The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter contains the following sections:
Information About SSH and Telnet
The Secure Shell Protocol (SSH) server feature enables a SSH client to make a secure, encrypted connection to a Cisco Nexus device. SSH uses strong encryption for authentication. The SSH server in the Cisco Nexus device switch interoperates with publicly and commercially available SSH clients.
The user authentication mechanisms supported for SSH are RADIUS, TACACS+, and the use of locally stored user names and passwords.
The SSH client feature is an application running over the SSH protocol to provide device authentication and encryption. The SSH client enables a switch to make a secure, encrypted connection to another Cisco Nexus device or to any other device running an SSH server. This connection provides an outbound connection that is encrypted. With authentication and encryption, the SSH client allows for a secure communication over an insecure network.
The SSH client in the Cisco Nexus device works with publicly and commercially available SSH servers.
SSH requires server keys for secure communications to the Cisco Nexus device. You can use SSH keys for the following SSH options:
SSH version 2 using Rivest, Shamir, and Adelman (RSA) public-key cryptography
SSH version 2 using the Digital System Algrorithm (DSA)
Be sure to have an SSH server key-pair with the appropriate version before enabling the SSH service. You can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts three types of key-pairs for use by SSH version 2:
The dsa option generates the DSA key-pair for the SSH version 2 protocol.
The rsa option generates the RSA key-pair for the SSH version 2 protocol.
By default, the Cisco Nexus device generates an RSA key using 1024 bits.
SSH supports the following public key formats:
OpenSSH
IETF Secure Shell (SECSH)
 Caution |
If you delete all of the SSH keys, you cannot start the SSH services. |
SSH authentication on CiscoNX-OS devices provide X.509 digital certificate support for host authentication. An X.509 digital certificate is a data item that ensures the origin and integrity of a message. It contains encryption keys for secured communications and is signed by a trusted certification authority (CA) to verify the identity of the presenter. The X.509 digital certificate support provides either DSA or RSA algorithms for authentication.
The certificate infrastructure uses the first certificate that supports the Secure Socket Layer (SSL) and is returned by the security infrastructure, either through a query or a notification. Verification of certificates is successful if the certificates are from any of the trusted CAs.
You can configure your device for SSH authentication using an X.509 certificate. If the authentication fails, you are prompted for a password.
Beginning with Cisco NX-OS Release 7.0(3)I5(1), you can configure SSH authentication using X.509v3 certificates (RFC 6187). X.509v3 certificate-based SSH authentication uses certificates combined with a smartcard to enable two-factor authentication for Cisco device access. The SSH client is provided by Cisco partner Pragma Systems.
The Telnet protocol enables TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP connection to a login server at another site, and then passes the keystrokes from one system to the other. Telnet can accept either an IP address or a domain name as the remote system address.
The Telnet server is enabled by default on the Cisco Nexus device.
SSH has the following configuration guidelines and limitations:
The Cisco Nexus device supports only SSH version 2 (SSHv2).
SSH public and private keys imported into user accounts that are remotely authenticated through a AAA protocol (such as RADIUS or TACACS+) for the purpose of SSH Passwordless File Copy will not persist when the Nexus device is reloaded unless a local user account with the same name as the remote user account is configured on the device before the SSH keys are imported.
