Configuring Secure Shell (SSH)
• Finding Feature Information, page 1
• Prerequisites for Configuring Secure Shell, page 1
• Restrictions for Configuring Secure Shell, page 2
• Information about SSH, page 2
• How to Configure SSH, page 5
• Monitoring the SSH Configuration and Status, page 9
• Additional References, page 9
• Feature Information for SSH, page 10
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Prerequisites for Configuring Secure Shell
The following are the prerequisites for configuring the switch for secure shell (SSH):
• For SSH to work, the switch needs an Rivest, Shamir, and Adleman (RSA) public/private key pair. This
is the same with Secure Copy Protocol (SCP), which relies on SSH for its secure transport.
• Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
• Because SCP relies on SSH for its secure transport, the router must have an Rivest, Shamir, and Adelman
(RSA) key pair.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
OL-29048-01 1
� Configuring Secure Shell (SSH)
Restrictions for Configuring Secure Shell
• SCP relies on SSH for security.
• SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so
the router can determine whether the user has the correct privilege level.
• A user must have appropriate authorization to use SCP.
• A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System
(IFS) to and from a switch by using the copy command. An authorized administrator can also do this
from a workstation.
• The Secure Shell (SSH) server requires an IPsec (Data Encryption Standard [DES] or 3DES) encryption
software image; the SSH client requires an IPsec (DES or 3DES) encryption software image.)
• Configure a hostname and host domain for your device by using the hostname and ip domain-name
commands in global configuration mode.
Related Topics
Secure Copy Protocol, on page 4
Restrictions for Configuring Secure Shell
The following are restrictions for configuring the Switch for secure shell.
• The switch supports Rivest, Shamir, and Adelman (RSA) authentication.
• SSH supports only the execution-shell application.
• The SSH server and the SSH client are supported only on Data Encryption Standard (DES) (56-bit) and
3DES (168-bit) data encryption software. In DES software images, DES is the only encryption algorithm
available. In 3DES software images, both DES and 3DES encryption algorithms are available.
• The Switch supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit key,
192-bit key, or 256-bit key. However, symmetric cipher AES to encrypt the keys is not supported.
• This software release does not support IP Security (IPSec).
• When using SCP, you cannot enter the password into the copy command. You must enter the password
when prompted.
• The login banner is not supported in Secure Shell Version 1. It is supported in Secure Shell Version 2.
• The -l keyword and userid :{number} {ip-address} delimiter and arguments are mandatory when
configuring the alternative method of Reverse SSH for console access.
Related Topics
Secure Copy Protocol, on page 4
Information about SSH
Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device. SSH provides more
security for remote connections than Telnet does by providing strong encryption when a device is authenticated.
This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2).
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
2 OL-29048-01
� Configuring Secure Shell (SSH)
SSH and Switch Access
SSH and Switch Access
Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device. SSH provides more
security for remote connections than Telnet does by providing strong encryption when a device is authenticated.
This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2).
SSH functions the same in IPv6 as in IPv4. For IPv6, SSH supports IPv6 addresses and enables secure,
encrypted connections with remote IPv6 nodes over an IPv6 transport.
SSH Servers, Integrated Clients, and Supported Versions
The Secure Shell (SSH) Integrated Client feature is an application that runs over the SSH protocol to provide
device authentication and encryption. The SSH client enables a Cisco device to make a secure, encrypted
connection to another Cisco device or to any other device running the SSH server. This connection provides
functionality similar to that of an outbound Telnet connection except that the connection is encrypted. With
authentication and encryption, the SSH client allows for secure communication over an unsecured network.
The SSH server and SSH integrated client are applications that run on the switch. The SSH server works with
the SSH client supported in this release and with non-Cisco SSH clients. The SSH client works with publicly
and commercially available SSH servers. The SSH client supports the ciphers of Data Encryption Standard
(DES), 3DES, and password authentication.
The switch supports an SSHv1 or an SSHv2 server.
The switch supports an SSHv1 client.
Note The SSH client functionality is available only when the SSH server is enabled.
User authentication is performed like that in the Telnet session to the device. SSH also supports the following
user authentication methods:
• TACACS+
• RADIUS
• Local authentication and authorization
Related Topics
Configuring the Switch for Local Authentication and Authorization
TACACS+ and Switch Access
RADIUS and Switch Access
SSH Configuration Guidelines
Follow these guidelines when configuring the switch as an SSH server or SSH client:
• An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server, and the reverse.
