Configuring SSH and Telnet

This chapter describes how to configure Secure Shell Protocol (SSH) and Telnet on Cisco NX-OS devices.

This chapter includes the following sections:

• Finding Feature Information, on page 1

• Information About SSH and Telnet, on page 1

• Virtualization Support for SSH and Telnet, on page 3

• Prerequisites for SSH and Telnet, on page 3

• Guidelines and Limitations for SSH and Telnet, on page 3

• Default Settings for SSH and Telnet, on page 4

• Configuring SSH , on page 4

• Configuring Telnet, on page 17

• Verifying the SSH and Telnet Configuration, on page 19

• Configuration Example for SSH, on page 19

• Configuration Example for SSH Passwordless File Copy, on page 21

• Additional References for SSH and Telnet, on page 22

Finding Feature Information

Your software release might not support all the features documented in this module. For the latest caveats

and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes

for your software release. To find information about the features documented in this module, and to see a list

of the releases in which each feature is supported, see the "New and Changed Information"chapter or the

Feature History table in this chapter.

Information About SSH and Telnet

This section includes information about SSH and Telnet.

SSH Server

You can use the SSH server to enable an SSH client to make a secure, encrypted connection to a Cisco NX-OS

device. SSH uses strong encryption for authentication. The SSH server in the Cisco NX-OS software can

interoperate with publicly and commercially available SSH clients.

Configuring SSH and Telnet

The user authentication mechanisms supported for SSH are RADIUS, TACACS+, LDAP, and the use of

locally stored usernames and passwords.

SSH Client

The SSH client feature is an application that runs over the SSH protocol to provide device authentication and

encryption. The SSH client enables a Cisco NX-OS device to make a secure, encrypted connection to another

Cisco NX-OS device or to any other device that runs the SSH server. This connection provides an outbound

connection that is encrypted. With authentication and encryption, the SSH client allows for a secure

communication over an insecure network.

The SSH client in the Cisco NX-OS software works with publicly and commercially available SSH servers.

SSH Server Keys

SSH requires server keys for secure communications to the Cisco NX-OS device. You can use SSH server

keys for the following SSH options:

• SSH version 2 using Rivest, Shamir, and Adelman (RSA) public-key cryptography

• SSH version 2 using the Digital System Algrorithm (DSA)

Be sure to have an SSH server key-pair with the appropriate version before enabling the SSH service. You

can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts two

types of key-pairs for use by SSH version 2:

• The dsa option generates the DSA key-pair for the SSH version 2 protocol.

• The rsa option generates the RSA key-pair for the SSH version 2 protocol.

By default, the Cisco NX-OS software generates an RSA key using 1024 bits.

SSH supports the following public key formats:

• OpenSSH

• IETF Secure Shell (SECSH)

• Public Key Certificate in Privacy-Enhanced Mail (PEM)

If you delete all of the SSH keys, you cannot start the SSH services.

Caution

SSH Authentication Using Digital Certificates

SSH authentication on Cisco NX-OS devices provide X.509 digital certificate support for host authentication.

An X.509 digital certificate is a data item that ensures the origin and integrity of a message. It contains

encryption keys for secured communications and is signed by a trusted certification authority (CA) to verify

the identity of the presenter. The X.509 digital certificate support provides either DSA or RSA algorithms for

authentication.

Configuring SSH and Telnet

SSH Client

The certificate infrastructure uses the first certificate that supports the Secure Socket Layer (SSL) and is

returned by the security infrastructure, either through a query or a notification. Verification of certificates is

successful if the certificates are from any of the trusted CAs configured and if not revoked or expired.

You can configure your device for either SSH authentication using an X.509 certificate or SSH authentication

using a Public Key Certificate, but not both. If either of them is configured and the authentication fails, you

are prompted for a password

Telnet Server

The Telnet protocol enables TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP

connection to a login server at another site and then passes the keystrokes from one device to the other. Telnet

can accept either an IP address or a domain name as the remote device address.

The Telnet server is disabled by default on the Cisco NX-OS device.

