Implementing Secure Shell on Cisco IOS XR Software
Information About Implementing Secure Shell
To implement SSH, you should understand the following concepts:
• SSH Server, page SC-151
• SSH Client, page SC-151
• SFTP Feature Overview, page SC-151
• AAA Feature, page SC-152

SSH Server
The SSH server feature enables an SSH client to make a secure, encrypted connection to a Cisco router. This connection provides functionality similar to that of an inbound Telnet connection. Before SSH, security was limited to Telnet security. SSH allows strong encryption to be used with Cisco IOS XR software authentication. The SSH server in Cisco IOS XR software works with publicly and commercially available SSH clients.

SSH Client
The SSH client feature is an application running over the SSH protocol that provides device authentication and encryption. The SSH client enables a Cisco router to make a secure, encrypted connection to another Cisco router or to any other device running an SSH server. This connection provides functionality similar to that of an outbound Telnet connection, except that the connection is encrypted. With authentication and encryption, the SSH client allows secure communication over an insecure network.
The SSH client in Cisco IOS XR software works with publicly and commercially available SSH servers. The SSH client supports the DES and 3DES ciphers, the message digest algorithm 5 (MD5) and SHA1 hash algorithms for message authentication, and password authentication. User authentication is performed as in a Telnet session to the router. The user authentication mechanisms supported for SSH are RADIUS, TACACS+, and locally stored usernames and passwords.

SFTP Feature Overview
SSH includes support for SFTP, a feature that provides a secure and authenticated method for copying router configuration or router image files.
SFTP is the standard file transfer protocol introduced in SSHv2. The SFTP client functionality is provided as part of the SSH component and is always enabled on the router, so a user with the appropriate level of access can copy files to and from the router. Like the copy command, the sftp command can be used only in EXEC mode.
Because the router infrastructure does not support UNIX-like file permissions, files created on the local device lose their original permission information. For files created on the remote file system, the file permissions follow the umask on the destination host, and the modification and last-access times are set to the time of the copy.
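The algorithm names given under SSH Client above (DES, 3DES, MD5, SHA1) are what each side of an SSHv2 session advertises in its SSH_MSG_KEXINIT message (RFC 4253, section 7.1). The following Python is an added example, not Cisco code and not part of this guide: it parses a KEXINIT payload into its ten name-lists and reports which legacy ciphers, MACs and key-exchange methods a peer still offers, which is a way to audit a captured negotiation offline. The sample payload is constructed for the example (zero cookie, a made-up algorithm mix), and the weak-algorithm sets are an assumed review policy rather than anything the guide defines.

```python
"""Parse SSH_MSG_KEXINIT and flag legacy algorithms (added example, not Cisco code)."""
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists, in the order RFC 4253 section 7.1 defines them.
FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Assumed review policy for this example: single DES and 3DES ciphers,
# MD5-based MACs, and the SHA-1 group1 key exchange count as legacy.
WEAK_CIPHERS = {"des-cbc", "3des-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1"}


def _read_name_list(buf, offset):
    """Decode one RFC 4251 name-list: uint32 length, then comma-separated ASCII."""
    if offset + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated name-list body")
    raw = buf[offset:offset + length].decode("ascii")
    names = [n for n in raw.split(",") if n]  # empty list encodes as length 0
    return names, offset + length


def parse_kexinit(payload):
    """Return the name-lists of a KEXINIT payload plus first_kex_packet_follows."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 1 + 16  # message-type byte followed by the 16-byte random cookie
    lists = {}
    for field in FIELDS:
        lists[field], offset = _read_name_list(payload, offset)
    # Trailer: boolean first_kex_packet_follows (1 byte) and uint32 reserved (4 bytes).
    if offset + 5 > len(payload):
        raise ValueError("truncated KEXINIT trailer")
    lists["first_kex_packet_follows"] = bool(payload[offset])
    return lists


def weak_algorithms(lists):
    """Return (field, algorithm) pairs that fall in the legacy sets above."""
    findings = []
    for field in FIELDS:
        if field.startswith("encryption_"):
            bad = WEAK_CIPHERS
        elif field.startswith("mac_"):
            bad = WEAK_MACS
        elif field == "kex_algorithms":
            bad = WEAK_KEX
        else:
            continue  # host keys, compression and languages are not policed here
        findings.extend((field, name) for name in lists[field] if name in bad)
    return findings


def build_kexinit(**lists):
    """Encode a KEXINIT payload; used only to construct the sample input below."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie: sample data only
    for field in FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=0, reserved


# Constructed sample: a peer offering modern algorithms alongside 3DES, an
# MD5 MAC and the group1 exchange. Not captured from any real router.
SAMPLE_KEXINIT = build_kexinit(
    kex_algorithms=["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    server_host_key_algorithms=["ssh-rsa"],
    encryption_algorithms_client_to_server=["aes128-cbc", "3des-cbc"],
    encryption_algorithms_server_to_client=["aes128-cbc", "3des-cbc"],
    mac_algorithms_client_to_server=["hmac-sha1", "hmac-md5"],
    mac_algorithms_server_to_client=["hmac-sha1", "hmac-md5"],
    compression_algorithms_client_to_server=["none"],
    compression_algorithms_server_to_client=["none"],
)

if __name__ == "__main__":
    for field, name in weak_algorithms(parse_kexinit(SAMPLE_KEXINIT)):
        print(f"legacy algorithm offered: {field} = {name}")
```

Only the unencrypted KEXINIT exchange is inspected, so the parser works on a packet capture of the session start; the legacy sets are deliberately kept as plain module constants so a site can replace them with its own policy without touching the parser.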
Cisco IOS XR System Security Configuration Guide
SC-151