Configuring SSH
You can generate an SSH server key based on your security requirements. The default SSH server key is an RSA key that is generated using 1024 bits.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
switch# configure terminal |
Enters global configuration move. |
| Step 2 |
switch(config)# ssh key {dsa [force] | rsa [bits [force]]} |
Generates the SSH server key. The bits argument is the number of bits used to generate the key. The range is from 768 to 2048 and the default value is 1024. Use the force keyword to replace an existing key. |
| Step 3 |
switch(config)# exit |
Exits global configuration mode. |
| Step 4 |
(Optional) switch# show ssh key [dsa | rsa] [md5] |
(Optional)
Displays the SSH server keys. For Cisco NX-OS Release 7.0(3)I4(6) and any later 7.0(3)I4(x) release, this command displays the fingerprint in SHA256 format by default. SHA256 is more secure than the old default format of MD5. However, the md5 option has been added, if you want to see the fingerprint in MD5 format for backward compatibility. |
| Step 5 |
(Optional) switch# copy running-config startup-config |
(Optional)
Copies the running configuration to the startup configuration. |
The following example shows how to generate an SSH server key:
switch# configure terminal
switch(config)# ssh key rsa 2048
switch(config)# exit
switch# show ssh key
switch# copy running-config startup-config
You can configure an SSH public key to log in using an SSH client without being prompted for a password. You can specify the SSH public key in one of three different formats:
Open SSH format
IETF SECSH format
Public Key Certificate in PEM format
You can specify the SSH public keys in SSH format for user accounts.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
switch# configure terminal |
Enters global configuration move. |
| Step 2 |
switch(config)# username username sshkey ssh-key |
Configures the SSH public key in SSH format. |
| Step 3 |
switch(config)# exit |
Exits global configuration mode. |
| Step 4 |
(Optional) switch# show user-account |
(Optional)
Displays the user account configuration. |
| Step 5 |
(Optional) switch# copy running-config startup-config |
(Optional)
Copies the running configuration to the startup configuration. |
The following example shows how to specify an SSH public key in open SSH format:
switch# configure terminal
switch(config)# username User1 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYz
CfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZcTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv+DQBsDQH6rZt0KR+2Da8hJD4Z
XIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5Ninn0McNinn0Mc=
switch(config)# exit
switch# show user-account
switch# copy running-config startup-config
 Note |
The username command in the example above is a single line that has been broken for legibility. |
You can specify the SSH public keys in IETF SECSH format for user accounts.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
switch# copy server-file bootflash: filename |
Downloads the file that contains the SSH key in IETF SECSH format from a server. The server can be FTP, SCP, SFTP, or TFTP. |
| Step 2 |
switch# configure terminal |
Enters global configuration move. |
| Step 3 |
switch(config)# username username sshkey file filename |
Configures the SSH public key in SSH format. |
| Step 4 |
switch(config)# exit |
Exits global configuration mode. |
| Step 5 |
(Optional) switch# show user-account |
(Optional)
Displays the user account configuration. |
| Step 6 |
(Optional) switch# copy running-config startup-config |
(Optional)
Copies the running configuration to the startup configuration. |
The following example shows how to specify the SSH public key in the IETF SECSH format:
switch#copy tftp://10.10.1.1/secsh_file.pub bootflash:secsh_file.pub
switch# configure terminal
switch(config)# username User1 sshkey file bootflash:secsh_file.pub
switch(config)# exit
switch# show user-account
switch# copy running-config startup-configYou can specify the SSH public keys in PEM-formatted Public Key Certificate form for user accounts.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
switch# copy server-file bootflash: filename |
Downloads the file that contains the SSH key in PEM-formatted Public Key Certificate form from a server. The server can be FTP, SCP, SFTP, or TFTP |
| Step 2 |
switch# configure terminal |
Enters global configuration move. |
| Step 3 |
(Optional) switch# show user-account |
(Optional)
Displays the user account configuration. |
| Step 4 |
(Optional) switch# copy running-config startup-config |
(Optional)
Copies the running configuration to the startup configuration. |
The following example shows how to specify the SSH public keys in PEM-formatted public key certificate form:
switch# copy tftp://10.10.1.1/cert.pem bootflash:cert.pem
switch# configure terminal
switch# show user-account
switch# copy running-config startup-config
You can configure SSH to use a specific interface.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
switch# configure terminal |
Enters global configuration move. |
| Step 2 |
switch(config)# ip ssh source-interface type slot/port |
Configures the source interface for all SSH packets. The following list contains the valid values for interface.
|
| Step 3 |
switch(config)# show ip ssh source-interface |
Displays the configured SSH source interface. |
This example shows how to configure the SSH source interface:
switch(config)# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ip ssh source-interface ethernet 1/7
switch(config)# show ip ssh source-interface
VRF Name Interface
default Ethernet1/7
You can start SSH sessions to connect to remote devices from your Cisco Nexus device.
| Command or Action | Purpose |
|---|---|
|
switch# ssh {hostname | username@hostname} [vrf vrf-name] |
Creates an SSH session to a remote device. The hostname argument can be an IPv4 address or a hostname. |
When you download a file from a server using SCP or SFTP, you establish a trusted SSH relationship with that server.
| Command or Action | Purpose |
|---|---|
|
switch# clear ssh hosts |
Clears the SSH host sessions. |
By default, the SSH server is enabled on the Cisco Nexus device.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
switch# configure terminal |
Enters global configuration move. |
| Step 2 |
switch(config)# [no] feature ssh |
Enables/disables the SSH server. The default is enabled. |
| Step 3 |
switch(config)# exit |
Exits global configuration mode. |
| Step 4 |
(Optional) switch# show ssh server |
(Optional)
Displays the SSH server configuration. |
| Step 5 |
(Optional) switch# copy running-config startup-config |
(Optional)
Copies the running configuration to the startup configuration. |
You can delete SSH server keys after you disable the SSH server.
