successfully authenticated. The timeout limits are independent of any limits configured
for virtual terminals (vtys). The following limits are supported:
■ User authentication protocol—SSH user authentication protocol enabled on the router.
■ SSH timeout—Maximum time allowed for a user to be authenticated, starting from the receipt of the first SSH protocol packet.
■ Authentication retry—Number of times a user can try to correct incorrect information—such as a bad password—in a given connection attempt.
■ Sleep—Prevents a user that has exceeded the authentication retry limit from connecting from the same host within the specified period.
ip ssh user-authentication-protocol
■ Configures the SSH user authentication protocol. E-Series routers support the RADIUS and TACACS+ user authentication protocols.
■ Specify RADIUS or TACACS+.
■ Example
host1(config)#ip ssh user-authentication-protocol TACACS+
■ Use the no version to restore the SSH user authentication protocol to the default, RADIUS.
■ See ip ssh authentication-retries.
ip ssh authentication-retries
■ Use to set the number of times that a user can retry a failed authentication, such as trying to correct a wrong password. The SSH server terminates the connection when the limit is exceeded.
■ Specify an integer in the range 0–20.
■ Example
host1(config)#ip ssh authentication-retries 3
■ Use the no version to restore the default value, 20 retry attempts.
■ See ip ssh authentication-retries.
ip ssh disable-user-authentication
■ Use to disable SSH password authentication. If you disable SSH authentication, the authentication protocol becomes None and all SSH clients that pass protocol negotiation are accepted.
■ RADIUS authentication is enabled by default.
■ Example
host1(config)#ip ssh disable-user-authentication
■ Use the no version to restore the default user authentication protocol, RADIUS.
■ See ip ssh disable-user-authentication.
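As an added example (not JunosE code and not from Juniper's documentation), the following Python audit reads a running-config fragment for the three commands documented above, replays the lines in order with the documented defaults (RADIUS, 20 retries, password authentication enabled), and flags a disabled user authentication or a retry limit above a site policy. The regexes, the assumed policy maximum of 3 retries and the sample fragments are constructed for this example.

```python
import re
from dataclasses import dataclass

# Defaults as documented above: RADIUS, 20 retries, password authentication enabled.
DEFAULT_PROTOCOL, DEFAULT_RETRIES = "RADIUS", 20

_PROTO = re.compile(r"^(no\s+)?ip ssh user-authentication-protocol(?:\s+(\S+))?$", re.I)
_RETRIES = re.compile(r"^(no\s+)?ip ssh authentication-retries(?:\s+(\d+))?$", re.I)
_DISABLE = re.compile(r"^(no\s+)?ip ssh disable-user-authentication$", re.I)

@dataclass
class SshAuthState:
    protocol: str = DEFAULT_PROTOCOL
    retries: int = DEFAULT_RETRIES
    user_auth_disabled: bool = False

def parse_ssh_auth(config: str) -> SshAuthState:
    """Replay the ip ssh lines in order; a later line, or its no form, wins."""
    st = SshAuthState()
    for raw in config.splitlines():
        line = raw.strip()
        if m := _PROTO.match(line):
            # "no" restores the default; otherwise take the named protocol
            st.protocol = DEFAULT_PROTOCOL if m.group(1) else (m.group(2) or st.protocol).upper()
        elif m := _RETRIES.match(line):
            st.retries = DEFAULT_RETRIES if m.group(1) else int(m.group(2) or st.retries)
        elif m := _DISABLE.match(line):
            st.user_auth_disabled = m.group(1) is None
    return st

def audit_ssh_auth(config: str, max_retries: int = 3) -> list:
    """Return findings; max_retries is an assumed site policy, not a JunosE value."""
    st = parse_ssh_auth(config)
    findings = []
    if st.user_auth_disabled:
        findings.append("CRITICAL: ip ssh disable-user-authentication is set; "
                        "every client that passes protocol negotiation is accepted")
    if st.retries > max_retries:
        findings.append(f"WARN: authentication-retries is {st.retries} "
                        f"(default 20); policy maximum is {max_retries}")
    return findings

# Constructed fragments, not captured from a real device.
WEAK_CONFIG = "ip ssh disable-user-authentication\n"
HARDENED_CONFIG = ("ip ssh user-authentication-protocol TACACS+\n"
                   "ip ssh authentication-retries 3\n"
                   "no ip ssh disable-user-authentication\n")
```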
Secure System Administration with SSH ■ 441
Chapter 7: Passwords and Security