Virtualization Support for SSH and Telnet

SSH and Telnet configuration and operation are local to the virtual device context (VDC). For more information

on VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide.

Prerequisites for SSH and Telnet

SSH and Telnet have the following prerequisites:

• You have configured IP on a Layer 3 interface, out-of-band on the mgmt 0 interface, or inband on an

Ethernet interface.

Guidelines and Limitations for SSH and Telnet

SSH and Telnet have the following configuration guidelines and limitations:

• The Cisco NX-OS software supports only SSH version 2 (SSHv2).

• You can configure your device for either SSH authentication using an X.509 certificate or SSH

authentication using a public key certificate but not both. If either of them is configured and the

authentication fails, you are prompted for a password.

• Beginning in Cisco NX-OS Release 5.1, SSH runs in FIPS mode.

• The SFTP server feature does not support the regular SFTP chown and chgrp commands.

• When the SFTP server is enabled, only the admin user can use SFTP to access the switch.

• SSH public and private keys imported into user accounts that are remotely authenticated through a AAA

protocol (such as RADIUS or TACACS+) for the purpose of SSH Passwordless File Copy will not persist

when the Nexus device is reloaded unless a local user account with the same name as the remote user

account is configured on the device before the SSH keys are imported.

Configuring SSH and Telnet

Telnet Server

If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might

differ from the Cisco IOS commands that you would use.

Note

Related Topics

Configuring FIPS

Default Settings for SSH and Telnet

This table lists the default settings for SSH and Telnet parameters.

Table 1: Default SSH and Telnet Parameters

DefaultParameters

EnabledSSH server

RSA key generated with 1024 bitsSSH server key

1024RSA key bits for generation

DisabledTelnet server

23Telnet port number

3Maximum number of SSH login attempts

DisabledSCP server

DisabledSFTP server

Configuring SSH

This section describes how to configure SSH.

Generating SSH Server Keys

You can generate an SSH server key based on your security requirements. The default SSH server key is an

RSA key that is generated using 1024 bits.

SUMMARY STEPS

1. configure terminal

2. no feature ssh

3. ssh key {dsa [force] | rsa [bits [force]]}

4. feature ssh

5. exit

Configuring SSH and Telnet

Default Settings for SSH and Telnet

6. (Optional) show ssh key

7. (Optional) copy running-config startup-config

DETAILED STEPS

PurposeCommand or Action

Enters global configuration mode.configure terminal

Example:

Step 1

switch# configure terminal

switch(config)#

Disables SSH.no feature ssh

Example:

Step 2

switch(config)# no feature ssh

Generates the SSH server key.ssh key {dsa [force] | rsa [bits [force]]}

Step 3

Example:

The bits argument is the number of bits used to generate

the RSA key. Beginning with Cisco NX-OS Release 5.1,

switch(config)# ssh key rsa 2048

the range is from 1024 to 2048. In Cisco NX-OS Release

5.0, The range is from 768 to 2048. The default value is

1024.

You cannot specify the size of the DSA key. It is always

set to 1024 bits.

Use the force keyword to replace an existing key.

Enables SSH.feature ssh

Example:

Step 4

switch(config)# feature ssh

Exits global configuration mode.exit

Example:

Step 5

switch(config)# exit

switch#

Displays the SSH server keys.(Optional) show ssh key

Example:

Step 6

switch# show ssh key

Copies the running configuration to the startup

configuration.

(Optional) copy running-config startup-config

Example:

Step 7

switch# copy running-config startup-config

Specifying the SSH Public Keys for User Accounts

You can configure an SSH public key to log in using an SSH client without being prompted for a password.

You can specify the SSH public key in one of these formats:

Configuring SSH and Telnet

Specifying the SSH Public Keys for User Accounts

• OpenSSH format

• IETF SECSH format

• Public Key Certificate in PEM format

Specifying the SSH Public Keys in IETF SECSH Format

You can specify the SSH public keys in IETF SECSH format for user accounts.

Before you begin

Generate an SSH public key in IETF SCHSH format.

