Configuring SSH for IPv6

By default, SSH is automatically enabled for IPv4 and IPv6 connections on a switch. Use the ip ssh command options to reconfigure the default SSH settings used in SSH authentication for IPv4 and IPv6 connections:

  • TCP port number

  • timeout period

  • file transfer

  • MAC type

  • cipher type

Syntax:

ip ssh

no ip ssh

Enables SSH on the switch for both IPv4 and IPv6, and activates the connection with a configured SSH server (RADIUS or TACACS+). The no form of the command disables SSH on the switch.

[cipher <cipher-type>] : Specify a cipher type to use for the connection. Valid types are:

  • aes128-cbc

  • 3des-cbc

  • aes192-cbc

  • aes256-cbc

  • rijndael-cbc@lysator.liu.se

  • aes128-ctr

  • aes192-ctr

  • aes256-ctr

Default: All cipher types are available.

Use the no form of the command to disable a cipher type.

[filetransfer] : Enables SSH on the switch to connect to an SCP or SFTP client application to transfer files to and from the switch over IPv4 or IPv6. Default: Disabled

NOTE:

Enabling filetransfer automatically disables TFTP client and TFTP server functionality.

[mac <MAC-type>] : Allows configuration of the set of MACs that can be selected. Valid types are:

  • hmac-md5

  • hmac-sha1

  • hmac-sha1-96

  • hmac-md5-96

Default: All MAC types are available.

Use the no form of the command to disable a MAC type.

[port <1–65535|default>] : TCP port number used for SSH sessions in IPv4 and IPv6 connections. Default: 22.

Valid port numbers are from 1 to 65535, except for port numbers 23, 49, 80, 280, 443, 1506, 1513, and 9999, which are reserved for other subsystems.

[public-key <manager|operator> keystring] : Store a client-generated key for public-key authentication.

manager : Allows manager-level access using SSH public-key authentication.

operator : Allows operator-level access using SSH public-key authentication.

keystring : A legal SSHv2 (RSA or DSA) public key. The text string for the public key must be a single-quoted token. If the keystring contains double quotes, it can be quoted with single quotes ('keystring'). The following restrictions for a keystring apply:

  • A keystring cannot contain both single and double quotes.

  • A keystring cannot have extra characters, such as a blank space or a new line. (To improve readability, you can add a backslash at the end of each line.)

For more information on configuring and using SSH public keys to authenticate SSH clients connecting to the switch, see "configuring secure shell" in the latest ArubaOS-Switch Access Security Guide for your switch.

[timeout <5-120>] : Timeout value allowed to complete an SSH authentication and login on the switch. Default: 120 seconds.

[listen <data|both>] : Selects the switch ports on which SSH access is enabled. Values for this parameter are:

  • data

    Inbound or outbound SSH access is enabled only on the data ports.

  • both

    Inbound or outbound SSH access is enabled on both the out-of-band management port and on the data ports. This is the default value.

IMPORTANT:

The listen parameter applies to the 2920 switch series only and is not available on switches that do not have a separate out-of-band management port.
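The value ranges, reserved ports, cipher and MAC lists, and keystring rules above are easy to get wrong when scripting switch provisioning. The following Python helper is an added example, not part of this guide or of ArubaOS-Switch: it validates candidate values for ip ssh port, ip ssh timeout and the public-key keystring against the rules stated on this page, and generates the no-form commands that disable the CBC-mode ciphers and MD5-based MACs that hardening baselines commonly remove (the exact form no ip ssh cipher <type> / no ip ssh mac <type> is assumed from the statement that the no form disables a type; function names and the sample inputs are constructed).

```python
"""Policy checks for the `ip ssh` parameters documented on this page.

Constructed example: the value ranges, reserved ports and type lists are
taken from the page text; the `no ip ssh cipher ...` and `no ip ssh mac ...`
command form is assumed from the page's "no form disables a type" wording.
"""

# Ports the page lists as reserved for other subsystems.
RESERVED_PORTS = {23, 49, 80, 280, 443, 1506, 1513, 9999}

# Cipher and MAC types the page lists as selectable (all enabled by default).
CIPHERS = [
    "aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc",
    "rijndael-cbc@lysator.liu.se", "aes128-ctr", "aes192-ctr", "aes256-ctr",
]
MACS = ["hmac-md5", "hmac-sha1", "hmac-sha1-96", "hmac-md5-96"]


def valid_ssh_port(port):
    """True if `port` would be accepted by `ip ssh port`:
    1-65535, excluding the ports reserved for other subsystems."""
    return 1 <= port <= 65535 and port not in RESERVED_PORTS


def valid_ssh_timeout(seconds):
    """True if `seconds` lies in the 5-120 range of `ip ssh timeout`."""
    return 5 <= seconds <= 120


def valid_keystring(keystring):
    """Apply the keystring restrictions from the page:
    - single and double quotes may not both appear;
    - a newline is only allowed as a backslash line continuation
      (the readability form the page permits)."""
    if "'" in keystring and '"' in keystring:
        return False
    # Drop backslash-newline continuations, then any remaining newline is illegal.
    joined = keystring.replace("\\\n", "")
    return "\n" not in joined


def hardening_commands(enabled_ciphers=CIPHERS, enabled_macs=MACS):
    """Return the no-form commands that disable every CBC-mode cipher and
    every MD5-based MAC in the given lists, leaving the CTR ciphers and the
    SHA-1 MACs enabled. Command form is assumed (see module docstring)."""
    cmds = []
    for cipher in enabled_ciphers:
        if "-cbc" in cipher:
            cmds.append(f"no ip ssh cipher {cipher}")
    for mac in enabled_macs:
        if mac.startswith("hmac-md5"):
            cmds.append(f"no ip ssh mac {mac}")
    return cmds


if __name__ == "__main__":
    # Constructed sample values, not taken from any real switch.
    for port in (22, 443, 2222, 70000):
        print(f"port {port}: {'ok' if valid_ssh_port(port) else 'rejected'}")
    print("\n".join(hardening_commands()))
```

Run the script to print a verdict for each sample port and the command lines to paste into a configuration session; the two validators can be reused from a provisioning script before any ip ssh command is sent to the switch.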

Example

Switch# ip ssh ?
  cipher                              Specify a cipher to enable/disable.
  filetransfer                        Enable/disable secure file transfer capability.
  mac                                 Specify a mac to enable/disable.
  port                                Specify the TCP port on which the daemon should listen 
                                      for SSH connections.
  public-key                          Configure a client public-key.
  timeout                             Specify the maximum length of time (seconds) permitted 
                                      for protocol negotiation and authentication.
  <cr>

NOTE:

For both IPv4 and IPv6, the switch supports only SSH version 2. You cannot set up an SSH session with a client device running SSH version 1.

For more information on how to configure SSH for encrypted, authenticated transactions between the switch and SSH-enabled client devices, see the latest ArubaOS-Switch Access Security Guide for your switch.