The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The SSH Terminal-Line Access feature provides users secure access to tty (text telephone) lines. tty allows the hearing- and speech-impaired to communicate by using a telephone to type messages.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for SSH Terminal-Line Access" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
•Prerequisites for SSH Terminal-Line Access
•Restrictions for SSH Terminal-Line Access
•Information About SSH Terminal-Line Access
•How to Configure SSH Terminal-Line Access
•Configuration Examples for SSH Terminal-Line Access
•Feature Information for SSH Terminal-Line Access
Download the required image to your router. The secure shell (SSH) server requires the router to have an IPSec (Data Encryption Standard (DES) or 3DES) encryption software image from Cisco IOS Release 12.1(1)T or a later release. The SSH client requires the router to have an IPSec (DES or 3DES) encryption software image from Cisco IOS Release 12.1(3)T or a later release. See the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4T for more information on downloading a software image.
The SSH server requires the use of a username and password, which must be defined through the use of a local username and password, TACACS+, or RADIUS.
Note The SSH Terminal-Line Access feature is available on any image that contains SSH.
Console Server Requirement
To configure secure console server access, you must define each line in its own rotary and configure SSH to use SSH over the network when user want to access each of those devices.
Memory and Performance Impact
Replacing reverse Telnet with SSH may reduce the performance of available tty lines due to the addition of encryption and decryption processing above the vty processing. (Any cryptographic mechanism uses more memory than a regular access.)
•Overview of SSH Terminal-Line Access
Cisco IOS supports reverse Telnet, which allows users to Telnet through the router—via a certain port range—to connect them to tty (asynchronous) lines. Reverse Telnet has allowed users to connect to the console ports of remote devices that do not natively support Telnet. However, this method has provided very little security because all Telnet traffic goes over the network in the clear. The SSH Terminal-Line Access feature replaces reverse Telnet with SSH. This feature may be configured to use encryption to access devices on the tty lines, which provide users with connections that support strong privacy and session integrity.
SSH is an application and a protocol that provides secure replacement for the suite of Berkeley r-tools such as rsh, rlogin, and rcp. (Cisco IOS supports rlogin.) The protocol secures the sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools. Currently two versions of SSH are available: SSH Version 1 and SSH Version 2. Only SSH Version 1 is implemented in the Cisco IOS software.
The SSH Terminal-Line Access feature enables users to configure their router with secure access and perform the following tasks:
•Connect to a router that has multiple terminal lines connected to consoles or serial ports of other routers, switches, or devices.
•Simplify connectivity to a router from anywhere by securely connecting to the terminal server on a specific line.
•Allow modems attached to routers to be used for dial-out securely.
•Require authentication of each of the lines through a locally defined username and password, TACACS+, or RADIUS.
Note The session slot command that is used to start a session with a module requires Telnet to be accepted on the virtual tty (vty) lines. When you restrict vty lines only to SSH, you cannot use the command to communicate with the modules. This applies to any Cisco IOS device where the user can telnet to a module on the device.
•Configuring SSH Terminal-Line Access
Perform this task to configure a Cisco router to support reverse secure Telnet.
Note SSH must already be configured on the router.
1. enable
2. configure terminal
3. line line-number [ending-line-number]
4. no exec
5. login {local | authentication listname}
6. rotary group
7. transport input {all | ssh}
8. exit
9. ip ssh port portnum rotary group
To verify that this functionality is working, you can connect to a router using an SSH client.
•Example: SSH Terminal-Line Access Configuration
•Example: SSH Terminal-Line Access for a Console (Serial Line) Ports Configuration
The following example shows how to configure the SSH Terminal-Line Access feature on a modem used for dial-out on lines 1 through 200. To get any of the dial-out modems, use any SSH client and start an SSH session to port 2000 of the router to get to the next available modem from the rotary.
line 1 200
no exec
login authentication default
rotary 1
transport input ssh
exit
ip ssh port 2000 rotary 1
The following example shows how to configure the SSH Terminal-Line Access feature to access the console or serial line interface of various devices. For this type of access, each line is put into its own rotary, and each rotary is used for a single port. In this example, lines 1 through 3 are used; the port (line) mappings of the configuration are shown in Table 1.
|
|
---|---|
1 |
2001 |
2 |
2002 |
3 |
2003 |
line 1
no exec
login authentication default
rotary 1
transport input ssh
line 2
no exec
login authentication default
rotary 2
transport input ssh
line 3
no exec
login authentication default
rotary 3
transport input ssh
ip ssh port 2001 rotary 1 3
|
|
---|---|
— |
|
|
---|---|
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
|
|
---|---|
None. |
— |
Table 2 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 2 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.