SUMMARY STEPS

1. copy server-file bootflash:filename

2. configure terminal

3. username username sshkey file bootflash:filename

4. exit

5. (Optional) show user-account

6. (Optional) copy running-config startup-config

DETAILED STEPS

PurposeCommand or Action

Downloads the file containing the SSH key in IETF SECSH

format from a server. The server can be FTP, secure copy

(SCP), secure FTP (SFTP), or TFTP.

copy server-file bootflash:filename

Example:

switch# copy tftp://10.10.1.1/secsh_file.pub

bootflash:secsh_file.pub

Step 1

Enters global configuration mode.configure terminal

Example:

Step 2

switch# configure terminal

switch(config)#

Configures the SSH public key in IETF SECSH format.username username sshkey file bootflash:filename

Example:

Step 3

switch(config)# username User1 sshkey file

bootflash:secsh_file.pub

Exits global configuration mode.exit

Example:

Step 4

switch(config)# exit

switch#

Displays the user account configuration.(Optional) show user-account

Example:

Step 5

switch# show user-account

Configuring SSH and Telnet

Specifying the SSH Public Keys in IETF SECSH Format

PurposeCommand or Action

Copies the running configuration to the startup

configuration.

(Optional) copy running-config startup-config

Example:

Step 6

switch# copy running-config startup-config

Specifying the SSH Public Keys in OpenSSH Format

You can specify the SSH public keys in OpenSSH format for user accounts.

Before you begin

Generate an SSH public key in OpenSSH format.

SUMMARY STEPS

1. configure terminal

2. username username sshkey ssh-key

3. exit

4. (Optional) show user-account

5. (Optional) copy running-config startup-config

DETAILED STEPS

PurposeCommand or Action

Enters global configuration mode.configure terminal

Example:

Step 1

switch# configure terminal

switch(config)#

Configures the SSH public key in OpenSSH format.username username sshkey ssh-key

Example:

Step 2

switch(config)# username User1 sshkey

ssh-rsa

AAAAB3NzaC1yc2EAAAABIwAAAIEAy19oF6QaZl9G+3f1XswK3OiW4H7YyUyuA50rv7gsEPj

hOBYmsi6PAVKui1nIf/DQhum+lJNqJP/eLowb7ubO+lVKRXFY/G+lJNIQW3g9igG30c6k6+

XVn+NjnI1B7ihvpVh7dLddMOXwOnXHYshXmSiH3UD/vKyziEh5S4Tplx8=

Exits global configuration mode.exit

Example:

Step 3

switch(config)# exit

switch#

Displays the user account configuration.(Optional) show user-account

Example:

Step 4

switch# show user-account

Configuring SSH and Telnet

Specifying the SSH Public Keys in OpenSSH Format

PurposeCommand or Action

Copies the running configuration to the startup

configuration.

(Optional) copy running-config startup-config

Example:

Step 5

switch# copy running-config startup-config

Configuring a Maximum Number of SSH Login Attempts

You can configure the maximum number of SSH login attempts. If the user exceeds the maximum number

of permitted attempts, the session disconnects.

The total number of login attempts includes attempts through public-key authentication, certificate-based

authentication, and password-based authentication. If public-key authentication is enabled, it takes priority.

If only certificate-based and password-based authentication are enabled, certificate-based authentication takes

priority. If you exceed the configured number of login attempts through all of these methods, a message

appears indicating that too many authentication failures have occurred.

Note

SUMMARY STEPS

1. configure terminal

2. ssh login-attempts number

3. (Optional) show running-config security all

4. (Optional) copy running-config startup-config

DETAILED STEPS

PurposeCommand or Action

Enters global configuration mode.configure terminal

Example:

Step 1

switch# configure terminal

switch(config)#

Configures the maximum number of times that a user can

attempt to log into an SSH session. The default maximum

number of login attempts is 3. The range is from 1 to 10.

ssh login-attempts number

Example:

switch(config)# ssh login-attempts 5

Step 2

The no form of this command removes the

previous login attempts value and sets the

maximum number of login attempts to the default

value of 3.

