Information About Secure Shell
Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device. SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2).
Prerequisites for Configuring Secure Shell
The following are the prerequisites for configuring the device for secure shell (SSH):
-
For SSH to work, the device needs an RSA public/private key pair; the SSH server uses it to authenticate itself to connecting clients.
-
The Secure Shell (SSH) server requires an IPsec (Data Encryption Standard [DES] or 3DES) encryption software image; the SSH client requires an IPsec (DES or 3DES) encryption software image.
-
Configure a hostname and host domain for your device by using the hostname and ip domain-name commands in global configuration mode. Both must be set before an RSA key pair can be generated.
Restrictions for Configuring Secure Shell
The following are restrictions for configuring the router for secure shell.
-
The router supports RSA authentication.
-
SSH supports only the execution-shell application.
-
The SSH server and the SSH client are supported only on Data Encryption Standard (DES) (56-bit) and 3DES (168-bit) data encryption software. In DES software images, DES is the only encryption algorithm available. In 3DES software images, both DES and 3DES encryption algorithms are available.
Note
Cisco highly recommends 3DES encryption because it is stronger; 56-bit DES is no longer considered secure. See the Cisco IOS-XE device hardening guide at https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html for details.
-
This software release supports IP Security (IPSec).
-
The router supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit, 192-bit, or 256-bit key. However, using the symmetric AES cipher to encrypt the RSA keys themselves is not supported.
-
The login banner is not supported in Secure Shell Version 1. It is supported in Secure Shell Version 2, which Cisco recommends because of its better security; SSHv1 has known protocol-level weaknesses and should not be enabled where SSHv2 is available.
-
The -l keyword and the userid:{number} {ip-address} delimiter and arguments are mandatory when configuring the alternative method of Reverse SSH for console access.
SSH And Router Access
SSH functions the same in IPv6 as in IPv4. For IPv6, SSH supports IPv6 addresses and enables secure, encrypted connections with remote IPv6 nodes over an IPv6 transport.
SSH Servers, Integrated Clients, and Supported Versions
The Secure Shell (SSH) Integrated Client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco device to make a secure, encrypted connection to another Cisco device or to any other device running the SSH server. This connection provides functionality similar to that of an outbound Telnet connection except that the connection is encrypted. With authentication and encryption, the SSH client allows for secure communication over an unsecured network.
The SSH server and SSH integrated client are applications that run on the device. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client works with publicly and commercially available SSH servers. The SSH client supports the DES and 3DES ciphers and password authentication.
Note
The SSH client functionality is available only when the SSH server is enabled.
User authentication is performed as it is for a Telnet session to the device. SSH also supports the following user authentication methods:
-
TACACS+
-
RADIUS
-
Local authentication and authorization
SSH Configuration Guidelines
Follow these guidelines when configuring the device as an SSH server or SSH client:
-
An RSA key pair generated by an SSHv1 server can be used by an SSHv2 server, and the reverse.
-
If you get CLI error messages after entering the crypto key generate rsa global configuration command, an RSA key pair has not been generated. Reconfigure the hostname and domain, and then enter the crypto key generate rsa command.
-
When generating the RSA key pair, the message No hostname specified might appear. If it does, you must configure an IP hostname by using the hostname global configuration command.
-
When generating the RSA key pair, the message No domain specified might appear. If it does, you must configure an IP domain name by using the ip domain-name global configuration command.
-
When configuring the local authentication and authorization method, make sure that AAA is disabled on the console.
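The prerequisites and guidelines above amount to one short procedure: set the hostname and domain, generate the RSA key pair, restrict the server to SSHv2, and put local authentication on VTY lines that accept SSH only. The following configuration is an added example and is not taken from the original page or from Cisco's own configuration guides; the hostname, domain name, username, key size, timeout values and VTY line range are assumed values chosen for illustration.

```cisco
! Added example (not from the original page): SSHv2-only server setup on a
! Cisco IOS-XE device. Hostname, domain, username, key size and timers are
! assumed values for illustration.
configure terminal
 ! 1. Hostname and domain must exist before key generation; otherwise
 !    "crypto key generate rsa" reports "No hostname specified" or
 !    "No domain specified" and no key pair is created.
 hostname edge-rtr1
 ip domain-name example.net
 ! 2. Generate the RSA host key pair that the SSH server authenticates
 !    itself with. A 2048-bit modulus is an assumed size.
 crypto key generate rsa modulus 2048
 ! 3. Restrict the server to SSHv2 (the version the page recommends) and
 !    bound the login negotiation window and retry count.
 ip ssh version 2
 ip ssh time-out 60
 ip ssh authentication-retries 3
 ! 4. Local authentication and authorization: a local user with a hashed
 !    secret, and VTY lines that accept SSH only, so Telnet is not offered.
 username netadmin privilege 15 secret <choose-a-strong-secret>
 line vty 0 4
  login local
  transport input ssh
 end
! Verify: "show ip ssh" should report "SSH Enabled - version 2.0", and
! "show crypto key mypubkey rsa" should list the generated key pair.
```

If "show ip ssh" still reports version 1.99, the server is accepting both protocol versions and the ip ssh version 2 line was not applied; re-check that the RSA key pair exists, since the server cannot start without it.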