SSH Server.

Note The SSH Version 2 server and the SSH Version 2 client are supported on your Cisco software, depending
on your release. (The SSH client runs both the SSH Version 1 protocol and the SSH Version 2 protocol.
The SSH client is supported in both k8 and k9 images depending on your release.)

For more information about downloading a software image, refer to the Configuration Fundamentals
Configuration Guide.

Restrictions for Secure Shell Version 2 Support

• Secure Shell (SSH) servers and SSH clients are supported in Triple Data Encryption Standard (3DES)
software images.
• Execution Shell, remote command execution, and Secure Copy Protocol (SCP) are the only applications
supported.
• Rivest, Shamir, and Adleman (RSA) key generation is an SSH server-side requirement. Devices that
act as SSH clients need not generate RSA keys.
• The RSA key pair size must be greater than or equal to 768 bits.
• The following features are not supported:
• Port forwarding
• Compression

Information About Secure Shell Version 2 Support

Secure Shell Version 2

The Secure Shell Version 2 Support feature allows you to configure SSH Version 2.
The configuration for the SSH Version 2 server is similar to the configuration for SSH Version 1. The ip ssh
version command defines the SSH version to be configured. If you do not configure this command, SSH by
default runs in compatibility mode; that is, both SSH Version 1 and SSH Version 2 connections are honored.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

30
Secure Shell Version 2 Support
Secure Shell Version 2 Enhancements

Note SSH Version 1 is a protocol that has never been defined in a standard. If you do not want your device to
fall back to the undefined protocol (Version 1), you should use the ip ssh version command and specify
Version 2.

The ip ssh rsa keypair-name command enables an SSH connection using the Rivest, Shamir, and Adleman
(RSA) keys that you have configured. Previously, SSH was linked to the first RSA keys that were generated
(that is, SSH was enabled when the first RSA key pair was generated). This behavior still exists, but by using
the ip ssh rsa keypair-name command, you can overcome this behavior. If you configure the ip ssh rsa
keypair-name command with a key pair name, SSH is enabled if the key pair exists or SSH will be enabled
if the key pair is generated later. If you use this command to enable SSH, you are not forced to configure a
hostname and a domain name, which was required in SSH Version 1 of the Cisco software.

Note The login banner is supported in SSH Version 2, but it is not supported in Secure Shell Version 1.

Secure Shell Version 2 Enhancements

The SSH Version 2 Enhancements feature includes a number of additional capabilities such as supporting
Virtual Routing and Forwarding (VRF)-Aware SSH, SSH debug enhancements, and Diffie-Hellman (DH)
group exchange support.

Note The VRF-Aware SSH feature is supported depending on your release.

The Cisco SSH implementation has traditionally used 768-bit modulus, but with an increasing need for higher
key sizes to accommodate DH Group 14 (2048 bits) and Group 16 (4096 bits) cryptographic applications, a
message exchange between the client and the server to establish the favored DH group becomes necessary.
The ip ssh dh min size command configures the modulus size on the SSH server. In addition to this, the ssh
command was extended to add VRF awareness to the SSH client-side functionality through which the VRF
instance name in the client is provided with the IP address to look up the correct routing table and establish
a connection.
Debugging was enhanced by modifying SSH debug commands. The debug ip ssh command was extended
to simplify the debugging process. Before the simplification of the debugging process, this command printed
all debug messages related to SSH regardless of what was specifically required. The behavior still exists, but
if you configure the debug ip ssh command with a keyword, messages are limited to information specified
by the keyword.

Secure Shell Version 2 Enhancements for RSA Keys

Cisco SSH Version 2 supports keyboard-interactive and password-based authentication methods. The SSH
Version 2 Enhancements for RSA Keys feature also supports RSA-based public key authentication for the
client and the server.
User authentication—RSA-based user authentication uses a private/public key pair associated with each user
for authentication. The user must generate a private/public key pair on the client and configure a public key
on the Cisco SSH server to complete the authentication.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

31
Secure Shell Version 2 Support
SNMP Trap Generation

An SSH user trying to establish credentials provides an encrypted signature using the private key. The signature
and the user’s public key are sent to the SSH server for authentication. The SSH server computes a hash over
the public key provided by the user. The hash is used to determine if the server has a matching entry. If a
match is found, an RSA-based message verification is performed using the public key. Hence, the user is
authenticated or denied access based on the encrypted signature.
Server authentication—While establishing an SSH session, the Cisco SSH client authenticates the SSH server
by using the server host keys available during the key exchange phase. SSH server keys are used to identify
the SSH server. These keys are created at the time of enabling SSH and must be configured on the client.
For server authentication, the Cisco SSH client must assign a host key for each server. When the client tries
to establish an SSH session with a server, the client receives the signature of the server as part of the key
exchange message. If the strict host key checking flag is enabled on the client, the client checks if it has the
host key entry corresponding to the server. If a match is found, the client tries to validate the signature by
using the server host key. If the server is successfully authenticated, the session establishment continues;
otherwise, it is terminated and displays a “Server Authentication Failed” message.

Note Storing public keys on a server uses memory; therefore, the number of public keys configurable on an
SSH server is restricted to ten users, with a maximum of two public keys per user.

Note RSA-based user authentication is supported by the Cisco server, but Cisco clients cannot propose public
key as an authentication method. If the Cisco server receives a request from an open SSH client for
RSA-based authentication, the server accepts the authentication request.

Note For server authentication, configure the RSA public key of the server manually and configure the ip ssh
stricthostkeycheck command on the Cisco SSH client.

SNMP Trap Generation

Depending on your release, Simple Network Management Protocol (SNMP) traps are generated automatically
when an SSH session terminates if the traps have been enabled and SNMP debugging has been enabled. For
information about enabling SNMP traps, see the “Configuring SNMP Support” module in the SNMP
Configuration Guide.

Note When you configure the snmp-server host command, the IP address must be the address of the PC that
has the SSH (telnet) client and that has IP connectivity to the SSH server. For an example of an SNMP
trap generation configuration, see the “Example: Setting an SNMP Trap section.

You must also enable SNMP debugging using the debug snmp packet command to display the traps. The
trap information includes information such as the number of bytes sent and the protocol that was used for the
SSH session. For an example of SNMP debugging, see the “ Example: SNMP Debugging section.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

32
Secure Shell Version 2 Support
SSH Keyboard Interactive Authentication

SSH Keyboard Interactive Authentication

The SSH Keyboard Interactive Authentication feature, also known as Generic Message Authentication for
SSH, is a method that can be used to implement different types of authentication mechanisms. Basically, any
currently supported authentication method that requires only user input can be performed with this feature.
The feature is automatically enabled.
The following methods are supported:
• Password
• SecurID and hardware tokens printing a number or a string in response to a challenge sent by the server
• Pluggable Authentication Module (PAM)
• S/KEY (and other One-Time-Pads)

For examples of various scenarios in which the SSH Keyboard Interactive Authentication feature has been
automatically enabled, see the “Examples: SSH Keyboard Interactive Authentication, on page 50” section.

How to Configure Secure Shell Version 2 Support

Configuring a Device for SSH Version 2 Using a Hostname and Domain Name
SUMMARY STEPS

1. enable
2. configure terminal
3. hostname name
4. ip domain-name name
5. crypto key generate rsa
6. ip ssh [time-out seconds | authentication-retries integer]
7. ip ssh version [1 | 2]
8. exit

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

33
Secure Shell Version 2 Support
Configuring a Device for SSH Version 2 Using a Hostname and Domain Name

Command or Action Purpose

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 hostname name Configures a hostname for your device.

Example:
Device(config)# hostname cisco7200

Step 4 ip domain-name name Configures a domain name for your device.

Example:
cisco7200(config)# ip domain-name example.com

Step 5 crypto key generate rsa Enables the SSH server for local and remote
authentication.
Example:
cisco7200(config)# crypto key generate rsa

Step 6 ip ssh [time-out seconds | authentication-retries (Optional) Configures SSH control variables on your
integer] device.

Example:
cisco7200(config)# ip ssh time-out 120

Step 7 ip ssh version [1 | 2] (Optional) Specifies the version of SSH to be run on your
device.
Example:
cisco7200(config)# ip ssh version 1

Step 8 exit Exits global configuration mode and enters privileged

EXEC mode.
Example: • Use no hostname command to return to the default
cisco7200(config)# exit host.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

34
Secure Shell Version 2 Support
Configuring a Device for SSH Version 2 Using RSA Key Pairs

Configuring a Device for SSH Version 2 Using RSA Key Pairs

SUMMARY STEPS

1. enable
2. configure terminal
3. ip ssh rsa keypair-name keypair-name
4. crypto key generate rsa usage-keys label key-label modulus modulus-size
5. ip ssh [time-out seconds | authentication-retries integer]
6. ip ssh version 2
7. exit

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 ip ssh rsa keypair-name keypair-name Specifies the RSA key pair to be used for SSH.
Note A Cisco device can have many RSA key
Example: pairs.
Device(config)# ip ssh rsa keypair-name
sshkeys

Step 4 crypto key generate rsa usage-keys label Enables the SSH server for local and remote authentication
key-label modulus modulus-size on the device.
• For SSH Version 2, the modulus size must be at least
Example: 768 bits.
Device(config)# crypto key generate rsa
usage-keys label sshkeys modulus 768 Note To delete the RSA key pair, use the crypto key
zeroize rsa command. When you delete the RSA
key pair, you automatically disable the SSH server.
Step 5 ip ssh [time-out seconds | authentication-retries Configures SSH control variables on your device.
integer]

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

35
Secure Shell Version 2 Support
Configuring the Cisco SSH Server to Perform RSA-Based User Authentication

Command or Action Purpose

Example:
Device(config)# ip ssh time-out 12

Step 6 ip ssh version 2 Specifies the version of SSH to be run on the device.

Example:
Device(config)# ip ssh version 2

Step 7 exit Exits global configuration mode and enters privileged EXEC
mode.
Example:
Device(config)# exit

Configuring the Cisco SSH Server to Perform RSA-Based User Authentication

SUMMARY STEPS

1. enable
2. configure terminal
3. hostname name
4. ip domain-name name
5. crypto key generate rsa
6. ip ssh pubkey-chain
7. username username
8. key-string
9. key-hash key-type key-name
10. end

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

36
Secure Shell Version 2 Support
Configuring the Cisco SSH Server to Perform RSA-Based User Authentication

Command or Action Purpose

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 hostname name Specifies the hostname.

Example:
Device(config)# hostname host1

Step 4 ip domain-name name Defines a default domain name that the Cisco software uses to complete
unqualified hostnames.
Example:
host1(config)# ip domain-name name1

Step 5 crypto key generate rsa Generates RSA key pairs.

Example:
host1(config)# crypto key generate rsa

Step 6 ip ssh pubkey-chain Configures SSH-RSA keys for user and server authentication on the
SSH server and enters public-key configuration mode.
Example: • The user authentication is successful if the RSA public key stored
host1(config)# ip ssh pubkey-chain on the server is verified with the public or the private key pair
stored on the client.

Step 7 username username Configures the SSH username and enters public-key user configuration
mode.
Example:
host1(conf-ssh-pubkey)# username user1

Step 8 key-string Specifies the RSA public key of the remote peer and enters public-key
data configuration mode.
Example: Note You can obtain the public key value from an open SSH client;
host1(conf-ssh-pubkey-user)# that is, from the .ssh/id_rsa.pub file.
key-string

Step 9 key-hash key-type key-name (Optional) Specifies the SSH key type and version.
• The key type must be ssh-rsa for the configuration of private public
Example: key pairs.
host1(conf-ssh-pubkey-data)# key-hash
ssh-rsa key1 • This step is optional only if the key-string command is configured.
• You must configure either the key-string command or the
key-hash command.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

37
Secure Shell Version 2 Support
Configuring the Cisco IOS SSH Client to Perform RSA-Based Server Authentication

Command or Action Purpose

Note You can use a hashing software to compute the hash of the
public key string, or you can also copy the hash value from
another Cisco device. Entering the public key data using the
key-string command is the preferred way to enter the public
key data for the first time.
Step 10 end Exits public-key data configuration mode and returns to privileged
EXEC mode.
Example: • Use no hostname command to return to the default host.
host1(conf-ssh-pubkey-data)# end

Configuring the Cisco IOS SSH Client to Perform RSA-Based Server

Authentication
SUMMARY STEPS

1. enable
2. configure terminal
3. hostname name
4. ip domain-name name
5. crypto key generate rsa
6. ip ssh pubkey-chain
7. server server-name
8. key-string
9. exit
10. key-hash key-type key-name
11. end
12. configure terminal
13. ip ssh stricthostkeycheck

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

38
Secure Shell Version 2 Support
Configuring the Cisco IOS SSH Client to Perform RSA-Based Server Authentication

Command or Action Purpose

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 hostname name Specifies the hostname.

Example:
Device(config)# hostname host1

Step 4 ip domain-name name Defines a default domain name that the Cisco software uses to
complete unqualified hostnames.
Example:
host1(config)# ip domain-name name1

Step 5 crypto key generate rsa Generates RSA key pairs.

