
Cisco IOS XR User Manual

Cisco IOS XR
254 pages
Implementing Secure Shell on Cisco IOS XR Software
Cisco IOS XR System Security Configuration Guide
• Configuration Examples for Implementing Secure Shell
• Additional References
Prerequisites to Implementing Secure Shell
The following prerequisites are required to implement Secure Shell:
• You must be in a user group associated with a task group that includes the proper task IDs for
security commands. For detailed information about user groups and task IDs, see the Configuring
AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security
Configuration Guide.
• Download the required image on your router. The SSH server and SSH client require you to have
a crypto package (data encryption standard [DES], 3DES and AES) from Cisco downloaded on your
router.
• Configure user authentication for local or remote access. You can configure authentication with or
without authentication, authorization, and accounting (AAA). For more information, see the
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software module in the
Cisco IOS XR System Security Command Reference publication and Configuring AAA Services on
Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide
publication.
• AAA authentication and authorization must be configured correctly for Secure Shell File Transfer
Protocol (SFTP) to work.
Restrictions for Implementing Secure Shell
The following are some basic SSH restrictions and limitations of the SFTP feature:
• In order for an outside client to connect to the router, the router needs to have an RSA (for SSHv1)
or DSA (for SSHv2) key pair configured. DSA and RSA keys are not required if you are initiating
an SSH client connection from the router to an outside routing device. The same is true for SFTP:
DSA and RSA keys are not required because SFTP only operates in client mode.
• For SFTP to work properly, the remote SSH server must enable SFTP server functionality. For
example, the SSHv2 server is configured to handle the SFTP subsystem with a line such as the
following in /etc/ssh2/sshd2_config:
subsystem-sftp /usr/local/sbin/sftp-server
The SFTP server is usually included as part of SSH packages from the public domain and is turned on
by the default configuration.
• SFTP is compatible with sftp server version OpenSSH_2.9.9p2 or higher.
• RSA-based user authentication available in SSH clients is not supported in the SSH server for
Cisco IOS XR software.
• Execution shell and SFTP are the only applications supported.
• The SFTP client does not support remote filenames containing wildcards (*, ?, []). The user must
issue the sftp command multiple times or list all of the source files from the remote host to download
them onto the router. For uploading, the router SFTP client can support multiple files specified
using a wildcard provided that the issues mentioned in the first through third bullets in this section
are resolved.
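
The remote-server restrictions above (an enabled SFTP subsystem, and OpenSSH_2.9.9p2 or higher) can be checked before pointing the router's SFTP client at a host. The following is an added example, not part of the Cisco guide; the function names, the sample inputs and the OpenSSH-style `Subsystem sftp` line are assumptions introduced here.

```python
import re

MIN_OPENSSH = (2, 9, 9, 2)  # OpenSSH_2.9.9p2, the minimum the guide states


def sftp_subsystem(config_text):
    """Return the SFTP server command from sshd config text, or None.

    Accepts the ssh2-style 'subsystem-sftp <cmd>' line quoted in the guide and
    the OpenSSH-style 'Subsystem sftp <cmd>' line (assumption added here).
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        m = (re.match(r"(?i)subsystem-sftp\s+(\S.*)$", line)
             or re.match(r"(?i)subsystem\s+sftp\s+(\S.*)$", line))
        if m:
            return m.group(1).strip()
    return None


def openssh_version(banner):
    """Parse 'OpenSSH_X.Y[.Z][pN]' from a banner into a comparable tuple."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", banner)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def check_remote(config_text, banner):
    """List the problems that would stop the router's SFTP client."""
    problems = []
    if sftp_subsystem(config_text) is None:
        problems.append("no SFTP subsystem line in server config")
    ver = openssh_version(banner)
    if ver is None:
        problems.append("banner is not OpenSSH; compatibility unknown")
    elif ver < MIN_OPENSSH:
        problems.append("OpenSSH older than 2.9.9p2")
    return problems


# Constructed sample inputs (not taken from a real host).
SSH2_CONFIG = "# sshd2_config\nPort 22\nsubsystem-sftp /usr/local/sbin/sftp-server\n"
OPENSSH_DISABLED = "Port 22\n#Subsystem sftp /usr/libexec/sftp-server\n"

if __name__ == "__main__":
    print(check_remote(SSH2_CONFIG, "SSH-2.0-OpenSSH_2.9.9p2"))
    print(check_remote(OPENSSH_DISABLED, "SSH-1.99-OpenSSH_2.9p2"))
```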


Cisco IOS XR Specifications

General
Operating System: Cisco IOS XR
Architecture: Microkernel
High Availability: Yes
Type: Network operating system
Developed by: Cisco Systems
License: Proprietary
Programming Language: C, C++
Kernel: QNX
Supported Platforms: Cisco ASR9000, NCS series
Security Features: Role-Based Access Control (RBAC), Secure Boot, Encryption
Management Interface: CLI, SNMP, NETCONF, RESTCONF
Release Date: 2004
Target Devices: High-end core routers, service provider edge routers, data center interconnect (DCI) routers
Supported Hardware: Cisco routers and switches
Networking Protocols: BGP, OSPF, IS-IS, MPLS
Virtualization Support: Virtualization-ready, supports network function virtualization (NFV) and containerization technologies.
