ssh
---

.. osdx:cfgcmd:: service ssh

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Secure SHell (SSH) protocol

.. osdx:cfgcmd:: service ssh aaa

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   AAA options

.. osdx:cfgcmd:: service ssh aaa accounting

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Accounting list name

   :ref Reference: system aaa list *

.. osdx:cfgcmd:: service ssh aaa authentication

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Authentication list name

   :ref Reference: system aaa list *

.. osdx:cfgcmd:: service ssh access-control

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Limit how roles and users can access the system through SSH

.. osdx:cfgcmd:: service ssh access-control allow

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Allow access to specific roles/users

.. osdx:cfgcmd:: service ssh access-control allow role

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   :arg id: Role
   :instances: Multiple

.. osdx:cfgcmd:: service ssh access-control allow user

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   User

   :ref Reference: system login user *
   :instances: Multiple

.. osdx:cfgcmd:: service ssh access-control deny

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Deny access to specific roles/users

.. osdx:cfgcmd:: service ssh access-control deny role

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   :arg id: Role
   :instances: Multiple

.. osdx:cfgcmd:: service ssh access-control deny user

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   User

   :ref Reference: system login user *
   :instances: Multiple

.. osdx:cfgcmd:: service ssh agent-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Enables SSH agent forwarding

.. osdx:cfgcmd:: service ssh cipher

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   :arg id: Ciphers to use for ongoing SSH connections

   It is possible to limit which ciphers will be used for ongoing SSH
   connections. A list of ciphers is accepted; they are sorted by
   strength, strongest first.

   :instances: List of values

.. osdx:cfgcmd:: service ssh disable-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Disables all SSH forwarding features (X11, agent, TCP and stream local)

   This option overrides all other forwarding-related options, which may
   simplify restricted configurations.

.. osdx:cfgcmd:: service ssh disable-password-authentication

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Disables login using password authentication

.. osdx:cfgcmd:: service ssh disable-pubkey-authentication

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Disables login using public key authentication

.. osdx:cfgcmd:: service ssh disable-tty

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specifies whether pty allocation is permitted

.. osdx:cfgcmd:: service ssh host-key

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   :arg file: Host key used when others connect to us through SSH
   :instances: Multiple

.. osdx:cfgcmd:: service ssh keepalive-count-max

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Number of keepalive messages to be sent without any response from the client

   :arg u32: Disables connection termination (0)
   :arg u32: Number of messages to be sent (1-65535)

.. osdx:cfgcmd:: service ssh keepalive-interval

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Timeout interval in seconds after which SSH will send a message requesting a response

   :arg u32: Seconds (0-65535)

.. osdx:cfgcmd:: service ssh key-exchange

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   :arg id: Specifies the available KEX (Key Exchange) algorithms
   :instances: List of values

.. osdx:cfgcmd:: service ssh listen-address

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Address to listen on

   :arg ipv4: IP address to listen to
   :arg ipv6: IPv6 address to listen to
   :arg hostname: Hostname to listen to
   :Local IP address:
   :instances: Multiple

.. osdx:cfgcmd:: service ssh log-level

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specific log level to use. Each level logs its own messages and those
   of "higher" levels.

   :arg quiet: Log no messages
   :arg fatal: Fatal messages
   :arg error: Error messages
   :arg info: Informational messages
   :arg verbose: More informational messages
   :arg debug: Debugging messages
   :arg debug2: More debugging messages
   :arg debug3: Even more debugging messages

.. osdx:cfgcmd:: service ssh mac

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   :arg id: Specifies the available MAC (Message Authentication Code) algorithms

   The MAC algorithm is used for data integrity protection. The
   algorithms that contain "-etm" calculate the MAC after encryption
   (encrypt-then-mac). These are considered safer and their use is
   recommended.

   :instances: List of values

.. osdx:cfgcmd:: service ssh match

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Match directives to apply a given configuration to specific users or groups

.. osdx:cfgcmd:: service ssh match address

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   :arg ipv4cidr: Specific configuration for matched addresses
   :arg ipv6cidr: Specific configuration for matched addresses
   :instances: Multiple

.. osdx:cfgcmd:: service ssh match address agent-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Enables SSH agent forwarding

.. osdx:cfgcmd:: service ssh match address disable-password-authentication

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Disables login using password authentication

.. osdx:cfgcmd:: service ssh match address disable-pubkey-authentication

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Disables login using public key authentication

.. osdx:cfgcmd:: service ssh match address disable-tty

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specifies whether pty allocation is permitted

.. osdx:cfgcmd:: service ssh match address keepalive-count-max

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Number of keepalive messages to be sent without any response from the client

   :arg u32: Disables connection termination (0)
   :arg u32: Number of messages to be sent (1-65535)

.. osdx:cfgcmd:: service ssh match address keepalive-interval

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Timeout interval in seconds after which SSH will send a message requesting a response

   :arg u32: Seconds (0-65535)

.. osdx:cfgcmd:: service ssh match address log-level

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specific log level to use. Each level logs its own messages and those
   of "higher" levels.