Note |
To reenable SSH, you must first generate an SSH server key. |
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
switch# configure terminal |
Enters global configuration move. |
| Step 2 |
switch(config)# no feature ssh |
Disables the SSH server. |
| Step 3 |
switch(config)# no ssh key [dsa | rsa] |
Deletes the SSH server key. The default is to delete all the SSH keys. |
| Step 4 |
switch(config)# exit |
Exits global configuration mode. |
| Step 5 |
(Optional) switch# show ssh key |
(Optional)
Displays the SSH server configuration. |
| Step 6 |
(Optional) switch# copy running-config startup-config |
(Optional)
Copies the running configuration to the startup configuration. |
You can clear SSH sessions from the Cisco Nexus device.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
switch# show users |
Displays user session information. |
| Step 2 |
switch# clear line vty-line |
Clears a user SSH session. |
The following example shows how to configure SSH:
| Step 1 |
Generate an SSH server key. |
||
| Step 2 |
Enable the SSH server.
|
||
| Step 3 |
Display the SSH server key. |
||
| Step 4 |
Specify the SSH public key in Open SSH format. |
||
| Step 5 |
Save the configuration. |
You can configure SSH authentication using X.509v3 certificates.
Enable the SSH server on the remote device.
| Command or Action | Purpose | |||||
|---|---|---|---|---|---|---|
| Step 1 |
configure terminal Example: |
Enters global configuration mode. |
||||
| Step 2 |
username user-id [password [0 | 5] password] Example: |
Configures a user account. The user-id argument is a case-sensitive, alphanumeric character string with a maximum length of 28 characters. Valid characters are uppercase letters A through Z, lowercase letters a through z, numbers 0 through 9, hyphen (-), period (.), underscore (_), plus sign (+), and equal sign (=). The at symbol (@) is supported in remote usernames but not in local usernames. Usernames must begin with an underscore (_), which is supported starting with Cisco NX-OS Release 7.0(3)I2(2), or an alphanumeric character. The default password is undefined. The 0 option indicates that the password is clear text, and the 5 option indicates that the password is encrypted. The default is 0 (clear text).
|
||||
| Step 3 |
username user-id ssh-cert-dn dn-name {dsa | rsa} Example: |
Specifies an SSH X.509 certificate distinguished name and DSA or RSA algorithm to use for authentication for an existing user account. The distinguished name can be up to 512 characters and must follow the format shown in the examples. Make sure the email address and state are configured as emailAddress and ST, respectively. |
||||
| Step 4 |
[no] crypto ca trustpoint trustpoint Example: |
Configures a trustpoint. |
||||
| Step 5 |
[no] crypto ca authentication trustpoint Example: |
Configures a certificate chain for the trustpoint. |
||||
| Step 6 |
crypto ca crl request trustpoint bootflash:static-crl.crl Example: |
Configures the certificate revocation list (CRL) for the trustpoint. The CRL file is a snapshot of the list of revoked certificates by the trustpoint. This static CRL list is manually copied to the device from the Certification Authority (CA).