Note

Displays the configured maximum number of SSH login

attempts.

(Optional) show running-config security all

Example:

Step 3

switch(config)# show running-config security all

Configuring SSH and Telnet

Configuring a Maximum Number of SSH Login Attempts

PurposeCommand or Action

(Optional) Copies the running configuration to the startup

configuration.

(Optional) copy running-config startup-config

Example:

Step 4

switch(config)# copy running-config startup-config

Configuring a Login Grace Time for SSH Connections

You can configure the login grace time for SSH connections from remote devices to your Cisco NX-OS

device. This configures the grace time for clients to authenticate themselves. If the time to login to the SSH

session exceeds the specified grace time, the session disconnects and you will need to attempt logging in

again.

Enable the SSH server on the remote device.

Note

SUMMARY STEPS

1. configure terminal

2. feature ssh

3. ssh login-gracetime number

4. (Optional) exit

5. (Optional) show running-config security

6. (Optional) show running-config security all

7. (Optional) copy running-config startup-config

DETAILED STEPS

PurposeCommand or Action

Enters global configuration mode.configure terminal

Example:

Step 1

switch# configure terminal

switch(config)#

Enables SSH.feature ssh

Example:

Step 2

switch# feature ssh

switch(config)#

Configures the login grace time in seconds for SSH

connections from remote devices to your Cisco NX-OS

ssh login-gracetime number

Example:

Step 3

device. The default login grace time is 120 seconds. The

range is from 1 to 2147483647.

switch(config)# ssh login-gracetime 120

The no form of this command removes the

configured login grace time and resets it to the

default value of 120 seconds.

Note

Configuring SSH and Telnet

Configuring a Login Grace Time for SSH Connections

PurposeCommand or Action

Exits global configuration mode.(Optional) exit

Example:

Step 4

switch(config)# exit

Displays the configured SSH login grace time.(Optional) show running-config security

Example:

Step 5

switch(config)# show running-config security

Displays the configured or default SSH login grace time.(Optional) show running-config security all

Example:

Step 6

switch(config)# show running-config security all

(Optional) Copies the running configuration to the startup

configuration.

(Optional) copy running-config startup-config

Example:

Step 7

switch(config)# copy running-config startup-config

Starting SSH Sessions

You can start SSH sessions using IPv4 or IPv6 to connect to remote devices from the Cisco NX-OS device.

Before you begin

Obtain the hostname for the remote device and, if needed, the username on the remote device.

Enable the SSH server on the remote device.

SUMMARY STEPS

1. ssh [username@]{ipv4-address | hostname} [vrf vrf-name]

2. ssh6 [username@]{ipv6-address | hostname} [vrf vrf-name]

DETAILED STEPS

PurposeCommand or Action

Creates an SSH IPv4 session to a remote device using IPv4.

The default VRF is the default VRF.

ssh [username@]{ipv4-address | hostname} [vrf vrf-name]

Example:

Step 1

switch# ssh 10.10.1.1

Creates an SSH IPv6 session to a remote device using IPv6.ssh6 [username@]{ipv6-address | hostname} [vrf

vrf-name]

Step 2

Example:

switch# ssh6 HostA

Configuring SSH and Telnet

Starting SSH Sessions

Starting SSH Sessions from Boot Mode

You can start SSH sessions from the boot mode of the Cisco NX-OS device to connect to remote devices.

Before you begin

Obtain the hostname for the remote device and, if needed, the username on the remote device.

Enable the SSH server on the remote device.

Ensure that the Cisco NX-OS device is loaded with only the kickstart image.