• If the SSH server is running on a stack master and the stack master fails, the new stack master uses the
RSA key pair generated by the previous stack master.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
OL-29048-01 3
� Configuring Secure Shell (SSH)
Secure Copy Protocol Overview
• If you get CLI error messages after entering the crypto key generate rsa global configuration command,
an RSA key pair has not been generated. Reconfigure the hostname and domain, and then enter the
crypto key generate rsa command. For more information, see Related Topics below.
• When generating the RSA key pair, the message No host name specified might appear. If it does, you
must configure a hostname by using the hostname global configuration command.
• When generating the RSA key pair, the message No domain specified might appear. If it does, you must
configure an IP domain name by using the ip domain-name global configuration command.
• When configuring the local authentication and authorization authentication method, make sure that AAA
is disabled on the console.
Related Topics
Setting Up the Switch to Run SSH, on page 5
Configuring the Switch for Local Authentication and Authorization
Secure Copy Protocol Overview
The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch
configurations or switch image files. SCP relies on Secure Shell (SSH), an application and a protocol that
provides a secure replacement for the Berkeley r-tools.
For SSH to work, the switch needs an RSA public/private key pair. This is the same with SCP, which relies
on SSH for its secure transport.
Because SSH also relies on AAA authentication, and SCP relies further on AAA authorization, correct
configuration is necessary.
• Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
• Because SCP relies on SSH for its secure transport, the router must have an Rivest, Shamir, and Adelman
(RSA) key pair.
Note When using SCP, you cannot enter the password into the copy command. You must enter the password
when prompted.
Secure Copy Protocol
The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch
configurations or switch image files. The behavior of SCP is similar to that of remote copy (rcp), which comes
from the Berkeley r-tools suite, except that SCP relies on SSH for security. SCP also requires that authentication,
authorization, and accounting (AAA) authorization be configured so the switch can determine whether the
user has the correct privilege level. To configure the Secure Copy feature, you should understand the SCP
concepts.
Related Topics
Prerequisites for Configuring Secure Shell, on page 1
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
4 OL-29048-01
� Configuring Secure Shell (SSH)
How to Configure SSH
Restrictions for Configuring Secure Shell, on page 2
How to Configure SSH
Setting Up the Switch to Run SSH
Follow these steps to set up your Switch to run SSH:
Before You Begin
Configure user authentication for local or remote access. This step is required. For more information, see
Related Topics below.
SUMMARY STEPS
1. enable
2. configure terminal
3. hostname hostname
4. ip domain-name domain_name
5. crypto key generate rsa
6. end
7. show running-config
8. copy running-config startup-config
DETAILED STEPS
Command or Action Purpose
Step 1 enable Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable
Step 2 configure terminal Enters the global configuration mode.
Example:
Switch# configure terminal
Step 3 hostname hostname Configures a hostname and IP domain name for your Switch.
Note Follow this procedure only if you are configuring the
Example: Switch as an SSH server.
Switch(config)# hostname your_hostname
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
OL-29048-01 5
� Configuring Secure Shell (SSH)
Configuring the SSH Server
Command or Action Purpose
Step 4 ip domain-name domain_name Configures a host domain for your Switch.
Example:
Switch(config)# ip domain-name
your_domain
Step 5 crypto key generate rsa Enables the SSH server for local and remote authentication on the
Switch and generates an RSA key pair. Generating an RSA key
Example: pair for the Switch automatically enables SSH.
Switch(config)# crypto key generate rsa We recommend that a minimum modulus size of 1024 bits.
When you generate RSA keys, you are prompted to enter a modulus
length. A longer modulus length might be more secure, but it takes
longer to generate and to use.
Note Follow this procedure only if you are configuring the
Switch as an SSH server.
Step 6 end Returns to privileged EXEC mode.
Example:
Switch(config)# end
Step 7 show running-config Verifies your entries.
Example:
Switch# show running-config
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Related Topics
SSH Configuration Guidelines, on page 3
Configuring the Switch for Local Authentication and Authorization
Configuring the SSH Server
Follow these steps to configure the SSH server:
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
6 OL-29048-01
� Configuring Secure Shell (SSH)
Configuring the SSH Server
Note This procedure is only required if you are configuring the Switch as an SSH server.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip ssh version [1 | 2]
4. ip ssh {timeout seconds | authentication-retries number}
5. Use one or both of the following:
• line vtyline_number[ ending_line_number ]
• transport input ssh
6. end
7. show running-config
8. copy running-config startup-config
DETAILED STEPS
Command or Action Purpose
Step 1 enable Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable
Step 2 configure terminal Enters the global configuration mode.
