ssh

service ssh
SDE M10-Smart M2 RS420 AresC640

Secure SHell (SSH) protocol

service ssh aaa
SDE M10-Smart M2 RS420 AresC640

AAA options

service ssh aaa accounting <id>
SDE M10-Smart M2 RS420 AresC640

Accounting list name

Reference:

system aaa list <id>

service ssh aaa authentication <id>
SDE M10-Smart M2 RS420 AresC640

Authentication list name

Reference:

system aaa list <id>

service ssh access-control
SDE M10-Smart M2 RS420 AresC640

Limit how roles and users can access the system through SSH

service ssh access-control allow
SDE M10-Smart M2 RS420 AresC640

Allow access to specific roles/users

service ssh access-control allow role <id>
SDE M10-Smart M2 RS420 AresC640
Values:

  • id – Role

Instances:

Multiple

service ssh access-control allow user <txt>
SDE M10-Smart M2 RS420 AresC640

User

Reference:

system login user <txt>

Instances:

Multiple

service ssh access-control deny
SDE M10-Smart M2 RS420 AresC640

Deny access to specific roles/users

service ssh access-control deny role <id>
SDE M10-Smart M2 RS420 AresC640
Values:

  • id – Role

Instances:

Multiple

service ssh access-control deny user <txt>
SDE M10-Smart M2 RS420 AresC640

User

Reference:

system login user <txt>

Instances:

Multiple

service ssh agent-forwarding
SDE M10-Smart M2 RS420 AresC640

Enables SSH agent forwarding

service ssh cipher <id>
SDE M10-Smart M2 RS420 AresC640
Values:

  • id

    Ciphers to use for ongoing SSH connections

    It is possible to limit which ciphers will be used for ongoing SSH connections. A list of ciphers is accepted, and they will be sorted by their strength (strong-first based ordering).

Instances:

List of values

service ssh disable-forwarding
SDE M10-Smart M2 RS420 AresC640

Disables all SSH forwarding features (X11, agent, TCP and stream local)

This option overrides all other forwarding-related options, which may simplify restricted configurations

service ssh disable-password-authentication
SDE M10-Smart M2 RS420 AresC640

Disables the login using password authentication

service ssh disable-pubkey-authentication
SDE M10-Smart M2 RS420 AresC640

Disables the login using public key authentication

service ssh disable-tty
SDE M10-Smart M2 RS420 AresC640

Specifies whether pty allocation is permitted

service ssh host-key <file>
SDE M10-Smart M2 RS420 AresC640
Values:

  • file – Host key used when others connect to us through SSH

Instances:

Multiple

service ssh keepalive-count-max <u32>
SDE M10-Smart M2 RS420 AresC640

Number of keepalive messages to be sent without any response from the client

Values:

  • u32 – Disables connection termination (0)

  • u32 – Number of messages to be sent (1-65535)

service ssh keepalive-interval <u32>
SDE M10-Smart M2 RS420 AresC640

Timeout interval in seconds after which SSH will send a message requesting a response

Values:

  • u32 – Seconds (0-65535)

service ssh key-exchange <id>
SDE M10-Smart M2 RS420 AresC640
Values:

  • id – Specifies the available KEX (Key Exchange) algorithms

Instances:

List of values

service ssh listen-address <ipv4|ipv6|id>
SDE M10-Smart M2 RS420 AresC640

Listen address to listen to

Values:

  • ipv4 – IP address to listen to

  • ipv6 – IPv6 address to listen to

  • hostname – Hostname to listen to

Local IP address:

Instances:

Multiple

service ssh log-level <txt>
SDE M10-Smart M2 RS420 AresC640

Specific log-level to use. Each level logs their own messages and “higher” levels ones

Values:

  • quiet – Log no messages

  • fatal – Fatal messages

  • error – Error messages

  • info – Informational messages

  • verbose – More informational messages

  • debug – Debugging messages

  • debug2 – More debugging messages

  • debug3 – Even more debugging messages

service ssh mac <id>
SDE M10-Smart M2 RS420 AresC640
Values:

  • id

    Specifies the available MAC (Message Authentication Code) algorithms

    The MAC algorithm is used for data integrity protection. The algorithms that contain “-etm” calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use recommended.

