Configuring SSH
This chapter describes how to configure Secure Shell Protocol (SSH) on Nexus 1000V.
This chapter includes the following sections:
•
Verifying the SSH Configuration
Information About SSH
This section includes the following topics:
SSH Server
You can use the SSH server to enable an SSH client to make a secure, encrypted connection to a Nexus 1000V. SSH uses strong encryption for authentication. The SSH server in the Nexus 1000V can interoperate with publicly and commercially available SSH clients.
TACACS+ user authentication and locally stored usernames and passwords is supported for SSH.
SSH Client
The SSH client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables Nexus 1000V to make a secure, encrypted connection to any device that runs the SSH server. This connection provides an encrypted outbound connection. With authentication and encryption, the SSH client produces secure communication over an insecure network.
The Nexus 1000V SSH client works with publicly and commercially available SSH servers.
SSH Server Keys
SSH requires server keys for secure communication. You can use SSH server keys for the following SSH options:
•SSH version 2 using Rivest, Shamir, and Adelman (RSA) public-key cryptography
•SSH version 2 using the Digital System Algrorithm (DSA)
Be sure to have an SSH server key-pair with the correct version before enabling the SSH service. Generate the SSH server key-pair according to the SSH client version used. The SSH service accepts two types of key-pairs for use by SSH version 2:
•The dsa option generates the DSA key-pair for the SSH version 2 protocol.
•The rsa option generates the RSA key-pair for the SSH version 2 protocol.
By default, an RSA key using 1024 bits is generated.
SSH supports the following public key formats:
•OpenSSH
•IETF Secure Shell (SECSH)
•Public Key Certificate in Privacy-Enhanced Mail (PEM)
If you delete all of the SSH keys, you cannot start the SSH services.
Prerequisites for SSH
SSH has the following prerequisite:
•You have configured IP on a Layer 3 interface, out-of-band on the mgmt 0 interface, or inband on an Ethernet interface.
•Before enabling the SSH server, obtain the SSH key.
Guidelines and Limitations
•Nexus 1000V supports only SSH version 2 (SSHv2).
•SSH is enabled by default.
Note Be aware that the Nexus 1000V commands might differ from the Cisco IOS commands.
Configuring SSH
This section includes the following topics:
•Configuring a User Account with a Public Key
Generating SSH Server Keys
Use this procedure to generate an SSH server key based on your security requirements.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•The default SSH server key is an RSA key that is generated using 1024 bits.
SUMMARY STEPS
1. config t
2. no ssh server enable
3. ssh key {dsa [force] | rsa [bits [force]]}
4. ssh server enable
5. exit
6. show ssh key
7. copy running-config startup-config
DETAILED STEPS
Example:
n1000v# config t
n1000v(config)# no ssh server enable
XML interface to system may become unavailable since ssh is disabled
n1000v(config)# ssh key dsa force
generating dsa key(1024 bits).....
.
generated dsa key
n1000v(config)# exit
n1000v# show ssh key
**************************************
rsa Keys generated:Sun Jul 27 15:18:46 2008
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyKcb7Nv9Ki1OOId9/tdHHa/ngQujlvK5mXyL/n+DeOXK
fVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5awfVhVxMKXMiPOPBc+A6/n3FVroyRwupMki6mWoM6Uwa
GID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8QoAcrEtnwEfsnQk1EIr/0XIP1mqTsrqTsmjZ2vLk+f
FzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuDYSPbc3PA8t0ghU/60m9R+s6AZPuljVQbGfxPrahEu4
GVc6sMJNU1JxmqDJkodhMArObB4Umzj7E3Rdby/ZWx/clTYiXQR1X1VfhQ==
bitcount:2048
fingerprint:
fd:ca:48:73:b9:ee:e7:86:9e:1e:40:46:f1:50:1d:44
**************************************
dsa Keys generated:Sun Jul 27 15:20:12 2008
ssh-dss AAAAB3NzaC1kc3MAAACBALpdxLjXNS/jcCNY+F1QZV9HegxBEb0DMUmq9bSq2N+KAcvHllEh
GnaiHhqarOlcEKqhLbIbuqtKTCvfa+Y1hBIAhWVjg1UR3/M22jqxnfhnxL5YRc1Q7fcesFax0myayAIU
nXrkO5iwv9XHTu+EInRc4kJ0XrG9SxtLmDe/fi2ZAAAAFQDbRabAjZa6GfDpwjXw5smRhrElJwAAAIEA
r50yi3hHawNnb5qgYLXhN+KA8XJF753eCWHtMw7NR8fz6fjQ1R2J97UjjGuQ8DvwpGeNQ5S+AuIo0rGq
svdg7TTecBcbgBOnR7Fs2+W5HiSVEGbvj1xaeK8fkNE6kaJumBB343b8Rgj0G97MP/os1GfkEqmX9glB
0IOM2mgHHyoAAACAfRir27hHy+fw8CxPlsK0R6cFhxYyd/qYYogXFKYIOPxpLoYrjqODeOFThU7TJuBz
aS97eXiruzbffHwzUGfXgmQT5o9IMZRTClWPA/5Ju4O9YABYHccUghf0W+QtgGOT6FOSvBh8uOV0kcHC
GMJAP8omphauZJlc+wgFxhnkyh4=
bitcount:1024
fingerprint:
44:91:32:1f:7a:d1:83:3c:f3:5e:db:53:0a:2d:ce:69
**************************************
Configuring a User Account with a Public Key
Use this procedure to configure an SSH public key to log in using the SSH client without being prompted for a password. You can specify the SSH public key in one of three different formats:
•OpenSSH format
•IETF SECSH format
•Public Key Certificate in PEM format
Configuring an OpenSSH Key
Use this procedure to specify the SSH public keys in OpenSSH format for user accounts.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•You have already generated an SSH public key in OpenSSH format.
