Before you begin
Type the host name or IP address of the SSH server into the “Host name (or IP address)” box. Ensure the port number in the “Port” box matches the port number the SSH server requires. SSH servers use port 22 by default, but servers are often configured to use other port numbers instead. Click “Open” to connect. SSH (Secure Shell) You can access the command line of a Raspberry Pi remotely from another computer or device on the same network using SSH. The Raspberry Pi will act as a remote device: you can connect to it using a client on another machine. Ssh -L 127.0.0.1:80:intra.example.com:80 gw.example.com. The LocalForward option in the OpenSSH client configuration file can be used to configure forwarding without having to specify it on command line. Remote Forwarding. In OpenSSH, remote SSH port forwardings are specified using the -R option. For example: ssh -R 8080:localhost:80 public.
Using SSH public key authentication to connect to a remote system is a robust, more secure alternative to logging in with an account password or passphrase. SSH public key authentication relies on asymmetric cryptographic algorithms that generate a pair of separate keys (a key pair), one 'private' and the other 'public'. You keep the private key a secret and store it on the computer you use to connect to the remote system. Conceivably, you can share the public key with anyone without compromising the private key; you store it on the remote system in a .ssh/authorized_keys
directory.
- Check if ssh client is installed. Make sure you have the latest updates of Windows if that is not.
- Copy and paste the command-line examples given, substituting the highlighted values with your own values. The most common way of connecting to a remote Linux server is through SSH. SSH stands for Secure Shell and provides a safe and secure way of executing commands, making changes, and configuring services remotely.
To use SSH public key authentication:
- The remote system must have a version of SSH installed. The information in this document assumes the remote system uses OpenSSH. If the remote system is using a different version of SSH (for example, Tectia SSH), the process outlined below may not be correct.
- The computer you use to connect to the remote server must have a version of SSH installed. This document includes instructions for generating a key pair with command-line SSH on a Linux or macOS computer, and with PuTTY on a Windows computer.
- You need to be able to transfer your public key to the remote system. Therefore, you must either be able to log into the remote system with an established account username and password/passphrase, or have an administrator on the remote system add the public key to the
~/.ssh/authorized_keys
file in your account. - Two-factor authentication using Two-Step Login (Duo) is required for access to the login nodes on IU research supercomputers, and for SCP and SFTP file transfers to those systems. SSH public key authentication remains an option for researchers who submit the 'SSH public key authentication to HPS systems' agreement (log into HPC everywhere using your IU username and passphrase), in which you agree to set a passphrase on your private key when you generate your key pair. If you have questions about how two-factor authentication may impact your workflows, contact the UITS Research Applications and Deep Learning team. For help, see Get started with Two-Step Login (Duo) at IU and Help for Two-Step Login (Duo).
Set up public key authentication using SSH on a Linux or macOS computer
To set up public key authentication using SSH on a Linux or macOS computer:
- Log into the computer you'll use to access the remote host, and then use command-line SSH to generate a key pair using the RSA algorithm.
To generate RSA keys, on the command line, enter:
- You will be prompted to supply a filename (for saving the key pair) and a password (for protecting your private key):
- Filename: To accept the default filename (and location) for your key pair, press
Enter
orReturn
without entering a filename.Alternatively, you can enter a filename (for example,
my_ssh_key
) at the prompt, and then pressEnter
orReturn
. However, many remote hosts are configured to accept private keys with the default filename and path (~/.ssh/id_rsa
for RSA keys) by default. Consequently, to authenticate with a private key that has a different filename, or one that is not stored in the default location, you must explicitly invoke it either on the SSH command line or in an SSH client configuration file (~/.ssh/config
); see below for instructions. - Password: Enter a password that contains at least five characters, and then press
Enter
orReturn
. If you pressEnter
orReturn
without entering a password, your private key will be generated without password-protection.If you don't password-protect your private key, anyone with access to your computer conceivably can SSH (without being prompted for a password) to your account on any remote system that has the corresponding public key.