Example:
Switch# configure terminal
Step 3 ip ssh version [1 | 2] (Optional) Configures the Switch to run SSH Version 1 or SSH Version
2.
Example: • 1—Configure the Switch to run SSH Version 1.
Switch(config)# ip ssh version 1
• 2—Configure the Switch to run SSH Version 2.
If you do not enter this command or do not specify a keyword, the SSH
server selects the latest SSH version supported by the SSH client. For
example, if the SSH client supports SSHv1 and SSHv2, the SSH server
selects SSHv2.
Step 4 ip ssh {timeout seconds | Configures the SSH control parameters:
authentication-retries number}
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
OL-29048-01 7
� Configuring Secure Shell (SSH)
Configuring the SSH Server
Command or Action Purpose
• Specify the time-out value in seconds; the default is 120 seconds.
Example: The range is 0 to 120 seconds. This parameter applies to the SSH
negotiation phase. After the connection is established, the Switch
Switch(config)# ip ssh timeout 90 uses the default time-out values of the CLI-based sessions.
authentication-retries 2
By default, up to five simultaneous, encrypted SSH connections for
multiple CLI-based sessions over the network are available (session
0 to session 4). After the execution shell starts, the CLI-based session
time-out value returns to the default of 10 minutes.
• Specify the number of times that a client can re-authenticate to the
server. The default is 3; the range is 0 to 5.
Repeat this step when configuring both parameters.
Step 5 Use one or both of the following: (Optional) Configures the virtual terminal line settings.
• line • Enters line configuration mode to configure the virtual terminal line
vtyline_number[ ending_line_number ] settings. For line_number and ending_line_number, specify a pair
of lines. The range is 0 to 15.
• transport input ssh
• Specifies that the Switch prevent non-SSH Telnet connections. This
limits the router to only SSH connections.
Example:
Switch(config)# line vty 1 10
or
Switch(config-line)# transport input
ssh
Step 6 end Returns to privileged EXEC mode.
Example:
Switch(config-line)# end
Step 7 show running-config Verifies your entries.
Example:
Switch# show running-config
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
8 OL-29048-01
� Configuring Secure Shell (SSH)
Monitoring the SSH Configuration and Status
Monitoring the SSH Configuration and Status
This table displays the SSH server configuration and status.
Table 1: Commands for Displaying the SSH Server Configuration and Status
Command Purpose
show ip ssh Shows the version and configuration information for
the SSH server.
show ssh Shows the status of the SSH server.
Additional References
Related Documents
Related Topic Document Title
Configuring Identity Control policies and Identity Session Aware Networking Configuration Guide,
Service templates for Session Aware networking. Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
http://www.cisco.com/en/US/docs/ios-xml/ios/san/
configuration/xe-3se/3850/san-xe-3se-3850-book.html
Configuring RADIUS, TACACS+, Secure Shell, Securing User Services Configuration Guide Library,
802.1X and AAA. Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
http://www.cisco.com/en/US/docs/ios-xml/ios/
security/config_library/xe-3se/3850/
secuser-xe-3se-3850-library.html
Error Message Decoder
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Standards and RFCs
Standard/RFC Title
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
OL-29048-01 9
� Configuring Secure Shell (SSH)
Feature Information for SSH
MIBs
MIB MIBs Link
All supported MIBs for this release. To locate and download MIBs for selected platforms,
Cisco IOS releases, and feature sets, use Cisco MIB
Locator found at the following URL:
http://www.cisco.com/go/mibs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Feature Information for SSH
Release Feature Information
Cisco IOS 15.0(2)EX This feature was introduced.
Cisco IOS 15.2(1)E The Reverse SSH Enhancements feature, which is
supported for SSH Version 1 and 2, provides an
alternative way to configure reverse Secure Shell
(SSH) so that separate lines do not need to be
configured for every terminal or auxiliary line on
which SSH must be enabled. This feature also
eliminates the rotary-group limitation.
This feature was supported on CAT4500-X,
CAT4500E-SUP6E, CAT4500E-SUP6L-E,
CAT4500E-SUP7E, CAT4500E-SUP7L-E.
The following command was introduced: ssh.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
10 OL-29048-01
� Configuring Secure Shell (SSH)
Feature Information for SSH
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
OL-29048-01 11
� Configuring Secure Shell (SSH)
Feature Information for SSH
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
12 OL-29048-01
