successfully authenticated. The timeout limits are independent of any limits configured
for virtual terminals (vtys). The following limits are supported:
■ User authentication protocol—SSH user authentication protocol enabled on the
router.
■ SSH timeout—Maximum time allowed for a user to be authenticated, starting
from the receipt of the first SSH protocol packet.
■ Authentication retry—Number of times a user can try to correct incorrect
information—such as a bad password—in a given connection attempt.
■ Sleep—Prevents a user that has exceeded the authentication retry limit from
connecting from the same host within the specified period.
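The four limits above interact in ways the one-line summaries leave implicit: the timeout and retry count are per connection, the sleep window is per source host and outlives the connection that triggered it, and a protocol of None skips the password exchange entirely. The following model is an added illustration, not code from the router or from the JunosE documentation, and the server internals it encodes are assumptions: that "retries" are attempts after the first failure (so a connection may submit retries + 1 passwords), that the sleep window starts when the retry limit is exceeded and is keyed on the client address, and that the timeout runs from the moment the connection opens.

```python
"""Model of the E-Series SSH server authentication limits: per-connection
timeout and retry limit, per-host sleep window, and the user
authentication protocol (RADIUS, TACACS+, or None when user
authentication is disabled).

Added illustration, not code from the router or from the JunosE
documentation.  Assumptions not stated on the page:
  * "retries" are attempts after the first failure, so a connection may
    submit retries + 1 passwords in total (retries 0 = a single attempt);
  * the sleep window starts when the retry limit is exceeded and is
    keyed on the client's source address;
  * the timeout is measured from the moment the connection opens.
"""
from dataclasses import dataclass, field


@dataclass
class SshAuthLimiter:
    auth_protocol: str = "radius"  # "radius" (default), "tacacs+" or "none"
    timeout_seconds: int = 120     # SSH timeout; the value is assumed for the model
    retries: int = 20              # ip ssh authentication-retries, default 20
    sleep_seconds: int = 0         # sleep window; 0 = never block a host
    blocked_until: dict = field(default_factory=dict)  # host -> unblock time

    def host_blocked(self, host, now):
        """True while `host` is inside its sleep window; expired entries
        are dropped so the table does not grow without bound."""
        until = self.blocked_until.get(host)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[host]
            return False
        return True

    def run_connection(self, host, attempts, now):
        """Simulate one SSH connection from `host` opened at time `now`.

        `attempts` is the sequence of passwords the client sends, as
        (seconds_since_connect, password_ok) tuples.  Returns one of
        "refused", "authenticated", "timed_out", "terminated", "closed".
        """
        if self.host_blocked(host, now):
            return "refused"          # still inside the sleep window
        if self.auth_protocol == "none":
            return "authenticated"    # protocol None: no credentials requested
        failures = 0
        for offset, ok in attempts:
            if offset > self.timeout_seconds:
                return "timed_out"    # authentication did not finish in time
            if ok:
                return "authenticated"
            failures += 1
            if failures > self.retries:
                if self.sleep_seconds:
                    self.blocked_until[host] = now + self.sleep_seconds
                return "terminated"   # retry limit exceeded; host now sleeps
        return "closed"               # client gave up before any outcome
```

With retries 3 and a 120 second sleep, a fourth wrong password ends the connection and every new connection from that address is refused for the next two minutes, while other hosts are unaffected; with the default of 20 retries a single connection can submit 21 passwords before the server acts.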
ip ssh user-authentication-protocol
■ Configures the SSH user authentication protocol. E-Series routers support RADIUS
and TACACS+ user authentication protocols.
■ Specify RADIUS or TACACS+.
■ Example
host1(config)#ip ssh user-authentication-protocol TACACS+
■ Use the no version to restore the SSH user authentication protocol to the default, RADIUS.
■ See ip ssh user-authentication-protocol.
ip ssh authentication-retries
■ Use to set the number of times that a user can retry a failed authentication, such
as trying to correct a wrong password. The SSH server terminates the connection
when the limit is exceeded.
■ Specify an integer in the range 0–20.
■ Example
host1(config)#ip ssh authentication-retries 3
■ Use the no version to restore the default value, 20 retry attempts.
■ See ip ssh authentication-retries.
ip ssh disable-user-authentication
■ Use to disable SSH user authentication. When user authentication is disabled,
the authentication protocol becomes None and every SSH client that completes
protocol negotiation is given a session without presenting any credentials, so
the router is open to anyone who can reach its SSH port.
■ RADIUS authentication is enabled by default.
■ Example
host1(config)#ip ssh disable-user-authentication
■ Use the no version to restore the default user authentication protocol, RADIUS.
■ See ip ssh disable-user-authentication.
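Because ip ssh disable-user-authentication leaves the router reachable without credentials, and the default of 20 retries gives a single connection many password guesses, it is worth checking saved configurations for both. The script below is an added example, not part of the documentation or of any Juniper tool. It assumes the configuration dump echoes commands as entered, one per line as the examples on this page show, and inspects only the three commands described above; the max_retries threshold is a local policy choice, not a documented value.

```python
"""Audit the SSH authentication settings in a JunosE configuration dump.

Added illustration, not part of the documentation or of any Juniper tool.
Assumptions: the dump echoes commands as entered (one per line), only
the three commands described on this page are inspected, and the
max_retries threshold is a local policy choice.
"""
import re

DEFAULT_RETRIES = 20         # documented default of ip ssh authentication-retries
DEFAULT_PROTOCOL = "radius"  # documented default user authentication protocol

# Constructed sample, not a dump from a real device.
SAMPLE_CONFIG = """\
hostname host1
ip ssh user-authentication-protocol TACACS+
ip ssh authentication-retries 3
ip ssh disable-user-authentication
"""


def parse_ssh_auth(config_text):
    """Return the effective SSH authentication settings as a dict,
    starting from the documented defaults and applying each command
    (or its `no` form) in order."""
    state = {"protocol": DEFAULT_PROTOCOL, "retries": DEFAULT_RETRIES,
             "auth_disabled": False}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ip ssh disable-user-authentication":
            state["auth_disabled"] = True
        elif line == "no ip ssh disable-user-authentication":
            state["auth_disabled"] = False
        elif m := re.fullmatch(r"ip ssh authentication-retries (\d+)", line):
            state["retries"] = int(m.group(1))
        elif re.fullmatch(r"no ip ssh authentication-retries( \d+)?", line):
            state["retries"] = DEFAULT_RETRIES
        elif m := re.fullmatch(r"ip ssh user-authentication-protocol (\S+)",
                               line, re.IGNORECASE):
            state["protocol"] = m.group(1).lower()
        elif re.fullmatch(r"no ip ssh user-authentication-protocol( \S+)?",
                          line, re.IGNORECASE):
            state["protocol"] = DEFAULT_PROTOCOL
    return state


def audit_ssh_auth(config_text, max_retries=3):
    """Return a list of (severity, message) findings; an empty list means
    the settings meet the policy."""
    s = parse_ssh_auth(config_text)
    findings = []
    if s["auth_disabled"]:
        findings.append(("critical",
            "ip ssh disable-user-authentication is set: the protocol is "
            "None and any client that completes negotiation gets a session"))
    if s["retries"] > max_retries:
        findings.append(("high",
            f"authentication-retries is {s['retries']} (policy max "
            f"{max_retries}); one connection may submit "
            f"{s['retries'] + 1} passwords"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ssh_auth(SAMPLE_CONFIG):
        print(f"{severity}: {message}")
```

A configuration that never mentions ip ssh authentication-retries is reported at high severity, since the effective value is the default of 20; the sample above trips only the critical finding because its retry count is already 3.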
Secure System Administration with SSH ■ 441
Chapter 7: Passwords and Security