SUMMARY STEPS

1. ssh [username@]hostname

2. exit

3. copy scp://[username@]hostname/filepath directory

DETAILED STEPS

PurposeCommand or Action

Creates an SSH session to a remote device from the boot

mode of the Cisco NX-OS device. The default VRF is

always used.

ssh [username@]hostname

Example:

switch(boot)# ssh [email protected]

Step 1

Exits boot mode.exit

Example:

Step 2

switch(boot)# exit

Copies a file from the Cisco NX-OS device to a remote

device using the Secure Copy Protocol (SCP). The default

VRF is always used.

copy scp://[username@]hostname/filepath directory

Example:

switch# copy scp://[email protected]/users abc

Step 3

Configuring SSH Passwordless File Copy

You can copy files from a Cisco NX-OS device to a secure copy (SCP) or secure FTP (SFTP) server without

a password. To do so, you must create an RSA or DSA identity that consists of public and private keys for

authentication with SSH.

SUMMARY STEPS

1. configure terminal

2. [no] username username keypair generate {rsa [bits [force]] | dsa [force]}

3. (Optional) show username username keypair

4. username username keypair export {bootflash:filename | volatile:filename} {rsa | dsa} [force]

5. username username keypair import {bootflash:filename | volatile:filename} {rsa | dsa} [force]

Configuring SSH and Telnet

Starting SSH Sessions from Boot Mode

DETAILED STEPS

PurposeCommand or Action

Enters global configuration mode.configure terminal

Example:

Step 1

switch# configure terminal

switch(config)#

Generates the SSH public and private keys and stores them

in the home directory ($HOME/.ssh) of the Cisco NX-OS

[no] username username keypair generate {rsa [bits

[force]] | dsa [force]}

Step 2

device for the specified user. The Cisco NX-OS device uses

Example:

the keys to communicate with the SSH server on the remote

machine.

switch(config)# username user1 keypair generate

rsa 2048 force

The bits argument is the number of bits used to generate

the key. Beginning with Cisco NX-OS Release 5.1, the

range is from 1024 to 2048. In Cisco NX-OS Release 5.0,

the range is from 768 to 2048. The default value is 1024.

Use the force keyword to replace an existing key. The SSH

keys are not generated if the force keyword is omitted and

SSH keys are already present.

Displays the public key for the specified user.(Optional) show username username keypair

Step 3

Example:

For security reasons, this command does not

show the private key.

Note

switch(config)# show username user1 keypair

Exports the public and private keys from the home directory

of the Cisco NX-OS device to the specified bootflash or

volatile directory.

Required: username username keypair export

{bootflash:filename | volatile:filename} {rsa | dsa} [force]

Example:

Step 4

Use the force keyword to replace an existing key. The SSH

keys are not exported if the force keyword is omitted and

SSH keys are already present.

switch(config)# username user1 keypair export

bootflash:key_rsa rsa

To export the generated key pair, you are prompted to enter

a passphrase that encrypts the private key. The private key

is exported as the file that you specify, and the public key

is exported with the same filename followed by a .pub

extension. You can now copy this key pair to any Cisco

NX-OS device and use SCP or SFTP to copy the public key

file (*.pub) to the home directory of the server.

For security reasons, this command can be

executed only from global configuration mode.

Note

Imports the exported public and private keys from the

specified bootflash or volatile directory to the home

directory of the Cisco NX-OS device.

Required: username username keypair import

{bootflash:filename | volatile:filename} {rsa | dsa} [force]

Example:

Step 5

Use the force keyword to replace an existing key. The SSH

keys are not imported if the force keyword is omitted and

SSH keys are already present.

switch(config)# username user1 keypair import

bootflash:key_rsa rsa

Configuring SSH and Telnet

Configuring SSH Passwordless File Copy

PurposeCommand or Action

To import the generated key pair, you are prompted to enter

a passphrase that decrypts the private key. The private key

is imported as the file that you specify, and the public key

is imported with the same filename followed by a .pub

extension.

For security reasons, this command can be

executed only from global configuration mode.

Note

Only the users whose keys are configured on the

server are able to access the server without a

password.

Note

What to do next

On the SCP or SFTP server, use the following command to append the public key stored in the *.pub file (for

example, key_rsa.pub) to the authorized_keys file:

$ cat key_rsa.pub >> $HOME/.ssh/ authorized_keys

You can now copy files from the Cisco NX-OS device to the server without a password using standard SSH

and SCP commands.

Configuring SCP and SFTP Servers

You can configure an SCP or SFTP server on the Cisco NX-OS device in order to copy files to and from a

remote device. After you enable the SCP or SFTP server, you can execute an SCP or SFTP command on the

remote device to copy the files to or from the Cisco NX-OS device.

The arcfour and blowfish cipher options are not supported for the SCP server.

Note

SUMMARY STEPS

1. configure terminal

2. [no] feature scp-server

3. [no] feature sftp-server

4. exit

5. (Optional) show running-config security

6. (Optional) copy running-config startup-config

DETAILED STEPS

PurposeCommand or Action

Enters global configuration mode.configure terminal

Example:

Step 1

Configuring SSH and Telnet

Configuring SCP and SFTP Servers

PurposeCommand or Action

switch# configure terminal

switch(config)#

Enables or disables the SCP server on the Cisco NX-OS

device.

[no] feature scp-server

Example:

Step 2

switch(config)# feature scp-server

Enables or disables the SFTP server on the Cisco NX-OS

device.

Required: [no] feature sftp-server

Example:

Step 3

switch(config)# feature sftp-server

Exits global configuration mode.Required: exit

Example:

Step 4

switch(config)# exit

switch#

Displays the configuration status of the SCP and SFTP

servers.

(Optional) show running-config security

Example:

Step 5

switch# show running-config security

Copies the running configuration to the startup

configuration.

(Optional) copy running-config startup-config

Example:

Step 6

switch# copy running-config startup-config

Clearing SSH Hosts

When you download a file from a server using SCP or SFTP, or when you start an SSH session from this

device to a remote host, you establish a trusted SSH relationship with that server. You can clear the list of

trusted SSH servers for your user account.

SUMMARY STEPS

1. clear ssh hosts

DETAILED STEPS

PurposeCommand or Action

Clears the SSH host sessions and the known host file.clear ssh hosts

Example:

Step 1

switch# clear ssh hosts

Disabling the SSH Server

By default, the SSH server is enabled on the Cisco NX-OS device. You can disable the SSH server to prevent

SSH access to the switch.

Configuring SSH and Telnet

Clearing SSH Hosts

SUMMARY STEPS

1. configure terminal

2. no feature ssh

3. exit

4. (Optional) show ssh server

5. (Optional) copy running-config startup-config

DETAILED STEPS

PurposeCommand or Action

Enters global configuration mode.configure terminal

Example:

Step 1

switch# configure terminal

switch(config)#

Disables SSH.no feature ssh

Example:

Step 2

switch(config)# no feature ssh

Exits global configuration mode.exit

Example:

Step 3

switch(config)# exit

switch#

Displays the SSH server configuration.(Optional) show ssh server

Example:

Step 4

switch# show ssh server

Copies the running configuration to the startup

configuration.

(Optional) copy running-config startup-config

Example:

Step 5

switch# copy running-config startup-config

Deleting SSH Server Keys

You can delete SSH server keys on the Cisco NX-OS device after you disable the SSH server.

To reenable SSH, you must first generate an SSH server key.

Note

SUMMARY STEPS

1. configure terminal

2. no feature ssh

3. no ssh key [dsa | rsa]

4. exit

Configuring SSH and Telnet

Deleting SSH Server Keys

5. (Optional) show ssh key

6. (Optional) copy running-config startup-config

DETAILED STEPS

PurposeCommand or Action

Enters global configuration mode.configure terminal

Example:

Step 1

switch# configure terminal

switch(config)#

Disables SSH.no feature ssh

Example:

Step 2

switch(config)# no feature ssh

Deletes the SSH server key.no ssh key [dsa | rsa]

Step 3

Example:

The default is to delete all the SSH keys.

switch(config)# no ssh key rsa

Exits global configuration mode.exit

Example:

Step 4

switch(config)# exit

switch#

Displays the SSH server key configuration.(Optional) show ssh key

Example:

Step 5

switch# show ssh key

Copies the running configuration to the startup

configuration.

(Optional) copy running-config startup-config

Example:

Step 6

switch# copy running-config startup-config