•The user account already exists in Nexus 1000V.
SUMMARY STEPS
1. config t
2. username username sshkey ssh-key
3. exit
4. show user-account
5. copy running-config startup-config
DETAILED STEPS
Configuring IETF or PEM Keys
Use this procedure to specify the SSH public keys in IETF SECSH or PEM format for user accounts.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•You have already generated an SSH public key in one of the following formats:
–IETF SECSH format
–Public Key Certificate in PEM format
SUMMARY STEPS
1. copy server-file bootflash:filename
2. config t
3. username username sshkey file bootflash:filename
4. exit
5. show user-account
6. copy running-config startup-config
DETAILED STEPS
Starting SSH Sessions
Use this procedure to start SSH sessions using IP to connect to remote devices.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•You have already obtained the hostname and, if needed, the username, for the remote device.
•The SSH server is already enabled on the remote device.
SUMMARY STEPS
1. ssh [username@]{hostname | username@hostname} [vrf vrf-name]
ssh6 [username@]{hostname | username@hostname} [vrf vrf-name]
DETAILED STEPS
Clearing SSH Hosts
Use this procedure to clear from your account the list of trusted SSH servers that were added when you downloaded a file from a server using SCP or SFTP, or when you started an SSH session to a remote host.
BSUMMARY STEPS
1. clear ssh hosts
DETAILED STEPS
|
|
|
|
|---|---|---|
Step 1 |
clear ssh hosts
Example: n1000v# clear ssh hosts |
Clears the SSH host sessions. |
Disabling the SSH Server
Use this procedure to disable the SSH server to prevent SSH access to the switch.By default, the SSH server is enabled.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•If you disable SSH, to reenableit you mustfirst generate an SSH server key.
See the "Generating SSH Server Keys" procedure.
SUMMARY STEPS
1. config t
2. no ssh server enable
3. exit
4. show ssh server
5. copy running-config startup-config
DETAILED STEPS
Deleting SSH Server Keys
Use this procedure to delete SSH server keys after you disable the SSH server.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•If you disable SSH, to reenableit you mustfirst generate an SSH server key.
See the "Generating SSH Server Keys" procedure.
