The Secure Shell (SSH) feature is an application and a protocol that provides a secure replacement for the Berkeley r-tools. The protocol secures sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools. Two versions of SSH are available: SSH Version 1 and SSH Version 2. Unless otherwise noted, the term “SSH” denotes “SSH Version 1” only. For information about SSH Version 2, see the “Secure Shell Version 2 Support” feature module.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note | Unless otherwise noted, the term “SSH” denotes “SSH Version 1” only. |
Note | To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. Once you delete the RSA key pair, you automatically disable the SSH server. |
The Secure Shell (SSH) Server feature enables an SSH client to make a secure, encrypted connection to a Cisco device. This connection provides functionality that is similar to that of an inbound Telnet connection. Before SSH, the only security available for such sessions was that of Telnet. SSH allows strong encryption to be used together with Cisco software authentication. The SSH server in Cisco software works with publicly and commercially available SSH clients.
The Secure Shell (SSH) Integrated Client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco device to make a secure, encrypted connection to another Cisco device or to any other device running the SSH server. This connection provides functionality similar to that of an outbound Telnet connection except that the connection is encrypted. With authentication and encryption, the SSH client allows for secure communication over an unsecured network.
The SSH client in Cisco software works with publicly and commercially available SSH servers. The SSH client supports the Data Encryption Standard (DES) and 3DES ciphers, and password authentication. User authentication is performed as it is for a Telnet session to the device. The user authentication mechanisms supported for SSH are RADIUS, TACACS+, and locally stored usernames and passwords.
Note | The SSH client functionality is available only when the SSH server is enabled. |
Rivest, Shamir, and Adleman (RSA) authentication available in Secure Shell (SSH) clients is not supported on the SSH server for Cisco software by default. For more information about RSA authentication support, see the “Configuring a Router for SSH Version 2 Using RSA Pairs” section of the “Secure Shell Version 2 Support” module.
1. enable
2. configure terminal
3. ip ssh {timeout seconds | authentication-retries integer}
4. ip ssh rekey {time time | volume volume}
5. exit
6. show ip ssh
Perform this task to invoke the Secure Shell (SSH) client. The SSH client runs in user EXEC mode and has no specific configuration tasks.
1. enable
2. ssh -l username -vrf vrf-name ip-address
In the following example, SSH is configured on a Cisco 7200 with a timeout that is not to exceed 60 seconds and no more than 2 authentication retries. Before the SSH server feature is configured on the router, TACACS+ is specified as the method of authentication.
hostname Router72K
aaa new-model
aaa authentication login default tacacs+
aaa authentication login aaa7200kw none
enable password password
username username1 password 0 password1
username username2 password 0 password2
ip subnet-zero
no ip domain-lookup
ip domain-name cisco.com
! Enter the ssh commands.
ip ssh timeout 60
ip ssh authentication-retries 2
controller E1 2/0
controller E1 2/1
interface Ethernet1/0
 ip address 192.168.110.2 255.255.255.0 secondary
 ip address 192.168.109.2 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 no keepalive
 no cdp enable
interface Ethernet1/1
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no cdp enable
interface Ethernet1/2
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no cdp enable
no ip classless
ip route 192.168.1.0 255.255.255.0 10.1.10.1
ip route 192.168.9.0 255.255.255.0 10.1.1.1
ip route 192.168.10.0 255.255.255.0 10.1.1.1
map-list atm
 ip 10.1.10.1 atm-vc 7 broadcast
no cdp run
tacacs-server host 192.168.109.216 port 9000
tacacs-server key cisco
radius-server host 192.168.109.216 auth-port 1650 acct-port 1651
radius-server key cisco
line con 0
 exec-timeout 0 0
 login authentication aaa7200kw
 transport input none
line aux 0
line vty 0 4
 password password
end
In the following example, SSH is configured on a Cisco 7500 with a timeout that is not to exceed 60 seconds and no more than 5 authentication retries. Before the SSH server feature is configured on the router, RADIUS is specified as the method of authentication.
hostname Router75K
aaa new-model
aaa authentication login default radius
aaa authentication login aaa7500kw none
enable password password
username username1 password 0 password1
username username2 password 0 password2
ip subnet-zero
no ip cef
no ip domain-lookup
ip domain-name cisco.com
! Enter ssh commands.
ip ssh timeout 60
ip ssh authentication-retries 5
controller E1 3/0
 channel-group 0 timeslots 1
controller E1 3/1
 channel-group 0 timeslots 1
 channel-group 1 timeslots 2
interface Ethernet0/0/0
 no ip address
 no ip directed-broadcast
 no ip route-cache distributed
 shutdown
interface Ethernet0/0/1
 no ip address
 no ip directed-broadcast
 no ip route-cache distributed
 shutdown
interface Ethernet0/0/2
 no ip address
 no ip directed-broadcast
 no ip route-cache distributed
 shutdown
interface Ethernet0/0/3
 no ip address
 no ip directed-broadcast
 no ip route-cache distributed
 shutdown
interface Ethernet1/0
 ip address 192.168.110.2 255.255.255.0 secondary
 ip address 192.168.109.2 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
interface Ethernet1/1
 ip address 192.168.109.2 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
interface Ethernet1/2
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
interface Ethernet1/3
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
interface Ethernet1/4
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
interface Ethernet1/5
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
interface Serial2/0
 ip address 10.1.1.2 255.0.0.0
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
ip classless
ip route 192.168.9.0 255.255.255.0 10.1.1.1
ip route 192.168.10.0 255.255.255.0 10.1.1.1
tacacs-server host 192.168.109.216 port 9000
tacacs-server key cisco
radius-server host 192.168.109.216 auth-port 1650 acct-port 1651
radius-server key cisco
line con 0
 exec-timeout 0 0
 login authentication aaa7500kw
 transport input none
line aux 0
 transport input all
line vty 0 4
end
In the following example, SSH is configured on a Cisco 12000 with a timeout that is not to exceed 60 seconds and no more than two authentication retries. Before the SSH server feature is configured on the router, TACACS+ is specified as the method of authentication.
hostname Router12K
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication login aaa12000kw local
enable password password
username username1 password 0 password1
username username2 password 0 password2
redundancy
 main-cpu
  auto-sync startup-config
ip subnet-zero
no ip domain-lookup
ip domain-name cisco.com
! Enter ssh commands.
ip ssh timeout 60
ip ssh authentication-retries 2
interface ATM0/0
 no ip address
 no ip directed-broadcast
 no ip route-cache cef
 shutdown
interface POS1/0
 ip address 10.100.100.2 255.255.255.0
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache cef
 no keepalive
 crc 16
 no cdp enable
interface POS1/1
 no ip address
 no ip directed-broadcast
 no ip route-cache cef
 shutdown
 crc 32
interface POS1/2
 no ip address
 no ip directed-broadcast
 no ip route-cache cef
 shutdown
 crc 32
interface POS1/3
 no ip address
 no ip directed-broadcast
 no ip route-cache cef
 shutdown
 crc 32
interface POS2/0
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache cef
 crc 16
interface Ethernet0
 ip address 172.17.110.91 255.255.255.224
 no ip directed-broadcast
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.110.65
logging trap debugging
tacacs-server host 172.17.116.138
tacacs-server key cisco
radius-server host 172.17.116.138 auth-port 1650 acct-port 1651
radius-server key cisco
line con 0
 exec-timeout 0 0
 login authentication aaa12000kw
 transport input none
line aux 0
line vty 0 4
no scheduler max-task-time
no exception linecard slot 0 sqe-registers
no exception linecard slot 1 sqe-registers
no exception linecard slot 2 sqe-registers
no exception linecard slot 3 sqe-registers
no exception linecard slot 4 sqe-registers
no exception linecard slot 5 sqe-registers
no exception linecard slot 6 sqe-registers
end
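The configuration task above sets the SSH timeout and authentication-retry values, and the three examples show them in context; what they do not show is how to check, across many saved configurations, that those values are within policy and that the vty lines the SSH server protects are actually limited to SSH. The script below is an added example, not Cisco code and not part of this module. It parses an IOS-style running-config into top-level commands and their indented sub-mode commands, reads the ip ssh timeout, ip ssh authentication-retries and ip ssh version values, and reports each line vty block that lacks transport input ssh. The policy limits (max_timeout, max_retries), the two sample configurations (a trimmed copy of the Router72K example and a tightened variant of it) and the function names are this example's own; ip ssh version 2 is a command from the SSH Version 2 feature rather than this module.

```python
import re

# Constructed sample configs for this example (not device dumps). The first is a
# trimmed copy of the Router72K example above; the second is the same device with
# the SSH-related lines tightened.
RELAXED_CONFIG = """\
hostname Router72K
aaa new-model
aaa authentication login default tacacs+
ip domain-name cisco.com
! Enter the ssh commands.
ip ssh timeout 60
ip ssh authentication-retries 2
interface Ethernet1/0
 ip address 192.168.109.2 255.255.255.0
line con 0
 exec-timeout 0 0
 login authentication aaa7200kw
 transport input none
line vty 0 4
 password password
end
"""

HARDENED_CONFIG = """\
hostname Router72K
aaa new-model
aaa authentication login default tacacs+
ip domain-name cisco.com
ip ssh timeout 60
ip ssh authentication-retries 2
ip ssh version 2
line vty 0 4
 transport input ssh
end
"""


def parse_sections(config):
    """Group an IOS running-config into (command, children) pairs.

    IOS writes sub-mode commands (interface, line, ...) with a leading space, so an
    indented line belongs to the nearest preceding unindented command. Comment
    lines ('!') and blank lines are skipped.
    """
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " " and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def ssh_settings(sections):
    """Pull the global 'ip ssh' values the procedure sets (None when absent)."""
    settings = {"timeout": None, "retries": None, "version": None}
    patterns = {
        "timeout": r"ip ssh timeout (\d+)",
        "retries": r"ip ssh authentication-retries (\d+)",
        "version": r"ip ssh version (\d)",
    }
    for cmd, _ in sections:
        for key, pattern in patterns.items():
            m = re.fullmatch(pattern, cmd)
            if m:
                settings[key] = int(m.group(1))
    return settings


def audit_ssh(config, max_timeout=60, max_retries=3):
    """Return a list of findings; an empty list means the config meets policy.

    max_timeout and max_retries are this example's policy numbers, chosen to match
    the 60-second timeout and low retry counts used in the page's examples.
    """
    sections = parse_sections(config)
    s = ssh_settings(sections)
    findings = []

    if s["timeout"] is None:
        findings.append("ip ssh timeout not set; the device default applies")
    elif s["timeout"] > max_timeout:
        findings.append(f"ip ssh timeout {s['timeout']} exceeds policy maximum {max_timeout}")

    if s["retries"] is None:
        findings.append("ip ssh authentication-retries not set; the device default applies")
    elif s["retries"] > max_retries:
        findings.append(f"ip ssh authentication-retries {s['retries']} exceeds policy maximum {max_retries}")

    # Without 'ip ssh version 2' the release-dependent default may still accept
    # SSH Version 1 sessions.
    if s["version"] != 2:
        findings.append("ip ssh version 2 not configured; SSH Version 1 may still be accepted")

    # A vty line without 'transport input ssh' is not limited to SSH, so the
    # plaintext Telnet path the SSH server is meant to replace can remain open.
    for cmd, children in sections:
        if not cmd.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if not transports:
            findings.append(f"{cmd}: no 'transport input ssh'; line not restricted to SSH")
        elif transports[-1] != "transport input ssh":
            findings.append(f"{cmd}: '{transports[-1]}' permits non-SSH access")
    return findings


if __name__ == "__main__":
    for name, cfg in (("relaxed", RELAXED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ssh(cfg) or ["no findings"])
```

Run against the relaxed sample, the audit reports two findings (no ip ssh version 2, and a vty line that is not restricted to SSH); the hardened sample produces none. The parser keys on the single leading space IOS uses for sub-mode commands, which is why the sample configs keep that indentation.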
To verify that the Secure Shell (SSH) server is enabled and to display the version and configuration data for your SSH connection, use the show ip ssh command. The following example shows that SSH is enabled:
Device# show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
The following example shows that SSH is disabled:
Device# show ip ssh
%SSH has not been enabled
To verify the status of your SSH server connections, use the show ssh command. The following example shows the SSH server connections on the device when SSH is enabled:
Device# show ssh
Connection Version Encryption State Username
0 1.5 3DES Session Started guest
The following example shows that SSH is disabled:
Device# show ssh
%No SSH server connections running.
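The two verification commands above are easy to read by eye on one device, but operators usually collect them from many devices and want a pass/fail result. The following is an added example, not part of this module and not Cisco code: it parses the show ip ssh and show ssh output exactly as shown in the examples and flags sessions that were negotiated with an SSH 1.x protocol version or with DES or 3DES, the two ciphers this module lists for the SSH client. The sample output strings are copied from the examples above; the WEAK_CIPHERS set and the function names are this example's own choices.

```python
import re

# Sample command output, copied from the show ip ssh / show ssh examples above.
ENABLED_OUTPUT = """\
Device# show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
"""
DISABLED_OUTPUT = """\
Device# show ip ssh
%SSH has not been enabled
"""
SESSIONS_OUTPUT = """\
Device# show ssh
Connection Version Encryption State Username
0 1.5 3DES Session Started guest
"""
NO_SESSIONS_OUTPUT = """\
Device# show ssh
%No SSH server connections running.
"""

# Ciphers this example treats as weak: DES and 3DES are the only ciphers the SSH
# Version 1 client described on this page supports, and both are deprecated today.
WEAK_CIPHERS = {"DES", "3DES"}


def parse_show_ip_ssh(text):
    """Return {'enabled', 'version', 'timeout', 'retries'} from 'show ip ssh' output."""
    result = {"enabled": False, "version": None, "timeout": None, "retries": None}
    m = re.search(r"SSH Enabled - version (\S+)", text)
    if not m:
        # '%SSH has not been enabled' or unexpected output: report as disabled.
        return result
    result["enabled"] = True
    result["version"] = m.group(1)
    m = re.search(r"Authentication timeout: (\d+) secs; Authentication retries: (\d+)", text)
    if m:
        result["timeout"] = int(m.group(1))
        result["retries"] = int(m.group(2))
    return result


def parse_show_ssh(text):
    """Return a list of session dicts from 'show ssh' output.

    The State column can contain spaces ('Session Started'), so a row is matched
    from both ends: connection id, version and cipher on the left, username on the
    right; whatever is left in the middle is the state. The header line and the
    '%No SSH server connections running.' message do not start with a digit and
    are therefore skipped.
    """
    row = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(\S+)$")
    sessions = []
    for line in text.splitlines():
        m = row.match(line.strip())
        if m:
            sessions.append({
                "id": int(m.group(1)),
                "version": m.group(2),
                "cipher": m.group(3),
                "state": m.group(4),
                "user": m.group(5),
            })
    return sessions


def weak_sessions(text):
    """Flag sessions negotiated with an SSH 1.x protocol version or a weak cipher."""
    flagged = []
    for s in parse_show_ssh(text):
        reasons = []
        if s["version"].startswith("1."):
            reasons.append(f"protocol {s['version']}")
        if s["cipher"].upper() in WEAK_CIPHERS:
            reasons.append(f"cipher {s['cipher']}")
        if reasons:
            flagged.append((s["id"], s["user"], ", ".join(reasons)))
    return flagged


if __name__ == "__main__":
    print(parse_show_ip_ssh(ENABLED_OUTPUT))
    print(parse_show_ip_ssh(DISABLED_OUTPUT))
    print(weak_sessions(SESSIONS_OUTPUT))
    print(weak_sessions(NO_SESSIONS_OUTPUT))
```

For the session shown in the page's show ssh example (version 1.5, 3DES, user guest) the checker reports both the protocol version and the cipher; the disabled and no-connections outputs parse cleanly to "not enabled" and an empty session list rather than raising.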
Related Topic | Document Title
---|---
Cisco IOS commands | 
Authentication, authorization, and accounting (AAA) | Authentication, Authorization, and Accounting Configuration Guide
IPsec | “IPsec and Quality of Service” module
SSH Version 2 | “Secure Shell Version 2 Support” module
Downloading a software image | Loading and Managing System Images Configuration Guide
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information
---|---|---
Secure Shell | Cisco IOS 15.0(2)SE, Cisco IOS 15.2(1)E | The Secure Shell (SSH) feature is an application and a protocol that provides a secure replacement for the Berkeley r-tools. The protocol secures sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools. Two versions of SSH are available: SSH Version 1 and SSH Version 2. This document describes SSH Version 1. This document also includes information about the Secure Shell SSH Version 1 Integrated Client feature and the Secure Shell SSH Version 1 Server Support feature. Both features are part of the Secure Shell functionality.