Configuring Secure Shell

• Prerequisites for Configuring Secure Shell, on page 1

• Restrictions for Configuring Secure Shell, on page 2
• Information About Configuring Secure Shell , on page 2
• How to Configure Secure Shell, on page 4
• Monitoring the SSH Configuration and Status, on page 8
• Feature Information for Secure Shell, on page 8

Prerequisites for Configuring Secure Shell

The following are the prerequisites for configuring the switch for secure shell (SSH):
• For SSH to work, the switch needs an Rivest, Shamir, and Adleman (RSA) public/private key pair. This
is the same with Secure Copy Protocol (SCP), which relies on SSH for its secure transport.
• Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
• Because SCP relies on SSH for its secure transport, the router must have an Rivest, Shamir, and Adelman
(RSA) key pair.
• SCP relies on SSH for security.
• SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so
the router can determine whether the user has the correct privilege level.
• A user must have appropriate authorization to use SCP.
• A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System
(IFS) to and from a switch by using the copy command. An authorized administrator can also do this
from a workstation.
• The Secure Shell (SSH) server requires an IPsec (Data Encryption Standard [DES] or 3DES) encryption
software image; the SSH client requires an IPsec (DES or 3DES) encryption software image.)
• Configure a hostname and host domain for your device by using the hostname and ip domain-name
commands in global configuration mode.

Configuring Secure Shell

1
 Configuring Secure Shell
Restrictions for Configuring Secure Shell

Restrictions for Configuring Secure Shell

The following are restrictions for configuring the device for secure shell.
• The switch supports Rivest, Shamir, and Adelman (RSA) authentication.
• SSH supports only the execution-shell application.
• The SSH server and the SSH client are supported only on Data Encryption Standard (DES) (56-bit) and
3DES (168-bit) data encryption software. In DES software images, DES is the only encryption algorithm
available. In 3DES software images, both DES and 3DES encryption algorithms are available.
• The device supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit key,
192-bit key, or 256-bit key. However, symmetric cipher AES to encrypt the keys is not supported.
• When using SCP, you cannot enter the password into the copy command. You must enter the password
when prompted.
• The login banner is not supported in Secure Shell Version 1. It is supported in Secure Shell Version 2.
• The -l keyword and userid :{number} {ip-address} delimiter and arguments are mandatory when
configuring the alternative method of Reverse SSH for console access.
• To authenticate clients with freeradius over RADSEC, you should generate an RSA key longer than 1024
bit. Use the crypto key generate rsa general-keys exportable label label-name command to achieve this.

Information About Configuring Secure Shell

Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device. SSH provides more
security for remote connections than Telnet does by providing strong encryption when a device is authenticated.
This software release supports SSH Version 2 (SSHv2).

SSH And Switch Access

Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device. SSH provides more
security for remote connections than Telnet does by providing strong encryption when a device is authenticated.
This software release supports SSH Version 2 (SSHv2).
SSH functions the same in IPv6 as in IPv4. For IPv6, SSH supports IPv6 addresses and enables secure,
encrypted connections with remote IPv6 nodes over an IPv6 transport.

SSH Servers, Integrated Clients, and Supported Versions

The Secure Shell (SSH) Integrated Client feature is an application that runs over the SSH protocol to provide
device authentication and encryption. The SSH client enables a Cisco device to make a secure, encrypted
connection to another Cisco device or to any other device running the SSH server. This connection provides
functionality similar to that of an outbound Telnet connection except that the connection is encrypted. With
authentication and encryption, the SSH client allows for secure communication over an unsecured network.
The SSH server and SSH integrated client are applications that run on the switch. The SSH server works with
the SSH client supported in this release and with non-Cisco SSH clients. The SSH client works with publicly

Configuring Secure Shell

2
 Configuring Secure Shell
SSH Configuration Guidelines

and commercially available SSH servers. The SSH client supports the ciphers of Data Encryption Standard
(DES), 3DES, and password authentication.

Note The SSH client functionality is available only when the SSH server is enabled.

User authentication is performed like that in the Telnet session to the device. SSH also supports the following
user authentication methods:
• TACACS+
• RADIUS
• Local authentication and authorization

SSH Configuration Guidelines

Follow these guidelines when configuring the switch as an SSH server or SSH client:
• An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server, and the reverse.
• If the SSH server is running on an active switch and the active switch fails, the new active switch uses
the RSA key pair generated by the previous active switch.
• If you get CLI error messages after entering the crypto key generate rsa global configuration command,
an RSA key pair has not been generated. Reconfigure the hostname and domain, and then enter the crypto
key generate rsa command.
• When generating the RSA key pair, the message No host name specified might appear. If it does, you
must configure a hostname by using the hostname global configuration command.
• When generating the RSA key pair, the message No domain specified might appear. If it does, you must
configure an IP domain name by using the ip domain-name global configuration command.
• When configuring the local authentication and authorization authentication method, make sure that AAA
is disabled on the console.

Secure Copy Protocol Overview

The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch
configurations or switch image files. SCP relies on Secure Shell (SSH), an application and a protocol that
provides a secure replacement for the Berkeley r-tools.
For SSH to work, the switch needs an RSA public/private key pair. This is the same with SCP, which relies
on SSH for its secure transport.
Because SSH also relies on AAA authentication, and SCP relies further on AAA authorization, correct
configuration is necessary.
• Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
• Because SCP relies on SSH for its secure transport, the router must have an Rivest, Shamir, and Adelman
(RSA) key pair.