Your private key will be generated using the default filename (for example,
id_rsa
) or the filename you specified (for example,my_ssh_key
), and stored on your computer in a.ssh
directory off your home directory (for example,~/.ssh/id_rsa
or~/.ssh/my_ssh_key
).The corresponding public key will be generated using the same filename (but with a
.pub
extension added) and stored in the same location (for example,~/.ssh/id_rsa.pub
or~/.ssh/my_ssh_key.pub
). - Filename: To accept the default filename (and location) for your key pair, press
- Use SFTP or SCP to copy the public key file (for example,
~/.ssh/id_rsa.pub
) to your account on the remote system (for example,darvader@deathstar.empire.gov
); for example, using command-line SCP:You'll be prompted for your account password. Your public key will be copied to your home directory (and saved with the same filename) on the remote system.
- Log into the remote system using your account username and password.If the remote system is not configured to support password-based authentication, you will need to ask system administrators to add your public key to the
~/.ssh/authorized_keys
file in your account (if your account doesn't have~/.ssh/authorized_keys
file, system administrators can create one for you). Once your public key is added to your~/.ssh/authorized_keys
file on the remote system, the setup process is complete, and you should now be able to SSH to your account from the computer that has your private key. - If your account on the remote system doesn't already contain a
~/.ssh/authorized_keys
file, create one; on the command line, enter the following commands:If your account on the remote system already has a~/.ssh/authorized_keys
file, executing these commands will not damage the existing directory or file. - On the remote system, add the contents of your public key file (for example,
~/id_rsa.pub
) to a new line in your~/.ssh/authorized_keys
file; on the command line, enter:You may want to check the contents of
~/.ssh/authorized_keys
to make sure your public key was added properly; on the command line, enter: - You may now safely delete the public key file (for example,
~/id_rsa.pub
) from your account on the remote system; on the command line, enter:Alternatively, if you prefer to keep a copy of your public key on the remote system, move it to your
.ssh
directory; on the command line, enter: - Optionally, repeat steps 3-7 to add your public key to other remote systems that you want to access from the computer that has your private key using SSH public key authentication.
- You now should be able to SSH to your account on the remote system (for example,
username@host2.somewhere.edu
) from the computer (for example,host1
) that has your private key (for example,~/.ssh/id_rsa
):- If your private key is password-protected, the remote system will prompt you for the password or passphrase (your private key password/passphrase is not transmitted to the remote system):
- If your private key is not password-protected, the remote system will place you on the command line in your home directory without prompting you for a password or passphrase:
If the private key you're using does not have the default name, or is not stored in the default path (not
~/.ssh/id_rsa
), you must explicitly invoke it in one of two ways:- On the SSH command line: Add the
-i
flag and the path to your private key.For example, to invoke the private key
host2_key
, stored in the~/.ssh/old_keys
directory, when connecting to your account on a remote host (for example,username@host2.somewhere.edu
), enter: - In an SSH client configuration file: SSH gets configuration data from the following sources (in this order):
- From command-line options
- From the user's client configuration file (
~/.ssh/config
), if it exists - From the system-wide client configuration file (
/etc/ssh/ssh_config
)
The SSH client configuration file is a text file containing keywords and arguments. To specify which private key should be used for connections to a particular remote host, use a text editor to create a
~/.ssh/config
that includes theHost
andIdentityFile
keywords.For example, for connections to
host2.somewhere.edu
, to make SSH automatically invoke the private keyhost2_key
, stored in the~/.ssh/old_keys
directory, create a~/.ssh/config
file with these lines included:Once you save the file, SSH will use the specified private key for future connections to that host.
You can add multiple
Host
andIdentityFile
directives to specify a different private key for each host listed; for example:Alternatively, you can use a single asterisk (
*
) to provide global defaults for all hosts (specify one private key for several hosts); for example:For more about the SSH client configuration file, see the OpenSSH SSH client configuration file on the web or from the command line (
man ssh_config
).
