- Finding Feature Information
- Restrictions for Secure Shell—Configuring User Authentication Methods
- Information About Secure Shell—Configuring User Authentication Methods
- How to Configure Secure Shell—Configuring User Authentication Methods
- Configuration Examples for Secure Shell—Configuring User Authentication Methods
- Additional References for Secure Shell—Configuring User Authentication Methods
- Feature Information for Secure Shell—Configuring User Authentication Methods
Secure Shell—Configuring User Authentication Methods
The Secure Shell—Configuring User Authentication Methods feature helps configure the user authentication methods available in the Secure Shell (SSH) server.
- Finding Feature Information
- Restrictions for Secure Shell—Configuring User Authentication Methods
- Information About Secure Shell—Configuring User Authentication Methods
- How to Configure Secure Shell—Configuring User Authentication Methods
- Configuration Examples for Secure Shell—Configuring User Authentication Methods
- Additional References for Secure Shell—Configuring User Authentication Methods
- Feature Information for Secure Shell—Configuring User Authentication Methods
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Secure Shell—Configuring User Authentication Methods
Secure Shell (SSH) server and SSH client are supported on data encryption software (DES) (56-bit) and 3DES (168-bit) images only.
Information About Secure Shell—Configuring User Authentication Methods
Secure Shell User Authentication Overview
Secure Shell (SSH) enables an SSH client to make a secure, encrypted connection to a Cisco device (Cisco IOS SSH server). The SSH client uses the SSH protocol to provide device authentication and encryption.
The SSH server supports three types of user authentication methods and sends these authentication methods to the SSH client in the following predefined order:
Public-key authentication method
Keyboard-interactive authentication method
Password authentication method
By default, all the user authentication methods are enabled. Use the no ip ssh server authenticate user {publickey | keyboard | pasword} command to disable any specific user authentication method so that the disabled method is not negotiated in the SSH user authentication protocol. This feature helps the SSH server offer any preferred user authentication method in an order different from the predefined order. The disabled user authentication method can be enabled using the ip ssh server authenticate user {publickey | keyboard | pasword} command.
As per RFC 4252 (The Secure Shell (SSH) Authentication Protocol), the public-key authentication method is mandatory. This feature enables the SSH server to override the RFC behavior and disable any SSH user authentication method, including public-key authentication.
For example, if the SSH server prefers the password authentication method, the SSH server can disable the public-key and keyboard-interactive authentication methods.
How to Configure Secure Shell—Configuring User Authentication Methods
Configuring User Authentication for the SSH Server
Perform this task to configure user authentication methods in the Secure Shell (SSH) server.
1.
enable
2.
configure
terminal
3.
no
ip ssh
server authenticate user
{publickey | keyboard | pasword}
4.
ip ssh
server authenticate user
{publickey | keyboard | pasword}
5.
default ip ssh
server authenticate user
6.
end
DETAILED STEPS
Troubleshooting Tips
If the public-key-based authentication method is disabled using the no ip ssh server authenticate user publickey command, the RFC 4252 (The Secure Shell (SSH) Authentication Protocol) behavior in which public-key authentication is mandatory is overridden and the following warning message is displayed:
%SSH:Publickey disabled.Overriding RFC
If all three authentication methods are disabled, the following warning message is displayed:
%SSH:No auth method configured.Incoming connection will be dropped
In the event of an incoming SSH session request from the SSH client when all three user authentication methods are disabled on the SSH server, the connection request is dropped at the SSH server and a system log message is available in the following format:
%SSH-3-NO_USERAUTH: No auth method configured for SSH Server. Incoming connection from <ip address> (tty = <ttynum>) dropped
Verifying User Authentication for the SSH Server
1.
enable
2.
show
ip ssh
DETAILED STEPS
Step 1 |
enable
Enables privileged EXEC mode. Example: Device> enable |
Step 2 |
show
ip ssh
Displays the version and configuration data for Secure Shell (SSH). Example: Device# show ip ssh Authentication methods:publickey,keyboard-interactive,password
Device# show ip ssh Authentication methods:NONE |
Configuration Examples for Secure Shell—Configuring User Authentication Methods
- Example: Disabling User Authentication Methods
- Example: Enabling User Authentication Methods
- Example: Configuring Default User Authentication Methods
Example: Disabling User Authentication Methods
The following example shows how to disable the public-key-based authentication and keyboard-based authentication methods, allowing the SSH client to connect to the SSH server using the password-based authentication method:
Device> enable Device# configure terminal Device(config)# no ip ssh server authenticate user publickey %SSH:Publickey disabled.Overriding RFC Device(config)# no ip ssh server authenticate user keyboard Device(config)# exit
Example: Enabling User Authentication Methods
The following example shows how to enable the public-key-based authentication and keyboard-based authentication methods:
Device> enable Device# configure terminal Device(config)# ip ssh server authenticate user publickey Device(config)# ip ssh server authenticate user keyboard Device(config)# exit
Example: Configuring Default User Authentication Methods
The following example shows how to return to the default behavior in which all three user authentication methods are enabled in the predefined order:
Device> enable Device# configure terminal Device(config)# default ip ssh server authenticate user Device(config)# exit
Additional References for Secure Shell—Configuring User Authentication Methods
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
|
SSH configuration |
Secure Shell Configuration Guide |
Standards and RFCs
Standard/RFC | Title |
---|---|
RFC 4252 |
The Secure Shell (SSH) Authentication Protocol |
RFC 4253 |
The Secure Shell (SSH) Transport Layer Protocol |
Technical Assistance
Description | Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for Secure Shell—Configuring User Authentication Methods
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to . An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
Secure Shell—Configuring User Authentication Methods |
Cisco IOS XE Release 3.10S |
The Secure Shell—Configuring User Authentication Methods feature helps configure the user authentication methods available in the Secure Shell (SSH) server. The following command was introduced: ip ssh server authenticate user. In Cisco IOS XE Release 3.10, this feature was introduced on Cisco ASR 1000 Series Aggregation Services Routers. |