Table of Contents
Advertisement
successfully authenticated. The timeout limits are independent of any limits configured
for virtual terminals (vtys). The following limits are supported:
ip ssh user-authentication-protocol
ip ssh authentication-retries
ip ssh disable-user-authentication
User authentication protocol SSH user authentication protocol enabled on the
router.
SSH timeout Maximum time allowed for a user to be authenticated, starting
from the receipt of the first SSH protocol packet.
Authentication retry Number of times a user can try to correct incorrect
information such as a bad password in a given connection attempt.
Sleep Prevents a user that has exceeded the authentication retry limit from
connecting from the same host within the specified period.
Configures the SSH user authentication protocol. E-Series routers support RADIUS
and TACACS+ user authentication protocols.
Specify an RADIUS or TACACS+.
Example
host1(config)#ip ssh user-authentication-protocol TACACS+
Use the no to restore the SSH user authentication protocol to the default, RADIUS.
See ip ssh authentication-retries.
Use to set the number of times that a user can retry a failed authentication, such
as trying to correct a wrong password. The SSH server terminates the connection
when the limit is exceeded.
Specify an integer in the range 0–20.
Example
host1(config)#ip ssh authentication-retries 3
Use the no version to restore the default value, 20 retry attempts.
See ip ssh authentication-retries.
Use to disable SSH password authentication. If you disable SSH authentication,
the authentication protocol becomes None and all SSH clients that pass protocol
negotiation are accepted.
RADIUS authentication is enabled by default.
Example
host1(config)#ip ssh disable-user-authentication
Use the no version to restore default user authentication protocol, RADIUS.
See ip ssh disable-user-authentication.
Chapter 7: Passwords and Security
Secure System Administration with SSH
441
Advertisement
Table of Contents
Troubleshooting