SUMMARY STEPS
1. config t
2. no ssh server enable
3. no ssh key [dsa | rsa]
4. exit
5. show ssh key
6. copy running-config startup-config
DETAILED STEPS
Example:
n1000v# config t
n1000v(config)# no ssh server enable
n1000v(config)# no ssh key rsa
n1000v(config)# exit
n1000v# show ssh key
**************************************
rsa Keys generated:Sun Jul 27 15:18:46 2008
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyKcb7Nv9Ki1OOId9/tdHHa/ngQujlvK5mXyL/n+DeOXK
fVhHbX2a+V0cm7CCLUkBh+BvZRmpmOVTmU/5awfVhVxMKXMiPOPBc+A6/n3FVroyRwupMki6mWoM6Uwa
GID5gsVPqFjFNSgMWtbhjo97XVKhgjFW+wOVt8QoAcrEtnwEfsnQk1EIr/0XIP1mqTsrqTsmjZ2vLk+f
FzTGYAxMvYZI+BrN47aoH2ywS7CpnODjCDXJuDYSPbc3PA8t0ghU/60m9R+s6AZPuljVQbGfxPrahEu4
GVc6sMJNU1JxmqDJkodhMArObB4Umzj7E3Rdby/ZWx/clTYiXQR1X1VfhQ==
bitcount:2048
fingerprint:
fd:ca:48:73:b9:ee:e7:86:9e:1e:40:46:f1:50:1d:44
**************************************
dsa Keys generated:Sun Jul 27 15:20:12 2008
ssh-dss AAAAB3NzaC1kc3MAAACBALpdxLjXNS/jcCNY+F1QZV9HegxBEb0DMUmq9bSq2N+KAcvHllEh
GnaiHhqarOlcEKqhLbIbuqtKTCvfa+Y1hBIAhWVjg1UR3/M22jqxnfhnxL5YRc1Q7fcesFax0myayAIU
nXrkO5iwv9XHTu+EInRc4kJ0XrG9SxtLmDe/fi2ZAAAAFQDbRabAjZa6GfDpwjXw5smRhrElJwAAAIEA
r50yi3hHawNnb5qgYLXhN+KA8XJF753eCWHtMw7NR8fz6fjQ1R2J97UjjGuQ8DvwpGeNQ5S+AuIo0rGq
svdg7TTecBcbgBOnR7Fs2+W5HiSVEGbvj1xaeK8fkNE6kaJumBB343b8Rgj0G97MP/os1GfkEqmX9glB
0IOM2mgHHyoAAACAfRir27hHy+fw8CxPlsK0R6cFhxYyd/qYYogXFKYIOPxpLoYrjqODeOFThU7TJuBz
aS97eXiruzbffHwzUGfXgmQT5o9IMZRTClWPA/5Ju4O9YABYHccUghf0W+QtgGOT6FOSvBh8uOV0kcHC
GMJAP8omphauZJlc+wgFxhnkyh4=
bitcount:1024
fingerprint:
44:91:32:1f:7a:d1:83:3c:f3:5e:db:53:0a:2d:ce:69
**************************************
mcs-srvr43(config)# no ssh key rsa
mcs-srvr43(config)# show ssh key
**************************************
could not retrieve rsa key information
**************************************
dsa Keys generated:Sun Jul 27 15:20:12 2008
ssh-dss AAAAB3NzaC1kc3MAAACBALpdxLjXNS/jcCNY+F1QZV9HegxBEb0DMUmq9bSq2N+KAcvHllEh
GnaiHhqarOlcEKqhLbIbuqtKTCvfa+Y1hBIAhWVjg1UR3/M22jqxnfhnxL5YRc1Q7fcesFax0myayAIU
nXrkO5iwv9XHTu+EInRc4kJ0XrG9SxtLmDe/fi2ZAAAAFQDbRabAjZa6GfDpwjXw5smRhrElJwAAAIEA
r50yi3hHawNnb5qgYLXhN+KA8XJF753eCWHtMw7NR8fz6fjQ1R2J97UjjGuQ8DvwpGeNQ5S+AuIo0rGq
svdg7TTecBcbgBOnR7Fs2+W5HiSVEGbvj1xaeK8fkNE6kaJumBB343b8Rgj0G97MP/os1GfkEqmX9glB
0IOM2mgHHyoAAACAfRir27hHy+fw8CxPlsK0R6cFhxYyd/qYYogXFKYIOPxpLoYrjqODeOFThU7TJuBz
aS97eXiruzbffHwzUGfXgmQT5o9IMZRTClWPA/5Ju4O9YABYHccUghf0W+QtgGOT6FOSvBh8uOV0kcHC
GMJAP8omphauZJlc+wgFxhnkyh4=
bitcount:1024
fingerprint:
44:91:32:1f:7a:d1:83:3c:f3:5e:db:53:0a:2d:ce:69
**************************************
mcs-srvr43(config)# no ssh key dsa
mcs-srvr43(config)# show ssh key
**************************************
could not retrieve rsa key information
**************************************
could not retrieve dsa key information
**************************************
no ssh keys present. you will have to generate them
**************************************
n1000v#
Clearing SSH Sessions
Use this procedure to clear SSH sessions from the device.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
SUMMARY STEPS
1. show users
2. clear line vty-line
3. show users
DETAILED STEPS
Example:
n1000v# show users
NAME LINE TIME IDLE PID COMMENT
admin tty1 Jul 25 19:13 old 2867
admin pts/0 Jul 28 09:49 00:02 28556 (10.21.148.122)
admin pts/1 Jul 28 09:46 . 28437 (::ffff:10.21.148.122)*
n1000v# clear line 0
n1000v# show users
NAME LINE TIME IDLE PID COMMENT
admin tty1 Jul 25 19:13 old 2867
admin pts/1 Jul 28 09:46 . 28437 (::ffff:10.21.148.122)*
mcs-srvr43(config)#
Verifying the SSH Configuration
To display the SSH configuration information, use one of the following commands:
Example:
n1000v# show ssh key rsa
**************************************
rsa Keys generated:Mon Jul 28 09:49:18 2008
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEAv0a4p6VulQMW4AMgoPfApB2KegF3QTojCzed51iVQnEkNglnM7A/oEIZAtlVLY k/PEzt+ED7lPal/8pomaqjgRxHSeK2gw1cJKSDbcYH5na8uox1Hr50eK0q2+ZfvMqV
bitcount:768
fingerprint:
76:6c:a0:5c:79:a6:ae:3d:cb:27:a1:86:62:fa:09:df
**************************************
SSH Example Configuration
To configure SSH with an OpenSSH key, follow these steps:
Step 1 Disable the SSH server.
