Secure Shell
This chapter describes Secure Shell (SSH) commands.
SSH is a cryptographic protocol for secure data communication, remote login, remote command execution, and other secure network services between two networked computers.
Note: In OcNOS, the default Linux terminal type is xterm ("export TERM=xterm").
Note: The commands below are supported only on the "management" VRF.
This chapter contains these commands:
clear ssh host-key
Use this command to remove SSH server host keys.
Command syntax
clear ssh host-key ((dsa|rsa|ecdsa|ed25519)|) (vrf management|)
Parameters
dsa
dsa keys
rsa
rsa keys
ecdsa
ecdsa keys
ed25519
ed25519 keys
management
Management VRF
Default
If no key type is specified, all host keys are removed.
Command Mode
Privileged Exec mode
Applicability
This command was introduced in OcNOS version 5.0
Examples
OcNOS#clear ssh host-key vrf management
OcNOS#
OcNOS#clear ssh host-key rsa
OcNOS#
clear ssh hosts
Use this command to clear the known_hosts file.
This command clears all trusted relationships established with SSH servers during previous connections. When a client downloads a file from an external server for the first time, the client stores the server keys in the known_hosts file. Later connections to the same server are checked against the server keys stored in the known_hosts file. In other words, a trusted relationship is created when a client accepts the server keys the first time.
You need to clear a trusted relationship, for example, when the SSH server keys have changed.
Command Syntax
clear ssh hosts
Parameters
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#clear ssh hosts
debug ssh server
Use this command to display SSH server debugging information.
Use the no form of this command to stop displaying SSH server debugging information.
Command Syntax
debug ssh server
no debug ssh server
Parameters
None
Default
By default, disabled.
Command Mode
Exec mode and Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#debug ssh server
feature ssh
Use this command to enable the SSH server.
Use the no form of this command to disable the SSH server.
Command Syntax
feature ssh (vrf management|)
no feature ssh (vrf management|)
Parameters
management
Virtual Routing and Forwarding name
Default
By default, feature ssh is enabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)feature ssh
show debug ssh-server
Use this command to display whether SSH debugging is enabled.
Command Syntax
show debug ssh-server
Parameters
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show debug ssh-server
ssh server debugging is on
show running-config ssh server
Use this command to display SSH settings in the running configuration.
Command Syntax
show running-config ssh server
Parameters
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show running-config ssh server
feature ssh vrf management
ssh server port 1024 vrf management
ssh login-attempts 2 vrf management
ssh server algorithm encryption 3des-cbc
show ssh host-key
Use this command to display the SSH server key.
By default, the ssh feature is enabled in the "management" VRF. Unless the feature is also explicitly enabled in the "default" VRF, the show command output for the default VRF is empty.
Command syntax
show ssh host-key ((dsa|rsa|ecdsa|ed25519)|) (vrf management|)
Parameters
dsa
dsa keys
rsa
rsa keys
ecdsa
ecdsa keys
ed25519
ed25519 keys
management
Management VRF
Default
If no key type is specified, all host keys are displayed.
Command Mode
Exec mode
Applicability
This command was introduced in OcNOS version 5.0
Examples
#sh ssh host-key
**************************************************
dsa public key :
ssh-dss AAAAB3NzaC1kc3MAAACBANgq+TZPkmKOn7ot7PBO9TOCV/+GPyHCz9Wq39+6veigQ2CWmLNo
uqZb1B05LfeU2MuRz4rtO6mcX81nAygqDLNZaRsirYdWTsJ40HAOZYr9765w+M8TAcKmBYbuWSIkqnYQ
J1h5bj6UrJ7dW4LgaSxmVmrkXoYrr5gnxfEVgw8HAAAAFQC//BVHnTWh8Iizbk0mvOyNzqtfMwAAAIBQ
Ca9X0qbL66Js0ul+7LMmLvWkC4Fy1Y/3igZORZ+NsNP4CJIJ1JCLwj7nj/NeUfUuyG1/dnDVdki4FngL
LjbVa5XrK5VbsEj4sZBfebkLVZKd8h880FqNhfc3iZjCGqdYrWWlRYdNqNvq7zVa6YC7Vvo0sEC5/rDm
aNygbx0iCAAAAIEAoZHk+5cqaYptqYBPGPMRynpWyWJPJQjoiy+p1BRNk7E/kwInQaqmtFQuM/YaTOoN
nz5skwQ1dJmdJGq+h7bfmab0atzaaVjkcTjz0rtSBO3JID2G6KqG55yhr03bC8BY+A6g9Qm8TuWZU68D
NIZGj28GZSbkIpQgqSD9VUAxEHs=
dsa fingerprint :
1024 SHA256:Qzd8n4RjsxeW9+AnUP+zc59oPRTl2FBwdwDfVBq0DdQ
**************************************************
**************************************************
rsa public key :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC706mz0GQvdEaqK/2zUUtCOh/kEUkZpQ7d8gie4jf1
yV4nV2g1u7oIbdnoBBI0a5bIwbUGDHPUvfTpoJntpryY7G/QIWuBJVDiu6QteoB4u5byNVbSqA3fljbF
MISYfLxK3i3S07htadDfUIpYTyx/D5PCf8DDxmdf7UkhOM4Quj8GgGW3PacE2YyJASBq5x7MaWEUiStu
NgtemWqR/DTw+OO8l3gZzHhWBcmHLzo3jdkH/8ffLGEWqEb78wR4lxckVlja4suFB0GEa7vFLucYO3Tp
GzZARf7iY5A0bB0fi7Zi1yQ3RN7+di28lSNWsFCzZm8vWS7GyLUFn1xttlqJ
rsa fingerprint :
2048 SHA256:YVX+zlrDk8bqzF+HPKpFW0BttbLoiQ5IBDVI/VMYhbs
**************************************************
**************************************************
ecdsa public key :
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBCN/XoG
uZGwNfKCE+cuQOULrSHomRSmkDp0u6MsoNIVLhtRe9+r8Ak7G8taE55D7NgugnEDzdLKBmeCZWcww64=
ecdsa fingerprint :
256 SHA256:T7KOgXyrU/38EvO6z/apgYDANf+q9YhqCiYoocD5Ajg
**************************************************
**************************************************
ed25519 public key :
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/jNFIYKbUk/ePbp4wu/AjhP5gERqn6F+4tH39idbh7
ed25519 fingerprint :
256 SHA256:1MU6iy03eEQBj099GERLjkMCPDoUwkdCwGh8bgYZbeo
**************************************************
#
show ssh server
Use this command to display the SSH server status.
Command Syntax
show ssh server
Parameters
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show ssh server
VRF MANAGEMENT:
ssh server enabled port: 22
authentication-retries 3
VRF DEFAULT:
ssh server enabled port: 22
authentication-retries 3
#
show username
Use this command to display the RSA or DSA key pair for a user.
Command Syntax
show username USERNAME keypair
Parameters
USERNAME
User identifier
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3
Examples
#show username kedar keypair
***************RSA KEY*******************
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCnWo/3Y7LlVkw/Z43dbVIm+I3o25JlgUTmwa9ll
T35+2gNvDbIPfYAqUKYgrmXKDc9vg7f4SAsmXS+4ZwrrQSTTsHk8PNLA+4lEcufFNl3jpfXTuhphN9N9
i+uFHGYIIviWZksiRqpMZmDlALyzAIOzyCfG44hlRm3/pYfhBNhHruvxYVhbP4wHsmrWfcFb+HZCWQGM
CJupxu8bouGd2UW5/BlVy1yuYNIhdo2NHjUI+ameETV+Wroki8+OLVA6eXp5/KY3Bj9x2+AxOCiKcpU0
axwFSoCbP3+29wrp4JJhl4ssSqM+19+VbUtpuXAM0cR7VQ7mJ0JDZ9tBvK4l8/
bitcount: 2048 fingerprint: 2b:ac:17:a4:ef:1d:79:4e:2d:17:af:72:4c:c7:e4:2f
**************************************
***************DSA KEY*******************
ssh-dss AAAAB3NzaC1kc3MAAACBAP0npAm+Pw8t7OpO+KQ0Vx3ayXavHHVPPAKOo8RTmquE8zUSjn
/XiZ+vP2343RpXu9/jLwAcCUMfNBZyE8NbmGKxMMk2PqMz10VtfvDOn5LSNurXL4lypZLG2hR2PNva4w
6b4Adpd+E1fEoUncIgOun2i4SO8N5TCMYVyusKjYzDAAAAFQCWeAzeahZeoIzBlnSo87madxfL3QAAAI
EA4b86l/nHoWobRoYBrkeOGtjyWLRKk1P2T+rGH+j0rqqJiD0sh2PVfppylliNvqLtYSmXyMCxzEEeFd
HH1cVXgrgQjtUOeCPhF+2We2ummmlCwg4v71Z358FRjsi9VgJ/vQUpOq1hRDhwjJHtEHSA+NkX/ccW9J
ww8YOoNhCI7DcAAACANuYiP6tKGSU9LeClF1F65Tq1blVHfLp3TSeZYPldqonDoZ1qo3NNvOOH5KN8Lj
MRtTCN1GaXow1QccS941XFy3efuWXxC00HZ64FhmjCyOYYv2Wsvn4UGCAG3ikiu6M1xjOLl6b53H4mB3
w7O6bkcjH1GnytwrgR0D/nlsZ/9fs=
bitcount: 1024 fingerprint: c1:0a:e5:e1:a1:78:ae:c2:4a:07:4a:50:07:4b:d5:84
**************************************
ssh
Use this command to open an SSH session to an IPv4 address or to a host name resolved to an IPv4 address.
Command Syntax
ssh WORD (vrf (NAME | management))
ssh WORD <1-65535> (vrf (NAME | management))
ssh (cipher (aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc |aes192-cbc| aes256-cbc | 3des-cbc)) WORD (vrf (NAME | management))
ssh (cipher (aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc |aes192-cbc | aes256-cbc | 3des-cbc)) WORD <1-65535> (vrf (NAME | management))
Parameters
WORD
User and destination host name (resolved to an IPv4 address) for the SSH session, in the form user@ipv4-address or user@hostname
1-65535
Destination port for the SSH session. Default is 22.
cipher
Specify algorithm to encrypt SSH session
aes128-ctr
Advanced Encryption Standard 128 bit Counter Mode
aes192-ctr
Advanced Encryption Standard 192 bit Counter Mode
aes256-ctr
Advanced Encryption Standard 256 bit Counter Mode
aes128-cbc
Advanced Encryption Standard 128 bit Cipher Block Chaining
aes192-cbc
Advanced Encryption Standard 192 bit Cipher Block Chaining
aes256-cbc
Advanced Encryption Standard 256 bit Cipher Block Chaining
3des-cbc
Triple Data Encryption Standard Cipher Block Chaining
vrf
VPN routing/forwarding instance.
NAME
Name of the VPN routing/forwarding instance.
management
Management VPN routing/forwarding instance.
Default
The default destination port is 22.
Command Mode
Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#ssh cipher aes128-ctr 10.12.16.17 22 vrf management
The authenticity of host '10.12.16.17 (10.12.16.17)' can't be established.
RSA key fingerprint is 93:82:98:ce:b7:20:1a:85:a5:9a:2e:93:13:84:ea:9e.
Are you sure you want to continue connecting (yes/no)?
ssh6
Use this command to open an SSH session to an IPv6 address or to a host name resolved to an IPv6 address.
Command Syntax
ssh6 (X:X::X:X | HOSTNAME) (vrf (NAME | management))
ssh6 (X:X::X:X | HOSTNAME) <1-65535> (vrf (NAME | management))
ssh6 (cipher (aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc |aes192-cbc | aes256-cbc | 3des-cbc)) (X:X::X:X | HOSTNAME) (vrf (NAME | management))
ssh6 (cipher (aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc |aes192-cbc | aes256-cbc | 3des-cbc)) (X:X::X:X | HOSTNAME) <1-65535> (vrf (NAME | management))
Parameters
X:X::X:X
User and destination IPv6 address for the SSH session, in the form user@ipv6-address
HOSTNAME
User and destination host name (resolved to an IPv6 address) for the SSH session, in the form user@hostname
1-65535
Destination port for the SSH session. Default is 22.
cipher
Algorithm to encrypt SSH session
aes128-ctr
Advanced Encryption Standard 128 bit Counter Mode
aes192-ctr
Advanced Encryption Standard 192 bit Counter Mode
aes256-ctr
Advanced Encryption Standard 256 bit Counter Mode
aes128-cbc
Advanced Encryption Standard 128 bit Cipher Block Chaining
aes192-cbc
Advanced Encryption Standard 192 bit Cipher Block Chaining
aes256-cbc
Advanced Encryption Standard 256 bit Cipher Block Chaining
3des-cbc
Triple Data Encryption Standard Cipher Block Chaining
vrf
VPN routing/forwarding instance.
NAME
Name of the VPN routing/forwarding instance.
management
Management VPN routing/forwarding instance.
Default
The default destination port is 22.
Command Mode
Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#ssh6 cipher aes128-ctr 2:2::2:2 22 vrf management
The authenticity of host '2:2::2:2 (2:2::2:2)' can't be established.
RSA key fingerprint is 93:82:98:ce:b7:20:1a:85:a5:9a:2e:93:13:84:ea:9e.
Are you sure you want to continue connecting (yes/no)?
ssh server algorithm encryption
Use this command to set an encryption algorithm for SSH sessions.
The SSH server accepts connections only with the algorithms configured from the list below. If a client tries to connect to the server with an encryption algorithm that is not in the list, the connection fails.
SSH supports these encryption algorithms:
• Advanced Encryption Standard Counter:
• aes128-ctr
• aes192-ctr
• aes256-ctr
• Advanced Encryption Standard Cipher Block Chaining:
• aes128-cbc
• aes192-cbc
• aes256-cbc
• Triple Data Encryption Standard Cipher Block Chaining:
• 3des-cbc
Use the no form of this command to not encrypt SSH sessions.
Command Syntax:
ssh server algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc |aes192-cbc | aes256-cbc | 3des-cbc} (vrf management|)
no ssh server algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc |aes192-cbc | aes256-cbc | 3des-cbc} (vrf management|)
Parameters
aes128-ctr
AES 128 bit Counter Mode
aes192-ctr
AES 192 bit Counter Mode
aes256-ctr
AES 256 bit Counter Mode
aes128-cbc
AES 128 bit Cipher block chaining
aes192-cbc
AES 192 bit Cipher block chaining
aes256-cbc
AES 256 bit Cipher block chaining
3des-cbc
Triple DES Cipher block chaining
vrf management
Management VPN routing/forwarding instance.
Default
No encryption.
By default (no algorithm configured), all of the listed ciphers are accepted when a new SSH client connects to the SSH server.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ssh server algorithm encryption aes128-ctr
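The following is an added example (not OcNOS code) that audits the "show running-config ssh server" output reproduced earlier in this chapter against the cipher behaviour described for this command: an explicitly configured 3des-cbc is flagged, and a VRF with no algorithm configured is flagged because every listed cipher is then accepted. It assumes the running-config line format shown in this chapter, records commands given without "vrf" under the name "default", and treats the CBC-mode ciphers as legacy for audit purposes.

```python
import re

# Constructed sample: the "show running-config ssh server" output reproduced in
# this chapter, embedded here so the audit runs offline.
RUNNING_CONFIG = """\
feature ssh vrf management
ssh server port 1024 vrf management
ssh login-attempts 2 vrf management
ssh server algorithm encryption 3des-cbc
"""

# Assumption for this audit: CBC-mode ciphers (including 3des-cbc) are legacy.
WEAK_CIPHERS = {"aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"}

def _split_vrf(line):
    """Return (vrf, command); a trailing 'vrf <name>' selects the VRF.
    A command given without 'vrf' is recorded under 'default' (assumption)."""
    m = re.search(r"\s+vrf\s+(\S+)$", line)
    return (m.group(1), line[:m.start()]) if m else ("default", line)

def parse_ssh_config(text):
    """Parse 'show running-config ssh server' lines into {vrf: settings}."""
    vrfs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        vrf, cmd = _split_vrf(line)
        s = vrfs.setdefault(vrf, {"enabled": False, "port": 22,
                                  "login_attempts": 3, "ciphers": set()})
        if cmd == "feature ssh":
            s["enabled"] = True
        elif cmd.startswith("ssh server port "):
            s["port"] = int(cmd.split()[-1])
        elif cmd.startswith("ssh login-attempts "):
            s["login_attempts"] = int(cmd.split()[-1])
        elif cmd.startswith("ssh server algorithm encryption "):
            s["ciphers"].add(cmd.split()[-1])
    return vrfs

def audit_ssh_config(text):
    """Return (vrf, finding) tuples; an empty list means nothing to flag."""
    findings = []
    for vrf, s in sorted(parse_ssh_config(text).items()):
        if not s["ciphers"]:
            # Per the chapter, with no algorithm configured every cipher is accepted.
            findings.append((vrf, "no cipher restriction: all ciphers accepted, "
                                  "including " + ", ".join(sorted(WEAK_CIPHERS))))
        for c in sorted(s["ciphers"] & WEAK_CIPHERS):
            findings.append((vrf, f"weak cipher allowed: {c}"))
    return findings
```

Replacing the 3des-cbc line with "ssh server algorithm encryption aes256-ctr vrf management" yields an empty findings list for the sample.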
ssh keygen host
Use this command to create the SSH server host key pair (private and public host keys). The public host key is added to an SSH client's known_hosts file after the user accepts it.
Once the entry is in known_hosts, subsequent logins to the server are validated against that host key; if the key does not match, the user is warned that the server identity has changed.
Command syntax
ssh keygen host dsa (vrf management|) (force|)
ssh keygen host rsa (length <1024-4096>|) (vrf management|) (force|)
ssh keygen host ecdsa (length (256|384|521)|) (vrf management|) (force|)
ssh keygen host ed25519 (vrf management|) (force|)
Parameters
dsa
dsa keys
rsa
rsa keys
ecdsa
ecdsa keys
ed25519
ed25519 keys
management
Management VRF
force
Replace the existing host key with the newly generated one
<1024-4096>
Number of bits to use when creating the SSH server key; this parameter is only valid for RSA keys (DSA keys have a default length of 1024)
Default
DSA key has length of 1024 bits
RSA key has default length of 2048 bits
ECDSA key has default length of 521 bits
ED25519 key has length of 256 bits
Command Mode
Privileged Exec mode
Applicability
This command was introduced in OcNOS version 5.0
Examples
OcNOS#ssh keygen host rsa vrf management
OcNOS#
OcNOS#ssh keygen host ecdsa vrf management
OcNOS#
OcNOS#ssh keygen host ecdsa
%% ssh host key exists, use force option to overwrite
OcNOS#
OcNOS#ssh keygen host ecdsa force
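The following is an added example (not OcNOS code) that shows what the known_hosts trust relationship described under "clear ssh hosts" and "ssh keygen host" amounts to on the client side: it parses OpenSSH public-key lines of the form printed by "show ssh host-key", derives the "<bits> SHA256:<digest>" fingerprint form that command prints, and reports whether a presented host key is new, matches the stored entry, or has changed (as it would after "ssh keygen host rsa force"). The ed25519 key is the one from the show ssh host-key example above; the RSA values are constructed, not real keys, and the host address is a sample.

```python
import base64
import hashlib
import struct

# Host key line taken from the "show ssh host-key" example in this chapter.
ED25519_LINE = ("ssh-ed25519 "
                "AAAAC3NzaC1lZDI1NTE5AAAAII/jNFIYKbUk/ePbp4wu/AjhP5gERqn6F+4tH39idbh7")

def _string(data: bytes) -> bytes:
    """Encode an RFC 4253 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(blob: bytes, pos: int):
    """Decode one RFC 4253 'string' at pos; return (bytes, position after it)."""
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n], pos + 4 + n

def make_rsa_key_line(e: int, n: int) -> str:
    """Build an 'ssh-rsa AAAA...' line from integers (constructed input only)."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return _string(b"\x00" + raw if raw[0] & 0x80 else raw)  # keep positive
    return "ssh-rsa " + base64.b64encode(_string(b"ssh-rsa") + mpint(e) + mpint(n)).decode()

def parse_public_key(line: str):
    """Return (type, bits, 'SHA256:<fp>') as printed under '<type> fingerprint :'."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, pos = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    if key_type == "ssh-rsa":
        _e, pos = _read_string(blob, pos)               # public exponent
        n, _ = _read_string(blob, pos)                  # modulus mpint (may carry 0x00 pad)
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-ed25519":
        bits = len(_read_string(blob, pos)[0]) * 8      # 32-byte point -> 256
    elif key_type.startswith("ecdsa-sha2-nistp"):
        bits = int(key_type[len("ecdsa-sha2-nistp"):])  # curve size, e.g. 256
    else:
        raise ValueError(f"unsupported key type {key_type}")
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, bits, f"SHA256:{fp}"    # OpenSSH prints the digest unpadded

def host_key_status(known_hosts: str, host: str, presented: str) -> str:
    """Client-side known_hosts check: 'new' (prompt to accept), 'match', or 'changed'."""
    p_type, _, p_fp = parse_public_key(presented)
    for entry in known_hosts.splitlines():
        fields = entry.split()
        if len(fields) >= 3 and fields[0] == host:
            k_type, _, k_fp = parse_public_key(f"{fields[1]} {fields[2]}")
            if k_type == p_type:
                return "match" if k_fp == p_fp else "changed"
    return "new"
```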
ssh login-attempts
Use this command to set the number of times that a user can try to log in to an SSH session.
Use the no form of this command to reset the number of login attempts to its default (3).
You can give this command for the default VRF only when the SSH server is enabled for the default VRF; enable it with the feature ssh command.
Command Syntax
ssh login-attempts RETRIES (vrf management|)
no ssh login-attempts (vrf management|)
Parameters
RETRIES
Number of retries <1-3>
management
Management VPN routing/forwarding instance.
Default
By default, the device attempts to negotiate a connection with the connecting host three times.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ssh login-attempts 3
ssh server port
Use this command to set the port number on which the SSH server listens for connections. The default port on which the SSH server listens is 22.
Use the no form of this command to restore the default port number (22).
Command Syntax
ssh server port <1024-65535> (vrf management|)
no ssh server port (vrf management|)
Parameters
<1024-65535>
Port number
management
Management VPN routing/forwarding instance.
Default
By default, the SSH server port is 22.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ssh server port 1720
ssh server session-limit
Use this command to limit the number of SSH sessions. At most 40 sessions are allowed in total, counting both Telnet and SSH.
Use the no form of this command to restore the default value.
Note: Some terminal applications from which users run the SSH client (for example, MobaXterm) have their own limitations that affect this session-limit option.
Command Syntax
ssh server session-limit <1-40> (vrf management|)
no ssh server session-limit (vrf management|)
Parameters
<1-40>
Number of sessions
management
Virtual Routing and Forwarding name
Default
By default, 40 sessions are allowed.
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS-SP version 4.2
Examples
#configure terminal
(config)#ssh server session-limit 4 vrf management
username sshkey
Use this command to create a user account and associate an SSH public key with it.
Command Syntax
username USERNAME sshkey LINE
Parameters
USERNAME
User identifier
LINE
Digital Signature Algorithm (DSA) key or Rivest, Shamir, and Adleman (RSA) key in OpenSSH format; this key is written to the authorized_keys file
Default
By default, SSHKEY is 1024.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#username fred sshkey ssh-rsa AAAAB3NzaC1kc3MAAAEBAIirweZzCdyITqbMWB8Wly9ivGxY1JBVnWTVtcWKi6uc
username keypair
Use this command to generate an SSH key pair for a user.
Command Syntax
username USERNAME keypair rsa
username USERNAME keypair dsa
username USERNAME keypair rsa length <1024-4096>
username USERNAME keypair rsa length <1024-4096> force
username USERNAME keypair rsa force
username USERNAME keypair dsa force
Parameters
USERNAME
User identifier
rsa
Rivest, Shamir, and Adleman (RSA) public-key cryptography SSH server key
dsa
Digital Signature Algorithm (DSA) SSH key
<1024-4096>
Number of bits to use when creating the SSH server key; this parameter is only valid for RSA keys (DSA keys have a default length of 1024)
force
Forces the replacement of an SSH key
Default
DSA keys have a default length of 1024 bits.
RSA keys have a minimum length of 1024 bits and a default length of 4096 bits.
By default, the system has an RSA/DSA public/private key pair in /etc/ssh/. Use the force option to regenerate the RSA keys; the same applies to DSA keys.
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#username fred keypair rsa