Ssh server

(SSH) server sends its own certificate to the SSH client for verification. This server certificate is associated with the trustpoint configured in the server certificate profile (ssh-server-cert-profile-server configuration mode). For user authentication, the SSH client sends the user's certificate to the SSH server for verification. The SSH server validates the incoming user certificate using public key infrastructure (PKI) trustpoints configured in the server certificate profile (ssh-server-cert-profile-user configuration mode). By default, certificate-based authentication is enabled for server and user at the SSH server end. How to Configure X.509v3 Certificates for SSH Authentication The following section provides information about how to configure X.509v3 Certificates for SSH Authentication. Configuring the SSH Server to Use Digital Certificates for Server Authentication To configure the SSH server to use digital certificates for server authentication, perform this procedure: Procedure Command or Action Purpose Step 1 enable Example: Device> enable Enables privileged EXEC mode. Enter your password, if prompted. Step 2 configure terminal Example: Device# configure terminal Enters global configuration mode. Step 3 ip ssh server algorithm hostkey {x509v3-ssh-rsa [ssh-rsa] | ssh-rsa [x509v3-ssh-rsa]} Example: Device(config)# ip ssh server algorithm hostkey x509v3-ssh-rsa Defines the order of host key algorithms. Only the configured algorithm is negotiated with the secure shell (SSH) client. Note The IOS SSH server must have at least one configured host key algorithm: ssh-rsa: public key based authentication x509v3-ssh-rsa: certificate-based authentication Step 4 ip ssh server certificate profile Example: Device(config)# ip ssh server certificate profile Configures server certificate profile and user certificate profile and enters SSH certificate profile configuration mode. Step 5 server Example: Device(ssh-server-cert-profile)# server Configures server certificate profile and enters SSH server certificate profile server configuration mode. Step 6 trustpoint sign PKI-trustpoint-name Example: Device(ssh-server-cert-profile-server)# trustpoint sign trust1 Attaches the public key infrastructure (PKI) trustpoint to the server certificate profile. The SSH server uses the certificate associated with this PKI trustpoint for server authentication. Step 7 ocsp-response include Example: Device(ssh-server-cert-profile-server)# ocsp-response include (Optional) Sends the Online Certificate Status Protocol (OCSP) response or OCSP stapling along with the server certificate. Note By default the no form of this command is configured and no OCSP response is sent

Along with the server certificate. Step 8 end Example: Device(ssh-server-cert-profile-server)# end Exits SSH server certificate profile server configuration mode and returns to privileged EXEC mode. Configuring the SSH Server to Verify Digital Certificates for User Authentication To configure the SSH Server to use digital certificates for user authentication, perform this procedure: Procedure Command or Action Purpose Step 1 enable Example: Device> enable Enables privileged EXEC mode. Enter your password, if prompted. Step 2 configure terminal Example: Device# configure terminal Enters global configuration mode. Step 3 ip ssh server algorithm authentication {publickey | keyboard | password} Example: Device(config)# ip ssh server algorithm authentication publickey Defines the order of user authentication algorithms. Only the configured algorithm is negotiated with the secure shell (SSH) client. Note The SSH server must have at least one configured user authentication algorithm. To use the certificate method for user authentication, the publickey keyword must be configured. The ip ssh server algorithm authentication command replaces the ip ssh server authenticate user command. Step 4 ip ssh server algorithm publickey {x509v3-ssh-rsa [ssh-rsa] | ssh-rsa [x509v3-ssh-rsa]} Example: Device(config)# ip ssh server algorithm publickey x509v3-ssh-rsa Defines the order of public key algorithms. Only the configured algorithm is accepted by the SSH client for user authentication. Note The SSH client must have at least one configured public key algorithm: ssh-rsa: public-key-based authentication x509v3-ssh-rsa: certificate-based authentication Step 5 ip ssh server certificate profile Example: Device(config)# ip ssh server certificate profile Configures server certificate profile and user certificate profile and enters SSH certificate profile configuration mode. Step 6 user Example: Device(ssh-server-cert-profile)# user Configures user certificate profile and enters SSH server certificate profile user configuration mode. Step 7 trustpoint verify PKI-trustpoint-name Example: Device(ssh-server-cert-profile-user)# trustpoint verify trust2 Configures the public key infrastructure (PKI) trustpoint that is used to verify the incoming user certificate. Note Configure multiple trustpoints by executing the same command multiple times. A maximum of 10 trustpoints can be configured. Step 8 ocsp-response required Example: Device(ssh-server-cert-profile-user)# ocsp-response required (Optional) Mandates the presence of the Online Certificate Status Protocol (OCSP) response with the incoming user certificate. Note By default the no form of this command

Is enabled. Step 3 switch(config)# exit Exits global configuration mode. Step 4 (Optional) switch# show ssh server (Optional) Displays the SSH server configuration. Step 5 (Optional) switch# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration. Deleting SSH Server Keys You can delete SSH server keys after you disable the SSH server. Note To reenable SSH, you must first generate an SSH server key. Procedure Command or Action Purpose Step 1 switch# configure terminal Enters global configuration mode. Step 2 switch(config)# no feature ssh Disables the SSH server. Step 3 switch(config)# no ssh key [dsa | rsa] Deletes the SSH server key. The default is to delete all the SSH keys. Step 4 switch(config)# exit Exits global configuration mode. Step 5 (Optional) switch# show ssh key (Optional) Displays the SSH server configuration. Step 6 (Optional) switch# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration. Clearing SSH Sessions You can clear SSH sessions from the Cisco Nexus device. Procedure Command or Action Purpose Step 1 switch# show users Displays user session information. Step 2 switch# clear line vty-line Clears a user SSH session. Configuration Examples for SSH The following example shows how to configure SSH: Procedure Step 1 Generate an SSH server key. switch(config)# ssh key rsa generating rsa key(1024 bits)..... . generated rsa key Step 2 Enable the SSH server. switch# configure terminal switch(config)# feature ssh Note This step should not be required because the SSH server is enabled by default. Step 3