Set up public key authentication using PuTTY on a Windows 10 or Windows 8.x computer
The PuTTY command-line SSH client, the PuTTYgen key generation utility, the Pageant SSH authentication agent, and the PuTTY SCP and SFTP utilities are packaged together in a Windows installer available under The MIT License for free download from the PuTTY development team.
After installing PuTTY:
- Launch PuTTYgen.
- In the 'PuTTY Key Generator' window, under 'Parameters':
- For 'Type of key to generate', select RSA. (In older versions of PuTTYgen, select SSH2-RSA.)
- For 'Number of bits in a generated key', leave the default value (
2048
).
- Under 'Actions', click Generate.
- When prompted, use your mouse (or trackpad) to move your cursor around the blank area under 'Key'; this generates randomness that PuTTYgen uses to generate your key pair.
- When your key pair is generated, PuTTYgen displays the public key in the area under 'Key'. In the 'Key passphrase' and 'Confirm passphrase' text boxes, enter a passphrase to passphrase-protect your private key.If you don't passphrase-protect your private key, anyone with access to your computer will be able to SSH (without being prompted for a passphrase) to your account on any remote system that has the corresponding public key.
- Save your public key:
- Under 'Actions', next to 'Save the generated key', click Save public key.
- Give the file a name (for example,
putty_key
), select a location on your computer to store it, and then click Save.
- Save your private key:
- Under 'Actions', next to 'Save the generated key', click Save private key.If you didn't passphrase-protect your private key, the utility will ask whether you're sure you want to save it without a passphrase. Click Yes to proceed or No to go back and create a passphrase for your private key.
- Keep 'Save as type' set to PuTTY Private Key Files (*.ppk), give the file a name (for example,
putty_private_key
), select a location on your computer to store it, and then click Save. - If you wish to connect to a remote desktop system such as Research Desktop (RED), click Conversions > Export OpenSSH key, give the file a name (for example,
putty_rsa
), select a location on your computer to store it, and then click Save.
- Under 'Actions', next to 'Save the generated key', click Save private key.
- Log into the remote system using your account username and password.
If the remote system does not support password-based authentication, you will need to ask system administrators to add your public key to the
~/.ssh/authorized_keys
file in your account (if your account doesn't have~/.ssh/authorized_keys
file, system administrators can create one for you). Once your public key is added to your account's~/.ssh/authorized_keys
file on the remote system... - If your account on the remote system doesn't already contain a
~/.ssh/authorized_keys
file, create one; on the command line, enter the following commands:If your account on the remote system already has
~/.ssh/authorized_keys
, executing these commands will not damage the existing directory or file. - On your computer, in the PuTTYgen utility, copy the contents of the public key (displayed in the area under 'Key') onto your Clipboard. Then, on the remote system, use your favorite text editor to paste it onto a new line in your
~/.ssh/authorized_keys
file, and then save and close the file. - On your computer, open the Pageant SSH authentication agent. This utility runs in the background, so when it opens, you should see its icon displayed in the Windows notification area.
- In the Windows notification area, right-click on the Pageant icon, select Add Key, navigate to the location where you saved your private key (for example,
putty_private_key.ppk
), select the file, and then click Open. - If your private key is passphrase-protected, Pageant will prompt you to enter the passphrase; enter the passphrase for your private key, and then click OK.
If your private key is not passphrase-protected, Pageant will add your private key without prompting you for a passphrase.
Either way, Pageant stores the unencrypted private key in memory for use by PuTTY when you initiate an SSH session to the remote system that has your public key.
- On your computer, open the PuTTY SSH client:
- On the Session screen:
- Under 'Host Name (or IP address)', enter your username coupled with the hostname of the remote server that has your public key; for example:
- Under 'Connection type', make sure SSH is selected.
