7-40
Cisco ME 3400 EthernetAccess Switch SoftwareConfiguration Guide
78-17058-01
Chapter7 Configuring Switch-Based Authentication
Configuring the Switch for Secure Shell
To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the
RSA key pair is deleted, the SSH server is automatically disabled.
Configuring the SSH Server
Beginning in privileged EXEC mode, follow these steps to configure the SSH server:
Step4 crypto key generate rsa Enable the SSH server for local and remote authentication on the switch
and generate an RSA key pair.
We recommend that a minimum modulus size of 1024 bits.
When you generate RSA keys, you are prompted to enter a modulus
length. A longer modulus length might be more secure, but it takes longer
to generate and to use.
Step5 end Return to privileged EXEC mode.
Step6 show ip ssh
or
show ssh
Show the version and configuration information for your SSH server.
Show the status of the SSH server on the switch.
Step7 copy running-config startup-config (Optional) Save your entries in the configuration file.
Command Purpose
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 ip ssh version [1 | 2] (Optional) Configure the switch to run SSH Version 1 or SSH Version 2.
1—Configure the switch to run SSH Version 1.
2—Configure the switch to run SSH Version 2.
If you do not enter this command or do not specify a keyword, the SSH
server selects the latest SSH version supported by the SSH client. For
example, if the SSH client supports SSHv1 and SSHv2, the SSH server
selects SSHv2.
Step3 ip ssh {timeout seconds |
authentication-retries number}Configure the SSH control parameters:
Specify the time-out value in seconds; the default is 120 seconds. The
range is 0 to 120 seconds. This parameter applies to the SSH
negotiation phase. After the connection is established, the switch uses
the default time-out values of the CLI-based sessions.
By default, up to five simultaneous, encrypted SSH connections for
multiple CLI-based sessions over the network are available (session 0
to session 4). After the execution shell starts, the CLI-based session
time-out value returns to the default of 10 minutes.
Specify the number of times that a client can re-authenticate to the
server. The default is 3; the range is 0 to 5.
Repeat this step when configuring both parameters.
Step4 end Return to privileged EXEC mode.