Configuring Secure Shell

The Secure Shell (SSH) feature is an application and a protocol that provides a secure replacement to the Berkeley r-tools. The protocol secures sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools. Two versions of SSH are available: SSH Version 1 and SSH Version 2.

Prerequisites for Configuring Secure Shell

The following are the prerequisites for configuring the switch for secure shell (SSH):

  • For SSH to work, the switch needs a Rivest, Shamir, and Adleman (RSA) public/private key pair. This is the same with Secure Copy Protocol (SCP), which relies on SSH for its secure transport.

  • Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.

  • Because SCP relies on SSH for its secure transport, the router must have a Rivest, Shamir, and Adleman (RSA) key pair.

  • SCP relies on SSH for security.

  • SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether the user has the correct privilege level.

  • A user must have appropriate authorization to use SCP.

  • A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.

  • The Secure Shell (SSH) server requires an IPsec (Data Encryption Standard [DES] or 3DES) encryption software image; the SSH client requires an IPsec (DES or 3DES) encryption software image.

  • Configure a hostname and host domain for your device by using the hostname and ip domain-name commands in global configuration mode.

Restrictions for Configuring Secure Shell

The following are restrictions for configuring the device for secure shell.

  • The switch supports Rivest, Shamir, and Adleman (RSA) authentication.

  • SSH supports only the execution-shell application.

  • The SSH server and the SSH client are supported only on Data Encryption Standard (DES) (56-bit) and 3DES (168-bit) data encryption software. In DES software images, DES is the only encryption algorithm available. In 3DES software images, both DES and 3DES encryption algorithms are available.

  • The device supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit key, 192-bit key, or 256-bit key. However, using the AES symmetric cipher to encrypt the keys is not supported.

  • When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted.

  • The login banner is not supported in Secure Shell Version 1. It is supported in Secure Shell Version 2.

  • The -l keyword and the userid:{number} {ip-address} delimiter and arguments are mandatory when configuring the alternative method of Reverse SSH for console access.

  • To authenticate clients with freeradius over RADSEC, you should generate an RSA key longer than 1024 bits. Use the crypto key generate rsa general-keys exportable label label-name command to do this.

Information About Configuring Secure Shell

Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device. SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2).

SSH and Device Access

SSH functions the same in IPv6 as in IPv4. For IPv6, SSH supports IPv6 addresses and enables secure, encrypted connections with remote IPv6 nodes over an IPv6 transport.

SSH Servers, Integrated Clients, and Supported Versions

The Secure Shell (SSH) Integrated Client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco device to make a secure, encrypted connection to another Cisco device or to any other device running the SSH server. This connection provides functionality similar to that of an outbound Telnet connection except that the connection is encrypted. With authentication and encryption, the SSH client allows for secure communication over an unsecured network.

The SSH server and SSH integrated client are applications that run on the switch. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client works with publicly and commercially available SSH servers. The SSH client supports the Data Encryption Standard (DES) and 3DES ciphers and password authentication.

The switch supports an SSHv1 or an SSHv2 server.

The switch supports an SSHv1 client.


Note

The SSH client functionality is available only when the SSH server is enabled.

User authentication is performed like that in the Telnet session to the device. SSH also supports the following user authentication methods:

  • TACACS+

  • RADIUS

  • Local authentication and authorization

RSA Authentication Support

Rivest, Shamir, and Adleman (RSA) authentication available in Secure Shell (SSH) clients is not supported on the SSH server for Cisco software by default.

SSL Configuration Guidelines

When SSL is used in a switch cluster, the SSL session terminates at the cluster commander. Cluster member switches must run standard HTTP.

Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not set, the certificate is rejected due to an incorrect date.

In a switch stack, the SSL session terminates at the active switch.

Secure Copy Protocol Overview

The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch configurations or switch image files. SCP relies on Secure Shell (SSH), an application and a protocol that provides a secure replacement for the Berkeley r-tools.

For SSH to work, the switch needs an RSA public/private key pair. This is the same with SCP, which relies on SSH for its secure transport.

Because SSH also relies on AAA authentication, and SCP relies further on AAA authorization, correct configuration is necessary.

  • Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.

  • Because SCP relies on SSH for its secure transport, the router must have a Rivest, Shamir, and Adleman (RSA) key pair.


Note

When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted.


Secure Copy Protocol

The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch configurations or switch image files. The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security. SCP also requires that authentication, authorization, and accounting (AAA) authorization be configured so the switch can determine whether the user has the correct privilege level. To configure the Secure Copy feature, you should understand the SCP concepts.

How Secure Copy Works

The behavior of Secure Copy (SCP) is similar to that of remote copy (RCP), which comes from the Berkeley r-tools suite (Berkeley university’s own set of networking applications), except that SCP relies on Secure Shell (SSH) for security. In addition, SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so that the device can determine whether the user has the correct privilege level.

SCP allows only a user with privilege level 15 to copy any file that exists in the Cisco IOS File System (IFS) to and from a device by using the copy command. An authorized administrator may also perform this action from a workstation.


Note

Enable the SCP option while using the pscp.exe file with the Cisco software.


Reverse Telnet

Reverse telnet allows you to telnet to a certain port range and connect to terminal or auxiliary lines. Reverse telnet has often been used to connect a Cisco device that has many terminal lines to the consoles of other Cisco devices. Telnet makes it easy to reach the device console from anywhere simply by telnetting to the terminal server on a specific line. This Telnet approach can be used to configure a device even if all network connectivity to that device is disconnected. Reverse telnet also allows modems that are attached to Cisco devices to be used for dial-out (usually with a rotary device).

Reverse SSH

Reverse telnet can be accomplished using SSH. Unlike reverse telnet, SSH provides for secure connections. The Reverse SSH Enhancements feature provides you with a simplified method of configuring SSH. Using this feature, you no longer have to configure a separate line for every terminal or auxiliary line on which you want to enable SSH. The previous method of configuring reverse SSH limited the number of ports that can be accessed to 100. The Reverse SSH Enhancements feature removes the port number limitation.

How to Configure Secure Shell

Setting Up the Switch to Run SSH

Follow the procedure given below to set up your Switch to run SSH:

Before you begin

Configure user authentication for local or remote access. This step is required. For more information, see Related Topics below.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. hostname hostname
  4. ip domain-name domain_name
  5. crypto key generate rsa
  6. end
  7. show running-config
  8. copy running-config startup-config

DETAILED STEPS

Step 1

enable

Example:


Switch> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Switch# configure terminal

Enters global configuration mode.

Step 3

hostname hostname

Example:


Switch(config)# hostname your_hostname

Configures a hostname and IP domain name for your Switch.

Note 

Follow this procedure only if you are configuring the Switch as an SSH server.

Step 4

ip domain-name domain_name

Example:


Switch(config)# ip domain-name your_domain

Configures a host domain for your Switch.

Step 5

crypto key generate rsa

Example:


Switch(config)# crypto key generate rsa

Enables the SSH server for local and remote authentication on the Switch and generates an RSA key pair. Generating an RSA key pair for the Switch automatically enables SSH.

We recommend a minimum modulus size of 1024 bits.

When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use.

Note 

Follow this procedure only if you are configuring the Switch as an SSH server.

Step 6

end

Example:


Switch(config)# end

Returns to privileged EXEC mode.

Step 7

show running-config

Example:


Switch# show running-config 

Verifies your entries.

Step 8

copy running-config startup-config

Example:


Switch# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Configuring the SSH Server

Beginning in privileged EXEC mode, follow these steps to configure the SSH server:


Note

This procedure is only required if you are configuring the switch as an SSH server.


SUMMARY STEPS

  1. configure terminal
  2. ip ssh version [1 | 2]
  3. ip ssh {time-out seconds | authentication-retries number}
  4. Use one or both of the following:
    • line vty line_number [ending_line_number]
    • transport input ssh
  5. end

DETAILED STEPS

Step 1

configure terminal

Example:


Switch# configure terminal

Enters global configuration mode.

Step 2

ip ssh version [1 | 2]

Example:


Switch(config)# ip ssh version 1

(Optional) Configures the switch to run SSH Version 1 or SSH Version 2.

  • 1 — Configure the switch to run SSH Version 1.

  • 2 — Configure the switch to run SSH Version 2.

If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.

Step 3

ip ssh {time-out seconds | authentication-retries number}

Example:


Switch(config)# ip ssh time-out 90
OR
Switch(config)# ip ssh authentication-retries 2

Configures the SSH control parameters:

  • time-out seconds : Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. This parameter applies to the SSH negotiation phase. After the connection is established, the switch uses the default time-out values of the CLI-based sessions.

    By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes.

  • authentication-retries number : Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5.

Repeat this step when configuring both parameters.

Step 4

Use one or both of the following:

  • line vty line_number [ending_line_number]
  • transport input ssh

Example:

Switch(config)# line vty 1 10

or

Switch(config-line)# transport input ssh

(Optional) Configures the virtual terminal line settings.

  • Enters line configuration mode to configure the virtual terminal line settings. For line_number and ending_line_number, specify a pair of lines. The range is 0 to 15.

  • Specifies that the switch prevents non-SSH (Telnet) connections, limiting the line to SSH connections only.

Step 5

end

Example:


Switch(config-line)# end

Returns to privileged EXEC mode.

Invoking an SSH Client

Perform this task to invoke the Secure Shell (SSH) client. The SSH client runs in user EXEC mode and has no specific configuration tasks.

SUMMARY STEPS

  1. enable
  2. ssh -l username -vrf vrf-name ip-address

DETAILED STEPS

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

ssh -l username -vrf vrf-name ip-address

Example:


Device# ssh -l user1 -vrf vrf1 192.0.2.1

Invokes the SSH client to connect to an IP host or address in the specified virtual routing and forwarding (VRF) instance.

Troubleshooting Tips

  • If your Secure Shell (SSH) configuration commands are rejected as illegal commands, you have not successfully generated a Rivest, Shamir, and Adleman (RSA) key pair for your device. Make sure that you have specified a hostname and domain. Then use the crypto key generate rsa command to generate an RSA key pair and enable the SSH server.

  • When configuring the RSA key pair, you might encounter the following error messages:
    • No hostname specified.

      You must configure a hostname for the device using the hostname global configuration command.

    • No domain specified.

      You must configure a host domain for the device using the ip domain-name global configuration command.

  • The number of allowable SSH connections is limited to the maximum number of vtys configured for the device. Each SSH connection uses a vty resource.

  • SSH uses either local security or the security protocol that is configured through AAA on your device for user authentication. When configuring Authentication, Authorization, and Accounting (AAA), you must ensure that AAA is disabled on the console for user authentication. AAA authorization is disabled on the console by default. If AAA authorization is enabled on the console, disable it by configuring the no aaa authorization console command during the AAA configuration stage.

Configuring Reverse SSH for Console Access

To configure reverse SSH console access on the SSH server, perform the following steps.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. line line-number ending-line-number
  4. no exec
  5. login authentication listname
  6. transport input ssh
  7. exit
  8. exit
  9. ssh -l userid:{number} {ip-address}

DETAILED STEPS

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

line line-number ending-line-number

Example:


Device(config)# line 1 3

Identifies a line for configuration and enters line configuration mode.

Step 4

no exec

Example:


Device(config-line)# no exec

Disables EXEC processing on a line.

Step 5

login authentication listname

Example:


Device(config-line)# login authentication default

Defines a login authentication mechanism for the lines.

Note 

The authentication method must use a username and password.

Step 6

transport input ssh

Example:


Device(config-line)# transport input ssh

Defines which protocols to use to connect to a specific line of the device.

  • The ssh keyword must be used for the Reverse SSH Enhancements feature.

Step 7

exit

Example:


Device(config-line)# exit

Exits line configuration mode.

Step 8

exit

Example:


Device(config)# exit

Exits global configuration mode.

Step 9

ssh -l userid:{number} {ip-address}

Example:


Device# ssh -l lab:1 router.example.com

Specifies the user ID to use when logging in on the remote networking device that is running the SSH server.

  • userid --User ID.

  • : --Signifies that a port number and terminal IP address will follow the userid argument.

  • number --Terminal or auxiliary line number.

  • ip-address --Terminal server IP address.

Note 

The userid argument and the :{number} {ip-address} delimiter and arguments are mandatory when configuring the alternative method of Reverse SSH for console access.

Configuring Reverse SSH for Modem Access

To configure Reverse SSH for modem access, perform the steps shown in the “SUMMARY STEPS” section below.

In this configuration, reverse SSH is configured on the lines of a modem used for dial-out. To reach any of the dial-out modems, use any SSH client and start an SSH session as shown in Step 10; the rotary group connects you to the next available modem.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. line line-number ending-line-number
  4. no exec
  5. login authentication listname
  6. rotary group
  7. transport input ssh
  8. exit
  9. exit
  10. ssh -l userid:rotary{number} {ip-address}

DETAILED STEPS

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

line line-number ending-line-number

Example:


Device(config)# line 1 200

Identifies a line for configuration and enters line configuration mode.

Step 4

no exec

Example:


Device(config-line)# no exec

Disables EXEC processing on a line.

Step 5

login authentication listname

Example:


Device(config-line)# login authentication default

Defines a login authentication mechanism for the lines.

Note 

The authentication method must use a username and password.

Step 6

rotary group

Example:


Device(config-line)# rotary 1

Defines a group of lines consisting of one or more virtual terminal lines or one auxiliary port line.

Step 7

transport input ssh

Example:


Device(config-line)# transport input ssh

Defines which protocols to use to connect to a specific line of the device.

  • The ssh keyword must be used for the Reverse SSH Enhancements feature.

Step 8

exit

Example:


Device(config-line)# exit

Exits line configuration mode.

Step 9

exit

Example:


Device(config)# exit

Exits global configuration mode.

Step 10

ssh -l userid:rotary{number} {ip-address}

Example:


Device# ssh -l lab:rotary1 router.example.com

Specifies the user ID to use when logging in on the remote networking device that is running the SSH server.

  • userid --User ID.

  • : --Signifies that a port number and terminal IP address will follow the userid argument.

  • number --Terminal or auxiliary line number.

  • ip-address --Terminal server IP address.

Note 

The userid argument and the :rotary{number} {ip-address} delimiter and arguments are mandatory when configuring the alternative method of Reverse SSH for modem access.

Troubleshooting Reverse SSH on the Client

To troubleshoot the reverse SSH configuration on the client (remote device), perform the following steps.

SUMMARY STEPS

  1. enable
  2. debug ip ssh client

DETAILED STEPS

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

debug ip ssh client

Example:


Device# debug ip ssh client

Displays debugging messages for the SSH client.

Troubleshooting Reverse SSH on the Server

To troubleshoot the reverse SSH configuration on the terminal server, perform the following steps. The steps may be configured in any order or independent of one another.

SUMMARY STEPS

  1. enable
  2. debug ip ssh
  3. show ssh
  4. show line

DETAILED STEPS

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

debug ip ssh

Example:


Device# debug ip ssh

Displays debugging messages for the SSH server.

Step 3

show ssh

Example:


Device# show ssh

Displays the status of the SSH server connections.

Step 4

show line

Example:


Device# show line

Displays parameters of a terminal line.

Monitoring the SSH Configuration and Status

This table displays the SSH server configuration and status.

Table 1. Commands for Displaying the SSH Server Configuration and Status

  Command        Purpose
  show ip ssh    Shows the version and configuration information for the SSH server.
  show ssh       Shows the status of the SSH server.

Configuring Secure Copy

To configure a Cisco device for Secure Copy (SCP) server-side functionality, perform the following steps.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa new-model
  4. aaa authentication login {default | list-name} method1 [method2...]
  5. aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2...]]
  6. username name [privilege level] password encryption-type encrypted-password
  7. ip scp server enable
  8. exit
  9. show running-config
  10. debug ip scp

DETAILED STEPS

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model

Example:


Device(config)# aaa new-model

Enables the AAA access control system.

Step 4

aaa authentication login {default | list-name} method1 [method2...]

Example:


Device(config)# aaa authentication login default group tacacs+

Sets AAA authentication at login.

Step 5

aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2...]]

Example:


Device(config)# aaa authorization exec default group tacacs+

Sets parameters that restrict user access to a network.

Note 

The exec keyword runs authorization to determine if the user is allowed to run an EXEC shell; therefore, you must use the exec keyword when you configure SCP.

Step 6

username name [privilege level] password encryption-type encrypted-password

Example:


Device(config)# username superuser privilege 2 password 0 superpassword

Establishes a username-based authentication system.

Note 

You may omit this step if a network-based authentication mechanism, such as TACACS+ or RADIUS, has been configured.

Step 7

ip scp server enable

Example:


Device(config)# ip scp server enable

Enables SCP server-side functionality.

Step 8

exit

Example:


Device(config)# exit

Exits global configuration mode and returns to privileged EXEC mode.

Step 9

show running-config

Example:


Device# show running-config

(Optional) Displays the SCP server-side functionality.

Step 10

debug ip scp

Example:


Device# debug ip scp

(Optional) Troubleshoots SCP authentication problems.

Configuration Examples for Secure Shell

Example: Secure Copy Configuration Using Local Authentication

The following example shows how to configure the server-side functionality of Secure Copy (SCP). This example uses a locally defined username and password.


! AAA authentication and authorization must be configured properly in order for SCP to work.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username user1 privilege 15 password 0 lab
! SSH must be configured and functioning properly.
ip scp server enable

Example: SCP Server-Side Configuration Using Network-Based Authentication

The following example shows how to configure the server-side functionality of SCP using a network-based authentication mechanism:


! AAA authentication and authorization must be configured properly for SCP to work. 
aaa new-model 
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
! SSH must be configured and functioning properly.
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable
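As an added check that is not part of this guide or of Cisco software, the following Python audit reads a running-config excerpt and reports the conditions the Setting Up the Switch, Configuring the SSH Server and Configuring Secure Copy procedures depend on: hostname and domain name present (otherwise RSA key generation fails), SSHv2 pinned rather than SSHv1, Telnet removed from the vty lines, and exec authorization in place before the SCP server is enabled. Both configs are constructed samples; the first deliberately carries the weak settings.

```python
import re

# Constructed running-config excerpts (not captured from a real device). The first
# has SSHv1 forced, Telnet still accepted on vty 0-4, and SCP without exec authorization.
WEAK_CONFIG = """\
hostname edge-sw1
ip domain-name example.test
aaa new-model
aaa authentication login default local
username user1 privilege 15 password 0 lab
ip ssh version 1
ip ssh authentication-retries 5
ip scp server enable
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""
HARDENED_CONFIG = """\
hostname edge-sw1
ip domain-name example.test
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username user1 privilege 15 password 0 lab
ip ssh version 2
ip ssh authentication-retries 2
ip scp server enable
line vty 0 15
 transport input ssh
"""


def vty_transports(config):
    """Map each 'line vty first last' block to its 'transport input' keywords."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+)(?: (\d+))?$", raw)
        if m:
            current = (int(m.group(1)), int(m.group(2) or m.group(1)))
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            t = re.match(r"\s+transport input (.+)$", raw)
            if t:
                blocks[current] = t.group(1).split()
        elif raw.strip():
            current = None  # any other top-level command closes the block
    return blocks


def audit_ssh_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings, lines = [], config.splitlines()

    def has(pattern):
        return any(re.match(pattern, ln) for ln in lines)

    # Without both, 'crypto key generate rsa' and the SSH commands are rejected.
    if not has(r"hostname \S+"):
        findings.append("no hostname: RSA key generation and SSH will fail")
    if not has(r"ip domain-name \S+"):
        findings.append("no ip domain-name: RSA key generation and SSH will fail")
    if has(r"ip ssh version 1$"):
        findings.append("ip ssh version 1 forces SSHv1; use 'ip ssh version 2'")
    elif not has(r"ip ssh version 2$"):
        findings.append("SSH version not pinned: prefer 'ip ssh version 2'")
    for ln in lines:
        m = re.match(r"ip ssh authentication-retries (\d+)$", ln)
        if m and int(m.group(1)) > 3:
            findings.append(f"authentication-retries {m.group(1)} exceeds the default of 3")
    for (first, last), transports in vty_transports(config).items():
        if transports != ["ssh"]:
            shown = " ".join(transports) or "<not set>"
            findings.append(f"line vty {first} {last}: transport input '{shown}'; "
                            "set 'transport input ssh'")
    # SCP needs AAA login authentication plus exec authorization (privilege level).
    if has(r"ip scp server enable$"):
        for pattern, cmd in ((r"aaa new-model$", "aaa new-model"),
                             (r"aaa authentication login ", "aaa authentication login"),
                             (r"aaa authorization exec ", "aaa authorization exec")):
            if not has(pattern):
                findings.append(f"SCP enabled without '{cmd}': privilege level "
                                "cannot be determined")
    return findings
```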

Example Reverse SSH Console Access

The following configuration example shows that reverse SSH has been configured for console access for terminal lines 1 through 3:

Terminal Server Configuration


line 1 3
   no exec
   login authentication default
   transport input ssh

Client Configuration

The following commands configured on the SSH client will form the reverse SSH session with lines 1, 2, and 3, respectively:


ssh -l lab:1 router.example.com
ssh -l lab:2 router.example.com
ssh -l lab:3 router.example.com

Example Reverse SSH Modem Access

The following configuration example shows that dial-out lines 1 through 200 have been grouped under rotary group 1 for modem access:


line 1 200
   no exec
   login authentication default
   rotary 1
   transport input ssh
   exit

The following command shows that reverse SSH will connect to the first free line in the rotary group:


ssh -l lab:rotary1 router.example.com
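The two reverse SSH procedures above (console access with userid:number, modem access with userid:rotaryNUMBER) hinge on the login-name syntax and on the line blocks having no exec, transport input ssh and, for modems, a rotary group. The following Python model, added here and not part of the guide or of Cisco software, parses a constructed terminal-server config and resolves which line block a given login name would reach; it is useful when reviewing which lines are exposed through reverse SSH.

```python
import re

# Constructed terminal-server config in the shape of the page's two reverse SSH
# examples: lines 1-3 for console access, lines 4-200 as rotary group 1 for
# modems, plus the vty lines (which reverse SSH never targets).
TERMINAL_SERVER_CONFIG = """\
line 1 3
 no exec
 login authentication default
 transport input ssh
line 4 200
 no exec
 login authentication default
 rotary 1
 transport input ssh
line vty 0 4
 transport input ssh
"""


def parse_login(login):
    """Split a reverse SSH login name into (userid, kind, number).

    'lab:1' -> ('lab', 'line', 1) reaches one line (console access, Step 9);
    'lab:rotary1' -> ('lab', 'rotary', 1) reaches the next free line of rotary
    group 1 (modem access, Step 10). The ':' delimiter and number are mandatory.
    """
    m = re.fullmatch(r"([^:\s]+):(rotary)?(\d+)", login)
    if not m:
        raise ValueError(f"{login!r}: expected userid:number or userid:rotaryNUMBER")
    return m.group(1), "rotary" if m.group(2) else "line", int(m.group(3))


def parse_line_blocks(config):
    """Collect 'line first last' blocks with the settings reverse SSH depends on."""
    blocks, cur = [], None
    for raw in config.splitlines():
        m = re.match(r"line (\d+) (\d+)$", raw)
        if m:
            cur = {"first": int(m.group(1)), "last": int(m.group(2)),
                   "no_exec": False, "rotary": None, "transports": []}
            blocks.append(cur)
        elif raw.startswith(" ") and cur is not None:
            cmd = raw.split()
            if not cmd:
                continue
            if cmd[:2] == ["no", "exec"]:
                cur["no_exec"] = True
            elif cmd[0] == "rotary" and len(cmd) > 1:
                cur["rotary"] = int(cmd[1])
            elif cmd[:2] == ["transport", "input"]:
                cur["transports"] = cmd[2:]
        elif raw.strip():
            cur = None  # 'line vty ...' or any other top-level command ends the block
    return blocks


def resolve_target(login, config):
    """Return the line block a login name reaches, or None when it cannot.

    A block is usable only with 'no exec' and 'transport input ssh' (Steps 4
    and 6); a rotary login additionally needs the matching 'rotary' group.
    """
    _userid, kind, number = parse_login(login)
    for b in parse_line_blocks(config):
        if not (b["no_exec"] and "ssh" in b["transports"]):
            continue
        if kind == "line" and b["first"] <= number <= b["last"]:
            return b
        if kind == "rotary" and b["rotary"] == number:
            return b
    return None
```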

Example: Monitoring the SSH Configuration and Status

To verify that the Secure Shell (SSH) server is enabled and to display the version and configuration data for your SSH connection, use the show ip ssh command. The following example shows that SSH is enabled:


Device# show ip ssh

SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3

The following example shows that SSH is disabled:


Device# show ip ssh

%SSH has not been enabled

To verify the status of your SSH server connections, use the show ssh command. The following example shows the SSH server connections on the device when SSH is enabled:


Device# show ssh

Connection  Version  Encryption  State            Username
0           1.5      3DES        Session Started  guest

The following example shows that SSH is disabled:


Device# show ssh

%No SSH server connections running.
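To turn the show ip ssh and show ssh output above into something a monitoring job can act on, here is an added Python example (not from the guide or from Cisco software) that parses both outputs and flags an SSHv1-only server, sessions negotiated with 56-bit DES, and SSHv1 sessions. The sample output is constructed to match the page's examples; the reading of the version strings beyond the page's 1.5 (1.99 meaning both versions are accepted, 2.0 meaning SSHv2 only) is the general SSH convention and is an assumption here.

```python
import re

# Constructed output modelled on the page's 'show ip ssh' / 'show ssh'
# examples; not captured from a real device.
SHOW_IP_SSH_ON = """\
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
"""
SHOW_IP_SSH_OFF = "%SSH has not been enabled\n"
SHOW_SSH = """\
Connection      Version     Encryption      State               Username
        0       1.5         3DES            Session Started     guest
        1       1.5         DES             Session Started     admin
"""


def parse_show_ip_ssh(text):
    """Parse 'show ip ssh'; returns {'enabled': False} when the server is off."""
    m = re.search(r"SSH Enabled - version ([\d.]+)", text)
    if not m:
        return {"enabled": False}
    t = re.search(r"Authentication timeout: (\d+) secs; Authentication retries: (\d+)",
                  text)
    return {"enabled": True, "version": m.group(1),
            "timeout": int(t.group(1)) if t else None,
            "retries": int(t.group(2)) if t else None}


def parse_show_ssh(text):
    """Parse the 'show ssh' connection table (columns separated by 2+ blanks)."""
    conns = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = re.split(r"\s{2,}|\t+", line.strip())
        if len(cols) != 5 or not cols[0].isdigit():
            continue  # '%No SSH server connections running.' and the like
        conns.append({"id": int(cols[0]), "version": cols[1], "encryption": cols[2],
                      "state": cols[3], "username": cols[4]})
    return conns


def assess(ip_ssh, conns):
    """Return findings about the server version and the ciphers of live sessions."""
    if not ip_ssh["enabled"]:
        return ["SSH server is not enabled"]
    findings = []
    v = ip_ssh["version"]
    if v == "1.5":
        findings.append("server advertises 1.5: SSHv1 only; configure 'ip ssh version 2'")
    elif v == "1.99":  # assumption: 1.99 is the SSH compatibility string for v1+v2
        findings.append("server advertises 1.99: SSHv1 still accepted; pin 'ip ssh version 2'")
    if ip_ssh["retries"] is not None and ip_ssh["retries"] > 3:
        findings.append(f"authentication retries {ip_ssh['retries']} above the default of 3")
    for c in conns:
        if c["encryption"] == "DES":
            findings.append(f"connection {c['id']} ({c['username']}) uses 56-bit DES")
        if c["version"].startswith("1."):
            findings.append(f"connection {c['id']} ({c['username']}) is an SSHv1 session")
    return findings
```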

Additional References for Secure Shell

Technical Assistance


The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/support

Feature Information for Configuring Secure Shell

Cisco IOS Release 15.0(2)EX

  This feature was introduced.

Cisco IOS 15.2(1)E

  The Reverse SSH Enhancements feature, which is supported for SSH Version 1 and 2, provides an alternative way to configure reverse Secure Shell (SSH) so that separate lines do not need to be configured for every terminal or auxiliary line on which SSH must be enabled. This feature also eliminates the rotary-group limitation.

  This feature was supported on CAT4500-X, CAT4500E-SUP6E, CAT4500E-SUP6L-E, CAT4500E-SUP7E, CAT4500E-SUP7L-E.

  The following command was introduced: ssh.