|
||||
| Step 7 |
(Optional) show crypto ca certificates Example: |
(Optional)
Displays the configured certificate chain and associated trustpoint. |
||||
| Step 8 |
(Optional) show crypto ca crl trustpoint Example: |
(Optional)
Displays the contents of the CRL list of the specified trustpoint. |
||||
| Step 9 |
(Optional) show user-account Example: |
(Optional)
Displays configured user account details. |
||||
| Step 10 |
(Optional) show users Example: |
(Optional)
Displays the users logged into the device. |
||||
| Step 11 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
The following example shows how to configure SSH authentication using X.509v3 certificates:
configure terminal
username jsmith password 4Ty18Rnt
username jsmith ssh-cert-dn "/O = ABCcompany, OU = ABC1,
emailAddress = jsmith@ABCcompany.com, L = Metropolis, ST = New York, C = US, CN = jsmith" rsa
crypto ca trustpoint tp1
crypto ca authentication tp1
crypto ca crl request tp1 bootflash:crl1.crl
show crypto ca certificates
Trustpoint: tp1
CA certificate 0:
subject= /CN=SecDevCA
issuer= /CN=SecDevCA
serial=01AB02CD03EF04GH05IJ06KL07MN
notBefore=Jun 29 12:36:26 2016 GMT
notAfter=Jun 29 12:46:23 2021 GMT
SHA1 Fingerprint=47:29:E3:00:C1:C1:47:F2:56:8B:AC:B2:1C:64:48:FC:F4:8D:53:AF
purposes: sslserver sslclient
show crypto ca crl tp1
Trustpoint: tp1 CRL: Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /CN=SecDevCA
Last Update: Aug 8 20:03:15 2016 GMT
Next Update: Aug 16 08:23:15 2016 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:30:43:AA:80:10:FE:72:00:DE:2F:A2:17:E4:61:61:44:CE:78:FF:2A
show user-account
user:user1
this user account has no expiry date
roles:network-operator
ssh cert DN : /C = US, ST = New York, L = Metropolis, O = cisco , OU = csg, CN = user1; Algo: x509v3-sign-rsa
show users
NAME LINE TIME IDLE PID COMMENT
user1 pts/1 Jul 27 18:43 00:03 18796 (10.10.10.1) session=ssh
Configuring Telnet
By default, the Telnet server is enabled. You can disable the Telnet server on your Cisco Nexus device.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
switch# configure terminal |
Enters global configuration move. |
| Step 2 |
switch(config)# [no] feature telnet |
Enables/disables the Telnet server. The default is enabled. |
If the Telnet server on your Cisco Nexus device has been disabled, you can reenable it.
| Command or Action | Purpose |
|---|---|
|
switch(config)# [no] feature telnet |
Reenables the Telnet server. |
You can configure Telnet to use a specific interface.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
switch# configure terminal |
Enters global configuration move. |
| Step 2 |
switch(config)# ip telnet source-interface type slot/port |
Configures the source interface for all Telnet packets. The following list contains the valid values for interface.
|
This example shows how to configure the Telnet source interface:
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ip telnet source-interface ethernet 1/6
switch(config)# show ip telnet source-interface
VRF Name Interface
default Ethernet1/6
switch(config)#
Before you start a Telnet session to connect to remote devices, you should do the following:
Obtain the hostname for the remote device and, if needed, obtain the username on the remote device.
Enable the Telnet server on the Cisco Nexus device.
Enable the Telnet server on the remote device.
| Command or Action | Purpose |
|---|---|
|
switch# telnet hostname |
Creates a Telnet session to a remote device. The hostname argument can be an IPv4 address, an IPv6 address, or a device name. |
The following example shows how to start a Telnet session to connect to a remote device:
switch# telnet 10.10.1.1
Trying 10.10.1.1...
Connected to 10.10.1.1.
Escape character is '^]'.
switch login:
You can clear Telnet sessions from the Cisco Nexus device.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
switch# show users |
Displays user session information. |
| Step 2 |
switch# clear line vty-line |
Clears a user Telnet session. |
To display the SSH configuration information, perform one of the following tasks:
| Command or Action | Purpose |
|---|---|
| switch# show ssh key [dsa | rsa][md5] |
Displays SSH server keys. For Cisco NX-OS Release 7.0(3)I4(6) and any later 7.0(3)I4(x) release, this command displays the fingerprint in SHA256 format by default. SHA256 is more secure than the old default format of MD5. However, the md5 option has been added, if you want to see the fingerprint in MD5 format for backward compatibility. |
| switch# show running-config security [all] |
Displays the SSH and user account configuration in the running configuration. The all keyword displays the default values for the SSH and user accounts. |
| switch# show ssh server |
Displays the SSH server configuration. |
| switch# show user-account |
Displays user account information. |
| switch# show users |
Displays the users logged into the device. |
| switch# show crypto ca certificates |
Displays the configured certificate chain and associated trustpoint for X.509v3 certificate-based SSH authentication. |
| switch# show crypto ca crl trustpoint |
Displays the contents of the CRL list of the specified trustpoint for X.509v3 certificate-based SSH authentication. |
The following table lists the default settings for SSH parameters.
|
Parameters |
Default |
|---|---|
|
SSH server |
Enabled |
|
SSH server key |
RSA key generated with 1024 bits |
|
RSA key bits for generation |
1024 |
|
Telnet server |
Enabled |
Feedback