Configuring Secure Shell

3
 Configuring Secure Shell
Secure Copy Protocol

Note When using SCP, you cannot enter the password into the copy command. You must enter the password when
prompted.

Secure Copy Protocol

The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying device
configurations or switch image files. The behavior of SCP is similar to that of remote copy (rcp), which comes
from the Berkeley r-tools suite, except that SCP relies on SSH for security. SCP also requires that authentication,
authorization, and accounting (AAA) authorization be configured so the device can determine whether the
user has the correct privilege level. To configure the Secure Copy feature, you should understand the SCP
concepts.

How to Configure Secure Shell

Setting Up the Device to Run SSH
Follow the procedure given below to set up your Device to run SSH:

Before you begin

Configure user authentication for local or remote access. This step is required. For more information, see
Related Topics below.

Procedure

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:

Device# configure terminal

Step 3 hostname hostname Configures a hostname and IP domain name for

your Device.
Example:
Note Follow this procedure only if you are
Device(config)# hostname your_hostname configuring the Device as an SSH
server.

Configuring Secure Shell

4
 Configuring Secure Shell
Configuring the SSH Server

Command or Action Purpose

Step 4 ip domain-name domain_name Configures a host domain for your Device.
Example:

Device(config)# ip domain-name
your_domain

Step 5 crypto key generate rsa Enables the SSH server for local and remote
authentication on the Device and generates an
Example:
RSA key pair. Generating an RSA key pair for
the Device automatically enables SSH.
Device(config)# crypto key generate rsa
We recommend that a minimum modulus size
of 1024 bits.
When you generate RSA keys, you are
prompted to enter a modulus length. A longer
modulus length might be more secure, but it
takes longer to generate and to use.
Note Follow this procedure only if you are
configuring the Device as an SSH
server.

Step 6 end Returns to privileged EXEC mode.

Example:

Device(config)# end

Step 7 show running-config Verifies your entries.

Example:

Device# show running-config

Step 8 copy running-config startup-config (Optional) Saves your entries in the

configuration file.
Example:

Device# copy running-config

startup-config

Configuring the SSH Server

Follow these steps to configure the SSH server:

Configuring Secure Shell

5
 Configuring Secure Shell
Configuring the SSH Server

Note This procedure is only required if you are configuring the Device as an SSH server.

Procedure

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:

Device# configure terminal

Step 3 ip ssh version [2] (Optional) Configures the Device to run SSH
Version 2.
Example:
If you do not enter this command or do not
Device(config)# ip ssh version 2 specify a keyword, the SSH server selects the
latest SSH version supported by the SSH client.

Step 4 ip ssh {time-out seconds | authentication-retries Configures the SSH control parameters:
number}
• time-out seconds: Specify the time-out
Example: value in seconds; the default is 120
seconds. The range is 0 to 120 seconds.
Device(config)# ip ssh time-out 90 This parameter applies to the SSH
OR negotiation phase. After the connection is
Device(config)# ip ssh
established, the Device uses the default
authentication-retries 2
time-out values of the CLI-based sessions.
By default, up to five simultaneous,
encrypted SSH connections for multiple
CLI-based sessions over the network are
available (session 0 to session 4). After the
execution shell starts, the CLI-based
session time-out value returns to the
default of 10 minutes.
• authentication-retries number: Specify the
number of times that a client can
re-authenticate to the server. The default
is 3; the range is 0 to 5.

Repeat this step when configuring both

parameters.

Configuring Secure Shell

6
Configuring Secure Shell
Configuring the SSH Server

Command or Action Purpose

Step 5 Use one or both of the following: (Optional) Configures the virtual terminal line
settings.
• line vty
line_number[ending_line_number] • Enters line configuration mode to
• transport input ssh configure the virtual terminal line settings.
For the line_number and
Example: ending_line_number arguments, the range
Device(config)# line vty 1 10 is from 0 to 15.
• Specifies that the Device prevents
or
non-SSH Telnet connections, limiting the
Device(config-line)# transport input ssh device to only SSH connections.

Step 6 end Exits line configuration mode and returns to

privileged EXEC mode.
Example:

Device(config-line)# end

Step 7 Use one of the following: • Shows the version and configuration
information for your SSH server.
• show ip ssh
• show ssh • Shows the status of the SSH server
connections on the Device.
Example:
Device# show ip ssh

or
Device# show ssh

Step 8 show running-config Verifies your entries.

Example:

Device# show running-config

Step 9 copy running-config startup-config (Optional) Saves your entries in the

configuration file.
Example:

Device# copy running-config

startup-config

Configuring Secure Shell

7
 Configuring Secure Shell
Monitoring the SSH Configuration and Status

Monitoring the SSH Configuration and Status

This table displays the SSH server configuration and status.

Table 1: Commands for Displaying the SSH Server Configuration and Status

Command Purpose

show ip Shows the version and configuration information for the SSH server.
ssh

show ssh Shows the status of the SSH server.

Feature Information for Secure Shell

The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 2: Feature Information for Secure Shell

Feature Name Releases Feature Information

Secure Shell Cisco IOS XE Everest SSH is a protocol that provides a secure, remote
16.6.1 connection to a device. SSH provides more security
for remote connections than Telnet does by providing
strong encryption when a device is authenticated.
This software release supports SSHv2.

Configuring Secure Shell

8