Example:
host1(config)# crypto key generate rsa

Step 6 ip ssh pubkey-chain Configures SSH-RSA keys for user and server authentication on the
SSH server and enters public-key configuration mode.
Example:
host1(config)# ip ssh pubkey-chain

Step 7 server server-name Enables the SSH server for public-key authentication on the device
and enters public-key server configuration mode.
Example:
host1(conf-ssh-pubkey)# server server1

Step 8 key-string Specifies the RSA public-key of the remote peer and enters public
key data configuration mode.
Example: Note You can obtain the public key value from an open SSH
host1(conf-ssh-pubkey-server)# client; that is, from the .ssh/id_rsa.pub file.
key-string

Step 9 exit Exits public-key data configuration mode and enters public-key server
configuration mode.
Example:
host1(conf-ssh-pubkey-data)# exit

Step 10 key-hash key-type key-name (Optional) Specifies the SSH key type and version.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

39
Secure Shell Version 2 Support
Starting an Encrypted Session with a Remote Device

Command or Action Purpose

• The key type must be ssh-rsa for the configuration of
Example: private/public key pairs.

host1(conf-ssh-pubkey-server)# key-hash • This step is optional only if the key-string command is

ssh-rsa key1 configured.
• You must configure either the key-string command or the
key-hash command.

Note You can use a hashing software to compute the hash of the
public key string, or you can copy the hash value from
another Cisco device. Entering the public key data using the
key-string command is the preferred way to enter the public
key data for the first time.
Step 11 end Exits public-key server configuration mode and returns to privileged
EXEC mode.
Example:
host1(conf-ssh-pubkey-server)# end

Step 12 configure terminal Enters global configuration mode.

Example:
host1# configure terminal

Step 13 ip ssh stricthostkeycheck Ensures that server authentication takes place.

• The connection is terminated in case of a failure.
Example:
host1(config)# ip ssh stricthostkeycheck • Use no hostname command to return to the default host.

Starting an Encrypted Session with a Remote Device

Note The device with which you want to connect must support a Secure Shell (SSH) server that has an encryption
algorithm that is supported in Cisco software. Also, you need not enable your device. SSH can be run in
disabled mode.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

40
Secure Shell Version 2 Support
Enabling Secure Copy Protocol on the SSH Server

SUMMARY STEPS

1. ssh [-v {1 | 2} | -c {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des | aes192-cbc | aes256-cbc} |

-l user-id | -l user-id:vrf-name number ip-address ip-address | -l user-id:rotary number ip-address | -m
{hmac-md5-128 | hmac-md5-96 | hmac-sha1-160 | hmac-sha1-96} | -o numberofpasswordprompts
n | -p port-num] {ip-addr | hostname} [command | -vrf]

DETAILED STEPS

Command or Action Purpose

Step 1 ssh [-v {1 | 2} | -c {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des | aes192-cbc Starts an encrypted session with a
| aes256-cbc} | -l user-id | -l user-id:vrf-name number ip-address ip-address | -l remote networking device.
user-id:rotary number ip-address | -m {hmac-md5-128 | hmac-md5-96 |
hmac-sha1-160 | hmac-sha1-96} | -o numberofpasswordprompts n | -p port-num]
{ip-addr | hostname} [command | -vrf]

Example:
Device# ssh -v 2 -c aes256-ctr -m hmac-sha1-96 -l user2 10.76.82.24

Troubleshooting Tips
The ip ssh version command can be used for troubleshooting your SSH configuration. By changing versions,
you can determine the SSH version that has a problem.

Enabling Secure Copy Protocol on the SSH Server

Note The following task configures the server-side functionality for SCP. This task shows a typical configuration
that allows the device to securely copy files from a remote workstation.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

41
Secure Shell Version 2 Support
Enabling Secure Copy Protocol on the SSH Server

SUMMARY STEPS

1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login default local
5. aaa authorization exec defaultlocal
6. usernamename privilege privilege-level password password
7. ip ssh time-outseconds
8. ip ssh authentication-retries integer
9. ip scpserverenable
10. exit
11. debug ip scp

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 aaa new-model Enables the AAA access control model.

Example:
Device(config)# aaa new-model

Step 4 aaa authentication login default local Sets AAA authentication at login to use the local username
database for authentication.
Example:
Device(config)# aaa authentication login
default local

Step 5 aaa authorization exec defaultlocal Sets the parameters that restrict user access to a network, runs
the authorization to determine if the user ID is allowed to run
Example: an EXEC shell, and specifies that the system must use the local
database for authorization.
Device(config)# aaa authorization exec
default local

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

42
Secure Shell Version 2 Support
Enabling Secure Copy Protocol on the SSH Server

Command or Action Purpose

Step 6 usernamename privilege privilege-level password Establishes a username-based authentication system, and
password specifies the username, privilege level, and an unencrypted
password.
Example: Note The minimum value for the privilege-level argument
Device(config)# username samplename is 15. A privilege level of less than 15 results in the
privilege 15 password password1 connection closing.

Step 7 ip ssh time-outseconds Sets the time interval (in seconds) that the device waits for the
SSH client to respond.
Example:
Device(config)# ip ssh time-out 120

Step 8 ip ssh authentication-retries integer Sets the number of authentication attempts after which the
interface is reset.
Example:
Device(config)# ip ssh
authentication-retries 3

Step 9 ip scpserverenable Enables the device to securely copy files from a remote
workstation.
Example:
Device(config)# ip scp server enable

Step 10 exit Exits global configuration mode and returns to privileged EXEC
mode.
Example:
Device(config)# exit

Step 11 debug ip scp (Optional) Provides diagnostic information about SCP

authentication problems.
Example:
Device# debug ip scp

Troubleshooting Tips
To troubleshoot SCP authentication problems, use the debug ip scpcommand.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

43
Secure Shell Version 2 Support
Verifying the Status of the Secure Shell Connection

Verifying the Status of the Secure Shell Connection

SUMMARY STEPS

1. enable
2. show ssh
3. exit

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 show ssh Displays the status of SSH server connections.

Example:
Device# show ssh

Step 3 exit Exits privileged EXEC mode and returns to user EXEC mode.

Example:
Device# exit

Examples
The following sample output from the show ssh command displays status of various SSH Version 1 and
Version 2 connections for Version 1 and Version 2 connections:

-----------------------------------------------------------------------
Device# show ssh

Connection Version Encryption State Username

0 1.5 3DES Session started lab
Connection Version Mode Encryption Hmac State
Username
1 2.0 IN aes128-cbc hmac-md5 Session started lab
1 2.0 OUT aes128-cbc hmac-md5 Session started lab
-------------------------------------------------------------------------
The following sample output from the show ssh command displays status of various SSH Version 1 and
Version 2 connections for a Version 2 connection with no Version 1 connection:

-------------------------------------------------------------------------
Device# show ssh

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

44
Secure Shell Version 2 Support
Verifying the Secure Shell Status

Connection Version Mode Encryption Hmac State

Username
1 2.0 IN aes128-cbc hmac-md5 Session started lab
1 2.0 OUT aes128-cbc hmac-md5 Session started lab
%No SSHv1 server connections running.
-------------------------------------------------------------------------
The following sample output from the show ssh command displays status of various SSH Version 1 and
Version 2 connections for a Version 1 connection with no Version 2 connection:

-------------------------------------------------------------------------
Device# show ssh

Connection Version Encryption State Username

0 1.5 3DES Session started lab
%No SSHv2 server connections running.
-------------------------------------------------------------------------

Verifying the Secure Shell Status

SUMMARY STEPS

1. enable
2. show ip ssh
3. exit

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 show ip ssh Displays the version and configuration data for SSH.

Example:
Device# show ip ssh

Step 3 exit Exits privileged EXEC mode and returns to user EXEC mode.

Example:
Device# exit

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

45
Secure Shell Version 2 Support
Monitoring and Maintaining Secure Shell Version 2

Examples
The following sample output from the show ip ssh command displays the version of SSH that is enabled, the
authentication timeout values, and the number of authentication retries for Version 1 and Version 2 connections:

-----------------------------------------------------------------------
Device# show ip ssh

SSH Enabled - version 1.99

Authentication timeout: 120 secs; Authentication retries: 3
-----------------------------------------------------------------------
The following sample output from the show ip ssh command displays the version of SSH that is enabled, the
authentication timeout values, and the number of authentication retries for a Version 2 connection with no
Version 1 connection:

------------------------------------------------------------------------
Device# show ip ssh

SSH Enabled - version 2.0

Authentication timeout: 120 secs; Authentication retries: 3
------------------------------------------------------------------------
The following sample output from the show ip ssh command displays the version of SSH that is enabled, the
authentication timeout values, and the number of authentication retries for a Version 1 connection with no
Version 2 connection:

------------------------------------------------------------------------
Device# show ip ssh

3d06h: %SYS-5-CONFIG_I: Configured from console by console

SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
------------------------------------------------------------------------

Monitoring and Maintaining Secure Shell Version 2

SUMMARY STEPS

1. enable
2. debug ip ssh
3. debug snmp packet

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

46
Secure Shell Version 2 Support
Monitoring and Maintaining Secure Shell Version 2

Command or Action Purpose

Step 2 debug ip ssh Enables debugging of SSH.

Example:
Device# debug ip ssh

Step 3 debug snmp packet Enables debugging of every SNMP packet sent or received
by the device.
Example:
Device# debug snmp packet

Example
The following sample output from the debug ip ssh command shows the connection is an SSH Version 2
connection:

Device# debug ip ssh

00:33:55: SSH1: starting SSH control process

00:33:55: SSH1: sent protocol version id SSH-1.99-Cisco-1.25
00:33:55: SSH1: protocol version id is - SSH-2.0-OpenSSH_2.5.2p2
00:33:55: SSH2 1: send: len 280 (includes padlen 4)
00:33:55: SSH2 1: SSH2_MSG_KEXINIT sent
00:33:55: SSH2 1: ssh_receive: 536 bytes received
00:33:55: SSH2 1: input: packet len 632
00:33:55: SSH2 1: partial packet 8, need 624, maclen 0
00:33:55: SSH2 1: ssh_receive: 96 bytes received
00:33:55: SSH2 1: partial packet 8, need 624, maclen 0
00:33:55: SSH2 1: input: padlen 11
00:33:55: SSH2 1: received packet type 20
00:33:55: SSH2 1: SSH2_MSG_KEXINIT received
00:33:55: SSH2: kex: client->server aes128-cbc hmac-md5 none
00:33:55: SSH2: kex: server->client aes128-cbc hmac-md5 none
00:33:55: SSH2 1: expecting SSH2_MSG_KEXDH_INIT
00:33:55: SSH2 1: ssh_receive: 144 bytes received
00:33:55: SSH2 1: input: packet len 144
00:33:55: SSH2 1: partial packet 8, need 136, maclen 0
00:33:55: SSH2 1: input: padlen 5
00:33:55: SSH2 1: received packet type 30
00:33:55: SSH2 1: SSH2_MSG_KEXDH_INIT received
00:33:55: SSH2 1: signature length 111
00:33:55: SSH2 1: send: len 384 (includes padlen 7)
00:33:55: SSH2: kex_derive_keys complete
00:33:55: SSH2 1: send: len 16 (includes padlen 10)
00:33:55: SSH2 1: newkeys: mode 1
00:33:55: SSH2 1: SSH2_MSG_NEWKEYS sent
00:33:55: SSH2 1: waiting for SSH2_MSG_NEWKEYS
00:33:55: SSH2 1: ssh_receive: 16 bytes received
00:33:55: SSH2 1: input: packet len 16
00:33:55: SSH2 1: partial packet 8, need 8, maclen 0
00:33:55: SSH2 1: input: padlen 10
00:33:55: SSH2 1: newkeys: mode 0
00:33:55: SSH2 1: received packet type 2100:33:55: SSH2 1: SSH2_MSG_NEWKEYS received
00:33:56: SSH2 1: ssh_receive: 48 bytes received
00:33:56: SSH2 1: input: packet len 32
00:33:56: SSH2 1: partial packet 16, need 16, maclen 16
00:33:56: SSH2 1: MAC #3 ok
00:33:56: SSH2 1: input: padlen 10

