- DOC - Configuring Switch-Based Authentication
TELNET
(config)#line vty 0 15
(config-line)#transport input telnet or (config-line)#transport input all
SSH
(config)#line vty 0 15
(config-line)#transport input ssh or (config-line)#transport input all
Setting Up the Switch to Run SSH
| Step | Command | Purpose |
|---|---|---|
| 1 | configure terminal | Enter global configuration mode. |
| 2 | hostname hostname | Configure a hostname for your switch. |
| 3 | ip domain-name domain_name | Configure a host domain for your switch. |
| 4 | crypto key generate rsa | Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair. We recommend a minimum modulus size of 1024 bits. When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use. |
| 5 | end | Return to privileged EXEC mode. |
| 6 | show ip ssh or show ssh | Show the version and configuration information for your SSH server. Show the status of the SSH server on the switch. |
| 7 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |
To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.
Configuring the SSH Server
Beginning in privileged EXEC mode, follow these steps to configure the SSH server:
| Step | Command | Purpose |
|---|---|---|
| 1 | configure terminal | Enter global configuration mode. |
| 2 | ip ssh version [1 \| 2] | (Optional) Configure the switch to run SSH Version 1 or SSH Version 2. 1: configure the switch to run SSH Version 1. 2: configure the switch to run SSH Version 2. If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2. |
| 3 | ip ssh {timeout seconds \| authentication-retries number} | Configure the SSH control parameters. timeout seconds: specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. This parameter applies to the SSH negotiation phase. After the connection is established, the switch uses the default time-out values of the CLI-based sessions. By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes. authentication-retries number: specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5. Repeat this step when configuring both parameters. |
| 4 | line vty line_number [ending_line_number], then transport input ssh | (Optional) Configure the virtual terminal line settings. line vty: enter line configuration mode to configure the virtual terminal line settings. For line_number and ending_line_number, specify a pair of lines. The range is 0 to 15. transport input ssh: specify that the switch prevent non-SSH Telnet connections. This limits the switch to SSH connections only. |
| 5 | end | Return to privileged EXEC mode. |
| 6 | show ip ssh or show ssh | Show the version and configuration information for your SSH server. Show the status of the SSH server connections on the switch. |
| 7 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |
To return to the default SSH control parameters, use the no ip ssh {timeout | authentication-retries} global configuration command.
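As an added example that is not part of the Cisco guide, the following Python audit reads a running-config as text and flags what the two procedures above are meant to settle: vty ranges whose transport input still admits Telnet, and an SSH server not pinned to version 2; it also reports the timeout and authentication-retries values (falling back to the defaults the table gives). The sample configuration is constructed, and parse_vty_blocks and audit_ssh are hypothetical helper names.

```python
import re

# Constructed sample running-config (not from the guide): one vty range still
# allows Telnet, the other is SSH-only.
SAMPLE_CONFIG = """\
hostname sw1
ip domain-name example.test
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input all
line vty 5 15
 transport input ssh
"""

def parse_vty_blocks(config):
    """Return {(first, last): {sub-command: args}} for each 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+)(?: (\d+))?$", raw)
        if m:
            current = (int(m.group(1)), int(m.group(2) or m.group(1)))
            blocks[current] = {}
        elif current is not None and raw.startswith(" "):
            words = raw.split()
            blocks[current][" ".join(words[:2])] = " ".join(words[2:])
        else:
            current = None  # any other top-level line ends the vty block
    return blocks

def audit_ssh(config):
    """Flag settings that contradict the SSH-only guidance in the tables above."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set: server negotiates version per client")
    # Accept both the 'timeout' spelling used in the table and 'time-out'.
    m = re.search(r"^ip ssh (?:time-out|timeout) (\d+)$", config, re.M)
    timeout = int(m.group(1)) if m else 120  # 120 s default per the table
    m = re.search(r"^ip ssh authentication-retries (\d+)$", config, re.M)
    retries = int(m.group(1)) if m else 3  # default 3 per the table
    for (first, last), subs in parse_vty_blocks(config).items():
        transport = subs.get("transport input")
        if transport in ("telnet", "all"):
            findings.append(f"line vty {first} {last}: transport input {transport} "
                            "permits cleartext Telnet")
        elif transport is None:
            findings.append(f"line vty {first} {last}: transport input not set explicitly")
    return {"timeout": timeout, "retries": retries, "findings": findings}

if __name__ == "__main__":
    for line in audit_ssh(SAMPLE_CONFIG)["findings"]:
        print(line)
```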
Displaying the SSH Configuration and Status
To display the SSH server configuration and status, use one or more of the privileged EXEC commands in Table 9-5:
Table 9-5 Commands for Displaying the SSH Server Configuration and Status

| Command | Purpose |
|---|---|
| show ip ssh | Shows the version and configuration information for the SSH server. |
| show ssh | Shows the status of the SSH server. |