   :arg quiet: Log no messages
   :arg fatal: Fatal messages
   :arg error: Error messages
   :arg info: Informational messages
   :arg verbose: More informational messages
   :arg debug: Debugging messages
   :arg debug2: More debugging messages
   :arg debug3: Even more debugging messages

.. osdx:cfgcmd:: service ssh match address max-sessions

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Maximum number of open shell, login or subsystem sessions allowed per connection

   :arg u32: No shell, login or subsystem sessions are allowed, but forwarding is still allowed (0)
   :arg u32: Disable session multiplexing (1)
   :arg u32: Maximum number of sessions allowed (2-65535)

.. osdx:cfgcmd:: service ssh match address permit-empty-passwords

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Whether the server allows login to accounts with empty password strings

   This option only takes effect when password authentication is enabled.

.. osdx:cfgcmd:: service ssh match address permit-open

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specifies destinations to which TCP port forwarding is permitted

   :arg fqdn: Host to allow forwarding TCP connections to
   :arg ipv4: IPv4 address to allow forwarding TCP connections to
   :arg ipv6: IPv6 address to allow forwarding TCP connections to
   :instances: Multiple
   :ref Required:

.. osdx:cfgcmd:: service ssh match address permit-open port

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Port to allow forwarding TCP connections to

   :arg u32: Port to allow forwarding connection to (1-65535)
   :instances: List of values

.. osdx:cfgcmd:: service ssh match address tcp-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Enables TCP forwarding

.. osdx:cfgcmd:: service ssh match address x11-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Enables X11 forwarding

   When X11 forwarding is enabled, there may be additional exposure to
   the server and to client displays if the SSH proxy is configured to
   listen on the wildcard address (though this is not the default).
   Additionally, the authentication spoofing and authentication data
   verification and substitution occur on the client side. The security
   risk of using X11 forwarding is that the client's X11 display server
   may be exposed to attack when the SSH client requests forwarding. A
   system administrator may have a stance in which they want to protect
   clients that may expose themselves to attack by unwittingly requesting
   X11 forwarding, which can warrant a "no" setting.

.. osdx:cfgcmd:: service ssh match host

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   :arg ipv4: Specific configuration for matched hosts
   :arg ipv6: Specific configuration for matched hosts
   :instances: Multiple

.. osdx:cfgcmd:: service ssh match host agent-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Enables SSH agent forwarding

.. osdx:cfgcmd:: service ssh match host disable-password-authentication

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Disables login using password authentication

.. osdx:cfgcmd:: service ssh match host disable-pubkey-authentication

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Disables login using public key authentication

.. osdx:cfgcmd:: service ssh match host disable-tty

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specifies whether pty allocation is permitted

.. osdx:cfgcmd:: service ssh match host keepalive-count-max

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Number of keepalive messages to be sent without any response from the client

   :arg u32: Disables connection termination (0)
   :arg u32: Number of messages to be sent (1-65535)

.. osdx:cfgcmd:: service ssh match host keepalive-interval

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Timeout interval in seconds after which SSH will send a message requesting a response

   :arg u32: Seconds (0-65535)

.. osdx:cfgcmd:: service ssh match host log-level

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specific log level to use. Each level logs its own messages and those
   of "higher" levels.

   :arg quiet: Log no messages
   :arg fatal: Fatal messages
   :arg error: Error messages
   :arg info: Informational messages
   :arg verbose: More informational messages
   :arg debug: Debugging messages
   :arg debug2: More debugging messages
   :arg debug3: Even more debugging messages

.. osdx:cfgcmd:: service ssh match host max-sessions

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Maximum number of open shell, login or subsystem sessions allowed per connection

   :arg u32: No shell, login or subsystem sessions are allowed, but forwarding is still allowed (0)
   :arg u32: Disable session multiplexing (1)
   :arg u32: Maximum number of sessions allowed (2-65535)

.. osdx:cfgcmd:: service ssh match host permit-empty-passwords

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Whether the server allows login to accounts with empty password strings

   This option only takes effect when password authentication is enabled.