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

47
Secure Shell Version 2 Support
Monitoring and Maintaining Secure Shell Version 2

00:33:56: SSH2 1: received packet type 5

00:33:56: SSH2 1: send: len 32 (includes padlen 10)
00:33:56: SSH2 1: done calc MAC out #3
00:33:56: SSH2 1: ssh_receive: 64 bytes received
00:33:56: SSH2 1: input: packet len 48
00:33:56: SSH2 1: partial packet 16, need 32, maclen 16
00:33:56: SSH2 1: MAC #4 ok
00:33:56: SSH2 1: input: padlen 9
00:33:56: SSH2 1: received packet type 50
00:33:56: SSH2 1: send: len 32 (includes padlen 13)
00:33:56: SSH2 1: done calc MAC out #4
00:34:04: SSH2 1: ssh_receive: 160 bytes received
00:34:04: SSH2 1: input: packet len 64
00:34:04: SSH2 1: partial packet 16, need 48, maclen 16
00:34:04: SSH2 1: MAC #5 ok
00:34:04: SSH2 1: input: padlen 13
00:34:04: SSH2 1: received packet type 50
00:34:04: SSH2 1: send: len 16 (includes padlen 10)
00:34:04: SSH2 1: done calc MAC out #5
00:34:04: SSH2 1: authentication successful for lab
00:34:04: SSH2 1: input: packet len 64
00:34:04: SSH2 1: partial packet 16, need 48, maclen 16
00:34:04: SSH2 1: MAC #6 ok
00:34:04: SSH2 1: input: padlen 6
00:34:04: SSH2 1: received packet type 2
00:34:04: SSH2 1: ssh_receive: 64 bytes received
00:34:04: SSH2 1: input: packet len 48
00:34:04: SSH2 1: partial packet 16, need 32, maclen 16
00:34:04: SSH2 1: MAC #7 ok
00:34:04: SSH2 1: input: padlen 19
00:34:04: SSH2 1: received packet type 90
00:34:04: SSH2 1: channel open request
00:34:04: SSH2 1: send: len 32 (includes padlen 10)
00:34:04: SSH2 1: done calc MAC out #6
00:34:04: SSH2 1: ssh_receive: 192 bytes received
00:34:04: SSH2 1: input: packet len 64
00:34:04: SSH2 1: partial packet 16, need 48, maclen 16
00:34:04: SSH2 1: MAC #8 ok
00:34:04: SSH2 1: input: padlen 13
00:34:04: SSH2 1: received packet type 98
00:34:04: SSH2 1: pty-req request
00:34:04: SSH2 1: setting TTY - requested: height 24, width 80; set: height 24,
width 80
00:34:04: SSH2 1: input: packet len 96
00:34:04: SSH2 1: partial packet 16, need 80, maclen 16
00:34:04: SSH2 1: MAC #9 ok
00:34:04: SSH2 1: input: padlen 11
00:34:04: SSH2 1: received packet type 98
00:34:04: SSH2 1: x11-req request
00:34:04: SSH2 1: ssh_receive: 48 bytes received
00:34:04: SSH2 1: input: packet len 32
00:34:04: SSH2 1: partial packet 16, need 16, maclen 16
00:34:04: SSH2 1: MAC #10 ok
00:34:04: SSH2 1: input: padlen 12
00:34:04: SSH2 1: received packet type 98
00:34:04: SSH2 1: shell request
00:34:04: SSH2 1: shell message received
00:34:04: SSH2 1: starting shell for vty
00:34:04: SSH2 1: send: len 48 (includes padlen 18)
00:34:04: SSH2 1: done calc MAC out #7
00:34:07: SSH2 1: ssh_receive: 48 bytes received
00:34:07: SSH2 1: input: packet len 32
00:34:07: SSH2 1: partial packet 16, need 16, maclen 16
00:34:07: SSH2 1: MAC #11 ok
00:34:07: SSH2 1: input: padlen 17
00:34:07: SSH2 1: received packet type 94
00:34:07: SSH2 1: send: len 32 (includes padlen 17)
00:34:07: SSH2 1: done calc MAC out #8
00:34:07: SSH2 1: ssh_receive: 48 bytes received
00:34:07: SSH2 1: input: packet len 32
00:34:07: SSH2 1: partial packet 16, need 16, maclen 16
00:34:07: SSH2 1: MAC #12 ok
00:34:07: SSH2 1: input: padlen 17

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

48
Secure Shell Version 2 Support
Configuration Examples for Secure Shell Version 2 Support

00:34:07: SSH2 1: received packet type 94

00:34:07: SSH2 1: send: len 32 (includes padlen 17)
00:34:07: SSH2 1: done calc MAC out #9
00:34:07: SSH2 1: ssh_receive: 48 bytes received
00:34:07: SSH2 1: input: packet len 32
00:34:07: SSH2 1: partial packet 16, need 16, maclen 16
00:34:07: SSH2 1: MAC #13 ok
00:34:07: SSH2 1: input: padlen 17
00:34:07: SSH2 1: received packet type 94
00:34:07: SSH2 1: send: len 32 (includes padlen 17)
00:34:07: SSH2 1: done calc MAC out #10
00:34:08: SSH2 1: ssh_receive: 48 bytes received
00:34:08: SSH2 1: input: packet len 32
00:34:08: SSH2 1: partial packet 16, need 16, maclen 16
00:34:08: SSH2 1: MAC #14 ok
00:34:08: SSH2 1: input: padlen 17
00:34:08: SSH2 1: received packet type 94
00:34:08: SSH2 1: send: len 32 (includes padlen 17)
00:34:08: SSH2 1: done calc MAC out #11
00:34:08: SSH2 1: ssh_receive: 48 bytes received
00:34:08: SSH2 1: input: packet len 32
00:34:08: SSH2 1: partial packet 16, need 16, maclen 16
00:34:08: SSH2 1: MAC #15 ok
00:34:08: SSH2 1: input: padlen 17
00:34:08: SSH2 1: received packet type 94
00:34:08: SSH2 1: send: len 32 (includes padlen 16)
00:34:08: SSH2 1: done calc MAC out #12
00:34:08: SSH2 1: send: len 48 (includes padlen 18)
00:34:08: SSH2 1: done calc MAC out #13
00:34:08: SSH2 1: send: len 16 (includes padlen 6)
00:34:08: SSH2 1: done calc MAC out #14
00:34:08: SSH2 1: send: len 16 (includes padlen 6)
00:34:08: SSH2 1: done calc MAC out #15
00:34:08: SSH1: Session terminated normally

Configuration Examples for Secure Shell Version 2 Support

Example: Configuring Secure Shell Version 1

Device# configure terminal
Device(config)# ip ssh version 1

Example: Configuring Secure Shell Version 2

Device# configure terminal
Device(config)# ip ssh version 2

Example: Configuring Secure Shell Versions 1 and 2

Router# configure terminal
Router(config)# no ip ssh version

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

49
Secure Shell Version 2 Support
Example: Starting an Encrypted Session with a Remote Device

Example: Starting an Encrypted Session with a Remote Device

Device# ssh -v 2 -c aes256-cbc -m hmac-sha1-160 -l shaship 10.76.82.24

Example: Configuring Server-Side SCP

The following example shows how to configure the server-side functionality for SCP. This example also
configures AAA authentication and authorization on the device. This example uses a locally defined username
and password.
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication login default local
Device(config)# aaa authorization exec default local
Device(config)# username samplename privilege 15 password password1
Device(config)# ip ssh time-out 120
Device(config)# ip ssh authentication-retries 3
Device(config)# ip scp server enable

Example: Setting an SNMP Trap

The following example shows that an SNMP trap is set. The trap notification is generated automatically when
the SSH session terminates. In the example, a.b.c.d is the IP address of the SSH client. For an example of
SNMP trap debug output, see the “Example: SNMP Debugging, on page 52” section.

snmp-server
snmp-server host a.b.c.d public tty

Examples: SSH Keyboard Interactive Authentication

Example: Enabling Client-Side Debugs

The following example shows that the client-side debugs are turned on, and the maximum number of prompts
is six (three for the SSH keyboard interactive authentication method and three for the password authentication
method).

Password:
Password:
Password:
Password:
Password:
Password: cisco123
Last login: Tue Dec 6 13:15:21 2005 from 10.76.248.213
user1@courier:~> exit
logout
[Connection to 10.76.248.200 closed by foreign host]
Device1# debug ip ssh client

SSH Client debugging is on

Device1# ssh -l lab 10.1.1.3

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

50
Secure Shell Version 2 Support
Examples: SSH Keyboard Interactive Authentication

Password:
*Nov 17 12:50:53.199: SSH0: sent protocol version id SSH-1.99-Cisco-1.25
*Nov 17 12:50:53.199: SSH CLIENT0: protocol version id is - SSH-1.99-Cisco-1.25
*Nov 17 12:50:53.199: SSH CLIENT0: sent protocol version id SSH-1.99-Cisco-1.25
*Nov 17 12:50:53.199: SSH CLIENT0: protocol version exchange successful
*Nov 17 12:50:53.203: SSH0: protocol version id is - SSH-1.99-Cisco-1.25
*Nov 17 12:50:53.335: SSH CLIENT0: key exchange successful and encryption on
*Nov 17 12:50:53.335: SSH2 CLIENT 0: using method keyboard-interactive
Password:
Password:
Password:
*Nov 17 12:51:01.887: SSH2 CLIENT 0: using method password authentication
Password:
Password: lab
Device2>

*Nov 17 12:51:11.407: SSH2 CLIENT 0: SSH2_MSG_USERAUTH_SUCCESS message received

*Nov 17 12:51:11.407: SSH CLIENT0: user authenticated
*Nov 17 12:51:11.407: SSH2 CLIENT 0: pty-req request sent
*Nov 17 12:51:11.411: SSH2 CLIENT 0: shell request sent
*Nov 17 12:51:11.411: SSH CLIENT0: session open

Example: Enabling ChPass with a Blank Password Change

In the following example, the ChPass feature is enabled, and a blank password change is accomplished using
the SSH Keyboard Interactive Authentication method. A TACACS+ access control server (ACS) is used as
the back-end AAA server.

Device1# ssh -l cisco 10.1.1.3

Password:
Old Password: cisco
New Password: cisco123
Re-enter New password: cisco123

Device2> exit

[Connection to 10.1.1.3 closed by foreign host]

Example: Enabling ChPass and Changing the Password on First Login

In the following example, the ChPass feature is enabled and TACACS+ ACS is used as the back-end server.
The password is changed on the first login using the SSH keyboard interactive authentication method.

Device1# ssh -l cisco 10.1.1.3

Password: cisco
Your password has expired.
Enter a new one now.
New Password: cisco123
Re-enter New password: cisco123

Device2> exit

[Connection to 10.1.1.3 closed by foreign host]

Device1# ssh -l cisco 10.1.1.3

Password:cisco1
Your password has expired.
Enter a new one now.
New Password: cisco
Re-enter New password: cisco12
The New and Re-entered passwords have to be the same.
Try again.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

51
Secure Shell Version 2 Support
Example: SNMP Debugging

New Password: cisco

Re-enter New password: cisco

Device2>

Example: Enabling ChPass and Expiring the Password After Three Logins
In the following example, the ChPass feature is enabled and TACACS+ ACS is used as the back-end AAA
server. The password expires after three logins using the SSH keyboard interactive authentication method.

Device# ssh -l cisco. 10.1.1.3

Password: cisco

Device2> exit

[Connection to 10.1.1.3 closed by foreign host]

Device1# ssh -l cisco 10.1.1.3

Password: cisco

Device2> exit

Device1# ssh -l cisco 10.1.1.3

Password: cisco

Device2> exit

[Connection to 10.1.1.3 closed by foreign host]

Device1# ssh -l cisco 10.1.1.3

Password: cisco
Your password has expired.
Enter a new one now.
New Password: cisco123
Re-enter New password: cisco123

Device2>

Example: SNMP Debugging

The following is sample output from the debug snmp packet command. The output provides SNMP trap
information for an SSH session.

Device1# debug snmp packet

SNMP packet debugging is on

Device1# ssh -l lab 10.0.0.2
Password:

Device2# exit

[Connection to 10.0.0.2 closed by foreign host]

Device1#
*Jul 18 10:18:42.619: SNMP: Queuing packet to 10.0.0.2
*Jul 18 10:18:42.619: SNMP: V1 Trap, ent cisco, addr 10.0.0.1, gentrap 6, spectrap 1
local.9.3.1.1.2.1 = 6
tcpConnEntry.1.10.0.0.1.22.10.0.0.2.55246 = 4
ltcpConnEntry.5.10.0.0.1.22.10.0.0.2.55246 = 1015
ltcpConnEntry.1.10.0.0.1.22.10.0.0.2.55246 = 1056
ltcpConnEntry.2.10.0.0.1.22.10.0.0.2.55246 = 1392

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

52
Secure Shell Version 2 Support
Examples: SSH Debugging Enhancements

local.9.2.1.18.2 = lab
*Jul 18 10:18:42.879: SNMP: Packet sent via UDP to 10.0.0.2

Device1#

Examples: SSH Debugging Enhancements

The following is sample output from the debug ip ssh detail command. The output provides debugging
information about the SSH protocol and channel requests.

Device# debug ip ssh detail

00:04:22: SSH0: starting SSH control process

00:04:22: SSH0: sent protocol version id SSH-1.99-Cisco-1.25
00:04:22: SSH0: protocol version id is - SSH-1.99-Cisco-1.25
00:04:22: SSH2 0: SSH2_MSG_KEXINIT sent
00:04:22: SSH2 0: SSH2_MSG_KEXINIT received
00:04:22: SSH2:kex: client->server enc:aes128-cbc mac:hmac-sha1
00:04:22: SSH2:kex: server->client enc:aes128-cbc mac:hmac-sha1
00:04:22: SSH2 0: expecting SSH2_MSG_KEXDH_INIT
00:04:22: SSH2 0: SSH2_MSG_KEXDH_INIT received
00:04:22: SSH2: kex_derive_keys complete
00:04:22: SSH2 0: SSH2_MSG_NEWKEYS sent
00:04:22: SSH2 0: waiting for SSH2_MSG_NEWKEYS
00:04:22: SSH2 0: SSH2_MSG_NEWKEYS received
00:04:24: SSH2 0: authentication successful for lab
00:04:24: SSH2 0: channel open request
00:04:24: SSH2 0: pty-req request
00:04:24: SSH2 0: setting TTY - requested: height 24, width 80; set: height 24, width 80
00:04:24: SSH2 0: shell request
00:04:24: SSH2 0: shell message received
00:04:24: SSH2 0: starting shell for vty
00:04:38: SSH0: Session terminated normally

The following is sample output from the debug ip ssh packet command. The output provides debugging
information about the SSH packet.