Instances:

List of values

service ssh match
SDE M10-Smart M2 RS420 AresC640

Match directives to apply a given configuration to specific users or groups

service ssh match address <ipv4cidr|ipv6cidr>
SDE M10-Smart M2 RS420 AresC640
Values:

  • ipv4cidr – Specific configuration for matched addresses

  • ipv6cidr – Specific configuration for matched addresses

Instances:

Multiple

service ssh match address <ipv4cidr|ipv6cidr> agent-forwarding
SDE M10-Smart M2 RS420 AresC640

Enables SSH agent forwarding

service ssh match address <ipv4cidr|ipv6cidr> disable-password-authentication
SDE M10-Smart M2 RS420 AresC640

Disables the login using password authentication

service ssh match address <ipv4cidr|ipv6cidr> disable-pubkey-authentication
SDE M10-Smart M2 RS420 AresC640

Disables the login using public key authentication

service ssh match address <ipv4cidr|ipv6cidr> disable-tty
SDE M10-Smart M2 RS420 AresC640

Specifies whether pty allocation is permitted

service ssh match address <ipv4cidr|ipv6cidr> keepalive-count-max <u32>
SDE M10-Smart M2 RS420 AresC640

Number of keepalive messages to be sent without any response from the client

Values:

  • u32 – Disables connection termination (0)

  • u32 – Number of messages to be sent (1-65535)

service ssh match address <ipv4cidr|ipv6cidr> keepalive-interval <u32>
SDE M10-Smart M2 RS420 AresC640

Timeout interval in seconds after which SSH will send a message requesting a response

Values:

  • u32 – Seconds (0-65535)

service ssh match address <ipv4cidr|ipv6cidr> log-level <txt>
SDE M10-Smart M2 RS420 AresC640

Specific log-level to use. Each level logs their own messages and “higher” levels ones

Values:

  • quiet – Log no messages

  • fatal – Fatal messages

  • error – Error messages

  • info – Informational messages

  • verbose – More informational messages

  • debug – Debugging messages

  • debug2 – More debugging messages

  • debug3 – Even more debugging messages

service ssh match address <ipv4cidr|ipv6cidr> max-sessions <u32>
SDE M10-Smart M2 RS420 AresC640

Maximum number of open shell, login or subsystem sessions allowed per connection

Values:

  • u32 – No shell, login and subsystem sessions are allowed (but forwarding allowed) (0)

  • u32 – Disable session multiplexing (1)

  • u32 – Maximum number of sessions allowed (2-65535)

service ssh match address <ipv4cidr|ipv6cidr> permit-empty-passwords
SDE M10-Smart M2 RS420 AresC640

Whether the server allows login to accounts with empty password strings

This feature only takes place when password authentication is enabled.

service ssh match address <ipv4cidr|ipv6cidr> permit-open <fqdn|ipv4|ipv6>
SDE M10-Smart M2 RS420 AresC640

Specifies destinations to which TCP port forwarding is permitted

Values:

  • fqdn – Host to allow forwarding TCP connections to

  • ipv4 – IPv4 address to allow forwarding TCP connections to

  • ipv6 – IPv6 address to allow forwarding TCP connections to

Instances:

Multiple

Required:

service ssh match address <ipv4cidr|ipv6cidr> permit-open <fqdn|ipv4|ipv6> port <u32>
SDE M10-Smart M2 RS420 AresC640

Port to allow forwarding TCP connections to

Values:

  • u32 – Port to allow forwarding connection to (1-65535)

Instances:

List of values

service ssh match address <ipv4cidr|ipv6cidr> tcp-forwarding
SDE M10-Smart M2 RS420 AresC640

Enables TCP forwarding

service ssh match address <ipv4cidr|ipv6cidr> x11-forwarding
SDE M10-Smart M2 RS420 AresC640

Enables X11 forwarding

When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the SSH proxy is configured to listen on the wildcard address (though this is not the default). Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side. The security risk of using X11 forwarding is that the client’s X11 display server may be exposed to attach when the SSH client requests forwarding). A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a “no” setting.

