ssh

Required Command-Line Mode = Configure

Use the ssh command to enable, disable, and configure the GigaVUE® HC Series node’s SSH server for access to the Mgmt port.

The ssh command has the following syntax:

ssh
   client
      ciphers <aes128-cbc | aes128-ctr | aes128-gcm@openssh.com | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm@openssh.com>
      global <host-key-check <yes | no | ask> | known-host <known host entry>>
      hostkey-algo <ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | ecdsa-sha2-nistp521 | rsa-sha2-256 | rsa-sha2-512>
      kex <diffie-hellman-group14-sha256 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 | ecdh-sha2-nistp521>
      macs <hmac-sha2-256 | hmac-sha2-512>
      user <username> <authorized-key sshv2 <public key> | identity <rsa2 | ecdsa> <generate | private-key [private key] | public-key <public-key>> | known-host <known host> remove>
   server
      ciphers <aes128-cbc | aes128-ctr | aes128-gcm@openssh.com | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm@openssh.com>
      enable
      host-key
         rsa2 <private-key [private key] | public-key <public-key>>
         ecdsa <private-key [private key] | public-key <public-key>>
         generate
      hostkey-algo <rsa-sha2-256 | rsa-sha2-512>
      kex <diffie-hellman-group14-sha256 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 | ecdh-sha2-nistp521>
      macs <hmac-sha2-256 | hmac-sha2-512>
      ports <port> [port] [port] [port]...

The following table describes the arguments for the ssh command:

Argument

Description

client ciphers

Configures the ciphers used by the SSH client on the node.

The following ciphers are allowed in the "classic mode":

  • aes128-cbc *

  • aes128-ctr

  • aes128-gcm@openssh.com

  • aes192-ctr

  • aes256-cbc *

  • aes256-ctr

  • aes256-gcm@openssh.com

Note:  The CBC ciphers marked with an asterisk (*) are disabled in normal mode and are available only in "secure crypto mode". The CTR ciphers can be used in normal mode.

The following ciphers are allowed in the "secure crypto mode":

  • aes128-cbc

  • aes128-gcm@openssh.com

  • aes256-cbc

  • aes256-gcm@openssh.com

The following ciphers are allowed in the "FIPS mode":

  • aes128-cbc

  • aes128-gcm@openssh.com

  • aes256-cbc

  • aes256-gcm@openssh.com

client global <host-key-check <yes | no | ask>>

Sets the SSH client configuration that controls how host key checking is done, as follows:

yes—Strict host key checking. A connection is permitted only if a matching host key is already in the known hosts file; hosts without a pre-configured host key are not accessed.
ask—Prompts the user before accepting a new host key.
no—Non-strict host key checking. A connection is always permitted, and any new or changed host key is accepted without checking. With this setting the client cannot detect a substituted host key, so a man-in-the-middle on the management path goes unnoticed.

For example:

(config) # ssh client global host-key-check yes

client global <known-host <known host entry>>

Adds an entry to the global known-hosts configuration file.

client hostkey-algo

Configures the host key algorithms used by the SSH client on the node.

The following hostkey algos are allowed in the "classic mode":

  • ecdsa-sha2-nistp256

  • ecdsa-sha2-nistp384

  • ecdsa-sha2-nistp521

  • rsa-sha2-256

  • rsa-sha2-512

The following hostkey algos are allowed in the "secure crypto mode":

  • ecdsa-sha2-nistp256

  • ecdsa-sha2-nistp384

  • ecdsa-sha2-nistp521

The following hostkey algos are allowed in the "FIPS mode":

  • ecdsa-sha2-nistp256

  • ecdsa-sha2-nistp384

  • ecdsa-sha2-nistp521

client kex

Configures the key exchange (kex) algorithms used by the SSH client on the node.

The following kex are allowed in the "classic mode":

  • diffie-hellman-group14-sha256

  • ecdh-sha2-nistp256

  • ecdh-sha2-nistp384

  • ecdh-sha2-nistp521

The following kex are allowed in the "secure crypto mode":

  • ecdh-sha2-nistp256

  • ecdh-sha2-nistp384

  • ecdh-sha2-nistp521

The following kex are allowed in the "FIPS mode":

  • ecdh-sha2-nistp256

  • ecdh-sha2-nistp384

  • ecdh-sha2-nistp521

client macs

Configures the message authentication codes (macs) used by the SSH client on the node.

The following macs are allowed in the "classic mode":

  • hmac-sha2-256

  • hmac-sha2-512

The following macs are allowed in the "secure crypto mode":

  • hmac-sha2-256

  • hmac-sha2-512

The following macs are allowed in the "FIPS mode":

  • hmac-sha2-256

  • hmac-sha2-512

client user <username> <authorized-key sshv2 <public key>>

Adds the specified public key to the list of authorized SSHv2 public keys for this user account.
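To make the three host-key-check settings concrete, and to check a key line before passing it to known-host or authorized-key sshv2, here is an added Python example (not part of this reference and not Gigamon code). It emulates the yes/ask/no decisions against a known_hosts file, including the changed-key case a client sees after a node's host keys are regenerated, and validates that a pasted OpenSSH public-key line is well formed and declares the key type its blob actually carries. All keys and hosts in it are constructed placeholders, and the assumption that the known host entry argument takes a standard "host keytype base64" known_hosts line is the example's, not the page's.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data

def _read_ssh_string(blob: bytes, offset: int = 0):
    """Decode one SSH wire-format string at offset; returns (payload, next_offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if len(blob) < end:
        raise ValueError("truncated key blob")
    return blob[start:end], end

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the raw key blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def validate_public_key_line(line: str):
    """Check a '<keytype> <base64> [comment]' line before pasting it into the CLI.
    Returns (True, fingerprint) when the base64 decodes and the type embedded in the
    blob matches the declared type, otherwise (False, reason). Catches the usual
    copy/paste damage before it becomes an authorized key or a known-host entry."""
    parts = line.split(maxsplit=2)
    if len(parts) < 2:
        return False, "expected '<keytype> <base64> [comment]'"
    keytype, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        embedded, _ = _read_ssh_string(blob)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, f"undecodable key blob: {exc}"
    if embedded != keytype.encode():
        return False, f"declared {keytype} but blob encodes {embedded.decode(errors='replace')}"
    return True, fingerprint(b64)

def parse_known_hosts(text: str) -> dict:
    """Map host -> {keytype: base64 blob} from known_hosts lines (plain, unhashed hosts)."""
    known = {}
    for line in text.splitlines():
        fields = line.strip().split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        hosts, keytype, b64 = fields[:3]
        for host in hosts.split(","):
            known.setdefault(host, {})[keytype] = b64
    return known

def check_host_key(known: dict, host: str, keytype: str, presented: str, policy: str):
    """Emulate host-key-check yes|ask|no for one presented server key.
    Returns (decision, reason) with decision in {"connect", "prompt", "refuse"}."""
    if policy not in ("yes", "ask", "no"):
        raise ValueError("policy must be yes, ask or no")
    stored = known.get(host, {}).get(keytype)
    if stored is not None:
        if stored == presented:
            return "connect", "host key matches known_hosts"
        # A changed key is either a legitimate rotation (e.g. after
        # 'ssh server host-key generate') or a man-in-the-middle.
        # Only policy 'no' proceeds; 'yes' and 'ask' both refuse.
        if policy == "no":
            return "connect", "WARNING: changed host key accepted without checking"
        return "refuse", (f"host key for {host} changed: expected "
                          f"{fingerprint(stored)}, got {fingerprint(presented)}")
    # No key of this type is stored for this host.
    if policy == "yes":
        return "refuse", f"no pre-configured {keytype} host key for {host}"
    if policy == "ask":
        return "prompt", f"new host key {fingerprint(presented)}; operator must confirm"
    return "connect", "new host key accepted without checking"

def _constructed_key(keytype: str, *fields: bytes) -> str:
    """Build a structurally valid public-key blob for demonstration only (not real key material)."""
    blob = _ssh_string(keytype.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(blob).decode()

# Constructed sample data: two nodes in a global known_hosts file, one rotated
# node key, and one user public key. None of these are real keys.
NODE_A_KEY = _constructed_key("ecdsa-sha2-nistp384", b"nistp384", b"constructed point A")
NODE_A_ROTATED = _constructed_key("ecdsa-sha2-nistp384", b"nistp384", b"constructed point A v2")
NODE_B_KEY = _constructed_key("ssh-rsa", b"\x01\x00\x01", b"constructed modulus B")
USER_KEY = _constructed_key("ecdsa-sha2-nistp256", b"nistp256", b"constructed user point")
KNOWN_HOSTS = (
    f"10.0.0.5 ecdsa-sha2-nistp384 {NODE_A_KEY}\n"
    "# comments and blank lines are ignored\n\n"
    f"10.0.0.6,gv-hc1.example.net ssh-rsa {NODE_B_KEY}\n"
)

if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    for policy in ("yes", "ask", "no"):
        print(policy, check_host_key(known, "10.0.0.5", "ecdsa-sha2-nistp384", NODE_A_ROTATED, policy))
        print(policy, check_host_key(known, "10.0.0.9", "ssh-rsa", NODE_B_KEY, policy))
    print(validate_public_key_line(f"ecdsa-sha2-nistp256 {USER_KEY} ops@workstation"))
    print(validate_public_key_line(f"ssh-rsa {USER_KEY}"))
```

Under host-key-check yes the rotated key and the unknown host are both refused; ask prompts only for the unknown host and still refuses the changed key; no connects in every case, which is why it should not be used on a management network you do not fully control.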

client user <username> <identity <rsa2 | ecdsa> generate>>

Generates a new identity (private and public key pair) for the specified user. The private key is written to a file in the user's .ssh directory. rsa2 generates an RSA v2 key pair and ecdsa an ECDSA key pair, both for SSHv2.

client user <username> <identity <rsa2 | ecdsa> <private-key [private key] | public-key <public-key>>

Supplies the public or private key (of the specified type) for the specified user, as an alternative to generating the key. rsa2 and ecdsa select the key type (RSA v2 or ECDSA) for SSHv2. If private-key or public-key is specified without a key, the user is prompted for the key.

client user <username> <known-host <known host> remove>

Removes a known host from a specified user’s .ssh known_hosts file.

server enable

Enables the SSH server on the GigaVUE HC Series node for connections to the Mgmt port. You can disable SSH access with the no ssh server enable command.

For example:

(config) # ssh server enable

server ciphers

Configures the ciphers used by the SSH server on the node.

The following ciphers are allowed in the "classic mode":

  • aes128-cbc

  • aes128-ctr

  • aes128-gcm@openssh.com

  • aes192-ctr

  • aes256-cbc

  • aes256-ctr

  • aes256-gcm@openssh.com

The following ciphers are allowed in the "secure crypto mode":

  • aes128-cbc

  • aes128-gcm@openssh.com

  • aes256-cbc

  • aes256-gcm@openssh.com

The following ciphers are allowed in the "FIPS mode":

  • aes128-cbc

  • aes128-gcm@openssh.com

  • aes256-cbc

  • aes256-gcm@openssh.com

server host-key
   rsa2 <private-key [private key] | public-key <public-key>>
   ecdsa2 <private-key [private key] | public-key <public-key>>
   generate

Changes the SSH server host keys provided with the GigaVUE HC Series node, as follows:

generate—Generates new RSA v2 and ECDSA host keys.
rsa2 or ecdsa2—Supplies a specific value for a public or private key of the specified type.
private-key or public-key—Specifies whether the value you supply is a private key or a public key.

For example, to generate new host keys for SSH:

(config) # ssh server host-key generate

For example, to set a new private key for host keys of type rsa2:

(config) # ssh server host-key rsa2 private-key

You will be prompted to enter the key.

After generating or replacing host keys, record the new keys with show ssh server host-keys and distribute them to administrators: clients configured for strict host key checking will refuse to connect while their known_hosts files still hold the old key.

server hostkey-algo

Configures the host key algorithms used by the SSH server on the node.

The following hostkey algos are allowed in the "classic mode":

  • rsa-sha2-256

  • rsa-sha2-512

The following hostkey algo is allowed in the "secure crypto mode":

  • ecdsa-sha2-nistp384

The following hostkey algo is allowed in the "FIPS mode":

  • ecdsa-sha2-nistp384

server kex

Configures the key exchange (kex) algorithms used by the SSH server on the node.

The following kex are allowed in the "classic mode":

  • diffie-hellman-group14-sha256

  • ecdh-sha2-nistp256

  • ecdh-sha2-nistp384

  • ecdh-sha2-nistp521

The following kex are allowed in the "secure crypto mode":

  • ecdh-sha2-nistp256

  • ecdh-sha2-nistp384

  • ecdh-sha2-nistp521

The following kex are allowed in the "FIPS mode":

  • ecdh-sha2-nistp256

  • ecdh-sha2-nistp384

  • ecdh-sha2-nistp521

server macs

Configures the message authentication codes (macs) used by the SSH server on the node.

The following macs are allowed in the "classic mode":

  • hmac-sha2-256

  • hmac-sha2-512

The following macs are allowed in the "secure crypto mode":

  • hmac-sha2-256

  • hmac-sha2-512

The following macs are allowed in the "FIPS mode":

  • hmac-sha2-256

  • hmac-sha2-512
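The per-mode lists above say what the node may offer; after a reconfiguration the only authoritative statement of what it actually offers is the server's KEXINIT proposal. The following Python script is an added example (not Gigamon code and not part of this reference): it parses the "peer server KEXINIT proposal" block that a recent OpenSSH client prints with ssh -vv, reports anything the node offered that the chosen mode's table does not allow, and lists any CBC cipher. The debug output is constructed, and the mode names classic, secure-crypto and fips are this script's labels for the three modes in the tables.

```python
import re

# Server-side algorithm sets per mode, transcribed from the tables above.
SERVER_ALLOWED = {
    "classic": {
        "kex": {"diffie-hellman-group14-sha256", "ecdh-sha2-nistp256",
                "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
        "hostkey": {"rsa-sha2-256", "rsa-sha2-512"},
        "cipher": {"aes128-cbc", "aes128-ctr", "aes128-gcm@openssh.com", "aes192-ctr",
                   "aes256-cbc", "aes256-ctr", "aes256-gcm@openssh.com"},
        "mac": {"hmac-sha2-256", "hmac-sha2-512"},
    },
}
# "secure crypto mode" and "FIPS mode" list the same server algorithms.
SERVER_ALLOWED["secure-crypto"] = SERVER_ALLOWED["fips"] = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "hostkey": {"ecdsa-sha2-nistp384"},
    "cipher": {"aes128-cbc", "aes128-gcm@openssh.com", "aes256-cbc", "aes256-gcm@openssh.com"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512"},
}

# Labels OpenSSH prints in `ssh -vv` inside a KEXINIT proposal block.
_LABELS = {
    "KEX algorithms": "kex",
    "host key algorithms": "hostkey",
    "ciphers ctos": "cipher", "ciphers stoc": "cipher",
    "MACs ctos": "mac", "MACs stoc": "mac",
}
_DEBUG_LINE = re.compile(r"^debug\d+:\s*(.*)$")

def parse_peer_proposal(debug_output: str) -> dict:
    """Collect the algorithms the server advertised, from `ssh -vv` output.
    Only the block after 'peer server KEXINIT proposal' is read; the client's own
    'local client KEXINIT proposal' block is skipped so the audit reflects what
    the node offers rather than what the workstation's ssh supports."""
    offered = {cat: set() for cat in ("kex", "hostkey", "cipher", "mac")}
    in_peer = False
    for raw in debug_output.splitlines():
        m = _DEBUG_LINE.match(raw.strip())
        if not m:
            continue
        text = m.group(1)
        if text.endswith("KEXINIT proposal"):
            in_peer = text.startswith("peer server")
            continue
        if not in_peer:
            continue
        label, sep, algs = text.partition(":")
        if sep and label in _LABELS:
            offered[_LABELS[label]].update(a.strip() for a in algs.split(",") if a.strip())
    return offered

def audit_server(debug_output: str, mode: str) -> dict:
    """Offered-but-not-allowed algorithms per category for the given mode."""
    allowed = SERVER_ALLOWED[mode]
    offered = parse_peer_proposal(debug_output)
    return {cat: sorted(offered[cat] - allowed[cat]) for cat in offered}

def cbc_ciphers_offered(debug_output: str) -> list:
    """CBC ciphers the server advertises. Scanners routinely flag these and, per the
    note on client ciphers above, they should not appear while the node is in normal mode."""
    return sorted(c for c in parse_peer_proposal(debug_output)["cipher"] if c.endswith("-cbc"))

# Constructed sample of `ssh -vv admin@<node>` output, trimmed to the relevant lines.
SAMPLE_DEBUG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: aes128-ctr,aes256-gcm@openssh.com,aes128-cbc
debug2: ciphers stoc: aes128-ctr,aes256-gcm@openssh.com,aes128-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: rsa-sha2-512
"""

if __name__ == "__main__":
    for mode in ("classic", "fips"):
        print(mode, audit_server(SAMPLE_DEBUG, mode))
    print("CBC offered:", cbc_ciphers_offered(SAMPLE_DEBUG))
```

Against the constructed sample the node is clean for classic mode, while a FIPS-mode audit flags diffie-hellman-group14-sha256, both rsa-sha2 host key algorithms and aes128-ctr; run the same check after every ssh server ciphers, kex, macs or hostkey-algo change, since a negotiated session only proves that one acceptable algorithm exists, not that the weaker ones are gone.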

server ports <port> [port] [port] [port]..

Specifies the TCP port(s) on which the SSH server listens. Multiple ports can be specified. The default is 22. If you change the ports from within an SSH session, confirm the new setting with show ssh server and keep the current session open until a connection on the new port succeeds.

For example:

(config) # ssh server ports 23

Related Commands

The following table summarizes other commands related to the ssh command:

Task

Command

Displays SSH client settings.

# show ssh client

Displays SSH server settings.

# show ssh server

Displays SSH server settings with full host keys.

# show ssh server host-keys

Resets global SSH client host key check settings.

(config) # no ssh client global host-key-check

Resets the client SSH ciphers, kex, macs, or hostkey-algo configuration to the default values.

(config) # no ssh client <ciphers/kex/macs/hostkey-algo>

Resets the server SSH ciphers, kex, macs, or hostkey-algo configuration to the default values.

(config) # no ssh server <ciphers/kex/macs/hostkey-algo>

Deletes a global SSH client known host entry by host.

(config) # no ssh client global known-host <known-host-entry>

Deletes a public key from an authorized key list for a specified user.

(config) # no ssh client user monitor authorized-key sshv2 <public key ID>

Deletes all SSH client identity keys for a specified user.

(config) # no ssh client user monitor identity

Deletes SSH client identity keys for a specified user and for a specified type of identity.

(config) # no ssh client user monitor identity rsa2

Disables the SSH server.

(config) # no ssh server enable