Device# debug ip ssh packet

00:05:43: SSH2 0: send:packet of length 280 (length also includes padlen of 4)

00:05:43: SSH2 0: ssh_receive: 64 bytes received
00:05:43: SSH2 0: input: total packet length of 280 bytes
00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 0
00:05:43: SSH2 0: ssh_receive: 64 bytes received
00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 0
00:05:43: SSH2 0: ssh_receive: 64 bytes received
00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 0
00:05:43: SSH2 0: ssh_receive: 64 bytes received
00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 0
00:05:43: SSH2 0: ssh_receive: 24 bytes received
00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 0
00:05:43: SSH2 0: input: padlength 4 bytes
00:05:43: SSH2 0: ssh_receive: 64 bytes received
00:05:43: SSH2 0: input: total packet length of 144 bytes
00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 136 bytes, maclen 0
00:05:43: SSH2 0: ssh_receive: 64 bytes received
00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 136 bytes, maclen 0
00:05:43: SSH2 0: ssh_receive: 16 bytes received
00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 136 bytes, maclen 0
00:05:43: SSH2 0: input: padlength 6 bytes
00:05:43: SSH2 0: signature length 143
00:05:43: SSH2 0: send:packet of length 448 (length also includes padlen of 7)
00:05:43: SSH2 0: send:packet of length 16 (length also includes padlen of 10)
00:05:43: SSH2 0: newkeys: mode 1
00:05:43: SSH2 0: ssh_receive: 16 bytes received
00:05:43: SSH2 0: input: total packet length of 16 bytes
00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 8 bytes, maclen 0

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

53
Secure Shell Version 2 Support
Where to Go Next

00:05:43: SSH2 0: input: padlength 10 bytes

00:05:43: SSH2 0: newkeys: mode 0
00:05:43: SSH2 0: ssh_receive: 52 bytes received
00:05:43: SSH2 0: input: total packet length of 32 bytes
00:05:43: SSH2 0: partial packet length(block size)16 bytes,needed 16 bytes, maclen 20
00:05:43: SSH2 0: MAC compared for #3 :ok

Where to Go Next
You have to use a SSH remote device that supports SSH Version 2, and you have to connect to a Cisco device.

Additional References for Secure Shell Version 2 Support

AAA Security Configuration Guide: Securing User Services

Hostname and host domain configuration tasks
Secure shell configuration tasks

Downloading a software image Configuration Fundamentals Configuration Guide

Configuration fundamentals

IPsec configuration tasks Security Configuration Guide: Secure Connectivity

SNMP traps configuration tasks SNMP Configuration Guide

Standards

Standards Title
IETF Secure Shell Version 2 Draft Standards Internet Engineering Task Force website

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

54
Secure Shell Version 2 Support
Feature Information for Secure Shell Version 2 Support

Technical Assistance

Feature Information for Secure Shell Version 2 Support

Table 4: Feature Information for Secure Shell Version 2 Support

Feature Name Releases Feature Information

Secure Shell Version 2 Support Cisco IOS 12.2(11)T The Secure Shell Version 2
Support feature allows you to
Cisco IOS 12.2(25)S
configure Secure Shell (SSH)
Cisco IOS 12.3(4)T Version 2 (SSH Version 1 support
Cisco IOS 15.3(2)S was implemented in an earlier
Cisco IOS software release). SSH
runs on top of a reliable transport
layer and provides strong
authentication and encryption
capabilities. SSH version 2 also
supports AES counter-based
encryption mode.
The following commands were
introduced or modified: debug ip
ssh, ip ssh min dh size, ip ssh rsa
keypair-name, ip ssh version, ssh.

Secure Shell Version 2 Client and Cisco IOS 12.0(32)SY The Cisco IOS image was updated
Server Support to provide for the automatic
Cisco IOS 12.3(7)JA
generation of SNMP traps when an
Cisco IOS 12.4(17) SSH session terminates.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

55
Secure Shell Version 2 Support
Feature Information for Secure Shell Version 2 Support

Feature Name Releases Feature Information

SSH Keyboard Interactive Cisco IOS 12.2(33)SXH3 The SSH Keyboard Interactive
Authentication Authentication feature, also known
Cisco IOS 12.4(18)
as Generic Message Authentication
for SSH, is a method that can be
used to implement different types
of authentication mechanisms.
Basically, any currently supported
authentication method that requires
only user input can be performed
with this feature.

Secure Shell Version 2 Cisco IOS 12.2(50)SY The Secure Shell Version 2
Enhancements Enhancements feature includes a
Cisco IOS 12.4(20)T
number of additional capabilities
Cisco IOS 15.1(2)S such as support for VRF-aware
SSH, SSH debug enhancements,
and DH Group 14 and Group 16
exchange support.
In Cisco IOS 15.1(2)S, support was
added for the Cisco 7600 series
router.
Note Only the VRF-aware SSH
feature is supported in
Cisco IOS Release
12.2(50)SY.
The following commands were
introduced or modified: debug ip
ssh, ip ssh dh min size.

Secure Shell Version 2 Cisco IOS 15.0(1)M The Secure Shell Version 2
Enhancements for RSA Keys. Enhancements for RSA Keys
Cisco IOS 15.1(1)S
feature includes a number of
additional capabilities to support
RSA key-based user authentication
for SSH and SSH server host key
storage and verification.
The following commands were
introduced or modified: ip ssh
pubkey-chain, ip ssh
stricthostkeycheck.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

56
CHAPTER 5
SSH Terminal-Line Access
The SSH Terminal-Line Access feature provides users secure access to tty (text telephone) lines. tty allows
the hearing- and speech-impaired to communicate by using a telephone to type messages.

• Finding Feature Information, page 57

• Prerequisites for SSH Terminal-Line Access, page 57
• Restrictions for SSH Terminal-Line Access, page 58
• Information About SSH Terminal-Line Access, page 58
• How to Configure SSH Terminal-Line Access, page 59
• Configuration Examples for SSH Terminal-Line Access, page 61
• Additional References, page 62
• Feature Information for SSH Terminal-Line Access, page 63

Finding Feature Information

Prerequisites for SSH Terminal-Line Access

Download the required image to your router. The secure shell (SSH) server requires the router to have an
IPSec (Data Encryption Standard (DES) or 3DES) encryption software image from Cisco IOS Release 12.1(1)T
or a later release. The SSH client requires the router to have an IPSec (DES or 3DES) encryption software
image from Cisco IOS Release 12.1(3)T or a later release. See the Cisco IOS Configuration Fundamentals
Configuration Guide , Release 12.4T for more information on downloading a software image.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

57
SSH Terminal-Line Access
Restrictions for SSH Terminal-Line Access

The SSH server requires the use of a username and password, which must be defined through the use of a
local username and password, TACACS+, or RADIUS.

Note The SSH Terminal-Line Access feature is available on any image that contains SSH.

Restrictions for SSH Terminal-Line Access

Console Server Requirement
To configure secure console server access, you must define each line in its own rotary and configure SSH to
use SSH over the network when user want to access each of those devices.

Memory and Performance Impact

Replacing reverse Telnet with SSH may reduce the performance of available tty lines due to the addition of
encryption and decryption processing above the vty processing. (Any cryptographic mechanism uses more
memory than a regular access.)

Information About SSH Terminal-Line Access

Overview of SSH Terminal-Line Access

Cisco IOS supports reverse Telnet, which allows users to Telnet through the router--via a certain port range--to
connect them to tty (asynchronous) lines. Reverse Telnet has allowed users to connect to the console ports of
remote devices that do not natively support Telnet. However, this method has provided very little security
because all Telnet traffic goes over the network in the clear. The SSH Terminal-Line Access feature replaces
reverse Telnet with SSH. This feature may be configured to use encryption to access devices on the tty lines,
which provide users with connections that support strong privacy and session integrity.
SSH is an application and a protocol that provides secure replacement for the suite of Berkeley r-tools such
as rsh, rlogin, and rcp. (Cisco IOS supports rlogin.) The protocol secures the sessions using standard
cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools.
Currently two versions of SSH are available: SSH Version 1 and SSH Version 2. Only SSH Version 1 is
implemented in the Cisco IOS software.
The SSH Terminal-Line Access feature enables users to configure their router with secure access and perform
the following tasks:
• Connect to a router that has multiple terminal lines connected to consoles or serial ports of other routers,
switches, or devices.
• Simplify connectivity to a router from anywhere by securely connecting to the terminal server on a
specific line.
• Allow modems attached to routers to be used for dial-out securely.
• Require authentication of each of the lines through a locally defined username and password, TACACS+,
or RADIUS.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

58
SSH Terminal-Line Access
How to Configure SSH Terminal-Line Access

Note The session slot command that is used to start a session with a module requires Telnet to be accepted on
the virtual tty (vty) lines. When you restrict vty lines only to SSH, you cannot use the command to
communicate with the modules. This applies to any Cisco IOS device where the user can telnet to a module
on the device.

How to Configure SSH Terminal-Line Access

Configuring SSH Terminal-Line Access

Perform this task to configure a Cisco router to support reverse secure Telnet.

Note SSH must already be configured on the router.

SUMMARY STEPS

1. enable
2. configure terminal
3. line line-number [ending-line-number]
4. no exec
5. login {local | authentication listname}
6. rotary group
7. transport input {all | ssh}
8. exit
9. ip ssh port portnum rotary group

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Router# configure terminal

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

59
SSH Terminal-Line Access
Configuring SSH Terminal-Line Access

Command or Action Purpose

Step 3 line line-number [ending-line-number] Identifies a line for configuration and enters line configuration mode.
Note For router console configurations, each line must be defined
Example: in its own rotary, and SSH must be configured to listen in on
Router(config)# line 1 200 each rotary.
Note An authentication method requiring a username and password
must be configured for each line. This may be done through
the use of a local username and password stored on the router,
through the use of TACACS+, or through the use of RADIUS.
Neither Line passwords nor the enable password are sufficient
to be used with SSH.
Step 4 no exec Disables exec processing on each of the lines.

Example:
Router(config-line)# no exec

Step 5 login {local | authentication listname} Defines a login authentication mechanism for the lines.
Note The authentication method must utilize a username and
Example: password.

Router(config-line)# login
authentication default

Step 6 rotary group Defines a group of lines consisting of one or more lines.
Note All rotaries used must be defined, and each defined rotary must
Example: be used when SSH is enabled.
Router(config-line)# rotary 1

Step 7 transport input {all | ssh} Defines which protocols to use to connect to a specific line of the router.

Example:
Router(config-line)# transport input
ssh

Step 8 exit Exits line configuration mode.

Example:
Router(config-line)# exit

Step 9 ip ssh port portnum rotary group Enables secure network access to the tty lines.
• Use this command to connect the portnum argument with the
Example: rotary groupargument, which is associated with a line or group of
Router(config)# ip ssh port 2000 lines.
rotary 1
Note The group argument must correspond with the rotary group
number chosen in Step 6.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

60
SSH Terminal-Line Access
Verifying SSH Terminal-Line Access

Verifying SSH Terminal-Line Access

To verify that this functionality is working, you can connect to a router using an SSH client.

Configuration Examples for SSH Terminal-Line Access

Example SSH Terminal-Line Access Configuration

The following example shows how to configure the SSH Terminal-Line Access feature on a modem used for
dial-out on lines 1 through 200. To get any of the dial-out modems, use any SSH client and start an SSH
session to port 2000 of the router to get to the next available modem from the rotary.

line 1 200
no exec
login authentication default
rotary 1
transport input ssh
exit
ip ssh port 2000 rotary 1

Example SSH Terminal-Line Access for a Console Serial Line Ports

Configuration
The following example shows how to configure the SSH Terminal-Line Access feature to access the console
or serial line interface of various devices. For this type of access, each line is put into its own rotary, and each
rotary is used for a single port. In this example, lines 1 through 3 are used; the port (line) mappings of the
configuration are shown in the table below.