- In the 'Category' list on the left, navigate to the Auth screen (Connection > SSH > Auth). On the Auth screen, under 'Authentication methods', select Attempt authentication using Pageant.
- Return to the Session screen, and under 'Saved Sessions', enter a name (for example,
Deathstar
), and then click Save. - Click Open to connect to your account on the remote system. With Pageant running in the background, PuTTY will retrieve the unencrypted private key automatically from Pageant and use it to authenticate. Because Pageant has your private key's passphrase saved (if applicable), the remote system will place you on the command line in your account without prompting you for the passphrase.
Technically, at this point, the setup is complete. In the future, whenever you log into your Windows desktop, you can run Pageant, add the private key, and then use PuTTY to SSH to any remote resource that has your public key. Alternatively, you can create a shortcut in your WindowsStartup
folder to launch Pageant and load your private key automatically whenever you log into your desktop. For instructions, finish the rest of the following steps. - On the Session screen:
- Open your
Startup
folder. PressWin-r
, and in the 'Open' field, typeshell:startup
, and then pressEnter
. - Right-click inside the
Startup
folder, and then select New and Shortcut. - In the 'Type the location of the item' text box, enter the path to the Pageant executable (
pageant.exe
) followed by the path to your private key file (for example,putty_private_key.ppk
); enclose both paths in double quotes; for example: - Click Next, and then, in the 'Type a name for this shortcut' text box, enter a name for the shortcut (for example,
PAGEANT
). - Click Finish.
The next time you log into your Windows desktop, Pageant will start automatically, load your private key, and (if applicable) prompt you for the passphrase.
Contents
Introduction
Secure Shell (SSH) is a protocol which provides a secure remote access connection to network devices. Communication between the client and server is encrypted in both SSH version 1 and SSH version 2. Implement SSH version 2 when possible because it uses a more enhanced security encryption algorithm.
This document discusses how to configure and debug SSH on Cisco routers or switches that run a version of Cisco IOS® Software that supports SSH. This document contains more information on specific versions and software images.
Prerequisites
Requirements
Ssh On Cmder
The Cisco IOS image used must be a k9(crypto) image in order to support SSH. For example c3750e-universalk9-tar.122-35.SE5.tar is a k9 (crypto) image.
Components Used
The information in this document is based on Cisco IOS 3600 Software (C3640-IK9S-M), Release 12.2(2)T1.
SSH was introduced into these Cisco IOS platforms and images:
SSH Version 1.0 (SSH v1) server was introduced in some Cisco IOS platforms and images that start in Cisco IOS Software Release 12.0.5.S.
SSH client was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.1.3.T.
SSH terminal-line access (also known as reverse-Telnet) was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.2.2.T.
SSH Version 2.0 (SSH v2) support was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.1(19)E.
Refer to How to Configure SSH on Catalyst Switches Running CatOS for more information on SSH support in the switches.
Refer to the Software Advisor (registered customers only) for a complete list of feature sets supported in different Cisco IOS Software releases and on different platforms.
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are in a live network, make sure that you understand the potential impact of any command before you use it.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
SSH v1 vs. SSH v2
Use the Cisco Software Advisor (registered customers only) in order to help you find the version of code with appropriate support for either SSH v1 or SSH v2.
Network Diagram
Test Authentication
Authentication Test without SSH
First test the authentication without SSH to make sure that authentication works with the router Carter before you add SSH. Authentication can be with a local username and password or with an authentication, authorization, and accounting (AAA) server that runs TACACS+ or RADIUS. (Authentication through the line password is not possible with SSH.) This example shows local authentication, which lets you Telnet into the router with username 'cisco' and password 'cisco.'
Authentication Test with SSH
Ssh On Command Prompt
In order to test authentication with SSH, you have to add to the previous statements in order to enable SSH on Carter and test SSH from the PC and UNIX stations.
At this point, the show crypto key mypubkey rsa command must show the generated key. After you add the SSH configuration, test your ability to access the router from the PC and UNIX station. If this does not work, see the debug section of this document.