service ssh match host <ipv4|ipv6>
SDE M10-Smart M2 RS420 AresC640
Values:

  • ipv4 – Specific configuration for matched hosts

  • ipv6 – Specific configuration for matched hosts

Instances:

Multiple

service ssh match host <ipv4|ipv6> agent-forwarding
SDE M10-Smart M2 RS420 AresC640

Enables SSH agent forwarding

service ssh match host <ipv4|ipv6> disable-password-authentication
SDE M10-Smart M2 RS420 AresC640

Disables the login using password authentication

service ssh match host <ipv4|ipv6> disable-pubkey-authentication
SDE M10-Smart M2 RS420 AresC640

Disables the login using public key authentication

service ssh match host <ipv4|ipv6> disable-tty
SDE M10-Smart M2 RS420 AresC640

Specifies whether pty allocation is permitted

service ssh match host <ipv4|ipv6> keepalive-count-max <u32>
SDE M10-Smart M2 RS420 AresC640

Number of keepalive messages to be sent without any response from the client

Values:

  • u32 – Disables connection termination (0)

  • u32 – Number of messages to be sent (1-65535)

service ssh match host <ipv4|ipv6> keepalive-interval <u32>
SDE M10-Smart M2 RS420 AresC640

Timeout interval in seconds after which SSH will send a message requesting a response

Values:

  • u32 – Seconds (0-65535)

service ssh match host <ipv4|ipv6> log-level <txt>
SDE M10-Smart M2 RS420 AresC640

Specific log-level to use. Each level logs their own messages and “higher” levels ones

Values:

  • quiet – Log no messages

  • fatal – Fatal messages

  • error – Error messages

  • info – Informational messages

  • verbose – More informational messages

  • debug – Debugging messages

  • debug2 – More debugging messages

  • debug3 – Even more debugging messages

service ssh match host <ipv4|ipv6> max-sessions <u32>
SDE M10-Smart M2 RS420 AresC640

Maximum number of open shell, login or subsystem sessions allowed per connection

Values:

  • u32 – No shell, login and subsystem sessions are allowed (but forwarding allowed) (0)

  • u32 – Disable session multiplexing (1)

  • u32 – Maximum number of sessions allowed (2-65535)

service ssh match host <ipv4|ipv6> permit-empty-passwords
SDE M10-Smart M2 RS420 AresC640

Whether the server allows login to accounts with empty password strings

This feature only takes place when password authentication is enabled.

service ssh match host <ipv4|ipv6> permit-open <fqdn|ipv4|ipv6>
SDE M10-Smart M2 RS420 AresC640

Specifies destinations to which TCP port forwarding is permitted

Values:

  • fqdn – Host to allow forwarding TCP connections to

  • ipv4 – IPv4 address to allow forwarding TCP connections to

  • ipv6 – IPv6 address to allow forwarding TCP connections to

Instances:

Multiple

Required:

service ssh match host <ipv4|ipv6> permit-open <fqdn|ipv4|ipv6> port <u32>
SDE M10-Smart M2 RS420 AresC640

Port to allow forwarding TCP connections to

Values:

  • u32 – Port to allow forwarding connection to (1-65535)

Instances:

List of values

service ssh match host <ipv4|ipv6> tcp-forwarding
SDE M10-Smart M2 RS420 AresC640

Enables TCP forwarding

service ssh match host <ipv4|ipv6> x11-forwarding
SDE M10-Smart M2 RS420 AresC640

Enables X11 forwarding

When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the SSH proxy is configured to listen on the wildcard address (though this is not the default). Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side. The security risk of using X11 forwarding is that the client’s X11 display server may be exposed to attach when the SSH client requests forwarding). A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a “no” setting.

service ssh match role <id>
SDE M10-Smart M2 RS420 AresC640
Values:

  • id – Specific configuration for matched roles

Instances:

Multiple

service ssh match role <id> agent-forwarding
SDE M10-Smart M2 RS420 AresC640

Enables SSH agent forwarding

service ssh match role <id> disable-password-authentication
SDE M10-Smart M2 RS420 AresC640

Disables the login using password authentication

service ssh match role <id> disable-pubkey-authentication
SDE M10-Smart M2 RS420 AresC640

