Cisco CRS-1 - Carrier Routing System Router Configuration Manual page 206

Cisco IOS XR System Security Configuration Guide
Contents

Prerequisites to Implementing Secure Shell, page SC-200
Restrictions for Implementing Secure Shell, page SC-200
Information About Implementing Secure Shell, page SC-201
How to Implement Secure Shell, page SC-204
Configuration Examples for Implementing Secure Shell, page SC-208
Additional References, page SC-209

Prerequisites to Implementing Secure Shell

The following prerequisites are required to implement Secure Shell:

- You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

- Download the required image on your router. The SSH server and SSH client require you to have a crypto package (Data Encryption Standard [DES], 3DES and AES) from Cisco downloaded on your router.

- To run an SSHv2 server, you must have a VRF. This may be the default VRF or a specific VRF. VRF changes are applicable only to the SSHv2 server.

- Configure user authentication for local or remote access. You can configure authentication with or without authentication, authorization, and accounting (AAA). For more information, see the Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software module in the Cisco IOS XR System Security Command Reference publication and the Configuring AAA Services on Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide publication.

- AAA authentication and authorization must be configured correctly for Secure Shell File Transfer Protocol (SFTP) to work.

Restrictions for Implementing Secure Shell

The following are some basic SSH restrictions and limitations of the SFTP feature:

- A VRF is not accepted as inband if that VRF is already set as an out-of-band VRF. SSHv1 continues to bind only to the default VRF.

- In order for an outside client to connect to the router, the router needs to have an RSA (for SSHv1) or DSA (for SSHv2) key pair configured. DSA and RSA keys are not required if you are initiating an SSH client connection from the router to an outside routing device. The same is true for SFTP: DSA and RSA keys are not required because SFTP operates only in client mode.

- In order for SFTP to work properly, the remote SSH server must enable the SFTP server functionality. For example, an SSHv2 server is configured to handle the SFTP subsystem with a line such as the following in /etc/ssh2/sshd2_config:

  subsystem-sftp /usr/local/sbin/sftp-server

Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
SC-200
Implementing Secure Shell on Cisco IOS XR Software
OL-20382-01