Table 5: Port (line) Configuration Mappings

Line Number SSH Port Number

1 2001

2 2002

3 2003

line 1
no exec
login authentication default
rotary 1
transport input ssh
line 2

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

61
SSH Terminal-Line Access
Additional References

no exec
login authentication default
rotary 2
transport input ssh
line 3
no exec
login authentication default
rotary 3
transport input ssh
ip ssh port 2001 rotary 1 3

Additional References
Related Documents

SSH Cisco IOS Security Configuration Guide: Securing

User Services

SSH commands Cisco IOS Security Command Reference

Dial Technologies Cisco IOS Dial Technologies Configuration Guide

Dial commands Cisco IOS Dial Technologies Command Reference

Downloading a software image Cisco IOS Configuration Fundamentals Configuration

Guide

Standards

Standard Title
--

MIBs

MIB MIBs Link

To locate and download MIBs for selected platforms,
Cisco software releases, and feature sets, use Cisco
MIB Locator found at the following URL:
http://www.cisco.com/go/mibs

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

62
SSH Terminal-Line Access
Feature Information for SSH Terminal-Line Access

RFCs

RFC Title
None. --

Technical Assistance

Feature Information for SSH Terminal-Line Access

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

63
SSH Terminal-Line Access
Feature Information for SSH Terminal-Line Access

Table 6: Feature Information for SSH Terminal-Line Access

Feature Name Releases Feature Information

SSH Terminal-Line Access Cisco IOS 12.2(4)JA The SSH Terminal-Line Access
feature provides users secure
Cisco IOS 12.2(15)T
access to tty (text telephone) lines.
Cisco IOS 12.2(6th)S tty allows the hearing- and
speech-impaired to communicate
by using a telephone to type
messages.
This feature was introduced in
Cisco IOS Release 12.2(4)JA.
This feature was integrated into
Cisco IOS Release 12.2(15)T.
This feature was integrated into
Cisco IOS Release 12.2(6th)S.
The following command was
introduced or modified: ip ssh
port.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

64
CHAPTER 6
Secure Shell—Configuring User Authentication
Methods
The Secure Shell—Configuring User Authentication Methods feature helps configure the user authentication
methods available in the Secure Shell (SSH) server.

• Finding Feature Information, page 65

• Restrictions for Secure Shell—Configuring User Authentication Methods, page 65
• Information About Secure Shell—Configuring User Authentication Methods, page 66
• How to Configure Secure Shell—Configuring User Authentication Methods, page 66
• Configuration Examples for Secure Shell—Configuring User Authentication Methods, page 69
• Additional References for Secure Shell—Configuring User Authentication Methods, page 70
• Feature Information for Secure Shell—Configuring User Authentication Methods, page 71

Finding Feature Information

Restrictions for Secure Shell—Configuring User Authentication

Methods
Secure Shell (SSH) server and SSH client are supported on data encryption software (DES) (56-bit) and 3DES
(168-bit) images only.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

65
Secure Shell—Configuring User Authentication Methods
Information About Secure Shell—Configuring User Authentication Methods

Information About Secure Shell—Configuring User

Authentication Methods

Secure Shell User Authentication Overview

Secure Shell (SSH) enables an SSH client to make a secure, encrypted connection to a Cisco device (Cisco
IOS SSH server). The SSH client uses the SSH protocol to provide device authentication and encryption.
The SSH server supports three types of user authentication methods and sends these authentication methods
to the SSH client in the following predefined order:
• Public-key authentication method
• Keyboard-interactive authentication method
• Password authentication method

By default, all the user authentication methods are enabled. Use the no ip ssh server authenticate user
{publickey | keyboard | pasword} command to disable any specific user authentication method so that the
disabled method is not negotiated in the SSH user authentication protocol. This feature helps the SSH server
offer any preferred user authentication method in an order different from the predefined order. The disabled
user authentication method can be enabled using the ip ssh server authenticate user {publickey | keyboard
| pasword} command.
As per RFC 4252 (The Secure Shell (SSH) Authentication Protocol), the public-key authentication method
is mandatory. This feature enables the SSH server to override the RFC behavior and disable any SSH user
authentication method, including public-key authentication.
For example, if the SSH server prefers the password authentication method, the SSH server can disable the
public-key and keyboard-interactive authentication methods.

How to Configure Secure Shell—Configuring User

Authentication Methods

Configuring User Authentication for the SSH Server

Perform this task to configure user authentication methods in the Secure Shell (SSH) server.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

66
Secure Shell—Configuring User Authentication Methods
Configuring User Authentication for the SSH Server

SUMMARY STEPS

1. enable
2. configure terminal
3. no ip ssh server authenticate user {publickey | keyboard | pasword}
4. ip ssh server authenticate user {publickey | keyboard | pasword}
5. default ip ssh server authenticate user
6. end

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 no ip ssh server authenticate user {publickey | Disables a user authentication method in the Secure Shell (SSH)
keyboard | pasword} server.
Note A warning message is displayed when the no ip ssh
Example: server authenticate user publickey command is used
to disable public-key authentication. This command
Device(config)# no ip ssh server authenticate overrides the RFC 4252 (The Secure Shell (SSH)
user publickey
Authentication Protocol) behavior, which states that
%SSH:Publickey disabled.Overriding RFC public-key authentication is mandatory.

Step 4 ip ssh server authenticate user {publickey | Enables the disabled user authentication method in the SSH
keyboard | pasword} server.

Example:
Device(config)# ip ssh server authenticate
user publickey

Step 5 default ip ssh server authenticate user Returns to the default behavior in which all user authentication
methods are enabled in the predefined order.
Example:
Device(config)# default ip ssh server
authenticate user

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

67
Secure Shell—Configuring User Authentication Methods
Verifying User Authentication for the SSH Server

Command or Action Purpose

Step 6 end Exits global configuration mode and returns to privileged EXEC
mode.
Example:
Device(config)# end

Troubleshooting Tips
• If the public-key-based authentication method is disabled using the no ip ssh server authenticate user
publickey command, the RFC 4252 (The Secure Shell (SSH) Authentication Protocol) behavior in
which public-key authentication is mandatory is overridden and the following warning message is
displayed:
%SSH:Publickey disabled.Overriding RFC

• If all three authentication methods are disabled, the following warning message is displayed:
%SSH:No auth method configured.Incoming connection will be dropped

• In the event of an incoming SSH session request from the SSH client when all three user authentication
methods are disabled on the SSH server, the connection request is dropped at the SSH server and a
system log message is available in the following format:
%SSH-3-NO_USERAUTH: No auth method configured for SSH Server. Incoming connection from
<ip address> (tty = <ttynum>) dropped

Verifying User Authentication for the SSH Server

SUMMARY STEPS

1. enable
2. show ip ssh

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode.
• Enter your password if prompted.

Example:
Device> enable

Step 2 show ip ssh

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

68
Secure Shell—Configuring User Authentication Methods
Configuration Examples for Secure Shell—Configuring User Authentication Methods

Displays the version and configuration data for Secure Shell (SSH).

Example:
The following sample output from the show ip ssh command confirms that all three user authentication methods are
enabled in the SSH server:
Device# show ip ssh

Authentication methods:publickey,keyboard-interactive,password
The following sample output from the show ip ssh command confirms that all three user authentication methods are
disabled in the SSH server:
Device# show ip ssh

Authentication methods:NONE

Configuration Examples for Secure Shell—Configuring User

Authentication Methods

Example: Disabling User Authentication Methods

The following example shows how to disable the public-key-based authentication and keyboard-based
authentication methods, allowing the SSH client to connect to the SSH server using the password-based
authentication method:

Device> enable
Device# configure terminal
Device(config)# no ip ssh server authenticate user publickey
%SSH:Publickey disabled.Overriding RFC
Device(config)# no ip ssh server authenticate user keyboard
Device(config)# exit

Example: Enabling User Authentication Methods

The following example shows how to enable the public-key-based authentication and keyboard-based
authentication methods:

Device> enable
Device# configure terminal
Device(config)# ip ssh server authenticate user publickey
Device(config)# ip ssh server authenticate user keyboard
Device(config)# exit

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

69
Secure Shell—Configuring User Authentication Methods
Example: Configuring Default User Authentication Methods

Example: Configuring Default User Authentication Methods

The following example shows how to return to the default behavior in which all three user authentication
methods are enabled in the predefined order:

Device> enable
Device# configure terminal
Device(config)# default ip ssh server authenticate user
Device(config)# exit

Additional References for Secure Shell—Configuring User

Authentication Methods
Related Documents

SSH configuration Secure Shell Configuration Guide

Standards and RFCs

Standard/RFC Title
RFC 4252 The Secure Shell (SSH) Authentication Protocol

RFC 4253 The Secure Shell (SSH) Transport Layer Protocol

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

70
Secure Shell—Configuring User Authentication Methods
Feature Information for Secure Shell—Configuring User Authentication Methods

Technical Assistance

Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.

Feature Information for Secure Shell—Configuring User

Authentication Methods
The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 7: Feature Information for Secure Shell—Configuring User Authentication Methods

Feature Name Releases Feature Information

Secure Shell—Configuring User 15.3(3)M The Secure Shell—Configuring
Authentication Methods 15.2(1)SY User Authentication Methods
feature helps configure the user
authentication methods available
in the Secure Shell (SSH) server.
The following command was
introduced: ip ssh server
authenticate user.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

71
Secure Shell—Configuring User Authentication Methods
Feature Information for Secure Shell—Configuring User Authentication Methods

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

72
CHAPTER 7
AES-CTR Support for SSHv2
The AES-CTR Support for SSHv2 feature provides increased security through support for the Advanced
Encryption Standard counter (AES-CTR) encryption mode during an encrypted Secure Shell version 2
(SSHv2) session between the server and the client.

• Finding Feature Information, page 73

• Prerequisites for AES-CTR Support for SSHv2, page 73
• Restrictions for AES-CTR Support for SSHv2, page 74
• Information About AES-CTR Support for SSHv2, page 74
• How to Configure AES-CTR Support for SSHv2, page 74
• Configuration Examples for AES-CTR Support for SSHv2, page 77
• Additional References for AES-CTR Support for SSHv2, page 77
• Feature Information for AES-CTR Support for SSHv2, page 78

Finding Feature Information

Prerequisites for AES-CTR Support for SSHv2

• Ensure that you use a Secure Shell (SSH) remote device that supports SSH Version 2 (SSHv2) and
connect to a Cisco device.
• Ensure that both the client and the server that are used in the SSH session support the Advanced
Encryption Standard counter mode (AES-CTR) encryption mode.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

73
AES-CTR Support for SSHv2
Restrictions for AES-CTR Support for SSHv2

Restrictions for AES-CTR Support for SSHv2

• The Secure Shell (SSH) server and SSH client are supported only on crypto k9 (Triple Data Encryption
Standard [3DES]) software images depending on your release.

Information About AES-CTR Support for SSHv2

Secure Shell Version 2 Encryption Modes
The Cisco Secure Shell (SSH) implementation enables a secure, encrypted connection between a server and
client. The SSH servers and clients use the SSH protocol to provide device authentication and encryption.
To start an encrypted session between the SSH client and server, the preferred mode of encryption needs to
be decided. For increased security, the preferred crypto algorithm for the SSH session is the Advanced
Encryption Standard counter mode (AES-CTR).
SSH version 2 (SSHv2) supports AES-CTR encryption for 128-, 192-, and 256-bit key length. From the
supported AES-CTR algorithms, the preferred algorithm is chosen based on the processing capability. The
greater the length of the key, the stronger the encryption.
The Cisco SSH servers and clients support three types of crypto algorithms to encrypt data and selects the
encryption mode in the following order of preferred encryption:
• AES-CTR
• AES Cipher Block Chaining (AES-CBC)
• Triple Data Encryption Standard (3DES)

If the SSH session uses a remote device that does not support the AES-CTR encryption mode, then the
encryption mode for the session falls back to AES-CBC mode.

How to Configure AES-CTR Support for SSHv2

Starting an Encrypted Session from the SSH Client
Perform this task to start an encrypted Secure Shell (SSH) session from the SSH client using the Advanced
Encryption Standard counter mode (AES-CTR) encryption mode.

Note The device with which you want to connect must support an SSH server that has the AES-CTR encryption
algorithm that is supported in Cisco software. SSH can be run even when the device is disabled.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

74
AES-CTR Support for SSHv2
Verifying the Encryption Mode Used in the SSH Server or Client

SUMMARY STEPS

1. enable
2. ssh [-v {1 | 2} | -c {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des | aes192-cbc | aes256-cbc} |
-l user-id | -l user-id:vrf-name number ip-address ip-address | -l user-id:rotary number ip-address | -m
{hmac-md5-128 | hmac-md5-96 | hmac-sha1-160 | hmac-sha1-96} | -o numberofpasswordprompts
n | -p port-num] {ip-addr | hostname} [command | -vrf]
3. exit

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 ssh [-v {1 | 2} | -c {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | Starts an encrypted session with a remote
3des | aes192-cbc | aes256-cbc} | -l user-id | -l user-id:vrf-name number networking device.
ip-address ip-address | -l user-id:rotary number ip-address | -m
{hmac-md5-128 | hmac-md5-96 | hmac-sha1-160 | hmac-sha1-96} |
-o numberofpasswordprompts n | -p port-num] {ip-addr | hostname}
[command | -vrf]

Example:
Device# ssh -v 2 -c aes256-ctr -m hmac-sha1-96 -l user2
10.76.82.24

Step 3 exit Exits privileged EXEC mode.

Example:
Device# exit

Verifying the Encryption Mode Used in the SSH Server or Client

SUMMARY STEPS

1. enable
2. show ssh
3. debug ip ssh detail

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

75
AES-CTR Support for SSHv2
Verifying the Encryption Mode Used in the SSH Server or Client

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode.
• Enter your password if prompted.

Example:
Device> enable

Step 2 show ssh

Displays the encryption algorithms used for an encrypted session.