Optional Configuration Settings
Prevent Non-SSH Connections
If you want to prevent non-SSH connections, add the transport input ssh command under the lines to limit the router to SSH connections only. Straight (non-SSH) Telnets are refused.
Test to make sure that non-SSH users cannot Telnet to the router Carter.
Set Up an IOS Router or Switch as SSH Client
There are four steps required to enable SSH support on a Cisco IOS router:
Configure the hostname command.
Configure the DNS domain.
Generate the SSH key to be used.
Enable SSH transport support for the virtual type terminal (vtys).
If you want to have one device act as an SSH client to the other, you can add SSH to a second device called Reed. These devices are then in a client-server arrangement, where Carter acts as the server, and Reed acts as the client. The Cisco IOS SSH client configuration on Reed is the same as required for the SSH server configuration on Carter.
Issue this command to SSH from the Cisco IOS SSH client (Reed) to the Cisco IOS SSH server (Carter) in order to test this:
SSH v1:
SSH v2:
Setup an IOS Router as an SSH server that performs RSA based User Authentication
Complete these steps in order to configure the SSH server to perform RSA based authentication.
Specify the Host name.
Define a default domain name.
Generate RSA key pairs.
Configure SSH-RSA keys for user and server authentication.
Configure the SSH username.
Specify the RSA public key of the remote peer.
Specify the SSH key type and version. (optional)
Exit the current mode and return to privileged EXEC mode.
Note: Refer to Secure Shell Version 2 Support for more information.
Add SSH Terminal-Line Access
If you need outbound SSH terminal-line authentication, you can configure and test SSH for outbound reverse Telnets through Carter, which acts as a comm server to Philly.
If Philly is attached to Carter's port 2, then you can configure SSH to Philly through Carter from Reed with the help of this command:
SSH v1:
SSH v2:
You can use this command from Solaris:
Restrict SSH access to a subnet
You need to limit SSH connectivity to a specific subnetwork where all other SSH attempts from IPs outside the subnetwork should be dropped.
You can use these steps to accomplish the same:
Ssh In Cmd Windows 10
Define an access-list that permits the traffic from that specific subnetwork.
Restrict access to the VTY line interface with an access-class.
This is an example configuration. In this example only SSH access to the 10.10.10.0 255.255.255.0 subnet is permitted, any other is denied access.
Note: The same procedure to lock down the SSH access is also applicable on switch platforms.
Configure the SSH Version
Configure SSH v1:
Configure SSH v2:
Configure SSH v1 and v2:
Note: You receive this error message when you use SSHv1:
Note: Cisco bug ID CSCsu51740 (registered customers only) is filed for this issue. Workaround is to configure SSHv2.
Variations on banner Command Output
Ssh Options Command Line
The banner command output varies between the Telnet and different versions of SSH connections. This table illustrates how different banner command options work with various types of connections.
Banner Command Option | Telnet | SSH v1 only | SSH v1 and v2 | SSH v2 only |
---|---|---|---|---|
banner login | Displayed before logging into the device. | Not displayed. | Displayed before logging into the device. | Displayed before logging into the device. |
banner motd | Displayed before logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. |
banner exec | Displayed after logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. |
Unable to Display the Login Banner
SSH version 2 supports the login banner. The login banner is displayed if the SSH client sends the username when it initiates the SSH session with the Cisco router. For example, when the Secure Shell ssh client is used, the login banner is displayed. When the PuTTY ssh client is used, the login banner is not displayed. This is because Secure Shell sends the username by default and PuTTY does not send the username by default.
The Secure Shell client needs the username to initiate the connection to the SSH enabled device. The Connect button is not enabled if you do not enter the host name and username. This screenshot shows that the login banner is displayed when Secure Shell connects to the router. Then, the login banner password prompt displays.
The PuTTY client does not require the username to initiate the SSH connection to the router. This screenshot shows that the PuTTY client connects to the router and prompts for the username and password. It does not display the login banner.
