ssh

service ssh
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Secure SHell (SSH) protocol

service ssh aaa
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

AAA options

service ssh aaa accounting <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Accounting list name

Reference:

system aaa list <id>

service ssh aaa authentication <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Authentication list name

Reference:

system aaa list <id>

service ssh access-control
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Limit how roles and users can access the system through SSH

service ssh access-control allow
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Allow access to specific roles/users

service ssh access-control allow role <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM
Values:

  • id – Role

Instances:

Multiple

service ssh access-control allow user <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

User

Reference:

system login user <txt>

Instances:

Multiple

service ssh access-control deny
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Deny access to specific roles/users

service ssh access-control deny role <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM
Values:

  • id – Role

Instances:

Multiple

service ssh access-control deny user <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

User

Reference:

system login user <txt>

Instances:

Multiple

service ssh cipher <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM
Values:

  • id

    Ciphers to use for ongoing SSH connections

    It is possible to limit which ciphers will be used for ongoing SSH connections. A list of ciphers is accepted, and they will be sorted by their strength (strong-first based ordering).

Instances:

List of values

service ssh disable-password-authentication
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Disables the login using password authentication

service ssh host-key <file>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM
Values:

  • file – Host key used when others connect to us through SSH

Instances:

Multiple

service ssh host-key-algorithms <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM
Values:

  • id – Specifies the host key algorithms that the server offers

Instances:

List of values

service ssh keepalive-count-max <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Number of keepalive messages to be sent without any response from the client

Values:

  • u32 – Disables connection termination (0)

  • u32 – Number of messages to be sent (1-65535)

service ssh keepalive-interval <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Timeout interval in seconds after which SSH will send a message requesting a response

Values:

  • u32 – Seconds (0-65535)

service ssh key-exchange <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM
Values:

  • id – Specifies the available KEX (Key Exchange) algorithms

Instances:

List of values

service ssh listen-address <ipv4|ipv6|id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Listen address to listen to

Values:

  • ipv4 – IP address to listen to

  • ipv6 – IPv6 address to listen to

  • hostname – Hostname to listen to

Local IP address:

Instances:

Multiple

service ssh log-level <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Specific log-level to use. Each level logs their own messages and “higher” levels ones

Values:

  • quiet – Log no messages

  • fatal – Fatal messages

  • error – Error messages

  • info – Informational messages

  • verbose – More informational messages

  • debug – Debugging messages

  • debug2 – More debugging messages

service ssh login-grace-time <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM
Values:

  • u32

    The server disconnects after this time (in seconds) if the user has not successfully logged in.

    If the value is 0, there is no time limit. The default is 120 seconds.

service ssh mac <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM
Values:

  • id

    Specifies the available MAC (Message Authentication Code) algorithms

    The MAC algorithm is used for data integrity protection. The algorithms that contain “-etm” calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use recommended.

Instances:

List of values

service ssh match
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Match directives to apply a given configuration to specific users or groups

service ssh match address <ipv4net|ipv6net>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM
Values:

  • ipv4net – Specific configuration for matched addresses

  • ipv6net – Specific configuration for matched addresses

Instances:

Multiple

service ssh match address <ipv4net|ipv6net> disable-password-authentication
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Disables the login using password authentication

service ssh match address <ipv4net|ipv6net> keepalive-count-max <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Number of keepalive messages to be sent without any response from the client

Values:

  • u32 – Disables connection termination (0)

  • u32 – Number of messages to be sent (1-65535)

service ssh match address <ipv4net|ipv6net> keepalive-interval <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Timeout interval in seconds after which SSH will send a message requesting a response

Values:

  • u32 – Seconds (0-65535)

service ssh match address <ipv4net|ipv6net> log-level <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Specific log-level to use. Each level logs their own messages and “higher” levels ones

Values:

  • quiet – Log no messages

  • fatal – Fatal messages

  • error – Error messages

  • info – Informational messages

  • verbose – More informational messages

  • debug – Debugging messages

  • debug2 – More debugging messages

service ssh match host <ipv4|ipv6>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM
Values:

  • ipv4 – Specific configuration for matched hosts

  • ipv6 – Specific configuration for matched hosts

Instances:

Multiple

service ssh match host <ipv4|ipv6> disable-password-authentication
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Disables the login using password authentication

service ssh match host <ipv4|ipv6> keepalive-count-max <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Number of keepalive messages to be sent without any response from the client

Values:

  • u32 – Disables connection termination (0)

  • u32 – Number of messages to be sent (1-65535)

service ssh match host <ipv4|ipv6> keepalive-interval <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Timeout interval in seconds after which SSH will send a message requesting a response

Values:

  • u32 – Seconds (0-65535)

service ssh match host <ipv4|ipv6> log-level <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Specific log-level to use. Each level logs their own messages and “higher” levels ones

Values:

  • quiet – Log no messages

  • fatal – Fatal messages

  • error – Error messages

  • info – Informational messages

  • verbose – More informational messages

  • debug – Debugging messages

  • debug2 – More debugging messages

service ssh match role <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM
Values:

  • id – Specific configuration for matched roles

Instances:

Multiple

service ssh match role <id> disable-password-authentication
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Disables the login using password authentication

service ssh match role <id> keepalive-count-max <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Number of keepalive messages to be sent without any response from the client

Values:

  • u32 – Disables connection termination (0)

  • u32 – Number of messages to be sent (1-65535)

service ssh match role <id> keepalive-interval <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Timeout interval in seconds after which SSH will send a message requesting a response

Values:

  • u32 – Seconds (0-65535)

service ssh match role <id> log-level <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Specific log-level to use. Each level logs their own messages and “higher” levels ones

Values:

  • quiet – Log no messages

  • fatal – Fatal messages

  • error – Error messages

  • info – Informational messages

  • verbose – More informational messages

  • debug – Debugging messages

  • debug2 – More debugging messages

service ssh match user <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Specific configuration for matched users

Reference:

system login user <txt>

Instances:

Multiple

service ssh match user <txt> disable-password-authentication
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Disables the login using password authentication

service ssh match user <txt> keepalive-count-max <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Number of keepalive messages to be sent without any response from the client

Values:

  • u32 – Disables connection termination (0)

  • u32 – Number of messages to be sent (1-65535)

service ssh match user <txt> keepalive-interval <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Timeout interval in seconds after which SSH will send a message requesting a response

Values:

  • u32 – Seconds (0-65535)

service ssh match user <txt> log-level <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Specific log-level to use. Each level logs their own messages and “higher” levels ones

Values:

  • quiet – Log no messages

  • fatal – Fatal messages

  • error – Error messages

  • info – Informational messages

  • verbose – More informational messages

  • debug – Debugging messages

  • debug2 – More debugging messages

service ssh max-auth-tries <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Maximum number of authentication attempts allowed per connection

Values:

  • u32 – Disabled (infinite attempts are allowed) (0)

  • u32 – Trials (1-65535)

service ssh port <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

Port for SSH service

Values:

  • u32 – Numeric IP port (1-32767)

  • u32 – Numeric IP port (60000-65535)

service ssh pubkey-accepted-algorithms <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM
Values:

  • id – Specifies the signature algorithms that will be accepted for public key authentication

Instances:

List of values

service ssh vrf <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE VM

VRF interface to run SSH on

Reference:

system vrf <id>