Example:
The following sample output from the show ssh command shows that the AES-CTR encryption mode is used for the
session between the SSH server and client:
Device# show ssh

Connection Version Mode Encryption Hmac State Username

0 1.99 IN aes128-ctr hmac-sha1 Session started cisco

0 1.99 OUT aes128-ctr hmac-sha1 Session started cisco

%No SSHv1 server connections running.

Step 3 debug ip ssh detail

Displays the version and configuration data for Secure Shell (SSH).

Example:
The following sample output from the debug ip ssh detail command in the SSH server shows that the AES-CTR
encryption mode is used for the session between the SSH server and client:
Device# debug ip ssh detail

SSH2 0: kex: client->server enc:aes128-ctr mac:hmac-md5

SSH2 0: kex: server->client enc:aes128-ctr mac:hmac-md5

The following sample output from the debug ip ssh detail command in the SSH client shows that the AES-CTR encryption
mode is used for the session between the SSH server and client:
Device# debug ip ssh detail

SSH2 CLIENT 0: kex: server->client enc:aes128-ctr mac:hmac-md5

SSH2 CLIENT 0: kex: client->server enc:aes128-ctr mac:hmac-md5

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

76
AES-CTR Support for SSHv2
Configuration Examples for AES-CTR Support for SSHv2

Configuration Examples for AES-CTR Support for SSHv2

Example: Starting an Encrypted Session from the SSH Client
The following example shows how to start an encrypted Secure Shell (SSH) session from the SSH client using
the Advanced Encryption Standard counter mode (AES-CTR) encryption mode:

Device> enable
Device# ssh -v 2 -c aes256-ctr -m hmac-sha1-96 -l user2 10.76.82.24
Device# exit

Additional References for AES-CTR Support for SSHv2

SSH configuration Secure Shell Configuration Guide

Standards and RFCs

Standard/RFC Title
RFC 4344 The Secure Shell (SSH) Transport Layer Encryption
Modes

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

77
AES-CTR Support for SSHv2
Feature Information for AES-CTR Support for SSHv2

Technical Assistance

Description Link
The Cisco Support website provides extensive online http://www.cisco.com/cisco/web/support/index.html
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.

Feature Information for AES-CTR Support for SSHv2

Table 8: Feature Information for AES-CTR Support for SSHv2

Feature Name Releases Feature Information

AES-CTR Support for SSHv2 15.4(2)T The AES-CTR Support for SSHv2
feature provides increased security
15.2(1)SY
through support for the Advanced
Encryption Standard counter
(AES-CTR) encryption mode
during an encrypted Secure Shell
version 2 (SSHv2) session between
the server and the client.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

78
CHAPTER 8
X.509v3 Certificates for SSH Authentication
The X.509v3 Certificates for SSH Authentication feature uses the X.509v3 digital certificates in server and
user authentication at the secure shell (SSH) server side.
This module describes how to configure server and user certificate profiles for a digital certificate.

• Finding Feature Information, page 79

• Prerequisites for X.509v3 Certificates for SSH Authentication, page 80
• Restrictions for X.509v3 Certificates for SSH Authentication, page 80
• Information About X.509v3 Certificates for SSH Authentication, page 80
• How to Configure X.509v3 Certificates for SSH Authentication, page 81
• Configuration Examples for X.509v3 Certificates for SSH Authentication, page 85
• Additional References for X.509v3 Certificates for SSH Authentication, page 85
• Feature Information for X.509v3 Certificates for SSH Authentication, page 86

Finding Feature Information

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

79
X.509v3 Certificates for SSH Authentication
Prerequisites for X.509v3 Certificates for SSH Authentication

Prerequisites for X.509v3 Certificates for SSH Authentication

• The X.509v3 Certificates for SSH Authentication feature introduces the ip ssh server algorithm
authentication command to replace the ip ssh server authenticate user command. If you use the ip
ssh server authenticate user command, the following deprecation message is displayed.
Warning: SSH command accepted but this CLI will be deprecated soon. Please move to new
CLI “ip ssh server algorithm authentication”. Please configure “default ip ssh server
authenticate user” to make CLI ineffective.

◦Use the default ip ssh server authenticate user command to remove the ip ssh server authenticate
user command from effect. The IOS secure shell (SSH) server then starts using the ip ssh server
algorithm authentication command.

Restrictions for X.509v3 Certificates for SSH Authentication

• The X.509v3 Certificates for SSH Authentication feature implementation is applicable only on the IOS
secure shell (SSH) server side.
• IOS SSH server supports only the x509v3-ssh-rsa algorithm based certificate for server and user
authentication on the IOS SSH server side.

Information About X.509v3 Certificates for SSH Authentication

Digital certificates
The validity of the authentication depends upon the strength of the linkage between the public signing key
and the identity of the signer. Digital certificates in the X.509v3 format (RFC5280) are used to provide identity
management. A chain of signatures by a trusted root certification authority and its intermediate certificate
authorities binds a given public signing key to a given digital identity.
Public key infrastructure (PKI) trustpoint helps manage the digital certificates. The association between the
certificate and the trustpoint helps track the certificate. The trustpoint contains information about the certificate
authority (CA), different identity parameters, and the digital certificate. Multiple trustpoints can be created
to associate with different certificates.

Server and user authentication using X.509v3

For server authentication, the IOS secure shell (SSH) server sends its own certificate to the SSH client for
verification. This server certificate is associated with the trustpoint configured in the server certificate profile
(ssh-server-cert-profile-server configuration mode).
For user authentication, the SSH client sends the user's certificate to the IOS SSH server for verification. The
SSH server validates the incoming user certificate using public key infrastructure (PKI) trustpoints configured
in the server certificate profile (ssh-server-cert-profile-user configuration mode).
By default, certificate-based authentication is enabled for server and user at the IOS SSH server end.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

80
X.509v3 Certificates for SSH Authentication
How to Configure X.509v3 Certificates for SSH Authentication

How to Configure X.509v3 Certificates for SSH Authentication

Configuring IOS SSH Server to Use Digital Certificates for Sever Authentication
SUMMARY STEPS

1. enable
2. configure terminal
3. ip ssh server algorithm hostkey {x509v3-ssh-rsa [ssh-rsa] | ssh-rsa [x509v3-ssh-rsa]}
4. ip ssh server certificate profile
5. server
6. trustpoint sign PKI-trustpoint-name
7. ocsp-response include
8. end

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 ip ssh server algorithm hostkey Defines the order of host key algorithms. Only the configured
{x509v3-ssh-rsa [ssh-rsa] | ssh-rsa algorithm is negotiated with the secure shell (SSH) client.
[x509v3-ssh-rsa]} Note The IOS SSH server must have at least one configured host
key algorithm:
Example:
• ssh-rsa – public key based authentication
Device(config)# ip ssh server algorithm
hostkey x509v3-ssh-rsa • x509v3-ssh-rsa – certificate-based authentication

Step 4 ip ssh server certificate profile Configures server certificate profile and user certificate profile and
enters SSH certificate profile configuration mode.
Example:
Device(config)# ip ssh server certificate
profile

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

81
X.509v3 Certificates for SSH Authentication
Configuring IOS SSH Server to Verify User's Digital Certificate for User Authentication

Command or Action Purpose

Step 5 server Configures server certificate profile and enters SSH server certificate
profile server configuration mode.
Example:
Device(ssh-server-cert-profile)# server

Step 6 trustpoint sign PKI-trustpoint-name Attaches the public key infrastructure (PKI) trustpoint to the server
certificate profile. The SSH server uses the certificate associated
Example: with this PKI trustpoint for server authentication.

Device(ssh-server-cert-profile-server)#
trustpoint sign trust1

Step 7 ocsp-response include (Optional) Sends the Online Certificate Status Protocol (OCSP)
response or OCSP stapling along with the server certificate.
Example: Note By default the “no” form of this command is configured
Device(ssh-server-cert-profile-server)# and no OCSP response is sent along with the server
ocsp-response include certificate.

Step 8 end Exits SSH server certificate profile server configuration mode and
enters privileged EXEC mode.
Example:
Device(ssh-server-cert-profile-server)#
end

Configuring IOS SSH Server to Verify User's Digital Certificate for User
Authentication
SUMMARY STEPS

1. enable
2. configure terminal
3. ip ssh server algorithm authentication {publickey | keyboard | password}
4. ip ssh server algorithm publickey {x509v3-ssh-rsa [ssh-rsa] | ssh-rsa [x509v3-ssh-rsa]}
5. ip ssh server certificate profile
6. user
7. trustpoint verify PKI-trustpoint-name
8. ocsp-response required
9. end

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

82
X.509v3 Certificates for SSH Authentication
Configuring IOS SSH Server to Verify User's Digital Certificate for User Authentication

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 ip ssh server algorithm authentication Defines the order of user authentication algorithms. Only the configured
{publickey | keyboard | password} algorithm is negotiated with the secure shell (SSH) client.
Note The IOS SSH server must have at least one configured user
Example: authentication algorithm.
Device(config)# ip ssh server algorithm Note To use the certificate method for user authentication, the
authentication publickey publickey keyword must be configured.
Note The ip ssh server algorithm authentication command
replaces the ip ssh server authenticate user command.
Step 4 ip ssh server algorithm publickey Defines the order of public key algorithms. Only the configured
{x509v3-ssh-rsa [ssh-rsa] | ssh-rsa algorithm is accepted by the SSH client for user authentication.
[x509v3-ssh-rsa]} Note The IOS SSH client must have at least one configured public
key algorithm:
Example:
• ssh-rsa – public-key-based authentication
Device(config)# ip ssh server algorithm
publickey x509v3-ssh-rsa • x509v3-ssh-rsa – certificate-based authentication

Step 5 ip ssh server certificate profile Configures server certificate profile and user certificate profile and
enters SSH certificate profile configuration mode.
Example:
Device(config)# ip ssh server
certificate profile

Step 6 user Configures user certificate profile and enters SSH server certificate
profile user configuration mode.
Example:
Device(ssh-server-cert-profile)# user

Step 7 trustpoint verify PKI-trustpoint-name Configures the public key infrastructure (PKI) trustpoint that is used
to verify the incoming user certificate.
Example: Note Configure multiple trustpoints by executing the same command
Device(ssh-server-cert-profile-user)# multiple times. A maximum of 10 trustpoints can be
trustpoint verify trust2 configured.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

83
X.509v3 Certificates for SSH Authentication
Verifying Configuration for Server and User Authentication Using Digital Certificates

Command or Action Purpose

Step 8 ocsp-response required (Optional) Mandates the presence of the Online Certificate Status
Protocol (OCSP) response with the incoming user certificate.
Example: Note By default the “no” form of this command is configured and
Device(ssh-server-cert-profile-user)# the user certificate is accepted without an OCSP response.
ocsp-response required

Step 9 end Exits SSH server certificate profile user configuration mode and enters
privileged EXEC mode.
Example:
Device(ssh-server-cert-profile-user)#
end

Verifying Configuration for Server and User Authentication Using Digital

Certificates
SUMMARY STEPS

1. enable
2. show ip ssh

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode.
• Enter your password if prompted.

Example:
Device> enable

Step 2 show ip ssh

Displays the currently configured authentication methods. To confirm the use of certificate-based authentication, ensure
that the x509v3-ssh-rsa algorithm is the configured host key algorithm.

Example:
Device# show ip ssh

SSH Enabled - version 1.99

Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

84
X.509v3 Certificates for SSH Authentication
Configuration Examples for X.509v3 Certificates for SSH Authentication

Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits

Configuration Examples for X.509v3 Certificates for SSH

Authentication
Example: Configuring IOS SSH Server to Use Digital Certificates for Sever
Authentication
Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm hostkey x509v3-ssh-rsa
Device(config)# ip ssh server certificate profile
Device(ssh-server-cert-profile)# server
Device(ssh-server-cert-profile-server)# trustpoint sign trust1
Device(ssh-server-cert-profile-server)# exit

Example: Configuring IOS SSH Server to Verify User's Digital Certificate for
User Authentication
Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm authentication publickey
Device(config)# ip ssh server algorithm publickey x509v3-ssh-rsa
Device(config)# ip ssh server certificate profile
Device(ssh-server-cert-profile)# user
Device(ssh-server-cert-profile-user)# trustpoint verify trust2
Device(ssh-server-cert-profile-user)# end

Additional References for X.509v3 Certificates for SSH

Authentication
Related Documents

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

85
X.509v3 Certificates for SSH Authentication
Feature Information for X.509v3 Certificates for SSH Authentication

SSH authentication “Secure Shell-Configuring User Authentication

Methods” chapter in Secure Shell Configuration Guide

Public key infrastructure (PKI) trustpoint “Configuring and Managing a Cisco IOS Certificate
Server for PKI Deployment” chapter in Public Key
Infrastructure Configuration Guide

Technical Assistance

Feature Information for X.509v3 Certificates for SSH

Authentication
The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

86
X.509v3 Certificates for SSH Authentication
Feature Information for X.509v3 Certificates for SSH Authentication

Table 9: Feature Information for X.509v3 Certificates for SSH Authentication

Feature Name Releases Feature Information

X.509v3 Certificates for SSH Cisco IOS 15.5(1)S The X.509v3 Certificates for SSH
Authentication Authentication feature uses the
Cisco IOS 15.5(2)T
X.509v3 digital certificates in
server and user authentication at
the secure shell (SSH) server side.
The following commands were
introduced or modified: ip ssh
server algorithm hostkey, ip ssh
server algorithm authentication,
and ip ssh server certificate
profile.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

87
X.509v3 Certificates for SSH Authentication
Feature Information for X.509v3 Certificates for SSH Authentication

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

88
CHAPTER 9
SSH Algorithms for Common Criteria Certification
The SSH Algorithms for Common Criteria Certification feature provides the list and order of the algorithms
that are allowed for Common Criteria Certification. This module describes how to configure the encryption,
Message Authentication Code (MAC), and host key algorithms for a secure shell (SSH) server and client so
that SSH connections can be limited on the basis of the allowed algorithms list.

