Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

• Ensure that you use a Secure Shell (SSH) remote device that supports SSH Version 2 (SSHv2) and connect to a Cisco device.

• Ensure that both the client and the server that are used in the SSH session support the Advanced Encryption Standard counter mode (AES-CTR) encryption mode.

• The Secure Shell (SSH) server and SSH client are supported only on crypto k9 (Triple Data Encryption Standard [3DES]) software images depending on your release.

The Cisco Secure Shell (SSH) implementation enables a secure, encrypted connection between a server and client. The SSH servers and clients use the SSH protocol to provide device authentication and encryption.

To start an encrypted session between the SSH client and server, the preferred mode of encryption needs to be decided. For increased security, the preferred crypto algorithm for the SSH session is the Advanced Encryption Standard counter mode (AES-CTR).

SSH version 2 (SSHv2) supports AES-CTR encryption for 128-, 192-, and 256-bit key length. From the supported AES-CTR algorithms, the preferred algorithm is chosen based on the processing capability. The greater the length of the key, the stronger the encryption.

If the SSH session uses a remote device that does not support the AES-CTR encryption mode, then the encryption mode for the session falls back to AES-CBC mode.

Perform this task to start an encrypted Secure Shell (SSH) session from the SSH client using the Advanced Encryption Standard counter mode (AES-CTR) encryption mode.

Note	The device with which you want to connect must support an SSH server that has the AES-CTR encryption algorithm that is supported in Cisco software. SSH can be run even when the device is disabled.

1.    enable


2.    ssh [-v {1 | 2} | -c {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des | aes192-cbc | aes256-cbc} | -l user-id | -l user-id:vrf-name number ip-address ip-address | -l user-id:rotary number ip-address | -m {hmac-md5-128 | hmac-md5-96 | hmac-sha1-160 | hmac-sha1-96} | -o numberofpasswordprompts n | -p port-num] {ip-addr | hostname} [command | -vrf]


3.    exit

Device> enable

Device# ssh -v 2 -c aes256-ctr -m hmac-sha1-96 -l user2 10.76.82.24

Device# exit

1.    enable


2.    show ssh


3.    debug ip ssh detail

Device> enable

Device# show ssh

Connection Version Mode Encryption  Hmac                State         Username    

0          1.99     IN   aes128-ctr  hmac-sha1     Session started       cisco
0          1.99     OUT  aes128-ctr  hmac-sha1     Session started       cisco

%No SSHv1 server connections running.

Device# debug ip ssh detail

SSH2 0: kex: client->server enc:aes128-ctr mac:hmac-md5 
SSH2 0: kex: server->client enc:aes128-ctr mac:hmac-md5 

Device# debug ip ssh detail

SSH2 CLIENT 0: kex: server->client enc:aes128-ctr mac:hmac-md5 
SSH2 CLIENT 0: kex: client->server enc:aes128-ctr mac:hmac-md5