ssh
- service ssh
- Devices
Secure SHell (SSH) protocol
- service ssh aaa
- Devices
AAA options
- service ssh aaa accounting <id>
- Devices
Accounting list name
- Reference:
- service ssh aaa authentication <id>
- Devices
Authentication list name
- Reference:
- service ssh access-control
- Devices
Limit how roles and users can access the system through SSH
- service ssh access-control allow
- Devices
Allow access to specific roles/users
- service ssh access-control allow role <id>
- Devices
- Values:
id – Role
- Instances:
Multiple
- service ssh access-control allow user <txt>
- Devices
User
- Reference:
- Instances:
Multiple
- service ssh access-control deny
- Devices
Deny access to specific roles/users
- service ssh access-control deny role <id>
- Devices
- Values:
id – Role
- Instances:
Multiple
- service ssh access-control deny user <txt>
- Devices
User
- Reference:
- Instances:
Multiple
- service ssh cipher <id>
- Devices
- Values:
id – Ciphers to use for ongoing SSH connections
The ciphers used for ongoing SSH connections can be restricted. A list of ciphers is accepted, and they are sorted by strength (strongest first).
- Instances:
List of values
- service ssh disable-password-authentication
- Devices
Disables the login using password authentication
- service ssh host-key <file>
- Devices
- Values:
file – Host key used when others connect to us through SSH
- Instances:
Multiple
- service ssh host-key-algorithms <id>
- Devices
- Values:
id – Specifies the host key algorithms that the server offers
- Instances:
List of values
- service ssh keepalive-count-max <u32>
- Devices
Number of keepalive messages to be sent without any response from the client
- Values:
u32 – Disables connection termination (0)
u32 – Number of messages to be sent (1-65535)
- service ssh keepalive-interval <u32>
- Devices
Timeout interval in seconds after which SSH will send a message requesting a response
- Values:
u32 – Seconds (0-65535)
- service ssh key-exchange <id>
- Devices
- Values:
id – Specifies the available KEX (Key Exchange) algorithms
- Instances:
List of values
- service ssh listen-address <ipv4|ipv6|id>
- Devices
Address to listen on
- Values:
ipv4 – IP address to listen to
ipv6 – IPv6 address to listen to
hostname – Hostname to listen to
- Local IP address:
- Instances:
Multiple
- service ssh log-level <txt>
- Devices
Specific log-level to use. Each level logs its own messages and those of the “higher” levels
- Values:
quiet – Log no messages
fatal – Fatal messages
error – Error messages
info – Informational messages
verbose – More informational messages
debug – Debugging messages
debug2 – More debugging messages
- service ssh login-grace-time <u32>
- Devices
- Values:
u32 – The server disconnects after this time (in seconds) if the user has not successfully logged in.
If the value is 0, there is no time limit. The default is 120 seconds.
- service ssh mac <id>
- Devices
- Values:
id – Specifies the available MAC (Message Authentication Code) algorithms
The MAC algorithm is used for data integrity protection. The algorithms whose names contain “-etm” calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use is recommended.
