SSH Commands

ssh

Syntax

ssh

Context

config>system>security

Description

This command enables the context to configure the SSH server parameters on the system.

Quitting SSH while in the process of authentication is accomplished by either pressing Ctrl-C or typing "~." (tilde and dot), assuming "~" is the default escape character for the SSH session.

Default

n/a

client-cipher-list

Syntax

client-cipher-list protocol-version version

Context

config>system>security>ssh

Description

This command enables the context to configure the list of allowed ciphers on the SSH client based on the SSH protocol version.

Default

2

Parameters

version

the protocol version for the list of allowed ciphers on the SSH client

Values

1 — SSH protocol version 1 (not supported on a 7705 SAR node running in FIPS-140-2 mode)

2 — SSH protocol version 2

cipher

Syntax

cipher index name cipher-name

no cipher index

Context

config>system>security>ssh>client-cipher-list

config>system>security>ssh>server-cipher-list

Description

This command configures the allowed SSH protocol version 1 or version 2 ciphers that are available on the SSH client or server. Client cipher and server cipher lists are used to negotiate the best compatible cipher between the SSH client and SSH server. Client ciphers are used when the 7705 SAR node is acting as an SSH client; server ciphers are used when the 7705 SAR node is acting as an SSH server.

Each list contains ciphers and their corresponding index values, where a lower index has a higher preference in the SSH negotiation. The list is ordered by preference from highest to lowest.

The no form of this command deletes the specified cipher index.

Default

n/a

Parameters

index

the index of the cipher in the list

Values

1 to 255

cipher-name

the allowed cipher name

Values

For SSHv1:
  client ciphers: des, 3des, blowfish
  server ciphers: 3des, blowfish

Table: SSHv1 Default Index Values lists the default index values used for SSHv1, in order of preference.

Table: SSHv1 Default Index Values

  Cipher Index Value    Cipher Name
  10                    3des
  20                    blowfish
  30                    des

Values

For SSHv2:
  client ciphers: aes128-ctr, aes192-ctr, aes256-ctr, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes128-cbc, aes192-cbc, aes256-cbc, rijndael-cbc
  server ciphers: aes128-ctr, aes192-ctr, aes256-ctr, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes128-cbc, aes192-cbc, aes256-cbc, rijndael-cbc

Table: SSHv2 Default Index Values lists the default index values used for SSHv2, in order of preference.

Table: SSHv2 Default Index Values

  Cipher Index Value    Cipher Name
  2                     aes256-ctr
  4                     aes192-ctr
  6                     aes128-ctr
  10                    aes128-cbc
  20                    3des-cbc
  30                    blowfish-cbc
  40                    cast128-cbc
  50                    arcfour
  60                    aes192-cbc
  70                    aes256-cbc
  80                    rijndael-cbc

Note:

The blowfish-cbc, cast128-cbc, arcfour, and rijndael-cbc ciphers are not available if the 7705 SAR node is running in FIPS-140-2 mode.

client-kex-list

Syntax

client-kex-list

Context

config>system>security>ssh

Description

This command enables the context to configure a list of preferred KEX algorithms to be used by an SSHv2 client.

Default

n/a

kex

Syntax

kex index name kex-name

no kex index

Context

config>system>security>ssh>client-kex-list

config>system>security>ssh>server-kex-list

Description

This command configures the list of preferred KEX algorithms that are negotiated by the client and server using an SSHv2 phase one handshake.

By default, a KEX client and KEX server each have a hard-coded list that contains the default indexes and their corresponding algorithms. Table: Default KEX Index Values lists the default index values and algorithms, in order of preference.

Table: Default KEX Index Values

  KEX Index Value    KEX Algorithm Name
  200                diffie-hellman-group16-sha512
  210                diffie-hellman-group14-sha256
  215                diffie-hellman-group14-sha1
  220                diffie-hellman-group-exchange-sha1
  225                diffie-hellman-group1-sha1

The default list can be changed by manually removing a single index or as many indexes as required using the no kex index command. The default list can also be customized by first removing an index and then redefining it for each algorithm as required. To go back to using the original hard-coded list, the default KEX indexes must be manually re-entered with their corresponding algorithms.

In a KEX list, the algorithm with the lowest index value has the highest preference in the SSH negotiation. The list is ordered by preference from highest to lowest. When the client and server exchange their KEX lists, the first algorithm in the client list that is also supported by the server is the algorithm that is agreed upon.

Note:

If a 7705 SAR node is running in FIPS-140-2 mode:

  • SSHv1 is not supported

  • for SSHv2, the following KEX algorithm is not available: diffie-hellman-group1-sha1

The no form of this command removes the specified KEX index. Removing all the indexes from a client or server list results in an empty list, and any KEX algorithm the client or server brings to the SSHv2 negotiation will be rejected.

Default

no kex

Parameters

index

the index of the KEX algorithm in the list. The list is ordered from highest to lowest.

Values

1 to 255

kex-name

the KEX algorithm for computing the shared secret key

Values

diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1

client-mac-list

Syntax

client-mac-list

Context

config>system>security>ssh

Description

This command enables the context to configure a list of preferred MAC algorithms to be used by an SSHv2 client.

Default

n/a

mac

Syntax

mac index name mac-name

no mac index

Context

config>system>security>ssh>client-mac-list

config>system>security>ssh>server-mac-list

Description

This command configures the list of preferred MAC algorithms that are negotiated by an SSHv2 server or client.

Each algorithm in the list has a corresponding index value, where a lower index has a higher preference in the SSH negotiation. The list is ordered by preference from highest to lowest.

The no form of this command removes the specified MAC index from the list.
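The cipher, kex, and mac descriptions above all state the same selection rule: each side keeps an indexed list, a lower index means higher preference, and the first algorithm in the client's list that the server also offers is the one agreed upon. The following Python model is an added example, not Nokia code or the node's implementation; it loads the default index tables printed in this reference, applies the "no kex index" style removals and the FIPS-140-2 exclusions the reference lists, and runs that negotiation rule so the effect of trimming a list (or emptying it) can be seen before touching a node. The class and function names are this example's own.

```python
"""Model of the indexed cipher/KEX/MAC lists and the SSHv2 negotiation rule.

Added example, not Nokia code. The index tables are the defaults printed in this
reference; the negotiation rule is the one the reference states: the first
algorithm in the client's list that the server also offers is agreed upon.
Class and function names are this example's own.
"""

# Default index tables from this reference (lower index = higher preference).
DEFAULT_KEX = {
    200: "diffie-hellman-group16-sha512",
    210: "diffie-hellman-group14-sha256",
    215: "diffie-hellman-group14-sha1",
    220: "diffie-hellman-group-exchange-sha1",
    225: "diffie-hellman-group1-sha1",
}
DEFAULT_MAC = {
    200: "hmac-sha2-512", 210: "hmac-sha2-256", 215: "hmac-sha1",
    220: "hmac-sha1-96", 225: "hmac-md5", 230: "hmac-ripemd160",
    235: "hmac-ripemd160-openssh-com", 240: "hmac-md5-96",
}
DEFAULT_CIPHER_V2 = {
    2: "aes256-ctr", 4: "aes192-ctr", 6: "aes128-ctr", 10: "aes128-cbc",
    20: "3des-cbc", 30: "blowfish-cbc", 40: "cast128-cbc", 50: "arcfour",
    60: "aes192-cbc", 70: "aes256-cbc", 80: "rijndael-cbc",
}

# Algorithms this reference lists as unavailable in FIPS-140-2 mode.
FIPS_UNAVAILABLE = {
    "diffie-hellman-group1-sha1",
    "hmac-sha1-96", "hmac-md5", "hmac-ripemd160",
    "hmac-ripemd160-openssh-com", "hmac-md5-96",
    "blowfish-cbc", "cast128-cbc", "arcfour", "rijndael-cbc",
}


class AlgorithmList:
    """One indexed list, e.g. config>system>security>ssh>server-kex-list."""

    def __init__(self, defaults, fips_mode=False):
        self.fips_mode = fips_mode
        # In FIPS mode the node simply does not offer the excluded algorithms.
        self.entries = {i: n for i, n in defaults.items()
                        if not (fips_mode and n in FIPS_UNAVAILABLE)}

    def set(self, index, name):
        """'kex index name kex-name' (same shape for cipher and mac)."""
        if not 1 <= index <= 255:
            raise ValueError("index must be 1 to 255")
        if self.fips_mode and name in FIPS_UNAVAILABLE:
            raise ValueError(f"{name} is not available in FIPS-140-2 mode")
        self.entries[index] = name

    def remove(self, index):
        """'no kex index': drop one entry; an empty list rejects every peer."""
        self.entries.pop(index, None)

    def ordered(self):
        """Algorithm names by preference, highest (lowest index) first."""
        return [self.entries[i] for i in sorted(self.entries)]


def negotiate(client, server):
    """Apply the reference's rule: the first client preference the server also
    offers wins; None means no common algorithm and the session is rejected."""
    offered = set(server.ordered())
    for name in client.ordered():
        if name in offered:
            return name
    return None


if __name__ == "__main__":
    server = AlgorithmList(DEFAULT_KEX)
    # Constructed peer that only offers the weakest default group.
    legacy_client = AlgorithmList({1: "diffie-hellman-group1-sha1"})
    print("default server:", negotiate(legacy_client, server))
    server.remove(225)                       # no kex 225
    print("after 'no kex 225':", negotiate(legacy_client, server))
    fips_server = AlgorithmList(DEFAULT_MAC, fips_mode=True)
    print("FIPS MAC list:", fips_server.ordered())
```

Two points the model makes visible: with the default lists a peer that only offers diffie-hellman-group1-sha1 still succeeds, because the server's list contains it at index 225, and the outcome is decided by the client's order, not the server's, so a server that re-indexes its list changes nothing for a client whose first supported choice is already offered.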

Default

no mac

Parameters

index

the index of the MAC algorithm in the list

Values

1 to 255

mac-name

the algorithm for calculating the message authentication code

Values

Table: Default SSHv2 MAC Algorithms lists the default client and server MAC algorithms used for SSHv2.

Table: Default SSHv2 MAC Algorithms

  MAC Algorithm Index Value    MAC Algorithm Name
  200                          hmac-sha2-512
  210                          hmac-sha2-256
  215                          hmac-sha1
  220                          hmac-sha1-96
  225                          hmac-md5
  230                          hmac-ripemd160
  235                          hmac-ripemd160-openssh-com
  240                          hmac-md5-96

Note:

If a 7705 SAR node is running in FIPS-140-2 mode:

  • SSHv1 is not supported

  • for SSHv2, the following MAC algorithms are not available: hmac-sha1-96, hmac-md5, hmac-ripemd160, hmac-ripemd160-openssh-com, and hmac-md5-96

key-re-exchange

Syntax

key-re-exchange

Context

config>system>security>ssh

Description

This command enables the context to configure key re-exchange parameters for an SSH client or server.

client

Syntax

client

Context

config>system>security>ssh>key-re-exchange

Description

This command enables the context to configure key re-exchange parameters for an SSH client.

mbytes

Syntax

mbytes {mbytes | disable}

no mbytes

Context

config>system>security>ssh>key-re-exchange>client

config>system>security>ssh>key-re-exchange>server

Description

This command configures the maximum number of megabytes that can be transmitted during an SSH session before an SSH client or server initiates the key re-exchange procedure.

If both the mbytes and minutes key re-exchange parameters are configured, the key re-exchange will occur at whatever limit is reached first.

The no form of this command returns the setting to the default value.

Default

1024

Parameters

mbytes

specifies the number of megabytes that can be transmitted during an SSH session before the key re-exchange occurs

Values

1 to 64000

disable

specifies that a session will never time out

minutes

Syntax

minutes {minutes | disable}

no minutes

Context

config>system>security>ssh>key-re-exchange>client

config>system>security>ssh>key-re-exchange>server

Description

This command configures the maximum time that an SSH session can be up before an SSH client or server initiates the key re-exchange procedure.

If both the mbytes and minutes key re-exchange parameters are configured, the key re-exchange will occur at whatever limit is reached first.

The no form of this command returns the setting to the default value.

Default

60

Parameters

minutes

specifies the number of minutes before an SSH client or server initiates the key re-exchange

Values

1 to 1440

disable

specifies that a session will never time out

shutdown

Syntax

[no] shutdown

Context

config>system>security>ssh>key-re-exchange>client

config>system>security>ssh>key-re-exchange>server

Description

This command enables or disables initiation of the key re-exchange procedure when the configured thresholds are reached.

Default

no shutdown
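The mbytes, minutes, and shutdown commands above together define when a client or server initiates key re-exchange: whichever configured limit is reached first triggers it, "disable" switches off that one limit, and shutdown stops initiation entirely. The following Python model is an added example, not Nokia code; it validates the ranges printed in this reference, answers "has a limit been reached?" for a running session, and, as a planning helper that goes a little beyond the text, predicts which limit a session at a given transmission rate would hit first. The class, method, and helper names are this example's own.

```python
"""Key re-exchange thresholds for config>system>security>ssh>key-re-exchange.

Added example, not Nokia code. It models three statements from this reference:
re-exchange fires at whichever of mbytes/minutes is reached first, 'disable'
means that limit never fires, and 'shutdown' stops initiation altogether.
Names and the planning helper are this example's own.
"""

MBYTES_DEFAULT, MBYTES_RANGE = 1024, (1, 64000)     # defaults/ranges from the reference
MINUTES_DEFAULT, MINUTES_RANGE = 60, (1, 1440)


def _limit(value, rng, what):
    """Validate one threshold; None represents 'disable' (never fires)."""
    if value == "disable":
        return None
    lo, hi = rng
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{what} must be {lo} to {hi} or 'disable'")
    return value


class KeyReExchange:
    """One client or server key-re-exchange context."""

    def __init__(self, mbytes=MBYTES_DEFAULT, minutes=MINUTES_DEFAULT, shutdown=False):
        self.mbytes = _limit(mbytes, MBYTES_RANGE, "mbytes")
        self.minutes = _limit(minutes, MINUTES_RANGE, "minutes")
        self.shutdown = shutdown          # 'shutdown' under client/server

    def rekey_due(self, bytes_sent, minutes_up):
        """Runtime check: name of the limit already reached, or None."""
        if self.shutdown:
            return None
        if self.mbytes is not None and bytes_sent >= self.mbytes * 1024 * 1024:
            return "mbytes"
        if self.minutes is not None and minutes_up >= self.minutes:
            return "minutes"
        return None

    def first_limit(self, rate_mb_per_min):
        """Planning helper: which limit a session sending at the given rate
        hits first and after how many minutes; (None, None) if it never fires."""
        if self.shutdown:
            return (None, None)
        candidates = []
        if self.mbytes is not None and rate_mb_per_min > 0:
            candidates.append(("mbytes", self.mbytes / rate_mb_per_min))
        if self.minutes is not None:
            candidates.append(("minutes", float(self.minutes)))
        if not candidates:
            return (None, None)
        return min(candidates, key=lambda c: c[1])


if __name__ == "__main__":
    default = KeyReExchange()
    print("10 MB/min on defaults ->", default.first_limit(10.0))
    print("512 MB/min on defaults ->", default.first_limit(512.0))
    print("both disabled ->", KeyReExchange(mbytes="disable", minutes="disable").first_limit(100.0))
```

With the defaults, a quiet management session re-keys on the 60-minute limit, while a bulk transfer (for example a large file copy over the session) hits the 1024 MB limit well before that; disabling both, or setting shutdown, leaves a long-lived session on a single key set, which is the state a reviewer of a node's configuration would want to notice.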

server

Syntax

server

Context

config>system>security>ssh>key-re-exchange

Description

This command enables the context to configure key re-exchange parameters for an SSH server.

preserve-key

Syntax

[no] preserve-key

Context

config>system>security>ssh

Description

This command specifies the persistence of the SSH server host key. When enabled, the host key will be saved by the server and restored following a system reboot. This command can only be enabled or disabled when no SSH session is running.

The no form of the command specifies that the host key will be held in memory by the SSH server and not be restored following a system reboot.

Default

no preserve-key

server-cipher-list

Syntax

server-cipher-list protocol-version version

Context

config>system>security>ssh

Description

This command enables the context to configure the list of allowed ciphers on the SSH server based on the SSH protocol version.

Default

2

Parameters

version

the protocol version for the list of allowed ciphers on the SSH server

Values

1 — SSH protocol version 1 (not supported on a 7705 SAR node running in FIPS-140-2 mode)

2 — SSH protocol version 2

server-kex-list

Syntax

server-kex-list

Context

config>system>security>ssh

Description

This command enables the context to configure a list of preferred KEX algorithms to be used by an SSHv2 server.

Default

n/a

server-mac-list

Syntax

server-mac-list

Context

config>system>security>ssh

Description

This command enables the context to configure a list of preferred MAC algorithms to be used by an SSHv2 server.

Default

n/a

server-shutdown

Syntax

[no] server-shutdown

Context

config>system>security>ssh

Description

This command disables the SSH server running on the system. The no version of the command enables the SSH server.

When the no server-shutdown command is executed, an SSH security key is generated. Unless the preserve-key command is enabled, this key is valid until either the node is restarted or the SSH server is stopped with the server-shutdown command and restarted. The key size is non-configurable and is set to 2048 for SSHv2 RSA and to 1024 for SSHv2 DSA and SSHv1 RSA1. Only SSHv2 RSA is supported in FIPS-140-2 mode.

Default

no server-shutdown

version

Syntax

version ssh-version

no version

Context

config>system>security>ssh

Description

This command specifies the SSH protocol version that will be supported by the SSH server. The server can be configured as Secure Shell version 1 (SSHv1), version 2 (SSHv2), or both. SSHv1 and SSHv2 are different protocols and encrypt different parts of the packets. SSHv1 uses server keys as well as host keys to authenticate systems, whereas SSHv2 only uses host keys. SSHv2 does not use the same networking implementation that SSHv1 does and is considered a more secure, efficient, and portable version of SSH.

Parameters

ssh-version

specifies the SSH version

Values

1 — specifies that the SSH server will only accept connections from clients supporting SSH protocol version 1 (not supported on a 7705 SAR running in FIPS-140-2 mode)

2 — specifies that the SSH server will only accept connections from clients supporting SSH protocol version 2

1-2 — specifies that the SSH server will accept connections from clients supporting either SSH protocol version 1, or SSH protocol version 2, or both (not supported on a 7705 SAR running in FIPS-140-2 mode)

Default

2