Disables the login using public key authentication

service ssh match role <id> disable-tty
SDE M10-Smart M2 RS420 AresC640

Specifies whether pty allocation is permitted

service ssh match role <id> keepalive-count-max <u32>
SDE M10-Smart M2 RS420 AresC640

Number of keepalive messages to be sent without any response from the client

Values:

  • u32 – Disables connection termination (0)

  • u32 – Number of messages to be sent (1-65535)

service ssh match role <id> keepalive-interval <u32>
SDE M10-Smart M2 RS420 AresC640

Timeout interval in seconds after which SSH will send a message requesting a response

Values:

  • u32 – Seconds (0-65535)

service ssh match role <id> log-level <txt>
SDE M10-Smart M2 RS420 AresC640

Specific log-level to use. Each level logs their own messages and “higher” levels ones

Values:

  • quiet – Log no messages

  • fatal – Fatal messages

  • error – Error messages

  • info – Informational messages

  • verbose – More informational messages

  • debug – Debugging messages

  • debug2 – More debugging messages

  • debug3 – Even more debugging messages

service ssh match role <id> max-sessions <u32>
SDE M10-Smart M2 RS420 AresC640

Maximum number of open shell, login or subsystem sessions allowed per connection

Values:

  • u32 – No shell, login and subsystem sessions are allowed (but forwarding allowed) (0)

  • u32 – Disable session multiplexing (1)

  • u32 – Maximum number of sessions allowed (2-65535)

service ssh match role <id> permit-empty-passwords
SDE M10-Smart M2 RS420 AresC640

Whether the server allows login to accounts with empty password strings

This feature only takes place when password authentication is enabled.

service ssh match role <id> permit-open <fqdn|ipv4|ipv6>
SDE M10-Smart M2 RS420 AresC640

Specifies destinations to which TCP port forwarding is permitted

Values:

  • fqdn – Host to allow forwarding TCP connections to

  • ipv4 – IPv4 address to allow forwarding TCP connections to

  • ipv6 – IPv6 address to allow forwarding TCP connections to

Instances:

Multiple

Required:

service ssh match role <id> permit-open <fqdn|ipv4|ipv6> port <u32>
SDE M10-Smart M2 RS420 AresC640

Port to allow forwarding TCP connections to

Values:

  • u32 – Port to allow forwarding connection to (1-65535)

Instances:

List of values

service ssh match role <id> tcp-forwarding
SDE M10-Smart M2 RS420 AresC640

Enables TCP forwarding

service ssh match role <id> x11-forwarding
SDE M10-Smart M2 RS420 AresC640

Enables X11 forwarding

When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the SSH proxy is configured to listen on the wildcard address (though this is not the default). Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side. The security risk of using X11 forwarding is that the client’s X11 display server may be exposed to attach when the SSH client requests forwarding). A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a “no” setting.

service ssh match user <txt>
SDE M10-Smart M2 RS420 AresC640

Specific configuration for matched users

Reference:

system login user <txt>

Instances:

Multiple

service ssh match user <txt> agent-forwarding
SDE M10-Smart M2 RS420 AresC640

Enables SSH agent forwarding

service ssh match user <txt> disable-password-authentication
SDE M10-Smart M2 RS420 AresC640

Disables the login using password authentication

service ssh match user <txt> disable-pubkey-authentication
SDE M10-Smart M2 RS420 AresC640

Disables the login using public key authentication

service ssh match user <txt> disable-tty
SDE M10-Smart M2 RS420 AresC640

Specifies whether pty allocation is permitted

service ssh match user <txt> keepalive-count-max <u32>
SDE M10-Smart M2 RS420 AresC640

Number of keepalive messages to be sent without any response from the client

Values:

  • u32 – Disables connection termination (0)

  • u32 – Number of messages to be sent (1-65535)

service ssh match user <txt> keepalive-interval <u32>
SDE M10-Smart M2 RS420 AresC640

Timeout interval in seconds after which SSH will send a message requesting a response

Values:

  • u32 – Seconds (0-65535)

service ssh match user <txt> log-level <txt>
SDE M10-Smart M2 RS420 AresC640

Specific log-level to use. Each level logs their own messages and “higher” levels ones