.. osdx:cfgcmd:: service ssh match host permit-open

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specifies destinations to which TCP port forwarding is permitted

   :arg fqdn: Host to allow forwarding TCP connections to
   :arg ipv4: IPv4 address to allow forwarding TCP connections to
   :arg ipv6: IPv6 address to allow forwarding TCP connections to
   :instances: Multiple
   :ref Required:

.. osdx:cfgcmd:: service ssh match host permit-open port

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Port to allow forwarding TCP connections to

   :arg u32: Port to allow forwarding connection to (1-65535)
   :instances: List of values

.. osdx:cfgcmd:: service ssh match host tcp-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Enables TCP forwarding

.. osdx:cfgcmd:: service ssh match host x11-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Enables X11 forwarding

   When X11 forwarding is enabled, there may be additional exposure to
   the server and to client displays if the SSH proxy is configured to
   listen on the wildcard address (though this is not the default).
   Additionally, the authentication spoofing and authentication data
   verification and substitution occur on the client side. The security
   risk of using X11 forwarding is that the client's X11 display server
   may be exposed to attack when the SSH client requests forwarding. A
   system administrator may have a stance in which they want to protect
   clients that may expose themselves to attack by unwittingly requesting
   X11 forwarding, which can warrant a "no" setting.

.. osdx:cfgcmd:: service ssh match role

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   :arg id: Specific configuration for matched roles
   :instances: Multiple

.. osdx:cfgcmd:: service ssh match role agent-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Enables SSH agent forwarding

.. osdx:cfgcmd:: service ssh match role disable-password-authentication

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Disables login using password authentication

.. osdx:cfgcmd:: service ssh match role disable-pubkey-authentication

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Disables login using public key authentication

.. osdx:cfgcmd:: service ssh match role disable-tty

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specifies whether pty allocation is permitted

.. osdx:cfgcmd:: service ssh match role keepalive-count-max

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Number of keepalive messages to be sent without any response from the client

   :arg u32: Disables connection termination (0)
   :arg u32: Number of messages to be sent (1-65535)

.. osdx:cfgcmd:: service ssh match role keepalive-interval

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Timeout interval in seconds after which SSH will send a message requesting a response

   :arg u32: Seconds (0-65535)

.. osdx:cfgcmd:: service ssh match role log-level

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specific log level to use. Each level logs its own messages and those
   of "higher" levels.

   :arg quiet: Log no messages
   :arg fatal: Fatal messages
   :arg error: Error messages
   :arg info: Informational messages
   :arg verbose: More informational messages
   :arg debug: Debugging messages
   :arg debug2: More debugging messages
   :arg debug3: Even more debugging messages

.. osdx:cfgcmd:: service ssh match role max-sessions

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Maximum number of open shell, login or subsystem sessions allowed per connection

   :arg u32: No shell, login or subsystem sessions are allowed, but forwarding is still allowed (0)
   :arg u32: Disable session multiplexing (1)
   :arg u32: Maximum number of sessions allowed (2-65535)

.. osdx:cfgcmd:: service ssh match role permit-empty-passwords

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Whether the server allows login to accounts with empty password strings

   This option only takes effect when password authentication is enabled.

.. osdx:cfgcmd:: service ssh match role permit-open

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specifies destinations to which TCP port forwarding is permitted

   :arg fqdn: Host to allow forwarding TCP connections to
   :arg ipv4: IPv4 address to allow forwarding TCP connections to
   :arg ipv6: IPv6 address to allow forwarding TCP connections to
   :instances: Multiple
   :ref Required:

.. osdx:cfgcmd:: service ssh match role permit-open port

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Port to allow forwarding TCP connections to

   :arg u32: Port to allow forwarding connection to (1-65535)
   :instances: List of values

.. osdx:cfgcmd:: service ssh match role tcp-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Enables TCP forwarding

.. osdx:cfgcmd:: service ssh match role x11-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Enables X11 forwarding

   When X11 forwarding is enabled, there may be additional exposure to
   the server and to client displays if the SSH proxy is configured to
   listen on the wildcard address (though this is not the default).
   Additionally, the authentication spoofing and authentication data
   verification and substitution occur on the client side. The security
   risk of using X11 forwarding is that the client's X11 display server
   may be exposed to attack when the SSH client requests forwarding. A
   system administrator may have a stance in which they want to protect
   clients that may expose themselves to attack by unwittingly requesting
   X11 forwarding, which can warrant a "no" setting.

.. osdx:cfgcmd:: service ssh match user

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specific configuration for matched users

   :ref Reference: system login user *
   :instances: Multiple

.. osdx:cfgcmd:: service ssh match user agent-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Enables SSH agent forwarding

.. osdx:cfgcmd:: service ssh match user disable-password-authentication

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Disables login using password authentication

.. osdx:cfgcmd:: service ssh match user disable-pubkey-authentication

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Disables login using public key authentication

.. osdx:cfgcmd:: service ssh match user disable-tty

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specifies whether pty allocation is permitted

.. osdx:cfgcmd:: service ssh match user keepalive-count-max

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Number of keepalive messages to be sent without any response from the client

   :arg u32: Disables connection termination (0)
   :arg u32: Number of messages to be sent (1-65535)

.. osdx:cfgcmd:: service ssh match user keepalive-interval

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Timeout interval in seconds after which SSH will send a message requesting a response

   :arg u32: Seconds (0-65535)

.. osdx:cfgcmd:: service ssh match user log-level

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specific log level to use. Each level logs its own messages and those
   of "higher" levels.