• Finding Feature Information, page 89

• Information About SSH Algorithms for Common Criteria Certification, page 90
• How to Configure SSH Algorithms for Common Criteria Certification, page 91
• Configuration Examples For SSH Algorithms for Common Criteria Certification, page 96
• Additional References for SSH Algorithms for Common Criteria Certification, page 97
• Feature Information for SSH Algorithms for Common Criteria Certification, page 98

Finding Feature Information

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

89
SSH Algorithms for Common Criteria Certification
Information About SSH Algorithms for Common Criteria Certification

Information About SSH Algorithms for Common Criteria

Certification

SSH Algorithms for Common Criteria Certification

A Secure Shell (SSH) configuration enables a Cisco IOS SSH server and client to authorize the negotiation
of only those algorithms that are configured from the allowed list. If a remote party tries to negotiate using
only those algorithms that are not part of the allowed list, the request is rejected and the session is not
established.

Cisco IOS SSH Server Algorithms

Cisco IOS secure shell (SSH) servers support the encryption algorithms (Advanced Encryption Standard
Counter Mode [AES-CTR], AES Cipher Block Chaining [AES-CBC], Triple Data Encryption Standard
[3DES]) in the following order:
1 aes128-ctr
2 aes192-ctr
3 aes256-ctr
4 aes128-cbc
5 3des-cbc
6 aes192-cbc
7 aes256-cbc

Cisco IOS SSH servers support the Message Authentication Code (MAC) algorithms in the following order:
1 hmac-sha1
2 hmac-sha1-96

Cisco IOS SSH servers support the host key algorithms in the following order:
1 x509v3-ssh-rsa
2 ssh-rsa

Cisco IOS SSH Client Algorithms

Cisco IOS secure shell (SSH) clients support the encryption algorithms (Advanced Encryption Standard
counter mode [AES-CTR], AES Cipher Block Chaining [AES-CBC], Triple Data Encryption Standard [3DES])
in the following order:
1 aes128-ctr

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

90
SSH Algorithms for Common Criteria Certification
How to Configure SSH Algorithms for Common Criteria Certification

2 aes192-ctr
3 aes256-ctr
4 aes128-cbc
5 3des-cbc
6 aes192-cbc
7 aes256-cbc

Cisco IOS SSH clients support the Message Authentication Code (MAC) algorithms in the following order:
1 hmac-sha1
2 hmac-sha1-96

Cisco IOS SSH clients support only one host key algorithm and do not need a CLI configuration:
• ssh-rsa

How to Configure SSH Algorithms for Common Criteria

Certification

Configuring an Encryption Key Algorithm for a Cisco IOS SSH Server and Client
SUMMARY STEPS

1. enable
2. configure terminal
3. ip ssh {server | client} algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc |
3des-cbc | aes192-cbc | aes256-cbc}
4. end

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

91
SSH Algorithms for Common Criteria Certification
Configuring a MAC Algorithm for a Cisco IOS SSH Server and Client

Command or Action Purpose

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 ip ssh {server | client} algorithm encryption Defines the order of encryption algorithms in the SSH server and
{aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc client. This order is presented during algorithm negotiation.
| 3des-cbc | aes192-cbc | aes256-cbc} Note The Cisco IOS SSH server and client must have at least
one configured encryption algorithm.
Example: Note To disable one algorithm from the previously configured
Device(config)# ip ssh server algorithm algorithm list, use the no form of this command. To disable
encryption aes128-ctr aes192-ctr aes256-ctr more than one algorithm, use the no form of this command
aes128-cbc 3des-cbc aes192-cbc aes256-cbc multiple times with different algorithm names.
Device(config)# ip ssh client algorithm Note For a default configuration, use the default form of this
encryption aes128-ctr aes192-ctr aes256-ctr command as shown below:
aes128-cbc 3des-cbc aes192-cbc aes256-cbc

Device(config)# ip ssh server algorithm encryption

aes128-ctr aes192-ctr aes256-ctr aes128-cbc
3des-cbc aes192-cbc aes256-cbc

Step 4 end Exits global configuration mode and returns to privileged EXEC
mode.
Example:
Device(config)# end

Troubleshooting Tips
If you try to disable the last encryption algorithm in the configuration, the following message is displayed
and the command is rejected:

% SSH command rejected: All encryption algorithms cannot be disabled

Configuring a MAC Algorithm for a Cisco IOS SSH Server and Client
SUMMARY STEPS

1. enable
2. configure terminal
3. ip ssh {server | client} algorithm mac {hmac-sha1 | hmac-sha1-96}
4. end

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

92
SSH Algorithms for Common Criteria Certification
Configuring a MAC Algorithm for a Cisco IOS SSH Server and Client

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 ip ssh {server | client} algorithm mac Defines the order of MAC (Message Authentication Code) algorithms in
{hmac-sha1 | hmac-sha1-96} the SSH server and client. This order is presented during algorithm
negotiation.
Example: Note The Cisco IOS SSH server and client must have at least one
Device(config)# ip ssh server configured Hashed Message Authentication Code (HMAC)
algorithm mac hmac-sha1 hmac-sha1-96 algorithm.
Note To disable one algorithm from the previously configured
Device(config)# ip ssh client
algorithm mac hmac-sha1 hmac-sha1-96 algorithm list, use the no form of this command. To disable more
than one algorithm, use the no form of this command multiple
times with different algorithm names.
Note For default configuration, use the default form of this command
as shown below:

Device(config)# ip ssh server algorithm mac hmac-sha1

hmac-sha1-96

Step 4 end Exits global configuration mode and returns to privileged EXEC mode.

Example:
Device(config)# end

Troubleshooting Tips
If you try to disable the last MAC algorithm in the configuration, the following message is displayed and the
command is rejected:

% SSH command rejected: All mac algorithms cannot be disabled

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

93
SSH Algorithms for Common Criteria Certification
Configuring a Host Key Algorithm for a Cisco IOS SSH Server

Configuring a Host Key Algorithm for a Cisco IOS SSH Server

SUMMARY STEPS

1. enable
2. configure terminal
3. ip ssh server algorithm hostkey {x509v3-ssh-rsa | ssh-rsa}
4. end

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 ip ssh server algorithm hostkey Defines the order of host key algorithms. Only the configured algorithm is
{x509v3-ssh-rsa | ssh-rsa} negotiated with the Cisco IOS secure shell (SSH) client.
Note The Cisco IOS SSH server must have at least one configured host
Example: key algorithm:
Device(config)# ip ssh server • x509v3-ssh-rsa—X.509v3 certificate-based authentication
algorithm hostkey x509v3-ssh-rsa
ssh-rsa
• ssh-rsa—Public-key-based authentication
Note To disable one algorithm from the previously configured algorithm
list, use the no form of this command. To disable more than one
algorithm, use the no form of this command multiple times with
different algorithm names.
Note For default configuration, use the default form of this command as
shown below:

Device(config)# ip ssh server algorithm hostkey

x509v3-ssh-rsa ssh-rsa

Step 4 end Exits global configuration mode and returns to privileged EXEC mode.

Example:
Device(config)# end

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

94
SSH Algorithms for Common Criteria Certification
Verifying SSH Algorithms for Common Criteria Certification

Troubleshooting Tips
If you try to disable the last host key algorithm in the configuration, the following message is displayed and
the command is rejected:

% SSH command rejected: All hostkey algorithms cannot be disabled

Verifying SSH Algorithms for Common Criteria Certification

SUMMARY STEPS

1. enable
2. show ip ssh

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode.
• Enter your password if prompted.

Example:
Device> enable

Step 2 show ip ssh

Displays configured Secure Shell (SSH) encryption, host key, and Message Authentication Code (MAC) algorithms.

Example:
The following sample output from the show ip ssh command shows the encryption algorithms configured in the default
order:
Device# show ip ssh

Encryption Algorithms: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc

The following sample output from the show ip ssh command shows the MAC algorithms configured in the default order:
Device# show ip ssh

MAC Algorithms: hmac-sha1 hmac-sha1-96

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

95
SSH Algorithms for Common Criteria Certification
Configuration Examples For SSH Algorithms for Common Criteria Certification

The following sample output from the show ip ssh command shows the host key algorithms configured in the default
order:
Device# show ip ssh

Hostkey Algorithms: x509v3-ssh-rsa, ssh-rsa

Configuration Examples For SSH Algorithms for Common Criteria

Certification

Example: Configuring Encryption Key Algorithms for a Cisco IOS SSH Server
Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc
3des-cbc aes192-cbc aes256-cbc
Device(config)# end

Example: Configuring Encryption Key Algorithms for a Cisco IOS SSH Client
Device> enable
Device# configure terminal
Device(config)# ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc
3des-cbc aes192-cbc aes256-cbc
Device(config)# end

Example: Configuring MAC Algorithms for a Cisco IOS SSH Server

Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm mac hmac-sha1 hmac-sha1-96
Device(config)# end

Example: Configuring MAC Algorithms for a Cisco IOS SSH Client

Device> enable
Device# configure terminal
Device(config)# ip ssh client algorithm mac hmac-sha1 hmac-sha1-96
Device(config)# end

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

96
SSH Algorithms for Common Criteria Certification
Example: Configuring Host Key Algorithms for a Cisco IOS SSH Server

Example: Configuring Host Key Algorithms for a Cisco IOS SSH Server
Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm hostkey x509v3-ssh-rsa ssh-rsa
Device(config)# end

Additional References for SSH Algorithms for Common Criteria

Certification
Related Documents

SSH authentication “Secure Shell-Configuring User Authentication

Methods” chapter in the Secure Shell Configuration
Guide

X.509v3 digital certificates in server and user “X.509v3 Certificates for SSH Authentication” chapter
authentication in the Secure Shell Configuration Guide

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

97
SSH Algorithms for Common Criteria Certification
Feature Information for SSH Algorithms for Common Criteria Certification

Technical Assistance

Feature Information for SSH Algorithms for Common Criteria

Certification
The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

98
SSH Algorithms for Common Criteria Certification
Feature Information for SSH Algorithms for Common Criteria Certification

Table 10: Feature Information for SSH Algorithms for Common Criteria Certification

Feature Name Releases Feature Information

SSH Algorithms for Common Cisco IOS 15.5(2)T The SSH Algorithms for Common
Criteria Certification Criteria Certification feature
Cisco IOS 15.5(2)S
provides the list and order of the
algorithms that are allowed for
Common Criteria Certification.
This module describes how to
configure the encryption, Message
Authentication Code (MAC), and
host key algorithms for a secure
shell (SSH) server and client so
that SSH connections can be
limited on the basis of the allowed
algorithms list.
The following commands were
introduced by this feature: ip ssh
{server | client} algorithm
encryption, ip ssh {server |
client} algorithm mac.