This screen shot shows that the login banner is displayed when PuTTY is configured to send the username to the router.
debug and show Commands
Before you issue the debug commands described and illustrated here, refer to Important Information on Debug Commands. Certain show commands are supported by the Output Interpreter Tool (registered customers only) , which allows you to view an analysis of show command output.
debug ip sshâDisplays debug messages for SSH.
show sshâDisplays the status of SSH server connections.
show ip sshâDisplays the version and configuration data for SSH.
Version 1 Connection and no Version 2
Version 2 Connection and no Version 1
Version 1 and Version 2 Connections
Sample Debug Output
Router Debug
Note: Some of this good debug output is wrapped to multiple lines because of spatial considerations.
Server Debug
Note: This output was captured on a Solaris machine.
What can go Wrong
These sections have sample debug output from several incorrect configurations.
SSH From an SSH Client Not Compiled with Data Encryption Standard (DES)
Solaris Debug
Router Debug
Bad Password
Router Debug
SSH Client Sends Unsupported (Blowfish) Cipher
Router Debug
Geting the '%SSH-3-PRIVATEKEY: Unable to retrieve RSA private key for' Error
If you receive this error message, it may be caused due to any change in the domain name or host name. In order to resolve this, try these workarounds.
Zeroize the RSA keys and re-generate the keys.
If the previous workaround does not work, try these steps:
Zeroize all RSA keys.
Reload the device.
Create new labeled keys for SSH.
Cisco bug ID CSCsa83601 (registered customers only) has been filed to address this behaviour.
Troubleshooting Tips
If your SSH configuration commands are rejected as illegal commands, you have not successfully generated a RSA key pair for your router. Make sure you have specified a host name and domain. Then use the crypto key generate rsa command to generate an RSA key pair and enable the SSH server.
When you configure the RSA key pair, you might encounter these error messages:
No hostname specified
You must configure a host name for the router using the hostname global configuration command.
No domain specified
You must configure a host domain for the router using the ip domain-name global configuration command.
The number of allowable SSH connections is limited to the maximum number of vtys configured for the router. Each SSH connection uses a vty resource.
SSH uses either local security or the security protocol that is configured through AAA on your router for user authentication. When you configure AAA, you must ensure that the console is not running under AAA by applying a keyword in the global configuration mode to disable AAA on the console.
No SSH server connections running.
This output suggests that the SSH server is disabled or not enabled properly. If you have already configured SSH, it is recommended that you reconfigure the SSH server in the device. Complete these steps in order to reconfigure SSH server on the device.
Delete the RSA key pair. After the RSA key pair is deleted, the SSH server is automatically disabled.
Note: It is important to generate a key-pair with at least 768 as bit size when you enable SSH v2.
Caution: This command cannot be undone after you save your configuration, and after RSA keys have been deleted, you cannot use certificates or the CA or participate in certificate exchanges with other IP Security (IPSec) peers unless you reconfigure CA interoperability by regenerating RSA keys, getting the CA's certificate, and requesting your own certificate again.Refer to crypto key zeroize rsa - Cisco IOS Security Command Reference, Release 12.3 for more information on this command.
Reconfigure the hostname and domain name of the device.
Generate an RSA key pair for your router, which automatically enables SSH.
Refer to crypto key generate rsa - Cisco IOS Security Command Reference, Release 12.3 for more information on the usage of this command.
Note: You can receive the SSH2 0: Unexpected mesg type received error message due to a packet received that is not understandable by the router. Increase the key length while you generate rsa keys for ssh in order to resolve this issue.
Configure SSH server. In order to enable and configure a Cisco router/switch for SSH server, you can configure SSH parameters. If you do not configure SSH parameters, the default values are used.
ip ssh {[timeout seconds] | [authentication-retries integer]}Refer to ip ssh - Cisco IOS Security Command Reference, Release 12.3 for more information on the usage of this command.