   :arg quiet: Log no messages
   :arg fatal: Fatal messages
   :arg error: Error messages
   :arg info: Informational messages
   :arg verbose: More informational messages
   :arg debug: Debugging messages
   :arg debug2: More debugging messages
   :arg debug3: Even more debugging messages

.. osdx:cfgcmd:: service ssh match user max-sessions

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Maximum number of open shell, login or subsystem sessions allowed per connection

   :arg u32: No shell, login or subsystem sessions are allowed, but forwarding is still allowed (0)
   :arg u32: Disable session multiplexing (1)
   :arg u32: Maximum number of sessions allowed (2-65535)

.. osdx:cfgcmd:: service ssh match user permit-empty-passwords

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Whether the server allows login to accounts with empty password strings

   This option only takes effect when password authentication is enabled.

.. osdx:cfgcmd:: service ssh match user permit-open

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specifies destinations to which TCP port forwarding is permitted

   :arg fqdn: Host to allow forwarding TCP connections to
   :arg ipv4: IPv4 address to allow forwarding TCP connections to
   :arg ipv6: IPv6 address to allow forwarding TCP connections to
   :instances: Multiple
   :ref Required:

.. osdx:cfgcmd:: service ssh match user permit-open port

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Port to allow forwarding TCP connections to

   :arg u32: Port to allow forwarding connection to (1-65535)
   :instances: List of values

.. osdx:cfgcmd:: service ssh match user tcp-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Enables TCP forwarding

.. osdx:cfgcmd:: service ssh match user x11-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Enables X11 forwarding

   When X11 forwarding is enabled, there may be additional exposure to
   the server and to client displays if the SSH proxy is configured to
   listen on the wildcard address (though this is not the default).
   Additionally, the authentication spoofing and authentication data
   verification and substitution occur on the client side. The security
   risk of using X11 forwarding is that the client's X11 display server
   may be exposed to attack when the SSH client requests forwarding. A
   system administrator may have a stance in which they want to protect
   clients that may expose themselves to attack by unwittingly requesting
   X11 forwarding, which can warrant a "no" setting.

.. osdx:cfgcmd:: service ssh max-sessions

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Maximum number of open shell, login or subsystem sessions allowed per connection

   :arg u32: No shell, login or subsystem sessions are allowed, but forwarding is still allowed (0)
   :arg u32: Disable session multiplexing (1)
   :arg u32: Maximum number of sessions allowed (2-65535)

.. osdx:cfgcmd:: service ssh permit-empty-passwords

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Whether the server allows login to accounts with empty password strings

   This option only takes effect when password authentication is enabled.

.. osdx:cfgcmd:: service ssh permit-open

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Specifies destinations to which TCP port forwarding is permitted

   :arg fqdn: Host to allow forwarding TCP connections to
   :arg ipv4: IPv4 address to allow forwarding TCP connections to
   :arg ipv6: IPv6 address to allow forwarding TCP connections to
   :instances: Multiple
   :ref Required:

.. osdx:cfgcmd:: service ssh permit-open port

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Port to allow forwarding TCP connections to

   :arg u32: Port to allow forwarding connection to (1-65535)
   :instances: List of values

.. osdx:cfgcmd:: service ssh port

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Port for SSH service

   :arg u32: Numeric IP port (1-32767)
   :arg u32: Numeric IP port (60000-65535)

.. osdx:cfgcmd:: service ssh tcp-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Enables TCP forwarding

.. osdx:cfgcmd:: service ssh vrf

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   VRF interface to run SSH on

   :ref Reference: system vrf *

.. osdx:cfgcmd:: service ssh x11-forwarding

   .. raw:: html

      SDE M10-Smart M2 RS420 AresC640

   Enables X11 forwarding

   When X11 forwarding is enabled, there may be additional exposure to
   the server and to client displays if the SSH proxy is configured to
   listen on the wildcard address (though this is not the default).
   Additionally, the authentication spoofing and authentication data
   verification and substitution occur on the client side. The security
   risk of using X11 forwarding is that the client's X11 display server
   may be exposed to attack when the SSH client requests forwarding. A
   system administrator may have a stance in which they want to protect
   clients that may expose themselves to attack by unwittingly requesting
   X11 forwarding, which can warrant a "no" setting.