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

99
SSH Algorithms for Common Criteria Certification
Feature Information for SSH Algorithms for Common Criteria Certification

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

100

NIL CISCO SD-WAN & Security Bootcamp 20.1 - LG
No ratings yet
NIL CISCO SD-WAN & Security Bootcamp 20.1 - LG
108 pages
B - Sec - 152ex - 2960-X - CG (Catalyst 2960-X Switch Security Configuration Guide)
No ratings yet
B - Sec - 152ex - 2960-X - CG (Catalyst 2960-X Switch Security Configuration Guide)
498 pages
16.4.7 Lab - Configure Network Devices With SSH - ILM
100% (1)
16.4.7 Lab - Configure Network Devices With SSH - ILM
11 pages
BCSL-063 Solved Assignment 2024-25
No ratings yet
BCSL-063 Solved Assignment 2024-25
14 pages
EDME 22.1.0 Installation Guide 02
No ratings yet
EDME 22.1.0 Installation Guide 02
97 pages
SSH Configuration On Cisco Routers
No ratings yet
SSH Configuration On Cisco Routers
11 pages
Configuration Guide - MPLS (V600R003C00 - 02)
No ratings yet
Configuration Guide - MPLS (V600R003C00 - 02)
642 pages
Dell Openmanage Network Deployment Guide en Us
No ratings yet
Dell Openmanage Network Deployment Guide en Us
69 pages
CCNASv2 InstructorPPT CH2
No ratings yet
CCNASv2 InstructorPPT CH2
85 pages
Cisco IOS Shell Configuration Guide, Cisco IOS Release 15.1M - Cisco IOS Shell (Support) - Cisco
No ratings yet
Cisco IOS Shell Configuration Guide, Cisco IOS Release 15.1M - Cisco IOS Shell (Support) - Cisco
15 pages
1.3.6 Packet Tracer - Configure SSH
100% (1)
1.3.6 Packet Tracer - Configure SSH
2 pages
DVTK RIS Emulator User Manual
No ratings yet
DVTK RIS Emulator User Manual
15 pages
Secure Shell Configuration Guide, Cisco IOS Release 12.2SX: Americas Headquarters
No ratings yet
Secure Shell Configuration Guide, Cisco IOS Release 12.2SX: Americas Headquarters
73 pages
B 1612 Programmability CG
No ratings yet
B 1612 Programmability CG
288 pages
CCNA Security: Chapter Two Securing Network Devices
No ratings yet
CCNA Security: Chapter Two Securing Network Devices
16 pages
OST Unit 2 Notes
No ratings yet
OST Unit 2 Notes
99 pages
B Cisco Nexus 7000 NX-OS Security Configuration Guide Release 5-x Chapter 01000
No ratings yet
B Cisco Nexus 7000 NX-OS Security Configuration Guide Release 5-x Chapter 01000
24 pages
Sec Data Acl 15 MT Book
No ratings yet
Sec Data Acl 15 MT Book
294 pages
02 - CK - Securing Network Devices
No ratings yet
02 - CK - Securing Network Devices
64 pages
ST Vid11393 Agd2
No ratings yet
ST Vid11393 Agd2
742 pages
Configuring Secure Shell: in This Chapter
No ratings yet
Configuring Secure Shell: in This Chapter
12 pages
Configuring SSH
No ratings yet
Configuring SSH
12 pages
B Cisco n5k Security Config GD 513 n1 1 Chapter 0110
No ratings yet
B Cisco n5k Security Config GD 513 n1 1 Chapter 0110
12 pages
Lab 9 - RSS100 - Securing Layer 2 Switches
No ratings yet
Lab 9 - RSS100 - Securing Layer 2 Switches
38 pages
6.3.1.1 Lab - Securing Layer 2 Switches
No ratings yet
6.3.1.1 Lab - Securing Layer 2 Switches
18 pages
Nfvis Config Guide 3 12
No ratings yet
Nfvis Config Guide 3 12
254 pages
B Consolidated Config Guide 3850 Chapter 0110010
No ratings yet
B Consolidated Config Guide 3850 Chapter 0110010
8 pages
SSH Install v24
No ratings yet
SSH Install v24
115 pages
6.3.1.1 Lab - Securing Layer 2 Switches
100% (1)
6.3.1.1 Lab - Securing Layer 2 Switches
23 pages
6.5.1.1 Lab - Securing Layer 2 Switches
0% (2)
6.5.1.1 Lab - Securing Layer 2 Switches
29 pages
Configuring Secure Shell (SSH) : Finding Feature Information
No ratings yet
Configuring Secure Shell (SSH) : Finding Feature Information
10 pages
Client Switch SSH Instructions V3a
No ratings yet
Client Switch SSH Instructions V3a
8 pages
Linux Commands From A To Z
No ratings yet
Linux Commands From A To Z
6 pages
08-SSH Configuration
No ratings yet
08-SSH Configuration
25 pages
Network Security and Cyber Security
No ratings yet
Network Security and Cyber Security
26 pages
How To Configure SSH On Cisco Switch or Router
No ratings yet
How To Configure SSH On Cisco Switch or Router
4 pages
Red Hat Enterprise Linux 9 Securing Networks en Us
No ratings yet
Red Hat Enterprise Linux 9 Securing Networks en Us
94 pages
4.4.9 Lab - Configure Network Devices With SSH - ILM
No ratings yet
4.4.9 Lab - Configure Network Devices With SSH - ILM
10 pages
How To Configure SSH in Packet Tracer - SYSNETTECH Solutions
No ratings yet
How To Configure SSH in Packet Tracer - SYSNETTECH Solutions
6 pages
Cisco SSH
100% (1)
Cisco SSH
1 page
11.2.4.5 Lab - Accessing Network Devices With SSH
50% (2)
11.2.4.5 Lab - Accessing Network Devices With SSH
11 pages
CCNA 2 v5.0 Routing and Switching: Home CCNA v6.0 CCNA Security V2 IT-Essentials
No ratings yet
CCNA 2 v5.0 Routing and Switching: Home CCNA v6.0 CCNA Security V2 IT-Essentials
14 pages
Switch Getting Started Guide
No ratings yet
Switch Getting Started Guide
77 pages
Pi Netrw
No ratings yet
Pi Netrw
76 pages
4145 SSH
No ratings yet
4145 SSH
13 pages
Linux 100 Interview Questions
No ratings yet
Linux 100 Interview Questions
14 pages
CCNA Security: Chapter Two Securing Network Devices
No ratings yet
CCNA Security: Chapter Two Securing Network Devices
70 pages
11.2.4.6 Lab - Accessing Network Devices With SSH - ILM
No ratings yet
11.2.4.6 Lab - Accessing Network Devices With SSH - ILM
11 pages
Switch Initial Configuration
No ratings yet
Switch Initial Configuration
5 pages
Day 42 Slides - SSH
No ratings yet
Day 42 Slides - SSH
22 pages
11.2.4.6 Lab - Accessing Network Devices With SSH
0% (3)
11.2.4.6 Lab - Accessing Network Devices With SSH
6 pages
Security Chp6 Lab-Secure-Layer2 Instructor
No ratings yet
Security Chp6 Lab-Secure-Layer2 Instructor
42 pages
11-Igmp Principle Issue1.01
100% (1)
11-Igmp Principle Issue1.01
32 pages
TEC Installation FCT Man en-US
No ratings yet
TEC Installation FCT Man en-US
60 pages
Cloud Security Module I
No ratings yet
Cloud Security Module I
53 pages
2019 Packet Tracer - Part 02
No ratings yet
2019 Packet Tracer - Part 02
16 pages
Linux For Devops
No ratings yet
Linux For Devops
16 pages
16.4.7 Lab - Configure Network Devices With SSH
No ratings yet
16.4.7 Lab - Configure Network Devices With SSH
6 pages
4-VLAN Mapping Configuration
No ratings yet
4-VLAN Mapping Configuration
37 pages
Cisco Device Complete Lab Manaul
No ratings yet
Cisco Device Complete Lab Manaul
82 pages
Ccna Lab Manual
No ratings yet
Ccna Lab Manual
83 pages
Network Plumbing: Configuring Secure Shell On Routers and Switches Running Cisco IOS
No ratings yet
Network Plumbing: Configuring Secure Shell On Routers and Switches Running Cisco IOS
10 pages
5-STP Principle and Configuration ISSUE1.00
No ratings yet
5-STP Principle and Configuration ISSUE1.00
32 pages
Cisco Lab
No ratings yet
Cisco Lab
4 pages
Configuring Secure Shell SSH
No ratings yet
Configuring Secure Shell SSH
8 pages
Specification of AS32 TTL 100
No ratings yet
Specification of AS32 TTL 100
23 pages
C-View v1.0 DICOM Conformance Statement (MAN-02865) English Rev - 001 02 - 12
No ratings yet
C-View v1.0 DICOM Conformance Statement (MAN-02865) English Rev - 001 02 - 12
27 pages
AWS Pricing Calculator
No ratings yet
AWS Pricing Calculator
19 pages
Implementing Cisco SD-WAN Solutions
No ratings yet
Implementing Cisco SD-WAN Solutions
2 pages
Change Management System (IPPT)
No ratings yet
Change Management System (IPPT)
3 pages
1-VLAN Basic Principle and Configuration ISSUE1.00
No ratings yet
1-VLAN Basic Principle and Configuration ISSUE1.00
19 pages
2.2.1.4 Packet Tracer - Configuring SSH Instruction - IG PDF
No ratings yet
2.2.1.4 Packet Tracer - Configuring SSH Instruction - IG PDF
2 pages
Arikawa 2017
No ratings yet
Arikawa 2017
5 pages
5.2.1.4 Packet Tracer - Configuring SSH Instruction
No ratings yet
5.2.1.4 Packet Tracer - Configuring SSH Instruction
2 pages
16.4.7 Lab - Configure Network Devices With SSH
No ratings yet
16.4.7 Lab - Configure Network Devices With SSH
6 pages
DICOM Basic Print SCU Conformance Statement: KODAK PACS Link 9410 Acquisition System
No ratings yet
DICOM Basic Print SCU Conformance Statement: KODAK PACS Link 9410 Acquisition System
17 pages
SCP Known Issues
No ratings yet
SCP Known Issues
13 pages
How Will 5G Transform Industrial Iot?: Mehmet Yavuz
No ratings yet
How Will 5G Transform Industrial Iot?: Mehmet Yavuz
27 pages
Balamuralidhar P - IoT 5G
No ratings yet
Balamuralidhar P - IoT 5G
15 pages
3 Steps To Perform SSH Login Without Password
No ratings yet
3 Steps To Perform SSH Login Without Password
16 pages
Maximize Your File Transfer Efficiency With Rsync and SCP
No ratings yet
Maximize Your File Transfer Efficiency With Rsync and SCP
8 pages
Experiment No - 6
No ratings yet
Experiment No - 6
6 pages
5.2.1.4 Configuring SSH Instruction
No ratings yet
5.2.1.4 Configuring SSH Instruction
4 pages
Common Ports Cheat Sheet
No ratings yet
Common Ports Cheat Sheet
10 pages
Smart Cities in The New Service Economy: Building Platforms For Smart Services
No ratings yet
Smart Cities in The New Service Economy: Building Platforms For Smart Services
13 pages
SNA Bullet 11 MCQS
No ratings yet
SNA Bullet 11 MCQS
12 pages
Keeper
No ratings yet
Keeper
15 pages
Articulo Biorefinerias
No ratings yet
Articulo Biorefinerias
10 pages
Chapter 4. Using The Command-Line Interface
No ratings yet
Chapter 4. Using The Command-Line Interface
22 pages
Secure Shell (SSH) Configuration: Objective
No ratings yet
Secure Shell (SSH) Configuration: Objective
5 pages
Update or Upgrade BIG-IP HA Systems Using The Configuration Utility - BIG-IP Update and Upgrade Guide
No ratings yet
Update or Upgrade BIG-IP HA Systems Using The Configuration Utility - BIG-IP Update and Upgrade Guide
7 pages
6.3.1.1 Lab - Securing Layer 2 Switches
No ratings yet
6.3.1.1 Lab - Securing Layer 2 Switches
22 pages
SSH Command Cheat Sheet & Quick Reference
No ratings yet
SSH Command Cheat Sheet & Quick Reference
6 pages
2012 Smart LazaroiuRoscia Definitionmethodologyforthesmartcitiesmodel Energy
No ratings yet
2012 Smart LazaroiuRoscia Definitionmethodologyforthesmartcitiesmodel Energy
9 pages
1.3.6 Packet Tracer - Configure SSH - ILM
No ratings yet
1.3.6 Packet Tracer - Configure SSH - ILM
2 pages
3-Example For Configuring VLAN Aggregation
No ratings yet
3-Example For Configuring VLAN Aggregation
2 pages
Configure Network Devices With SSH
No ratings yet
Configure Network Devices With SSH
5 pages
CCNA 2 RSE Chapter 2 SIC Practice Skills Assessment Packet Tracer Answers
No ratings yet
CCNA 2 RSE Chapter 2 SIC Practice Skills Assessment Packet Tracer Answers
4 pages
4.4.9 Lab - Configure Network Devices With SSH Ok
No ratings yet
4.4.9 Lab - Configure Network Devices With SSH Ok
5 pages
Connect To Your Linux Instance From Windows Using PuTTY
No ratings yet
Connect To Your Linux Instance From Windows Using PuTTY
4 pages
Build Your Own VPN Server: A Step by Step Guide: Build Your Own VPN
From Everand
Build Your Own VPN Server: A Step by Step Guide: Build Your Own VPN
Lin Song
No ratings yet
Linux DevOps Tools Engineer (701) Practice Tests: 400 Questions to Ace Your Certification
From Everand
Linux DevOps Tools Engineer (701) Practice Tests: 400 Questions to Ace Your Certification
Steve Brown
No ratings yet
Cisco CCNA Command Guide: An Introductory Guide for CCNA & Computer Networking Beginners: Computer Networking, #3
From Everand
Cisco CCNA Command Guide: An Introductory Guide for CCNA & Computer Networking Beginners: Computer Networking, #3
Ramon Nastase
4.5/5 (2)
Deploying Certificates Cisco Meeting Server: Design your certificates for CMS services and integrate with Cisco UCM Expressway and TMS
From Everand
Deploying Certificates Cisco Meeting Server: Design your certificates for CMS services and integrate with Cisco UCM Expressway and TMS
Redouane MEDDANE
No ratings yet
Virtualization Security: Protecting Virtualized Environments
From Everand
Virtualization Security: Protecting Virtualized Environments
Dave Shackleford
3/5 (1)
Network Security All-in-one: ASA Firepower WSA Umbrella VPN ISE Layer 2 Security
From Everand
Network Security All-in-one: ASA Firepower WSA Umbrella VPN ISE Layer 2 Security
Redouane MEDDANE
No ratings yet