Values:

  • quiet – Log no messages

  • fatal – Fatal messages

  • error – Error messages

  • info – Informational messages

  • verbose – More informational messages

  • debug – Debugging messages

  • debug2 – More debugging messages

  • debug3 – Even more debugging messages

service ssh match user <txt> max-sessions <u32>
SDE M10-Smart M2 RS420 AresC640

Maximum number of open shell, login or subsystem sessions allowed per connection

Values:

  • u32 – No shell, login and subsystem sessions are allowed (but forwarding allowed) (0)

  • u32 – Disable session multiplexing (1)

  • u32 – Maximum number of sessions allowed (2-65535)

service ssh match user <txt> permit-empty-passwords
SDE M10-Smart M2 RS420 AresC640

Whether the server allows login to accounts with empty password strings

This feature only takes place when password authentication is enabled.

service ssh match user <txt> permit-open <fqdn|ipv4|ipv6>
SDE M10-Smart M2 RS420 AresC640

Specifies destinations to which TCP port forwarding is permitted

Values:

  • fqdn – Host to allow forwarding TCP connections to

  • ipv4 – IPv4 address to allow forwarding TCP connections to

  • ipv6 – IPv6 address to allow forwarding TCP connections to

Instances:

Multiple

Required:

service ssh match user <txt> permit-open <fqdn|ipv4|ipv6> port <u32>
SDE M10-Smart M2 RS420 AresC640

Port to allow forwarding TCP connections to

Values:

  • u32 – Port to allow forwarding connection to (1-65535)

Instances:

List of values

service ssh match user <txt> tcp-forwarding
SDE M10-Smart M2 RS420 AresC640

Enables TCP forwarding

service ssh match user <txt> x11-forwarding
SDE M10-Smart M2 RS420 AresC640

Enables X11 forwarding

When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the SSH proxy is configured to listen on the wildcard address (though this is not the default). Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side. The security risk of using X11 forwarding is that the client’s X11 display server may be exposed to attach when the SSH client requests forwarding). A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a “no” setting.

service ssh max-sessions <u32>
SDE M10-Smart M2 RS420 AresC640

Maximum number of open shell, login or subsystem sessions allowed per connection

Values:

  • u32 – No shell, login and subsystem sessions are allowed (but forwarding allowed) (0)

  • u32 – Disable session multiplexing (1)

  • u32 – Maximum number of sessions allowed (2-65535)

service ssh permit-empty-passwords
SDE M10-Smart M2 RS420 AresC640

Whether the server allows login to accounts with empty password strings

This feature only takes place when password authentication is enabled.

service ssh permit-open <fqdn|ipv4|ipv6>
SDE M10-Smart M2 RS420 AresC640

Specifies destinations to which TCP port forwarding is permitted

Values:

  • fqdn – Host to allow forwarding TCP connections to

  • ipv4 – IPv4 address to allow forwarding TCP connections to

  • ipv6 – IPv6 address to allow forwarding TCP connections to

Instances:

Multiple

Required:

service ssh permit-open <fqdn|ipv4|ipv6> port <u32>
SDE M10-Smart M2 RS420 AresC640

Port to allow forwarding TCP connections to

Values:

  • u32 – Port to allow forwarding connection to (1-65535)

Instances:

List of values

service ssh port <u32>
SDE M10-Smart M2 RS420 AresC640

Port for SSH service

Values:

  • u32 – Numeric IP port (1-32767)

  • u32 – Numeric IP port (60000-65535)

service ssh tcp-forwarding
SDE M10-Smart M2 RS420 AresC640

Enables TCP forwarding

service ssh vrf <id>
SDE M10-Smart M2 RS420 AresC640

VRF interface to run SSH on

Reference:

system vrf <id>

service ssh x11-forwarding
SDE M10-Smart M2 RS420 AresC640

Enables X11 forwarding

When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the SSH proxy is configured to listen on the wildcard address (though this is not the default). Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side. The security risk of using X11 forwarding is that the client’s X11 display server may be exposed to attach when the SSH client requests forwarding). A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a “no” setting.