Telnet, SSH and Slogin Commands

ip telnet server

Use the ip telnet server Global Configuration mode command to enable the device as a Telnet server that accepts connection requests from remote Telnet clients. Remote Telnet clients can configure the device through the Telnet connections.

Use the no form of this command to disable the Telnet server functionality on the device.

Syntax

ip telnet server

no ip telnet server

Default Configuration

Disabled

Command Mode

Global Configuration mode

User Guidelines

The device can be enabled to accept connection requests from both remote SSH and Telnet clients. It is recommended that the remote client connect to the device using SSH (as opposed to Telnet), since SSH is a secure protocol and Telnet is not. To enable the device to be an SSH server, use the ip ssh server command.

Example

The following example enables the device as a Telnet server so that it can be configured by remote Telnet clients.

switchxxxxxx(config)# ip telnet server

ip ssh logging

To enable or disable the sending of traps related to SSH session setup and shutdown, use the ip ssh logging command in Global Configuration mode. To restore the default setting, use the no form of this command.

Syntax

ip ssh logging [enable | disable]

no ip ssh logging

Parameters

  • enable - Enables SSH logging on device

  • disable - Disables SSH logging on device

Default Configuration

SSH session logging is disabled by default.

Command Mode

Global Configuration mode

User Guidelines

This command enables SSH logging on the device. SSH logging is a means to track the progress of SSH session setup and tear-down. This progress is tracked using SYSLOG messages that are generated as part of the process. If SSH logging is disabled, SYSLOG messages are not generated as part of the SSH setup or tear-down process.

Example

The following example enables SSH logging on the device.

switchxxxxxx(config)# ip ssh logging enable

ip ssh server

The ip ssh server Global Configuration mode command enables the device to be an SSH server and so to accept connection requests from remote SSH clients. Remote SSH clients can manage the device through the SSH connection.

Use the no form of this command to disable the SSH server functionality on the device.

Syntax

ip ssh server

no ip ssh server

Default Configuration

The SSH server functionality is disabled by default.

Command Mode

Global Configuration mode

User Guidelines

The device, as an SSH server, generates the encryption keys automatically.

To generate new SSH server keys, use the crypto key generate dsa and crypto key generate rsa commands.

Example

The following example enables the device to be an SSH server.

switchxxxxxx(config)# ip ssh server

ip ssh port

The ip ssh port Global Configuration mode command specifies the TCP port used by the SSH server. Use the no form of this command to restore the default configuration.

Syntax

ip ssh port port-number

no ip ssh port

Parameters

  • port-number—Specifies the TCP port number to be used by the SSH server. (Range: 1–59999).

Default Configuration

The default TCP port number is 22.

Command Mode

Global Configuration mode

Example

The following example specifies that TCP port number 808 is used by the SSH server.

switchxxxxxx(config)# ip ssh port 808

ip ssh password-auth

Use the ip ssh password-auth Global Configuration mode command to enable password authentication of incoming SSH sessions.

Use the no form of this command to disable this function.

Syntax

ip ssh password-auth

no ip ssh password-auth

Default Configuration

Password authentication of incoming SSH sessions is disabled.

Command Mode

Global Configuration mode

User Guidelines

This command enables password authentication by a local SSH server of remote SSH clients.

The local SSH server advertises all enabled SSH authentication methods and remote SSH clients are responsible for choosing one of them.

After a remote SSH client is successfully authenticated by public key, the client must still be AAA-authenticated to gain management access to the device.

If no SSH authentication method is enabled, remote SSH clients must still be AAA-authenticated before being granted management access to the device.

Example

The following example enables password authentication of the SSH client.

switchxxxxxx(config)# ip ssh password-auth

ip ssh pubkey-auth

Use the ip ssh pubkey-auth Global Configuration mode command to enable public key authentication of incoming SSH sessions.

Use the no form of this command to disable this function.

Syntax

ip ssh pubkey-auth [auto-login]

no ip ssh pubkey-auth

Parameters

  • auto-login—Specifies that the device management AAA authentication (CLI login) is not needed. By default, the login is required after the SSH authentication.

Default Configuration

Public key authentication of incoming SSH sessions is disabled.

Command Mode

Global Configuration mode

User Guidelines

This command enables public key authentication by a local SSH server of remote SSH clients.

The local SSH server advertises all enabled SSH authentication methods and remote SSH clients are responsible for choosing one of them.

After a remote SSH client is successfully authenticated by public key, the client must still be AAA-authenticated to gain management access to the device, except if the auto-login parameter was specified.

If no SSH authentication method is enabled, remote SSH clients must still be AAA-authenticated before being granted management access to the device.

If the auto-login keyword is specified for SSH authentication by public key, management access is granted if SSH authentication succeeds and the SSH user name is found in the local user database. The device management AAA authentication is transparent to the user. If the user name is not in the local user database, the user receives a warning message and must pass the device management AAA authentication independently of the SSH authentication.

If the auto-login keyword is not specified, management access is granted only if the user engages and passes both SSH authentication and device management AAA authentication independently. If no SSH authentication method is enabled, management access is granted only if the user is AAA authenticated by the device management. No SSH authentication method means SSH is enabled and neither SSH authentication by public key nor password is enabled.

Example

The following example enables public key authentication of the SSH client.

switchxxxxxx(config)# ip ssh pubkey-auth

crypto key pubkey-chain ssh

The crypto key pubkey-chain ssh Global Configuration mode command enters the SSH Public Key-chain Configuration mode. This mode is used to manually specify device public keys, such as SSH client public keys.

Syntax

crypto key pubkey-chain ssh

Default Configuration

Keys do not exist.

Command Mode

Global Configuration mode

User Guidelines

Use this command when you want to manually specify SSH client’s public keys.

Example

The following example enters the SSH Public Key-chain Configuration mode and manually configures the RSA key pair for the SSH public key-chain user ‘bob’.

switchxxxxxx(config)# crypto key pubkey-chain ssh
switchxxxxxx(config-keychain)# user-key bob rsa
switchxxxxxx(config-keychain-key)# key-string
AAAAB3NzaC1yc2EAAAADAQABAAABAQCvTnRwPWl
Al4kpqIw9GBRonZQZxjHKcqKL6rMlQ+
ZNXfZSkvHG+QusIZ/76ILmFT34v7u7ChFAE+
Vu4GRfpSwoQUvV35LqJJk67IOU/zfwOl1g
kTwml75QR9gHujS6KwGN2QWXgh3ub8gDjTSq
muSn/Wd05iDX2IExQWu08licglk02LYciz
+Z4TrEU/9FJxwPiVQOjc+KBXuR0juNg5nFYsY
0ZCk0N/W9a/tnkm1shRE7Di71+w3fNiOA
6w9o44t6+AINEICBCCA4YcF6zMzaT1wefWwX6f+
Rmt5nhhqdAtN/4oJfce166DqVX1gWmN
zNR4DYDvSzg0lDnwCAC8Qh
Fingerprint: a4:16:46:23:5a:8d:1d:b5:37:59:eb:44:13:b9:33:e9

user-key

The user-key SSH Public Key-string Configuration mode command associates a username with a manually-configured SSH public key.

Use the no user-key command to remove an SSH user and the associated public key.

Syntax

user-key username {rsa | dsa}

no user-key username

Parameters

  • username—Specifies the remote SSH client username. (Length: 1–48 characters)

  • rsa—Specifies that the RSA key pair is manually configured.

  • dsa—Specifies that the DSA key pair is manually configured.

Default Configuration

No SSH public keys exist.

Command Mode

SSH Public Key-string Configuration mode

User Guidelines

After entering this command, the existing key, if any, associated with the user will be deleted. You must follow this command with the key-string command to configure the key to the user.

Example

The following example manually configures an SSH public key for the SSH public key-chain user ‘bob’.

switchxxxxxx(config)# crypto key pubkey-chain ssh
switchxxxxxx(config-keychain)# user-key bob rsa
switchxxxxxx(config-keychain-key)# key-string row AAAAB3NzaC1yc2EAAAADAQABAAABAQCvTnRwPWl

key-string

The key-string SSH Public Key-string Configuration mode command manually specifies an SSH public key.

Syntax

key-string [row key-string]

Parameters

  • row—Specifies the SSH public key row by row. The maximum length of a row is 160 characters.

  • key-string—Specifies the key in UU-encoded DER format. UU-encoded DER format is the same format as in the authorized_keys file used by OpenSSH.

Default Configuration

Keys do not exist.

Command Mode

SSH Public Key-string Configuration mode

User Guidelines

Use the key-string SSH Public Key-string Configuration mode command without the row parameter to specify which SSH public key is to be interactively configured next. Enter a row with no characters to complete the command.

Use the key-string row SSH Public Key-string Configuration mode command to specify the SSH public key, row by row. Each row must begin with a key-string row command.

The UU-encoded DER format is the same format as in the authorized_keys file used by OpenSSH.

Example

The following example enters public key strings for SSH public key client ‘bob’.

switchxxxxxx(config)# crypto key pubkey-chain ssh
switchxxxxxx(config-keychain)# user-key bob rsa
switchxxxxxx(config-keychain-key)# key-string
AAAAB3NzaC1yc2EAAAADAQABAAABAQCvTnRwPWl
Al4kpqIw9GBRonZQZxjHKcqKL6rMlQ+
ZNXfZSkvHG+QusIZ/76ILmFT34v7u7ChFAE+
Vu4GRfpSwoQUvV35LqJJk67IOU/zfwOl1g
kTwml75QR9gHujS6KwGN2QWXgh3ub8gDjTSq
muSn/Wd05iDX2IExQWu08licglk02LYciz
+Z4TrEU/9FJxwPiVQOjc+KBXuR0juNg5nFYsY
0ZCk0N/W9a/tnkm1shRE7Di71+w3fNiOA
6w9o44t6+AINEICBCCA4YcF6zMzaT1wefWwX6f+
Rmt5nhhqdAtN/4oJfce166DqVX1gWmN
zNR4DYDvSzg0lDnwCAC8Qh
Fingerprint: a4:16:46:23:5a:8d:1d:b5:37:59:eb:44:13:b9:33:e9
switchxxxxxx(config)# crypto key pubkey-chain ssh
switchxxxxxx(config-keychain)# user-key bob rsa
switchxxxxxx(config-keychain-key)# key-string row AAAAB3Nza
switchxxxxxx(config-keychain-key)# key-string row C1yc2

show ip ssh

The show ip ssh Privileged EXEC mode command displays the SSH server configuration.

Syntax

show ip ssh

Command Mode

Privileged EXEC mode

Example

The following example displays the SSH server configuration.

switchxxxxxx# show ip ssh
SSH server enabled. Port: 22 
SSH session logging is disabled 
RSA key was generated.
DSA (DSS) key was generated.
SSH Public Key Authentication is enabled with auto-login.
SSH Password Authentication is enabled.
Active incoming sessions:

IP Address     SSH Username   Version   Cipher   Auth Code
----------     ------------   -------   ------   ----------
172.16.0.1     John Brown     1.5       3DES     HMAC-SHA1
182.20.2.1     Bob Smith      1.5       3DES     Password

The following table describes the significant fields shown in the display.

Field          Description
-----          -----------
IP Address     The client address
SSH Username   The user name
Version        The SSH version number
Cipher         The encryption type (3DES, Blowfish, RC4)
Auth Code      The authentication code (HMAC-MD5, HMAC-SHA1) or Password
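The display above can be checked automatically during a configuration review. The following Python sketch is an added example, not part of the original command reference: it parses a constructed sample of the show ip ssh output and flags the two settings this chapter describes as reducing accountability (SSH session logging disabled, and public key auto-login). The function names and the exact wording of the "disabled" status lines are assumptions.

```python
import re

# Constructed sample, trimmed, in the layout of the `show ip ssh` example.
SAMPLE = """\
SSH server enabled. Port: 22
SSH session logging is disabled
SSH Public Key Authentication is enabled with auto-login.
SSH Password Authentication is enabled.
Active incoming sessions:
IP Address     SSH Username   Version   Cipher   Auth Code
----------     ------------   -------   ------   ---------
172.16.0.1     John Brown     1.5       3DES     HMAC-SHA1
182.20.2.1     Bob Smith      1.5       3DES     Password
"""
FIELDS = ("ip", "user", "version", "cipher", "auth")

def _state(text, label):
    m = re.search(label + r" is (enabled|disabled)", text)
    return m.group(1) if m else None  # None: status line not present

def parse_show_ip_ssh(text):
    """Parse the output into (settings dict, list of session dicts)."""
    server = re.search(r"SSH server (enabled|disabled)\.(?: Port: (\d+))?", text)
    settings = {
        "server": server.group(1) if server else None,
        "port": int(server.group(2)) if server and server.group(2) else None,
        "logging": _state(text, "SSH session logging"),
        "pubkey_auth": _state(text, "SSH Public Key Authentication"),
        "auto_login": "with auto-login" in text,
        "password_auth": _state(text, "SSH Password Authentication"),
    }
    sessions, in_table = [], False
    for line in text.splitlines():
        if "-" in line and re.fullmatch(r"[-\s]+", line):
            in_table = True  # dashed rule: session rows follow
        elif in_table and line.strip():
            cols = re.split(r"\s{2,}", line.strip())
            if len(cols) == len(FIELDS):
                sessions.append(dict(zip(FIELDS, cols)))
    return settings, sessions

def audit(settings):
    """Flag the two settings this chapter links to reduced accountability."""
    findings = []
    if settings["logging"] != "enabled":
        findings.append("session logging off: no SYSLOG for SSH setup/tear-down")
    if settings["auto_login"]:
        findings.append("auto-login on: no separate AAA login after public key auth")
    return findings
```

The session rows are returned as dictionaries, so the same parse can feed an inventory of which users authenticated by password and which by key.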

show crypto key pubkey-chain ssh

The show crypto key pubkey-chain ssh Privileged EXEC mode command displays SSH public keys stored on the device.

Syntax

show crypto key pubkey-chain ssh [username username] [fingerprint {bubble-babble | hex}]

Parameters

  • username username—Specifies the remote SSH client username. (Length: 1–48 characters)

  • fingerprint {bubble-babble | hex}—Specifies the fingerprint display format. The possible values are:

    bubble-babble—Specifies that the fingerprint is displayed in Bubble Babble format.

    hex—Specifies that the fingerprint is displayed in hexadecimal format.

Default Configuration

The default fingerprint format is hexadecimal.

Command Mode

Privileged EXEC mode

Example

The following examples display SSH public keys stored on the device.

switchxxxxxx# show crypto key pubkey-chain ssh
Username      Fingerprint
-----------   ----------------------------------------------------------
bob           9A:CC:01:C5:78:39:27:86:79:CC:23:C5:98:59:F1:86
john          98:F7:6E:28:F2:79:87:C8:18:F8:88:CC:F8:89:87:C8

switchxxxxxx# show crypto key pubkey-chain ssh username bob
Username      Fingerprint
-----------   ----------------------------------------------------------
bob           9A:CC:01:C5:78:39:27:86:79:CC:23:C5:98:59:F1:86
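The key-string row procedure and the fingerprint display above can be tied together when provisioning a client key. The following Python sketch is an added example, not part of the original command reference: it turns one authorized_keys-style line into user-key and key-string row commands that respect the 160-character row limit, and computes a fingerprint to compare with the show crypto key pubkey-chain ssh output. It assumes the hex fingerprint is the MD5 digest of the decoded key, as its 16-byte form suggests; the function names and the demo key (filler bytes, not a real modulus) are constructed for illustration.

```python
import base64, hashlib, struct

MAX_ROW = 160  # row limit stated for `key-string row`
ALGS = {"ssh-rsa": "rsa", "ssh-dss": "dsa"}  # user-key accepts rsa | dsa

def _field(data):
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

# Constructed key for illustration only: the 'modulus' is filler bytes.
DEMO_BLOB = _field(b"ssh-rsa") + _field(b"\x01\x00\x01") + _field(
    b"\x00" + bytes(range(1, 256)) + b"\xff")
DEMO_LINE = "ssh-rsa " + base64.b64encode(DEMO_BLOB).decode() + " bob@example"

def md5_fingerprint(blob):
    """Colon-separated MD5 hex of the decoded key (assumed device format)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def keychain_commands(username, pubkey_line, row_len=MAX_ROW):
    """Return (CLI lines, fingerprint) for one authorized_keys-style entry."""
    if not 1 <= len(username) <= 48:
        raise ValueError("username must be 1-48 characters")
    declared, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    # The type named on the line must match the type embedded in the blob.
    if blob[4:4 + n] != declared.encode() or declared not in ALGS:
        raise ValueError("key type missing, unsupported, or not matching blob")
    rows = [b64[i:i + row_len] for i in range(0, len(b64), row_len)]
    cli = ["crypto key pubkey-chain ssh", f"user-key {username} {ALGS[declared]}"]
    cli += [f"key-string row {row}" for row in rows]
    return cli, md5_fingerprint(blob)

if __name__ == "__main__":
    cli, fp = keychain_commands("bob", DEMO_LINE)
    print("\n".join(cli))
    # The device examples show the fingerprint in both cases; compare case-insensitively.
    print("expect in 'show crypto key pubkey-chain ssh username bob':", fp.upper())
```

Comparing the locally computed fingerprint with the one the device displays confirms that the key was entered without a dropped or altered row.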