User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 60 Router Device Administration
(Policy view) Select Router Platform > Device Admin > Device Access > Secure Shell from the
Policy Type selector. Select an existing policy or create a new one.
The Secure Shell page is displayed. See Table 60-28 on page 60-65 for a description of the fields on this
page.
Step 2 (Optional) Modify the following default settings:
a. The version of SSH to support.
b. The timeout for completing the negotiation phase of the SSH connection.
c. The number of times to attempt authentication of the SSH client.
Step 3 (Optional) In the Source Interface field, enter the name of the interface or interface role whose address
should be used as the source interface for all SSH packets sent to SSH clients, or click Select to select
an interface role object from a list or to create a new one. The source interface must have an IP address.
If you do not enter a value in this field, the address of the closest interface to the destination is used.
Step 4 (Optional) Enter the name of the RSA key pair to use for SSH connections. If you do not enter a value
in this field, the router uses the key pair that is based on the hostname and domain name.
Tip Use the CLI command show crypto key mypubkey rsa to display the names and values of each
key pair configured on the device.
Step 5 (Optional) Select the Regenerate Key During Deployment check box if you want the router to
regenerate the RSA key pair used for SSH. This option is useful if you believe that the secrecy of the
keys might be compromised. Enter the size of the modulus to use to regenerate the keys.
Note You must remember to return to this policy after deployment to deselect the check box. If you
do not do this, a new key is generated during each deployment.
Note This option requires interaction with the device during deployment. Therefore, you should use
it only when deploying to live devices, not when deploying to a file.
Note A key pair must already exist on the device before you select this option; otherwise, deployment
will fail. (This will typically be the case, since IOS routers must have SSH enabled to be added
to Security Manager.)
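
The following audit sketch is an added example, not part of the Cisco guide or of Security Manager. It reads a deployed running configuration and checks the settings from Steps 2 through 4: SSH version, negotiation timeout, authentication retries, source interface and key pair name. The thresholds and sample configurations are assumptions constructed for illustration; the absent-command defaults (120 seconds, 3 retries) are the IOS defaults.

```python
import re

# Assumed review baseline (not from the guide): SSHv2 only, short
# negotiation timeout, few authentication attempts.
MAX_TIMEOUT_S = 60
MAX_RETRIES = 3
# IOS defaults when the command is absent from the running configuration.
DEFAULT_TIMEOUT_S = 120
DEFAULT_RETRIES = 3

def parse_ssh_settings(config: str) -> dict:
    """Extract the settings that the Secure Shell policy controls."""
    s = {"version": None, "timeout": DEFAULT_TIMEOUT_S, "retries": DEFAULT_RETRIES,
         "source_interface": None, "keypair": None, "hostname": None, "domain": None}
    patterns = {
        "version": r"ip ssh version (\d)",
        "timeout": r"ip ssh time-out (\d+)",
        "retries": r"ip ssh authentication-retries (\d+)",
        "source_interface": r"ip ssh source-interface (\S+)",
        "keypair": r"ip ssh rsa keypair-name (\S+)",
        "hostname": r"hostname (\S+)",
        "domain": r"ip domain[- ]name (\S+)",
    }
    for line in config.splitlines():
        for key, pat in patterns.items():
            m = re.fullmatch(pat, line.strip())
            if m:
                s[key] = int(m.group(1)) if key in ("version", "timeout", "retries") else m.group(1)
    return s

def audit(config: str) -> list:
    """Return one finding per setting that misses the assumed baseline."""
    s, findings = parse_ssh_settings(config), []
    if s["version"] != 2:
        findings.append("SSH version not pinned to 2 (SSHv1 may be accepted)")
    if s["timeout"] > MAX_TIMEOUT_S:
        findings.append(f"negotiation timeout {s['timeout']}s exceeds {MAX_TIMEOUT_S}s")
    if s["retries"] > MAX_RETRIES:
        findings.append(f"{s['retries']} authentication retries exceeds {MAX_RETRIES}")
    if s["keypair"] is None:
        findings.append(f"no named key pair; router uses {s['hostname']}.{s['domain']}")
    return findings

# Constructed sample configurations, not taken from a real device.
WEAK = "hostname edge1\nip domain name example.net\nip ssh authentication-retries 5\n"
HARDENED = ("hostname edge1\nip domain name example.net\nip ssh version 2\n"
            "ip ssh time-out 30\nip ssh authentication-retries 2\n"
            "ip ssh source-interface Loopback0\nip ssh rsa keypair-name SSH-KEY\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```
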
Secure Shell Policy Page
Use the Secure Shell page to change the default SSH settings on the router and to define additional
optional settings, if required.
For more information, see Optional SSH Settings on Cisco IOS Routers, page 60-63.