crypto key generate

This command generates a pair of cryptographic keys used to establish SSH connections.

Syntax
crypto key generate [ dsa | ecdsa <ECDSA> | ed25519 <ED25519> | rsa <RSA> | rsa1 <RSA1> ]
Parameters

dsa – DSA algorithm;

ecdsa – ECDSA algorithm;

  • <ECDSA> – key size, takes the value 256, 384 or 521;
  • Without specification, key size 521 is used.

ed25519 – ED25519 algorithm;

  • <ED25519> – key size, may take values [256..2048];
  • Without specification, key size 2048 is used.

rsa – RSA algorithm with specifying the key length;

  • <RSA> – key size, may take values [1024..2048];
  • Without specification, key size 2048 is used.

rsa1 – RSA1 algorithm.

  • <RSA1> – key size, may take values [1024..2048];
  • Without specification, key size 2048 is used.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# crypto key generate ecdsa

ip ftp client password

This command defines the default password for FTP copy operations.

The use of a negative form (no) of the command removes the password.

Syntax
ip ftp client password { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }
[no] ftp client password
Parameters

<CLEAR-TEXT> – password, set by the string of 1 to 16 characters, takes the value of [0-9a-fA-F];

<ENCRYPTED-TEXT> – encrypted password, set by the string of [2..32] characters.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip ftp client password test

ip ftp client username

This command defines the default user name for FTP copy operations.

The use of a negative form (no) of the command removes a user name.

Syntax
ip ftp client username <NAME>
no ftp client username
Parameters

<NAME> – user name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip ftp client username test

ip sftp client password

This command sets the password values for an SFTP client.

The use of a negative form (no) of the command removes the password values for an SFTP client.

Syntax
ip sftp client password { <TEXT> | encrypted <ENCRYPTED-TEXT> }
no ip sftp client password
Parameters

<TEXT> – string [1..16] ASCII characters;

<ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

Default value

Username is not specified.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip sftp client password 123456789

ip sftp client username

This command sets the user name values for an SFTP client.

The use of a negative form (no) of the command removes the user name values for an SFTP client.

Syntax
ip sftp client username <USERNAME>
no ip sftp client username
Parameters

<USERNAME> – user name, set by the string of up to 31 characters.

Default value

Username is not specified.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip sftp client username esruser

ip ssh authentication algorithm disable

This command prohibits the use of a specific authentication algorithm for SSH server.

The use of a negative form (no) of the command allows the use of a specific authentication algorithm for the SSH server.

Syntax
[no] ip ssh authentication algorithm <ALGORITHM> disable
Parameters

<ALGORITHM> – authentication algorithm, takes values of: [md5, md5-96, sha1, sha1-96, sha2-256, sha2-512, ripemd160].

Required privilege level

15

Default value

Allow all authentication algorithms.

Command mode

CONFIG

Example
esr(config)# no ip ssh authentication algorithm md5 disable

ip ssh authentication retries

This command sets the number of authentication attempts for SSH server.

The use of a negative form (no) of the command sets the default number of authentication attempts for SSH server.

Syntax
ip ssh authentication retries <NUM>
no ip ssh authentication retries
Parameters

<NUM> – number of authentication attempts for SSH server [1..10].

Required privilege level

10

Default value

6

Command mode

CONFIG

Example
esr(config)# ip ssh authentication retries 5

ip ssh authentication timeout

This command sets authentication timeout period for SSH server.

The use of a negative form (no) of the command sets the default authentication timeout period for SSH server.

Syntax
ip ssh authentication timeout <SEC>
no ip ssh authentication timeout
Parameters

<SEC> – time interval in seconds, takes values of [30..360].

Required privilege level

10

Default value

120

Command mode

CONFIG

Example
esr(config)# ip ssh authentication timeout 60

ip ssh client password

This command defines the default password for SCP copy operations.

The use of a negative form (no) of the command removes the password.

Syntax
ip ssh client password { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }
no ssh client password
Parameters

<CLEAR-TEXT> – password, set by the string of 1 to 16 characters, takes the value of [0-9a-fA-F];

<ENCRYPTED-TEXT> – encrypted password, set by the string of [2..32] characters.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip ssh client password test132

ip ssh client source-ip

This command defines the IP address of the router from which SSH sessions to other devices will be established.

The use of a negative form (no) of the command removes a user name.

Syntax
ip ssh client source-ip <ADDR>
no ssh client source-ip
Parameters

<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. The specified IP address must be assigned on any interface/tunnel of the router.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# ip ssh client source-ip 192.168.22.78

ip ssh client username

This command defines the default user name for SCP copy operations.

The use of a negative form (no) of the command removes a user name.

Syntax
ip ssh client username <NAME>
no ssh client username
Parameters

<NAME> – user name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip ssh client username tester

ip ssh dscp

This command sets the DSCP code value used in the IP headers of outgoing SSH server packets.

The use of a negative form (no) of the command sets the default DSCP value.

Syntax
ip ssh dscp <DSCP>
no ip ssh dscp
Parameters

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value

32

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# ip ssh dscp 40

ip ssh encryption algorithm disable

This command prohibits the use of a specific encryption algorithm for SSH server.

The use of a negative form (no) of the command allows the use of a specific encryption algorithm for the SSH server.

Syntax
[no] ip ssh encryption algorithm <ALGORITHM> disable
Parameters

<ALGORITHM> – encryption algorithm identifier, takes values [aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, arcfour, arcfour128, arcfour256, blowfish, cast128, 3des].

Required privilege level

15

Default value

All algorithms are allowed.

Command mode

CONFIG

Example
esr(config)# ip ssh encryption algorithm aes128 disable

ip ssh key-exchange algorithm disable

This command prohibits the use of a specific key exchange algorithm for SSH server.

The use of a negative form (no) of the command allows the use of a specific key exchange algorithm for the SSH server.

Syntax
[no] ip ssh key-exchange algorithm <ALGORITHM> disable
Parameters

<ALGORITHM> – key exchange protocol identifier, takes values [dh-group1-sha1, dh-group14-sha1, dh-group-exchange-sha1, dh-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521].

Required privilege level

15

Default value

All algorithms are allowed.

Command mode

CONFIG

Example
esr(config)# ip ssh key-exchange algorithm dh-group-exchange-sha1 disable
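
The three "algorithm disable" commands above are opt-out: every algorithm is allowed by default, so anything not explicitly disabled stays negotiable. The following Python audit is an added example, not part of the vendor documentation; the keep-list policy, the sample text, and the assumption that a saved configuration lists the disable lines in the same form as the commands are illustrative.

```python
import re

# Names exactly as this reference lists them; every one is allowed by default.
SUPPORTED = {
    "authentication": "md5 md5-96 sha1 sha1-96 sha2-256 sha2-512 ripemd160",
    "encryption": "aes128 aes192 aes256 aes128ctr aes192ctr aes256ctr arcfour "
                  "arcfour128 arcfour256 blowfish cast128 3des",
    "key-exchange": "dh-group1-sha1 dh-group14-sha1 dh-group-exchange-sha1 "
                    "dh-group-exchange-sha256 ecdh-sha2-nistp256 "
                    "ecdh-sha2-nistp384 ecdh-sha2-nistp521",
}
# Assumed site policy (not the vendor's): SHA-2 MACs, AES-CTR, SHA-2 key exchange.
KEEP = {
    "authentication": "sha2-256 sha2-512",
    "encryption": "aes128ctr aes192ctr aes256ctr",
    "key-exchange": "dh-group-exchange-sha256 ecdh-sha2-nistp256 "
                    "ecdh-sha2-nistp384 ecdh-sha2-nistp521",
}
LINE = re.compile(r"^\s*(no\s+)?ip ssh (authentication|encryption|key-exchange)"
                  r" algorithm (\S+) disable\s*$")

def audit(config_text):
    """Return (unwanted algorithms still enabled, commands to add, unknown lines)."""
    disabled, unknown = {kind: set() for kind in SUPPORTED}, []
    for line in config_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                       # unrelated configuration line
        negated, kind, alg = m.groups()
        if alg not in SUPPORTED[kind].split():
            unknown.append(line.strip())   # typo, or a name this page does not list
        elif negated:
            disabled[kind].discard(alg)    # "no ... disable" re-allows the algorithm
        else:
            disabled[kind].add(alg)
    exposed = {k: sorted(set(SUPPORTED[k].split()) - set(KEEP[k].split()) - disabled[k])
               for k in SUPPORTED}
    fixes = [f"ip ssh {k} algorithm {a} disable" for k in exposed for a in exposed[k]]
    return exposed, fixes, unknown

# Constructed configuration fragment, assumed to use the same line form as the commands.
SAMPLE = """ip ssh server
ip ssh encryption algorithm arcfour disable
ip ssh authentication algorithm md5 disable
ip ssh key-exchange algorithm dh-group1-sha1 disable
ip ssh key-exchange algorithm dh-group14-sha256 disable
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)[1]))
```

The keep-list leaves at least one algorithm enabled in each category, so applying the reported commands does not leave the SSH server without a negotiable algorithm.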

ip ssh key-exchange time

This command sets the period after which the authentication keys for the SSH server are changed.

The use of a negative form (no) of the command sets the default period for changing the authentication keys for the SSH server.

Syntax
ip ssh key-exchange time <SEC>
no ip ssh key-exchange time
Parameters

<SEC> – time interval in hours, takes values of [1..72].

Required privilege level

15

Default value

1

Command mode

CONFIG

Example
esr(config)# ip ssh key-exchange time 24

ip ssh key-exchange volume

This command sets the amount of data after which the authentication keys for the SSH server are updated.

The use of a negative form (no) of the command sets the default amount of data after which the authentication keys for the SSH server are updated.

Syntax
ip ssh key-exchange volume <DATA>
no ip ssh key-exchange volume
Parameters

<DATA> – data size in MB, takes values [1..4096].

Required privilege level

15

Default value

1000

Command mode

CONFIG

Example
esr(config)# ip ssh key-exchange volume 512

ip ssh port

This command defines the SSH server port on the router.

The use of a negative form (no) of the command sets the default value.

Syntax
ip ssh port <PORT>
no ip ssh port
Parameters

<PORT> – port number, set in the range of [1..65535].

Default value

22

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip ssh port 3001

ip ssh server

This command enables the SSH server on the router.

The use of a negative form (no) of the command disables SSH server.

Syntax
[no] ip ssh server [ vrf <VRF>]
Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters, within which the SSH server will operate.

Default value

SSH server is disabled.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# no ip ssh server

ip telnet dscp

This command sets the DSCP code value used in the IP headers of outgoing Telnet server packets.

The use of a negative form (no) of the command sets the default DSCP value.

Syntax
ip telnet dscp <DSCP>
no ip telnet dscp
Parameters

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value

32

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip telnet dscp 40

ip telnet port

This command defines the Telnet server port on the router.

The use of a negative form (no) of the command sets the default value.

Syntax
ip telnet port <PORT>
no ip telnet port
Parameters

<PORT> – port number, takes values of [1..65535].

Default value

23

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip telnet port 2001

ip telnet server

This command enables the Telnet server on the router.

The use of a negative form (no) of the command disables Telnet server.

Syntax
[no] ip telnet server [vrf <VRF>]
Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters, within which the Telnet server will operate.

Default value

Telnet server is disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# no ip telnet server

show crypto key mypubkey

The command displays the device's public keys used to establish an SSH connection.

Syntax
show crypto key mypubkey <OPTIONS>
Parameters

<OPTIONS> – algorithm for generating a new cryptographic key:

  • dsa – DSA algorithm;
  • ecdsa – ECDSA algorithm;
  • ed25519 – ED25519 algorithm;
  • rsa – RSA algorithm;
  • rsa1 – RSA1 algorithm.

Required privilege level

15

Command mode

ROOT

Example
esr# show crypto key mypubkey rsa
Key data
------------------------------------------------------------
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDz750sWCQrnNufg1yhuksTFYCYdEfg
JZ9tWUvcssAZhCJWMewprXBuZMABzFmfBg157pgapxn2qJXJ8ESMV7X7gPfy
xQQah6l376z3SFcpKvwudNgwHiS5HCYPRQWx2Xdaz/nJtYr5NpYgLPba68NC
iXcqEp7EPR5GojDVxpuDuk0hPFcihzmt5Yx8ZptJRzRtsuDQYlowv0Qa24kd
OlQ90/1qKfbAhB6XI60l+dK5VEj7giBESarcRn69/e/YVbdGBdTE93QWFPKI
bm63imfbxRwWtcwsFdIHi8Blv9ZqDqqF/IO3TkIKa31hV9GnsawlAXi/IdyY
bYPboHRdcTlH/ root@esr-1000	