n1000v# config t
n1000v(config)# no ssh server enable
Step 2 Generate an SSH server key.
n1000v(config)# ssh key rsa
generating rsa key(1024 bits).....
.generated rsa key
Step 3 Enable the SSH server.
n1000v(config)# ssh server enable
Step 4 Display the SSH server key.
n1000v(config)# show ssh key
rsa Keys generated:Sat Sep 29 00:10:39 2007
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvWhEBsF55oaPHNDBnpXOTw6+/OdHoLJZKr+MZm99n2U0
ChzZG4svRWmHuJY4PeDWl0e5yE3g3EO3pjDDmt923siNiv5aSga60K36lr39HmXL6VgpRVn1XQFiBwn4
na+H1d3Q0hDt+uWEA0tka2uOtXlDhliEmn4HVXOjGhFhoNE=
bitcount:1024
fingerprint:
51:6d:de:1c:c3:29:50:88:df:cc:95:f0:15:5d:9a:df
**************************************
could not retrieve dsa key information
**************************************
Step 5 Specify the SSH public key in OpenSSH format.
n1000v(config)# username User1 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAy19oF6QaZl9G+3f1XswK3OiW4H7YyUyuA50rv7gsEPjhOBYmsi6PAVKui1nIf/ DQhum+lJNqJP/eLowb7ubO+lVKRXFY/G+lJNIQW3g9igG30c6k6+XVn+NjnI1B7ihvpVh7dLddMOXwOnXHYshXmSiH 3UD/vKyziEh5S4Tplx8=
Step 6 Save the configuration.
n1000v(config)# copy running-config startup-config
Example:
n1000v# config t
n1000v(config)# no ssh server enable
n1000v(config)# ssh key rsa
generating rsa key(1024 bits).....
n1000v(config)# ssh server enable
n1000v(config)# show ssh key
rsa Keys generated:Sat Sep 29 00:10:39 2007
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvWhEBsF55oaPHNDBnpXOTw6+/OdHoLJZKr+MZm99n2U0
ChzZG4svRWmHuJY4PeDWl0e5yE3g3EO3pjDDmt923siNiv5aSga60K36lr39HmXL6VgpRVn1XQFiBwn4
na+H1d3Q0hDt+uWEA0tka2uOtXlDhliEmn4HVXOjGhFhoNE=
bitcount:1024
fingerprint:
51:6d:de:1c:c3:29:50:88:df:cc:95:f0:15:5d:9a:df
**************************************
could not retrieve dsa key information
**************************************
n1000v(config)# username User1 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAy19oF6QaZl9G+3f1XswK3OiW4H7YyUyuA50rv7gsEPjhOBYmsi6PAVKui1nIf/ DQhum+lJNqJP/eLowb7ubO+lVKRXFY/G+lJNIQW3g9igG30c6k6+XVn+NjnI1B7ihvpVh7dLddMOXwOnXHYshXmSiH 3UD/vKyziEh5S4Tplx8=
n1000v(config)# copy running-config startup-config
[########################################] 100%
n1000v(config)#
Default Settings
The following table lists the default settings for SSH.
|
|
|
|---|---|
SSH server |
Enabled. |
SSH server key |
RSA key generated with 1024 bits. |
RSA key bits for generation |
1024. |
Additional References
For additional information related to implementing RBAC, see the following sections:
Related Documents
|
|
|
|---|---|
CLI |
Cisco Nexus 1000V Getting Started Guide, Release 4.0(4)SV1(1) |
Telnet |
Standards
|
|
|
|---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
— |
Feature History for SSH
This section provides the SSH release history.
|
|
|
|
|---|---|---|
SSH |
4.0 |
This feature was introduced. |
Feedback