ssh2 ipv6
Use ssh2 ipv6 to establish a connection to an IPv6 Stelnet server.
Syntax
In non-FIPS mode:
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name| prefer-compress zlib | prefer-ctos-cipher { 3des-cbc |aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc |aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | escape character | { public-key keyname | server-pki-domain domain-name }| source { interface interface-type interface-number | ipv6 ipv6-address } ] *
In FIPS mode:
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ escape character | { public-key keyname | server-pki-domain domain-name }| source { interface interface-type interface-number | ipv6 ipv6-address } ] *
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
-i interface-type interface-number: Specifies an output interface by its type and number for IPv6 SSH packets. This option is used only when the server uses a link-local address to provide the Stelnet service for the client. The specified output interface on the Stelnet client must have a link-local address.
identity-key: Specifies a public key algorithm for publickey authentication of the client. The default is DSA in non-FIPS mode and is RSA in FIPS mode. If the server uses publickey authentication, you must specify this keyword. The client generates the digital signature or certificate by using the local private key that is associated with the specified algorithm.
dsa: Specifies public key algorithm DSA.
ecdsa-sha2-nistp256: Specifies the ECDSA algorithm with 256-bit key strength.
ecdsa-sha2-nistp384: Specifies the ECDSA algorithm with 384-bit key strength.
rsa: Specifies public key algorithm RSA.
x509v3-ecdsa-sha2-nistp256: Specifies public key algorithm x509v3-ecdsa-sha2-nistp256.
x509v3-ecdsa-sha2-nistp384: Specifies public key algorithm x509v3-ecdsa-sha2-nistp384.
pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument is a case-insensitive string of 1 to 31 characters. When the x509v3 public key algorithm is used, you must specify this option for the client to get the correct local certificate.
prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.
zlib: Specifies compression algorithm zlib.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is AES128-CTR. Supported algorithms are DES-CBC, 3DES-CBC, AES128-CBC, AES128-CTR, AES128-GCM, AES192-CTR, AES256-CBC, AES256-CTR, and AES256-GCM, in ascending order of security strength and computation time.
3des-cbc: Specifies encryption algorithm 3DES-CBC.
aes128-cbc: Specifies encryption algorithm AES128-CBC.
aes128-ctr: Specifies encryption algorithm AES128-CTR.
aes128-gcm: Specifies encryption algorithm AES128-GCM.
aes192-ctr: Specifies encryption algorithm AES192-CTR.
aes256-cbc: Specifies encryption algorithm AES256-CBC.
aes256-ctr: Specifies encryption algorithm AES256-CTR.
aes256-gcm: Specifies encryption algorithm AES256-GCM.
des-cbc: Specifies encryption algorithm DES-CBC.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is SHA2-256. Supported algorithms are MD5, MD5-96, SHA1, SHA1-96, SHA2-256, SHA2-512, in ascending order of security strength and computation time.
md5: Specifies HMAC algorithm HMAC-MD5.
md5-96: Specifies HMAC algorithm HMAC-MD5-96.
sha1: Specifies HMAC algorithm HMAC-SHA1.
sha1-96: Specifies HMAC algorithm HMAC-SHA1-96.
sha2-256: Specifies HMAC algorithm HMAC-SHA2-256.
sha2-512: Specifies HMAC algorithm HMAC-SHA2-512.
prefer-kex: Specifies the preferred key exchange algorithm. The default is ecdh-sha2-nistp256. Supported algorithms are diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, and ecdh-sha2-nistp384, in ascending order of security strength and computation time.
dh-group-exchange-sha1: Specifies key exchange algorithm diffie-hellman-group-exchange-sha1.
dh-group1-sha1: Specifies key exchange algorithm diffie-hellman-group1-sha1.
dh-group14-sha1: Specifies key exchange algorithm diffie-hellman-group14-sha1.
ecdh-sha2-nistp256: Specifies key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies key exchange algorithm ecdh-sha2-nistp384.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is AES128-CTR. Supported algorithms are the same as the client-to-server encryption algorithms (see the prefer-ctos-cipher keyword).
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is SHA2-256. Supported algorithms are the same as the client-to-server HMAC algorithms (see the prefer-ctos-hmac keyword).
dscp dscp-value: Specifies the DSCP value in the IPv6 SSH packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.
escape character: Specifies a case-sensitive escape character. By default, the escape character is a tilde (~).
public-key keyname: Specifies the server by its host public key that the client uses to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes (').
source: Specifies a source IPv6 address or source interface for IPv6 SSH packets. By default, the device automatically selects a source address for IPv6 SSH packets in compliance with RFC 3484. As a best practice to ensure successful Stelnet connections, specify a loopback interface as the source interface or specify that interface's IPv6 address as the source IPv6 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IPv6 address of the IPv6 SSH packets.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
The combination of an escape character and a dot (.) works as an escape sequence. This escape sequence is typically used to quickly terminate an SSH connection when the server reboots or malfunctions.
For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have entered other characters or performed operations in a line, enter the escape sequence in the next line.
As a best practice, use the default escape character (~). Do not use any characters in SSH usernames as the escape character.
If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.
Examples
# Establish a connection to Stelnet server 2000::1 and specify the public key of the server as svkey. The SSH client uses publickey authentication. Specify the dollar sign ($) as the escape character. Use the following algorithms:
Preferred key exchange algorithm: dh-group14-sha1.
Preferred server-to-client encryption algorithm: aes128-cbc.
Preferred client-to-server HMAC algorithm: sha1.
Preferred server-to-client HMAC algorithm: sha1-96.
Preferred compression algorithm: zlib.
<Sysname> ssh2 ipv6 2000::1 prefer-kex dh-group14-sha1 prefer-stoc-cipher aes128-cbc prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib public-key svkey escape $