Secure Shell
This chapter describes Secure Shell (SSH) commands.
SSH is a cryptographic protocol for secure data communication, remote login, remote command execution, and other secure network services between two networked computers.
Note: In OcNOS, the default Linux terminal type is xterm ("export TERM=xterm").
Note: The commands below are supported only on the “management” VRF.
This chapter contains these commands:
clear ssh host-key
Use this command to clear the host keys.
Command syntax
clear ssh host-key ((dsa|rsa|ecdsa|ed25519)|) (vrf management|)
Parameters
dsa
dsa keys
rsa
rsa keys
ecdsa
ecdsa keys
ed25519
ed25519 keys
management
Management VRF
Default
None
Command Mode
Privileged Exec mode
Applicability
This command was introduced in OcNOS version 5.0.
Examples
OcNOS#clear ssh host-key
clear ssh hosts
Use this command to clear the known_hosts file.
This command clears all trusted relationships established with SSH servers during previous connections. The first time a client connects to an external server (for example, to download a file), the client stores the server's host key in the known_hosts file. Later connections to the same server are checked against the host key stored in known_hosts. In other words, a trusted relationship is created when the client accepts the server's host key for the first time.
An example of when you need to clear a trusted relationship is when SSH server keys are changed.
Command Syntax
clear ssh hosts
Parameters
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#clear ssh hosts
clear ssh keypair
Use this command to clear the RSA/DSA key pair generated for a user. Only the networkadmin role can execute this command.
Command Syntax
clear ssh keypair user USERNAME
Parameters
USERNAME
User identifier
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 4.1.
Examples
#clear ssh keypair user test
debug ssh server
Use this command to display SSH server debugging information.
Use the no form of this command to stop displaying SSH server debugging information.
Command Syntax
debug ssh server
no debug ssh server
Parameters
None
Default
By default, disabled.
Command Mode
Exec mode and Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#debug ssh server
feature ssh
Use this command to enable the SSH server.
Use the no form of this command to disable the SSH server.
Command Syntax
feature ssh (vrf management|)
no feature ssh (vrf management|)
Parameters
management
Virtual Routing and Forwarding name
Default
No default value is specified
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#feature ssh
show debug ssh-server
Use this command to display whether SSH debugging is enabled.
Command Syntax
show debug ssh-server
Parameters
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show debug ssh-server
ssh server debugging is on
show running-config ssh server
Use this command to display SSH settings in the running configuration.
Command Syntax
show running-config ssh server
Parameters
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show running-config ssh server
feature ssh vrf management
ssh server port 1024 vrf management
ssh login-attempts 2 vrf management
ssh server algorithm encryption 3des-cbc
show ssh host-key
Use this command to display the SSH server key.
By default, the SSH feature is enabled only in the "management" VRF. Unless the feature is explicitly enabled in the "default" VRF, the show command output for that VRF is empty.
Command syntax
show ssh host-key ((dsa|rsa|ecdsa|ed25519)|) (vrf management|)
Parameters
dsa
dsa keys
rsa
rsa keys
ecdsa
ecdsa keys
ed25519
ed25519 keys
management
Management VRF
Default
If no keys are specified, all host keys will be displayed
Command Mode
Exec mode
Applicability
This command was introduced in OcNOS version 5.0.
Examples
#sh ssh host-key
**************************************************
dsa public key :
ssh-dss AAAAB3NzaC1kc3MAAACBANgq+TZPkmKOn7ot7PBO9TOCV/+GPyHCz9Wq39+6veigQ2CWmLNo
uqZb1B05LfeU2MuRz4rtO6mcX81nAygqDLNZaRsirYdWTsJ40HAOZYr9765w+M8TAcKmBYbuWSIkqnYQ
J1h5bj6UrJ7dW4LgaSxmVmrkXoYrr5gnxfEVgw8HAAAAFQC//BVHnTWh8Iizbk0mvOyNzqtfMwAAAIBQ
Ca9X0qbL66Js0ul+7LMmLvWkC4Fy1Y/3igZORZ+NsNP4CJIJ1JCLwj7nj/NeUfUuyG1/dnDVdki4FngL
LjbVa5XrK5VbsEj4sZBfebkLVZKd8h880FqNhfc3iZjCGqdYrWWlRYdNqNvq7zVa6YC7Vvo0sEC5/rDm
aNygbx0iCAAAAIEAoZHk+5cqaYptqYBPGPMRynpWyWJPJQjoiy+p1BRNk7E/kwInQaqmtFQuM/YaTOoN
nz5skwQ1dJmdJGq+h7bfmab0atzaaVjkcTjz0rtSBO3JID2G6KqG55yhr03bC8BY+A6g9Qm8TuWZU68D
NIZGj28GZSbkIpQgqSD9VUAxEHs=
dsa fingerprint :
1024 SHA256:Qzd8n4RjsxeW9+AnUP+zc59oPRTl2FBwdwDfVBq0DdQ
**************************************************
**************************************************
rsa public key :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC706mz0GQvdEaqK/2zUUtCOh/kEUkZpQ7d8gie4jf1
yV4nV2g1u7oIbdnoBBI0a5bIwbUGDHPUvfTpoJntpryY7G/QIWuBJVDiu6QteoB4u5byNVbSqA3fljbF
MISYfLxK3i3S07htadDfUIpYTyx/D5PCf8DDxmdf7UkhOM4Quj8GgGW3PacE2YyJASBq5x7MaWEUiStu
NgtemWqR/DTw+OO8l3gZzHhWBcmHLzo3jdkH/8ffLGEWqEb78wR4lxckVlja4suFB0GEa7vFLucYO3Tp
GzZARf7iY5A0bB0fi7Zi1yQ3RN7+di28lSNWsFCzZm8vWS7GyLUFn1xttlqJ
rsa fingerprint :
2048 SHA256:YVX+zlrDk8bqzF+HPKpFW0BttbLoiQ5IBDVI/VMYhbs
**************************************************
**************************************************
ecdsa public key :
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBCN/XoG
uZGwNfKCE+cuQOULrSHomRSmkDp0u6MsoNIVLhtRe9+r8Ak7G8taE55D7NgugnEDzdLKBmeCZWcww64=
ecdsa fingerprint :
256 SHA256:T7KOgXyrU/38EvO6z/apgYDANf+q9YhqCiYoocD5Ajg
**************************************************
**************************************************
ed25519 public key :
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/jNFIYKbUk/ePbp4wu/AjhP5gERqn6F+4tH39idbh7
ed25519 fingerprint :
256 SHA256:1MU6iy03eEQBj099GERLjkMCPDoUwkdCwGh8bgYZbeo
**************************************************
#
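The fingerprints printed by show ssh host-key (SHA256 form) and show username (colon-separated MD5 form) are what an operator compares against the value a client shows on first connection. The following Python is an added example, not OcNOS code: it parses an OpenSSH public key line into its RFC 4251 wire fields, checks that the key-type prefix matches the type string inside the blob (a mismatch means a damaged authorized_keys or known_hosts entry), derives the bit count, and recomputes both fingerprint styles. The ed25519 sample is the host key from the output above; the mis-labelled line and the RSA key built in the test are constructed for illustration, and the generic helpers (encode_mpint, build_key_line, describe) are this example's own names.

```python
import base64
import hashlib
import struct

# The ed25519 host key from the "show ssh host-key" output above.
PAGE_ED25519_LINE = (
    "ssh-ed25519 "
    "AAAAC3NzaC1lZDI1NTE5AAAAII/jNFIYKbUk/ePbp4wu/AjhP5gERqn6F+4tH39idbh7"
)

# Constructed bad entry: the same blob, but labelled with the wrong key type.
BAD_PREFIX_LINE = "ssh-rsa " + PAGE_ED25519_LINE.split()[1]


def encode_ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def encode_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (0x00 prefix if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return encode_ssh_string(raw)


def build_key_line(key_type: str, fields) -> str:
    """Assemble an OpenSSH public key line from already-encoded wire fields."""
    blob = encode_ssh_string(key_type.encode("ascii")) + b"".join(fields)
    return key_type + " " + base64.b64encode(blob).decode("ascii")


def read_ssh_string(blob: bytes, offset: int):
    """Read one RFC 4251 'string' at offset; returns (data, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_public_key(line: str):
    """Parse '<type> <base64> [comment]' into (type, wire fields, raw blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    wire_type, offset = read_ssh_string(blob, 0)
    # The prefix must agree with the type string embedded in the blob.
    if wire_type.decode("ascii", "replace") != key_type:
        raise ValueError(f"prefix {key_type!r} does not match wire type {wire_type!r}")
    fields = []
    while offset < len(blob):
        field, offset = read_ssh_string(blob, offset)
        fields.append(field)
    return key_type, fields, blob


def key_bits(key_type: str, fields) -> int:
    """Key size as OpenSSH prints it in front of a fingerprint."""
    if key_type == "ssh-rsa":
        return int.from_bytes(fields[1], "big").bit_length()  # modulus n
    if key_type == "ssh-dss":
        return int.from_bytes(fields[0], "big").bit_length()  # prime p
    if key_type.startswith("ecdsa-sha2-nistp"):
        return int(key_type[len("ecdsa-sha2-nistp"):])
    if key_type == "ssh-ed25519":
        return 256
    raise ValueError(f"unsupported key type {key_type!r}")


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH 'SHA256:' fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, as in the 'show username' output."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def describe(line: str) -> dict:
    """Type, bit count and both fingerprint styles for one public key line."""
    key_type, fields, blob = parse_public_key(line)
    return {
        "type": key_type,
        "bits": key_bits(key_type, fields),
        "sha256": sha256_fingerprint(blob),
        "md5": md5_fingerprint(blob),
    }
```

Calling describe(PAGE_ED25519_LINE) returns the key type, 256 bits and the two fingerprints; the SHA256 value is the one to compare with the "ed25519 fingerprint" line above, and the same function applied to a key pasted with username sshkey verifies the entry before it is committed to the configuration. The longer DSA and RSA blobs shown in this chapter are line-wrapped by the documentation and must be re-joined into a single base64 token before parsing.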
show ssh server
Use this command to display the SSH server status.
Command Syntax
show ssh server
Parameters
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show ssh server
VRF MANAGEMENT:
ssh server enabled port: 22
authentication-retries 3
VRF DEFAULT:
ssh server enabled port: 22
authentication-retries 3
#
show username
Use this command to display the RSA or DSA key pair for a user.
Command Syntax
show username USERNAME keypair
Parameters
USERNAME
User identifier
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show username OcNOS keypair
***************RSA KEY*******************
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCnWo/3Y7LlVkw/Z43dbVIm+I3o25JlgUTmwa9ll
T35+2gNvDbIPfYAqUKYgrmXKDc9vg7f4SAsmXS+4ZwrrQSTTsHk8PNLA+4lEcufFNl3jpfXTuhphN9N9
i+uFHGYIIviWZksiRqpMZmDlALyzAIOzyCfG44hlRm3/pYfhBNhHruvxYVhbP4wHsmrWfcFb+HZCWQGM
CJupxu8bouGd2UW5/BlVy1yuYNIhdo2NHjUI+ameETV+Wroki8+OLVA6eXp5/KY3Bj9x2+AxOCiKcpU0
axwFSoCbP3+29wrp4JJhl4ssSqM+19+VbUtpuXAM0cR7VQ7mJ0JDZ9tBvK4l8/
bitcount: 2048 fingerprint: 2b:ac:17:a4:ef:1d:79:4e:2d:17:af:72:4c:c7:e4:2f
**************************************
***************DSA KEY*******************
ssh-dss AAAAB3NzaC1kc3MAAACBAP0npAm+Pw8t7OpO+KQ0Vx3ayXavHHVPPAKOo8RTmquE8zUSjn
/XiZ+vP2343RpXu9/jLwAcCUMfNBZyE8NbmGKxMMk2PqMz10VtfvDOn5LSNurXL4lypZLG2hR2PNva4w
6b4Adpd+E1fEoUncIgOun2i4SO8N5TCMYVyusKjYzDAAAAFQCWeAzeahZeoIzBlnSo87madxfL3QAAAI
EA4b86l/nHoWobRoYBrkeOGtjyWLRKk1P2T+rGH+j0rqqJiD0sh2PVfppylliNvqLtYSmXyMCxzEEeFd
HH1cVXgrgQjtUOeCPhF+2We2ummmlCwg4v71Z358FRjsi9VgJ/vQUpOq1hRDhwjJHtEHSA+NkX/ccW9J
ww8YOoNhCI7DcAAACANuYiP6tKGSU9LeClF1F65Tq1blVHfLp3TSeZYPldqonDoZ1qo3NNvOOH5KN8Lj
MRtTCN1GaXow1QccS941XFy3efuWXxC00HZ64FhmjCyOYYv2Wsvn4UGCAG3ikiu6M1xjOLl6b53H4mB3
w7O6bkcjH1GnytwrgR0D/nlsZ/9fs=
bitcount: 1024 fingerprint: c1:0a:e5:e1:a1:78:ae:c2:4a:07:4a:50:07:4b:d5:84
**************************************
ssh
Use this command to open an SSH session to an IPv4 address or to a host name that resolves to an IPv4 address.
Command Syntax
ssh WORD (vrf (NAME | management))
ssh WORD <1-65535> (vrf (NAME | management))
ssh (cipher (aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc |aes192-cbc| aes256-cbc | 3des-cbc)) WORD (vrf (NAME | management))
ssh (cipher (aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc |aes192-cbc | aes256-cbc | 3des-cbc)) WORD <1-65535> (vrf (NAME | management))
Parameters
WORD
Destination in the form user@ipv4-address or user@hostname, where the host name resolves to an IPv4 address.
1-65535
Destination port for the SSH session. The default is 22.
cipher
Specify the algorithm used to encrypt the SSH session.
aes128-ctr
Advanced Encryption Standard 128 bit Counter Mode
aes192-ctr
Advanced Encryption Standard 192 bit Counter Mode
aes256-ctr
Advanced Encryption Standard 256 bit Counter Mode
aes128-cbc
Advanced Encryption Standard 128 bit Cipher Block Chaining
aes192-cbc
Advanced Encryption Standard 192 bit Cipher Block Chaining
aes256-cbc
Advanced Encryption Standard 256 bit Cipher Block Chaining
3des-cbc
Triple Data Encryption Standard Cipher Block Chaining
vrf
Specify the VPN routing/forwarding instance.
NAME
Specify the name of the VPN routing/forwarding instance.
management
Management VPN routing/forwarding instance name.
Default
By default, the destination port is 22.
Command Mode
Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#ssh cipher aes128-ctr 10.12.16.17 22 vrf management
The authenticity of host '10.12.16.17 (10.12.16.17)' can't be established.
RSA key fingerprint is 93:82:98:ce:b7:20:1a:85:a5:9a:2e:93:13:84:ea:9e.
Are you sure you want to continue connecting (yes/no)?
ssh6
Use this command to open an SSH session to an IPv6 address or to a host name that resolves to an IPv6 address.
Command Syntax
ssh6 (X:X::X:X | HOSTNAME) (vrf (NAME | management))
ssh6 (X:X::X:X | HOSTNAME) <1-65535> (vrf (NAME | management))
ssh6 (cipher (aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc |aes192-cbc | aes256-cbc | 3des-cbc)) (X:X::X:X | HOSTNAME) (vrf (NAME | management))
ssh6 (cipher (aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc |aes192-cbc | aes256-cbc | 3des-cbc)) (X:X::X:X | HOSTNAME) <1-65535> (vrf (NAME | management))
Parameters
X:X::X:X
Destination in the form user@ipv6-address.
HOSTNAME
Destination in the form user@hostname, where the host name resolves to an IPv6 address.
1-65535
Destination port for the SSH session. The default is 22.
cipher
Specify the algorithm used to encrypt the SSH session.
aes128-ctr
Advanced Encryption Standard 128 bit Counter Mode
aes192-ctr
Advanced Encryption Standard 192 bit Counter Mode
aes256-ctr
Advanced Encryption Standard 256 bit Counter Mode
aes128-cbc
Advanced Encryption Standard 128 bit Cipher Block Chaining
aes192-cbc
Advanced Encryption Standard 192 bit Cipher Block Chaining
aes256-cbc
Advanced Encryption Standard 256 bit Cipher Block Chaining
3des-cbc
Triple Data Encryption Standard Cipher Block Chaining
vrf
Specify the VPN routing/forwarding instance.
NAME
Specify the name of the VPN routing/forwarding instance.
management
Management VPN routing/forwarding instance name.
Default
No default value is specified.
Command Mode
Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#ssh6 cipher aes128-ctr 2:2::2:2 22 vrf management
The authenticity of host '2:2::2:2 (2:2::2:2)' can't be established.
RSA key fingerprint is 93:82:98:ce:b7:20:1a:85:a5:9a:2e:93:13:84:ea:9e.
Are you sure you want to continue connecting (yes/no)?
ssh algorithm encryption
The SSH server accepts connections only with the encryption algorithms configured from the list below. If a client attempts to connect with an encryption algorithm that is not on the list, the connection is not established.
The SSH server supports the encryption algorithms Advanced Encryption Standard Counter Mode [AES-CTR], Advanced Encryption Standard Cipher Block Chaining [AES-CBC], and Triple Data Encryption Standard [3DES]; they are as follows:
1. aes128-ctr
2. aes192-ctr
3. aes256-ctr
4. aes128-cbc
5. 3des-cbc
6. aes192-cbc
7. aes256-cbc
Use this command to set an encryption algorithm used to establish SSH sessions.
Use the no form of this command to remove an encryption algorithm.
Command Syntax
ssh server algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc |aes192-cbc | aes256-cbc | 3des-cbc} (vrf management|)
no ssh server algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc |aes192-cbc | aes256-cbc | 3des-cbc} (vrf management|)
Parameters
aes128-ctr
AES 128 bit Counter Mode
aes192-ctr
AES 192 bit Counter Mode
aes256-ctr
AES 256 bit Counter Mode
aes128-cbc
AES 128 bit Cipher block chaining
aes192-cbc
AES 192 bit Cipher block chaining
aes256-cbc
AES 256 bit Cipher block chaining
3des-cbc
Triple DES Cipher block chaining
vrf
Virtual Routing and Forwarding
NAME
Virtual Routing and Forwarding name
Default
No specific algorithm is configured by default.
With nothing configured, all of the ciphers listed above are accepted from a new SSH client connecting to the SSH server.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ssh server algorithm encryption aes128-ctr
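The allow-list semantics described above (no configured algorithm means every listed cipher is accepted; otherwise only the configured ones) combine with the standard SSH negotiation rule from RFC 4253, under which the chosen cipher is the first one in the client's preference list that the server also allows. The following Python is an added example, not OcNOS code, that models both rules and reports which legacy CBC/3DES ciphers a given configuration still leaves enabled; the client preference lists are constructed, and the function names are this example's own.

```python
# Ciphers the OcNOS SSH server can be configured to accept (the list on this page).
OCNOS_CIPHERS = ("aes128-ctr", "aes192-ctr", "aes256-ctr",
                 "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc")

# CBC-mode and 3DES ciphers are legacy choices; an audit should flag them.
LEGACY_CIPHERS = frozenset({"aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"})

# Constructed client preference lists used in the examples.
MODERN_CLIENT = ("aes256-ctr", "aes192-ctr", "aes128-ctr")
LEGACY_ONLY_CLIENT = ("3des-cbc", "aes128-cbc")


def server_allow_list(configured):
    """Effective allow-list: nothing configured means every cipher is accepted.

    Names outside the OcNOS list are rejected, as the CLI would reject them.
    """
    unknown = [c for c in configured if c not in OCNOS_CIPHERS]
    if unknown:
        raise ValueError(f"not an OcNOS cipher name: {unknown}")
    # dict.fromkeys keeps order while dropping duplicate entries.
    return tuple(dict.fromkeys(configured)) if configured else OCNOS_CIPHERS


def negotiate_cipher(client_prefs, server_allowed):
    """RFC 4253 rule: the first client-preferred cipher the server also allows.

    Returns None when there is no common cipher, i.e. the connection is not
    established.
    """
    allowed = set(server_allowed)
    for cipher in client_prefs:
        if cipher in allowed:
            return cipher
    return None


def legacy_ciphers_enabled(configured):
    """Legacy ciphers a given 'ssh server algorithm encryption' configuration still permits."""
    return sorted(set(server_allow_list(configured)) & LEGACY_CIPHERS)
```

With the configuration from the example above (aes128-ctr only), negotiate_cipher(MODERN_CLIENT, server_allow_list(["aes128-ctr"])) returns "aes128-ctr", while a client that offers only CBC ciphers gets None and is refused; legacy_ciphers_enabled([]) shows that an unconfigured server still accepts all four CBC/3DES ciphers.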
ssh keygen host
Use these commands to create the SSH server host keys (a private key and its public key). The host public key is added to an SSH client's known_hosts file once the user accepts it.
Once the entry is in known_hosts, subsequent logins to the server are validated against that host key; if the key does not match, the user is warned that the server's identity has changed.
Command syntax
ssh keygen host dsa (vrf management|) (force|)
ssh keygen host rsa (length <1024-4096>|) (vrf management|) (force|)
ssh keygen host ecdsa (length (256|384|521)|) (vrf management|) (force|)
ssh keygen host ed25519 (vrf management|) (force|)
Parameters
dsa
dsa keys
rsa
rsa keys
ecdsa
ecdsa keys
ed25519
ed25519 keys
management
Management VRF
force
Replace the old host key with the newly generated host key.
<1024-4096>
Number of bits to use when creating the SSH server key; this parameter is only valid for RSA keys (DSA keys have a default length of 1024)
Default
DSA key has length of 1024 bits
RSA key has default length of 2048 bits
ECDSA key has default length of 521 bits
ED25519 key has length of 256 bits
Command Mode
Privileged Exec mode
Applicability
This command was introduced in OcNOS version 5.0.
Examples
OcNOS#ssh keygen host rsa vrf management
OcNOS#
OcNOS#ssh keygen host ecdsa vrf management
OcNOS#
OcNOS#ssh keygen host ecdsa
%% ssh host key exists, use force option to overwrite
OcNOS#
OcNOS#ssh keygen host ecdsa force
OcNOS#
ssh login-attempts
Use this command to set the number of authentication attempts an SSH client is allowed when establishing an SSH session.
Use the no form of this command to reset the number of authentication attempts to its default (3).
Note: By default, SSH clients may first offer their keys to authenticate; each such implicit authentication failure also counts against the attempt limit. The configured value therefore does not correspond one-to-one to the number of password-based authentication attempts available to the user.
Command Syntax
ssh login-attempts <1-3> (vrf management|)
no ssh login-attempts (vrf management|)
Parameters
<1-3>
Number of authentication attempts; the default is 3.
management
Virtual Routing and Forwarding name
Default
By default, the device attempts to negotiate a connection with the connecting host three times.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ssh login-attempts 3
ssh server port
Use this command to set the port number on which the SSH server listens for connections. The default port on which the SSH server listens is 22.
Use the no form of this command to set the default port number (22).
Command Syntax
ssh server port <1024-65535> (vrf management|)
no ssh server port (vrf management|)
Parameters
<1024-65535>
Port number
management
Virtual Routing and Forwarding name
Default
By default, SSH server port is 22.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ssh server port 1720
ssh server session-limit
Use this command to limit the number of SSH sessions. At most 40 sessions are allowed in total, including both Telnet and SSH.
Use the no form of this command to restore the default value.
Note: Some terminal applications in which users run an SSH client (for example, MobaXterm) have limitations that affect the use of this session-limit option.
Command Syntax
ssh server session-limit <1-40> (vrf management|)
no ssh server session-limit (vrf management|)
Parameters
<1-40>
Number of sessions
management
Virtual Routing and Forwarding name
Default
By default, 40 sessions are allowed.
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 4.2.
Examples
#configure terminal
(config)#ssh server session-limit 4 vrf management
username sshkey
Use this command to add an SSH client's public key so that the user can log in to the switch without a password.
Command Syntax
username USERNAME sshkey LINE
Parameters
USERNAME
User identifier
LINE
Digital Signature Algorithm (DSA) key or Rivest, Shamir, and Adleman (RSA) key in OpenSSH format; this key is written to the authorized_keys file
Default
By default, SSHKEY is 1024.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#username fred
(config)#username fred sshkey
ssh-rsa AAAAB3NzaC1kc3MAAAEBAIirweZzCdyITqbMWB8Wly9ivGxY1JBVnWTVtcWKi6uc
CPZyw3I6J6/+69LEkPUSAyO+SK8zj0NF2f25FFc2YDMh1KKHi5gK7iXF3/ran54j
nP2byyLeo8rnuVqfEDLaBI1qQaWBcDQvsZc14t5SEJfsOQSfR03PDqPYAisrZRvM
5pWfzo486Rh33J3+17OuARQtZFDP4wA5zZoFxhl4U3RK42JzKNUiYBDrH3lSgfkv
XLWLXz9WcxY6zuKvXFwUpOA9PRXwUsKQqWuyywZQLNavENqFyoQ8oZnNKLCYE0h8
QnUe62NGxb3jQXKLflOL04JFNiii9sACG1Y/ut4ANysAAAAVAJbM7Z4chRgiVahN
iwXFJNkBmWGZAAABAAuF1FlI6xy0L/pBaIlFw34uUL/mh4SR2Di2X52eK70VNj+m
y5eQdRC6cxpaVqpS3Q4xTN+W/kaBbIlX40xJP5lcjMvfn/nqiuIeEodmVIJMWxOD
fh3egeGuSW614Vzd1RGrxpYInIOygMULRcxhmbX+rPliuUIvhg36iH0UR7XBln6h
uyKFvEmaL7bGlRvELjqaj0y6iiCfP1yGBc5vavH5X+jOWqdsJHsCgcIzPF5D1Ybp
w0nZmGsqO+P55mjMuj0O2uI7Ns1sxyirbnGhd+ZZ1u03QDy6MBcUspai8U5CIe6X
WqvXY+yJjpuvlW9GTHowCcGd6Z/e9IC6VE/kNEAAAAEAFIe6kLGTALR0F3AfapYY
/M+bvkmkkhOJUZVdLiwMjcvtJb9fQpPxqXElS3ZvUNIEElUPS/V7KgSsj8eg3FKN
iUGICkTwHIK7RTLC8k4IE6U3V3866JtxW+Znv1DB7uwnbZgoIZuVt3r1+h8O0ah8
UKwDUMJT0fwu9cuuS3G8Ss/gKi1HgByrcxXoK51/r4Bc4QmR2VQ8sXOREv/SHJeY
JGbEX3OxjRgXC7GlpbrdPiL8zs0dPiZ0ovAswsBOYlKYhd7JvfCcvWRjgP5h55aw
GNSmNs3STKufbIqYGeDAISYNYY4F2JzR593KIBnWgyhokyYybyEBh8NwTTO4J5rT
ZA==
username keypair
Use this command to generate an SSH key pair for a user.
Command Syntax
username USERNAME keypair rsa
username USERNAME keypair dsa
username USERNAME keypair rsa length <1024-4096>
username USERNAME keypair rsa length <1024-4096> force
username USERNAME keypair rsa force
username USERNAME keypair dsa force
Parameters
USERNAME
User identifier
rsa
Rivest, Shamir, and Adleman (RSA) public-key cryptography SSH key
dsa
Digital Signature Algorithm (DSA) SSH key
<1024-4096>
Number of bits to use when creating the SSH server key; this parameter is only valid for RSA keys (DSA keys have a default length of 1024)
force
Forces the replacement of an SSH key
Default
DSA keys have a default length of 1024 bits.
RSA keys have a minimum length of 1024 bits; the default length is 4096 bits.
By default, the system places the RSA/DSA public/private key pair in /etc/ssh/. Use the force option to regenerate existing RSA keys; the same applies to DSA keys.
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#username fred keypair rsa