Unlike NX-OS, IOS rarely ships with SSH already enabled on routers and switches, and even where it is enabled, not all of the recommended parameters are set. The following steps enable SSH and adapt it to your own security requirements.
CSR-1000v
The command sh ip ssh gives a quick overview of the current configuration. On a freshly commissioned CSR-1000v (a virtual router, here with IOS version 15.5), it looks roughly like this:
csr1000v-1#sh ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-2857816614
ssh-rsa "removed rsa key"
With the following configuration lines I enable the SSH service and adapt the settings to my needs: version 2 only (the "1.99" above means the server still negotiates SSHv1 with old clients), a 2048-bit RSA host key named after hostname and domain (so ip domain-name must be set first), a 2048-bit minimum for the Diffie-Hellman group, a 10-second authentication timeout, and only the CTR cipher and the full-length MAC. Two caveats: ip ssh stricthostkeycheck applies to outbound connections made by the router's own SSH client (it refuses peers whose host key is not already stored) and does not change the server; and hmac-sha1 is simply the strongest MAC this release offers, since hmac-sha1-96 truncates the tag to 96 bits, so on releases that also list hmac-sha2-256 or hmac-sha2-512, pick those instead.
csr1000v-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
csr1000v-1(config)#ip domain-name je-ru.de
csr1000v-1(config)#hostname csr100v
csr100v(config)#crypto key generate rsa modulus 2048
The name for the keys will be: csr100v.je-ru.de
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
csr100v(config)#ip ssh version 2
csr100v(config)#ip ssh dh min size 2048
csr100v(config)#ip ssh time-out 10
csr100v(config)#ip ssh stricthostkeycheck
csr100v(config)#ip ssh server algorithm encryption ?
3des-cbc Three-key 3DES in CBC mode
aes128-cbc AES with 128-bit key in CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes192-cbc AES with 192-bit key in CBC mode
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES with 256-bit key in CBC mode
aes256-ctr AES with 256-bit key in CTR mode
csr100v(config)#ip ssh server algorithm encryption aes256-ctr
csr100v(config)#ip ssh server algorithm mac ?
hmac-sha1 HMAC-SHA1 (digest length = key length = 160 bits)
hmac-sha1-96 HMAC-SHA1-96 (digest length = 96 bits, key length = 160 bits)
csr100v(config)#ip ssh server algorithm mac hmac-sha1
csr100v(config)#^Z
After the changes, it should now look like this.
csr100v#
*Jun 19 23:58:00.407: %SYS-5-CONFIG_I: Configured from console by console
csr100v#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes256-ctr
MAC Algorithms:hmac-sha1
Authentication timeout: 10 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-2857816614
ssh-rsa "removed rsa key"
NX-OS
On the Nexus, SSH version 2 is enabled by default, so only a few adjustments are needed. The commands sh ssh server and sh run security all give a quick overview of the current state.
nx-osv# sh ssh server
ssh version 2 is enabled
nx-osv# sh run security all
!Command: show running-config security all
!Time: Fri Jun 19 23:17:00 2015
version 7.2(0)D1(1)
feature telnet
no feature scp-server
no feature sftp-server
feature ssh
ssh login-gracetime 120
ssh login-attempts 3
ssh key rsa 1024
no ssh key dsa
The following adjustments bring SSH up to the recommended parameters. The RSA host key can only be replaced while the SSH feature is disabled, and no feature ssh terminates every open SSH session, so run this from the console. The default 1024-bit key is replaced by a 2048-bit one using the force keyword, and the scp and sftp servers are enabled so that files can be copied to and from the switch over SSH. Note that feature telnet is still active in the output above; once SSH access has been verified, disable it with no feature telnet.
nx-osv(config)# no feature ssh
XML interface to system may become unavailable since ssh is disabled
nx-osv(config)# ssh key rsa 2048 force
deleting old rsa key.....
generating rsa key(2048 bits).....
.
generated rsa key
nx-osv(config)# feature scp-server
nx-osv(config)# feature sftp-server
nx-osv(config)# feature ssh
The configuration should now look like this:
nx-osv# sh ssh key
**************************************
rsa Keys generated:Fri Jun 19 23:28:54 2015
ssh-rsa "removed rsa key"
bitcount:2048
fingerprint:
6f:86:85:7e:bd:01:0d:b8:79:2e:0d:02:d7:6b:87:4b
**************************************
could not retrieve dsa key information
bitcount: 0
**************************************
nx-osv#
nx-osv# sh run security all | grep ssh
feature ssh
ssh login-gracetime 120
ssh login-attempts 3
ssh key rsa 2048
no ssh key dsa
nx-osv# sh ssh server
ssh version 2 is enabled
nx-osv#
IOS-Switch
The command sh ip ssh gives a quick overview of the current configuration. On a freshly commissioned switch with IOS version 15.2 it looks roughly like this; SSH stays disabled until an RSA key pair exists:
SW-1#sh ip ssh
SSH Disabled - version 1.99
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): NONE
SW-1#
The next steps enable SSH and tighten the timer and DH settings. The key is named after hostname and domain, so ip domain-name has to be set before it is generated; generating the key is what switches SSH on, still as version 1.99, which is why ip ssh version 2 follows. Note that on this switch release sh ip ssh lists no cipher or MAC algorithms, so the CBC/3DES restriction applied on the CSR-1000v cannot be verified from this output.
SW-1(config)#ip domain-name je-ru.de
SW-1(config)#crypt key generate rsa modulus 2048
The name for the keys will be: SW-1.je-ru.de
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
SW-1(config)#
*Jun 19 20:42:36.095: %SSH-5-ENABLED: SSH 1.99 has been enabled
SW-1(config)#ip ssh version 2
SW-1(config)#ip ssh authentication-retries 3
SW-1(config)#ip ssh dh min size ?
1024 Diffie Group 1 1024-bit key
2048 Diffie Group 14 2048-bit key
4096 Diffie Group 16 4096-bit key
SW-1(config)#ip ssh dh min size 2048
SW-1(config)#ip ssh time-out 10
SW-1(config)#
Querying sh ip ssh again, the output should now look like this:
SW-1#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 10 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa "removed rsa key"
SW-1#
IOS-Router
The command sh ip ssh gives a quick overview of the current configuration. On a freshly commissioned router with IOS version 15.2 it looks roughly like this; as on the switch, SSH stays disabled until an RSA key pair exists:
RTR-1#sh ip ssh
SSH Disabled - version 1.99
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): NONE
The next steps enable SSH, tighten the timer and DH settings, and, as on the CSR-1000v, restrict the cipher and MAC lists to aes256-ctr and hmac-sha1 (the strongest this release offers). Again, ip ssh stricthostkeycheck hardens the router's own outbound SSH client, not the server.
RTR-1(config)#ip domain-name je-ru.de
RTR-1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: RTR-1.je-ru.de
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 5 seconds)
RTR-1(config)#ip ssh version 2
RTR-1(config)#ip ssh dh min size 2048
RTR-1(config)#ip ssh time-out 10
RTR-1(config)#ip ssh stricthostkeycheck
RTR-1(config)#ip ssh server algorithm encryption ?
3des-cbc Three-key 3DES in CBC mode
aes128-cbc AES with 128-bit key in CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes192-cbc AES with 192-bit key in CBC mode
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES with 256-bit key in CBC mode
aes256-ctr AES with 256-bit key in CTR mode
RTR-1(config)#ip ssh server algorithm encryption aes256-ctr
RTR-1(config)#ip ssh server algorithm mac ?
hmac-sha1 HMAC-SHA1 (digest length = key length = 160 bits)
hmac-sha1-96 HMAC-SHA1-96 (digest length = 96 bits, key length = 160 bits)
RTR-1(config)#ip ssh server algorithm mac hmac-sha1
Querying sh ip ssh again, the output should now look like this:
RTR-1#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes256-ctr
MAC Algorithms:hmac-sha1
Authentication timeout: 10 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): Berlin.je-ru.de
ssh-rsa "removed rsa key"
RTR-1#
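As an added example (not code from the original post), the following Python script turns the three IOS/IOS-XE procedures above (CSR-1000v, switch, router) and the NX-OS one into a repeatable check: it parses captured sh ip ssh and sh run security all output and reports every setting that misses a hardening baseline. The thresholds (2048-bit RSA and DH, no CBC/3DES ciphers, no truncated MAC, authentication timeout at most 60 s, at most 3 retries, telnet disabled) are my assumptions modelled on the settings applied in the post; the embedded sample outputs are copied from the transcripts above with the host-key lines left out.

```python
"""Check captured Cisco SSH status against a hardening baseline.

Added example, not from the original post. audit_ios handles IOS and
IOS-XE 'show ip ssh'; audit_nxos handles NX-OS 'show running-config
security all'. All thresholds below are assumptions.
"""
import re

WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}  # CBC / 3DES
WEAK_MACS = {"hmac-sha1-96", "hmac-md5", "hmac-md5-96"}               # truncated or MD5 tag
MIN_RSA_BITS = 2048      # assumption
MIN_DH_BITS = 2048       # assumption
MAX_AUTH_TIMEOUT = 60    # assumption, seconds
MAX_AUTH_RETRIES = 3     # assumption


def parse_show_ip_ssh(text):
    """Extract the security-relevant fields from IOS 'show ip ssh' output."""
    info = {"enabled": False, "version": None, "ciphers": [], "macs": [],
            "timeout": None, "retries": None, "dh_min": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"SSH (Enabled|Disabled) - version ([\d.]+)", line)
        if m:
            info["enabled"] = m.group(1) == "Enabled"
            info["version"] = m.group(2)
        elif line.startswith("Encryption Algorithms:"):
            info["ciphers"] = [c.strip() for c in line.split(":", 1)[1].split(",")]
        elif line.startswith("MAC Algorithms:"):
            info["macs"] = [c.strip() for c in line.split(":", 1)[1].split(",")]
        elif line.startswith("Authentication timeout:"):
            timeout, retries = re.findall(r"(\d+)", line)
            info["timeout"], info["retries"] = int(timeout), int(retries)
        elif line.startswith("Minimum expected Diffie Hellman key size"):
            info["dh_min"] = int(re.search(r"(\d+) bits", line).group(1))
    return info


def audit_ios(text):
    """Return findings for IOS 'show ip ssh' output; an empty list means compliant."""
    info = parse_show_ip_ssh(text)
    findings = []
    if not info["enabled"]:
        findings.append("SSH server disabled (no RSA host key yet)")
    if info["version"] != "2.0":
        # 1.99 means SSHv1 is still negotiated with old clients
        findings.append(f"version {info['version']}: SSHv1 still accepted, set 'ip ssh version 2'")
    findings += [f"weak cipher offered: {c}" for c in info["ciphers"] if c in WEAK_CIPHERS]
    findings += [f"weak MAC offered: {m}" for m in info["macs"] if m in WEAK_MACS]
    if info["dh_min"] is not None and info["dh_min"] < MIN_DH_BITS:
        findings.append(f"DH minimum {info['dh_min']} bits < {MIN_DH_BITS}")
    if info["timeout"] is not None and info["timeout"] > MAX_AUTH_TIMEOUT:
        findings.append(f"authentication timeout {info['timeout']} s > {MAX_AUTH_TIMEOUT}")
    if info["retries"] is not None and info["retries"] > MAX_AUTH_RETRIES:
        findings.append(f"authentication retries {info['retries']} > {MAX_AUTH_RETRIES}")
    return findings


def audit_nxos(text):
    """Return findings for NX-OS 'show running-config security all' output."""
    findings, rsa_bits = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "feature telnet":
            findings.append("telnet server enabled, use 'no feature telnet'")
        elif line == "no feature ssh":
            findings.append("SSH server disabled")
        elif (m := re.fullmatch(r"ssh key rsa (\d+)", line)):
            rsa_bits = int(m.group(1))
        elif (m := re.fullmatch(r"ssh login-gracetime (\d+)", line)) and int(m.group(1)) > MAX_AUTH_TIMEOUT:
            findings.append(f"login-gracetime {m.group(1)} s > {MAX_AUTH_TIMEOUT}")
        elif (m := re.fullmatch(r"ssh login-attempts (\d+)", line)) and int(m.group(1)) > MAX_AUTH_RETRIES:
            findings.append(f"login-attempts {m.group(1)} > {MAX_AUTH_RETRIES}")
    if rsa_bits is None:
        findings.append("no RSA host key configured")
    elif rsa_bits < MIN_RSA_BITS:
        findings.append(f"RSA host key {rsa_bits} bits < {MIN_RSA_BITS}, regenerate with 'ssh key rsa {MIN_RSA_BITS} force'")
    return findings


# Samples copied from the post's transcripts (host-key lines omitted).
IOS_BEFORE = """\
SSH Enabled - version 1.99
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
"""
IOS_AFTER = """\
SSH Enabled - version 2.0
Encryption Algorithms:aes256-ctr
MAC Algorithms:hmac-sha1
Authentication timeout: 10 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
"""
NXOS_DEFAULT = """\
feature telnet
no feature scp-server
no feature sftp-server
feature ssh
ssh login-gracetime 120
ssh login-attempts 3
ssh key rsa 1024
no ssh key dsa
"""

if __name__ == "__main__":
    for name, audit, sample in (("IOS before", audit_ios, IOS_BEFORE),
                                ("IOS after", audit_ios, IOS_AFTER),
                                ("NX-OS default", audit_nxos, NXOS_DEFAULT)):
        print(f"{name}: {audit(sample) or ['compliant']}")
```

Run as-is it reports the untouched CSR-1000v output and the NX-OS defaults and passes the hardened router output; feed it the captured output of your own devices instead. Because the assumed timeout threshold is 60 s, the NX-OS sample is also reported for its login-gracetime 120, which the post leaves at the default; raise MAX_AUTH_TIMEOUT if that matches your policy.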