Difference between revisions of "SSH Cisco IOS"
From Teknologisk videncenter
m |
m (→Example of configuration) |
||
| (5 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| + | =Prerequisits= | ||
| + | The SSH Version 2 server is supported in Cisco IOS Release 12.3(4)T, 12.3(2)XE, 12.2(25)S, and 12.3(7)JA.<br/><br/> | ||
| + | The configuration for the SSH Version 2 server is similar to the configuration for SSH Version 1. The '''ip ssh version''' command was introduced so that you may define which version of SSH to configure. If you do not configure this command, SSH by default runs in compatibility mode; that is, both SSH Version 1 and SSH Version 2 connections are honored.<ref>http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_shell_v2.html</ref> | ||
| + | <br/><br/> | ||
| + | SSH Version 1 is a protocol that has never been defined in a standard. If you do not want your router to fall back to the undefined protocol (Version 1), you should use the ip ssh version command and specify Version 2.<br/> | ||
| + | On Pre IOS 15 SSH version 2 is only a SSH version 1.99 because it is missing some of the mandatory features of version 2. | ||
| + | ==Restrictions for Secure Shell Version 2 Support== | ||
| + | *SSH servers and SSH clients are supported in 3DES software images. | ||
| + | *Execution Shell, remote command execution, and SCP are the only applications supported. | ||
| + | *Rivest, Shamir, and Adelman (RSA) key generation is an SSH server-side requirement. Routers that act as SSH clients need not generate RSA keys. | ||
| + | *The RSA key pair size must be greater than or equal to 768. | ||
| + | *The following functionality is not supported: | ||
| + | **Port forwarding | ||
| + | **Compression | ||
| + | |||
=Example of configuration= | =Example of configuration= | ||
<source lang=cli> | <source lang=cli> | ||
crypto key generate rsa general-keys modulus 1024 | crypto key generate rsa general-keys modulus 1024 | ||
| + | ! | ||
| + | hostname R1 | ||
| + | ! | ||
| + | username admin password 0 l8heise | ||
| + | ! | ||
| + | ip domain-name TSHOOT.HOT | ||
! | ! | ||
aaa new-model | aaa new-model | ||
| Line 18: | Line 39: | ||
ip ssh source-interface Loopback0 | ip ssh source-interface Loopback0 | ||
ip ssh logging events | ip ssh logging events | ||
| − | |||
| − | |||
! | ! | ||
line vty 0 4 | line vty 0 4 | ||
| Line 26: | Line 45: | ||
line con 0 | line con 0 | ||
login authentication CONSOLE | login authentication CONSOLE | ||
| + | ! | ||
| + | service password-encryption | ||
</source> | </source> | ||
| + | =References= | ||
| + | <references/> | ||
{{Source cli}} | {{Source cli}} | ||
[[Category:IOS]] | [[Category:IOS]] | ||
Latest revision as of 10:46, 1 October 2013
Contents
Prerequisits
The SSH Version 2 server is supported in Cisco IOS Release 12.3(4)T, 12.3(2)XE, 12.2(25)S, and 12.3(7)JA.
The configuration for the SSH Version 2 server is similar to the configuration for SSH Version 1. The ip ssh version command was introduced so that you may define which version of SSH to configure. If you do not configure this command, SSH by default runs in compatibility mode; that is, both SSH Version 1 and SSH Version 2 connections are honored.[1]
SSH Version 1 is a protocol that has never been defined in a standard. If you do not want your router to fall back to the undefined protocol (Version 1), you should use the ip ssh version command and specify Version 2.
On Pre IOS 15 SSH version 2 is only a SSH version 1.99 because it is missing some of the mandatory features of version 2.
Restrictions for Secure Shell Version 2 Support
- SSH servers and SSH clients are supported in 3DES software images.
- Execution Shell, remote command execution, and SCP are the only applications supported.
- Rivest, Shamir, and Adelman (RSA) key generation is an SSH server-side requirement. Routers that act as SSH clients need not generate RSA keys.
- The RSA key pair size must be greater than or equal to 768.
- The following functionality is not supported:
- Port forwarding
- Compression
Example of configuration
crypto key generate rsa general-keys modulus 1024
!
hostname R1
!
username admin password 0 l8heise
!
ip domain-name TSHOOT.HOT
!
aaa new-model
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
aaa session-id common
!
enable secret cisco
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Loopback0
ip ssh logging events
!
line vty 0 4
transport input ssh
!
line con 0
login authentication CONSOLE
!
service password-encryption