- Instances:
List of values
- service ssh match
- Devices
Match directives to apply a given configuration to specific users or groups
- service ssh match address <ipv4net|ipv6net>
- Devices
- Values:
ipv4net – Specific configuration for matched addresses
ipv6net – Specific configuration for matched addresses
- Instances:
Multiple
- service ssh match address <ipv4net|ipv6net> disable-password-authentication
- Devices
Disables the login using password authentication
- service ssh match address <ipv4net|ipv6net> keepalive-count-max <u32>
- Devices
Number of keepalive messages to be sent without any response from the client
- Values:
u32 – Disables connection termination (0)
u32 – Number of messages to be sent (1-65535)
- service ssh match address <ipv4net|ipv6net> keepalive-interval <u32>
- Devices
Timeout interval in seconds after which SSH will send a message requesting a response
- Values:
u32 – Seconds (0-65535)
- service ssh match address <ipv4net|ipv6net> log-level <txt>
- Devices
Specific log-level to use. Each level logs its own messages and those of the “higher” levels
- Values:
quiet – Log no messages
fatal – Fatal messages
error – Error messages
info – Informational messages
verbose – More informational messages
debug – Debugging messages
debug2 – More debugging messages
- service ssh match host <ipv4|ipv6>
- Devices
- Values:
ipv4 – Specific configuration for matched hosts
ipv6 – Specific configuration for matched hosts
- Instances:
Multiple
- service ssh match host <ipv4|ipv6> disable-password-authentication
- Devices
Disables the login using password authentication
- service ssh match host <ipv4|ipv6> keepalive-count-max <u32>
- Devices
Number of keepalive messages to be sent without any response from the client
- Values:
u32 – Disables connection termination (0)
u32 – Number of messages to be sent (1-65535)
- service ssh match host <ipv4|ipv6> keepalive-interval <u32>
- Devices
Timeout interval in seconds after which SSH will send a message requesting a response
- Values:
u32 – Seconds (0-65535)
- service ssh match host <ipv4|ipv6> log-level <txt>
- Devices
Specific log-level to use. Each level logs its own messages and those of the “higher” levels
- Values:
quiet – Log no messages
fatal – Fatal messages
error – Error messages
info – Informational messages
verbose – More informational messages
debug – Debugging messages
debug2 – More debugging messages
- service ssh match role <id>
- Devices
- Values:
id – Specific configuration for matched roles
- Instances:
Multiple
- service ssh match role <id> disable-password-authentication
- Devices
Disables the login using password authentication
- service ssh match role <id> keepalive-count-max <u32>
- Devices
Number of keepalive messages to be sent without any response from the client
- Values:
u32 – Disables connection termination (0)
u32 – Number of messages to be sent (1-65535)
- service ssh match role <id> keepalive-interval <u32>
- Devices
Timeout interval in seconds after which SSH will send a message requesting a response
- Values:
u32 – Seconds (0-65535)
- service ssh match role <id> log-level <txt>
- Devices
Specific log-level to use. Each level logs its own messages and those of the “higher” levels
- Values:
quiet – Log no messages
fatal – Fatal messages
error – Error messages
info – Informational messages
verbose – More informational messages
debug – Debugging messages
debug2 – More debugging messages
- service ssh match user <txt>
- Devices
Specific configuration for matched users
- Reference:
- Instances:
Multiple
- service ssh match user <txt> disable-password-authentication
- Devices
Disables the login using password authentication
- service ssh match user <txt> keepalive-count-max <u32>
- Devices
Number of keepalive messages to be sent without any response from the client
- Values:
u32 – Disables connection termination (0)
u32 – Number of messages to be sent (1-65535)
- service ssh match user <txt> keepalive-interval <u32>
- Devices
Timeout interval in seconds after which SSH will send a message requesting a response
- Values:
u32 – Seconds (0-65535)
- service ssh match user <txt> log-level <txt>
- Devices
Specific log-level to use. Each level logs its own messages and those of the “higher” levels
- Values:
quiet – Log no messages
fatal – Fatal messages
error – Error messages
info – Informational messages
verbose – More informational messages
debug – Debugging messages
debug2 – More debugging messages
- service ssh max-auth-tries <u32>
- Devices
Maximum number of authentication attempts allowed per connection
- Values:
u32 – Disabled (infinite attempts are allowed) (0)
u32 – Trials (1-65535)
- service ssh port <u32>
- Devices
Port for SSH service
- Values:
u32 – Numeric IP port (1-32767)
u32 – Numeric IP port (60000-65535)
- service ssh pubkey-accepted-algorithms <id>
- Devices
- Values:
id – Specifies the signature algorithms that will be accepted for public key authentication
- Instances:
List of values
- service ssh vrf <id>
- Devices
VRF interface to run SSH on
- Reference: