ssh

Required Command-Line Mode = Configure

Use the ssh command to enable, disable, and configure the GigaVUE H Series node’s SSH server for access to the Mgmt port.

The ssh command has the following syntax:

ssh
   client
      ciphers <aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm>
      global <host-key-check <yes | no | ask> | known-host <known host entry>>
      user <username> <authorized-key sshv2 <public key> | identity <rsa2 | ecdsa> <generate | private-key [private key] | public-key <public-key>> | known-host <known host> remove>
   server
      ciphers <aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm>
      enable
      host-key
         rsa2 <private-key [private key] | public-key <public-key>>
         ecdsa <private-key [private key] | public-key <public-key>>
         generate
      ports <port> [port] [port] [port]..

The following table describes the arguments for the ssh command:

Argument

Description

client ciphers

Configures the ciphers used by the SSH client on the node.

The following ciphers are allowed in classic/legacy mode:

aes128-cbc*

aes128-ctr

aes128-gcm@openssh.com

aes192-ctr

aes256-cbc*

aes256-ctr

aes256-gcm@openssh.com

Note: The CBC ciphers are disabled in normal mode and are available only in secured crypto mode. The CTR ciphers can be used in normal mode.

The following ciphers are allowed in secured crypto mode:

aes128-cbc

aes128-gcm@openssh.com

aes256-cbc

aes256-gcm@openssh.com

client global <host-key-check <yes | no | ask>>

Sets SSH client configuration to control how host key checking is done, as follows:

yes—Specifies strict host key checking, which only permits connection if a matching host key is in the known hosts file and which does not access systems without pre-configured host keys.
ask—Prompts the user to accept new host keys.
no—Specifies non-strict host key checking, which always permits connection and accepts any new or changed host keys without checking.

For example:

(config) # ssh client global host-key-check yes

client global <known-host <known host entry>>

Adds an entry to the global known-hosts configuration file.

client user <username> <authorized-key sshv2 <public key>>

Adds the specified key to the list of authorized SSHv2 RSA or DSA public keys for this user account.

client user <username> <identity <rsa2 | ecdsa> generate>

Generates a new identity (private and public keys) for the specified user. When the keys are generated, the private key is written to the user's .ssh directory in a file, for example, id_dsa. The rsa2 and ecdsa arguments specify generation of RSA v2 and ECDSA keys for SSHv2.

client user <username> <identity <rsa2 | ecdsa> <private-key [private key] | public-key <public-key>>>

Specifies the public or private key (of the specified type) for the specified user. This is an alternative to generating the key. The rsa2 and ecdsa arguments select RSA v2 or ECDSA keys for SSHv2. If private-key or public-key is specified without a key, the user is prompted for the key.

client user <username> <known-host <known host> remove>

Removes a known host from a specified user’s .ssh known_hosts file.

server enable

Enables the SSH server on the GigaVUE H Series node for connections to the Mgmt port. You can also disable SSH access with the no ssh server enable command.

For example:

(config) # ssh server enable

server ciphers

Configures the ciphers used by the sshd server running on the node.

The following ciphers are allowed in the classic/legacy mode:

aes128-cbc

aes128-ctr

aes128-gcm@openssh.com

aes192-ctr

aes256-cbc

aes256-ctr

aes256-gcm@openssh.com

The following ciphers are allowed in the secured crypto mode:

aes128-cbc

aes128-gcm@openssh.com

aes256-cbc

aes256-gcm@openssh.com

server host-key
   rsa2 <private-key [private key] | public-key <public-key>>
   ecdsa2 <private-key [private key] | public-key <public-key>>
   generate

Changes the SSH server host keys provided with the GigaVUE H Series node, as follows:

generate—Generates new RSA and DSA host keys.
rsa2, or ecdsa2—Supplies a specific value for a public or private key of the specified type.
private-key or public-key—Specifies whether you are generating a private key or a public key.

For example, to generate new RSA and DSA host keys for SSH:

(config) # ssh server host-key generate

For example, to set a new private-key for host keys of type rsa2:

(config) # ssh server host-key rsa2 private-key

You will be prompted to enter the key.

server ports <port> [port] [port] [port]..

Specifies the TCP port(s) on which the SSH server listens. Multiple ports can be specified. The default is 22.

For example:

(config) # ssh server ports 23

Related Commands

The following table summarizes other commands related to the ssh command:

Task

Command

Displays SSH client settings.

# show ssh client

Displays SSH server settings.

# show ssh server

Displays SSH server settings with full host keys.

# show ssh server host-keys

Resets global SSH client host key check settings.

(config) # no ssh client global host-key-check

Deletes a global SSH client known host entry by host.

(config) # no ssh client global known-host <known-host-entry>

Deletes a public key from an authorized key list for a specified user.

(config) # no ssh client user monitor authorized-key sshv2 <public key ID>

Deletes all SSH client identity keys for a specified user.

(config) # no ssh client user monitor identity

Deletes SSH client identity keys for a specified user and for a specified type of identity.

(config) # no ssh client user monitor identity rsa2

Disables the SSH server.

(config) # no ssh server enable

Note: GigaVUE‑HC2 and GigaVUE-HC2-Plus devices have 4 GB of RAM and can enter a low-memory condition when operating under scaled conditions. It is recommended that you never have more than two SSH sessions open on the device.
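
The following check is an added example, not part of the original page and not vendor tooling: it audits saved ssh configuration lines written in the syntax above, reporting ciphers that fall outside this page's list for a given crypto mode and any host-key-check setting other than yes. The mode labels, the sample lines, the acceptance of several ciphers on one line, and the treatment of aes128-gcm as aes128-gcm@openssh.com are assumptions.

```python
# Added example: audit saved "ssh ..." configuration lines against this page.
# Cipher names are copied from the page's two lists; the asterisked CBC entries
# in the classic/legacy list are kept as listed (see the page's note on CBC).
ALLOWED = {
    "classic": {"aes128-cbc", "aes128-ctr", "aes128-gcm@openssh.com", "aes192-ctr",
                "aes256-cbc", "aes256-ctr", "aes256-gcm@openssh.com"},
    "secured": {"aes128-cbc", "aes128-gcm@openssh.com",
                "aes256-cbc", "aes256-gcm@openssh.com"},
}

def normalize(cipher):
    # Assumption: the short form in the syntax summary (aes128-gcm) names the
    # same cipher as the full form in the lists (aes128-gcm@openssh.com).
    return cipher + "@openssh.com" if cipher.endswith("-gcm") else cipher

def audit(config_text, mode):
    """Return a list of (line_number, message) findings for the given crypto mode."""
    findings = []
    check = (0, None)  # (line, value) of the last host-key-check setting seen
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        words = raw.split("#", 1)[-1].split()  # drop a leading "(config) #" prompt
        negated = words[:1] == ["no"]
        if negated:
            words = words[1:]
        if words[:1] != ["ssh"]:
            continue
        if words[1:4] == ["client", "global", "host-key-check"]:
            # "no ssh client global host-key-check" resets the setting.
            check = (lineno, None if negated or len(words) < 5 else words[4])
        elif words[2:3] == ["ciphers"] and not negated:
            for cipher in map(normalize, words[3:]):
                if cipher not in ALLOWED[mode]:
                    findings.append((lineno, f"{words[1]} cipher {cipher} is not allowed in {mode} mode"))
    if check[1] != "yes":
        state = check[1] or "not set explicitly"
        findings.append((check[0], f"host-key-check is {state}; only 'yes' enforces strict checking"))
    return findings

# Constructed sample input, not taken from a real node.
SAMPLE = """\
(config) # ssh client global host-key-check no
(config) # ssh server ciphers aes256-ctr
(config) # ssh server ciphers aes256-gcm
(config) # ssh client ciphers aes128-cbc
"""

if __name__ == "__main__":
    for lineno, message in audit(SAMPLE, "secured"):
        print(f"line {lineno}: {message}")
```
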