SSH Server
The nv unset commands remove the configuration you set with the equivalent nv set commands. This guide only describes an nv unset command if it differs from the nv set command.
nv set system ssh-server allow-users <user-id>
Configures the user accounts that you allow to establish an SSH session.
Command Syntax
| Syntax | Description |
|---|---|
| <user-id> | The user account name. |
Version History
Introduced in Cumulus Linux 5.6.0
Example
cumulus@switch:~$ nv set system ssh-server allow-users user1
nv set system ssh-server authentication-retries
Configures the number of login attempts allowed before rejecting the SSH session. You can set a value between 3 and 100.
Version History
Introduced in Cumulus Linux 5.6.0
Example
cumulus@switch:~$ nv set system ssh-server authentication-retries 10
nv set system ssh-server ciphers
Configures SSH ciphers. You can specify aes256-ctr, aes192-ctr, aes128-ctr, aes128-gcm@openssh.com, or aes256-gcm@openssh.com. The default value is aes256-ctr.
SSH cipher configuration replaces SSH strict mode that is available in Cumulus Linux 5.14 and earlier.
Version History
Introduced in Cumulus Linux 5.15.0
Example
cumulus@switch:~$ nv set system ssh-server ciphers aes192-ctr
nv set system ssh-server deny-users <user-id>
Configures the user accounts that are not allowed to establish an SSH session.
Command Syntax
| Syntax | Description |
|---|---|
| <user-id> | The user account name. |
Version History
Introduced in Cumulus Linux 5.6.0
Example
cumulus@switch:~$ nv set system ssh-server deny-users user3
nv set system ssh-server host-key-algorithms
Configures strict SSH host key algorithms. You can specify ecdsa-sha2-nistp256, rsa-sha2-256, or rsa-sha2-512. The default value is ecdsa-sha2-nistp256.
Version History
Introduced in Cumulus Linux 5.15.0
Example
cumulus@switch:~$ nv set system ssh-server host-key-algorithms rsa-sha2-256
nv set system ssh-server inactive-timeout
Configures the amount of time a session can be inactive before the SSH server terminates the connection.
Version History
Introduced in Cumulus Linux 5.6.0
Example
cumulus@switch:~$ nv set system ssh-server inactive-timeout 5
nv set system ssh-server kex-algorithms
Configures strict SSH key exchange algorithms. You can specify curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, or diffie-hellman-group14-sha256. The default value is curve25519-sha256.
Version History
Introduced in Cumulus Linux 5.15.0
Example
cumulus@switch:~$ nv set system ssh-server kex-algorithms curve25519-sha256@libssh.org
nv set system ssh-server login-record-period
Configures the number of days over which to calculate the login records that are shown after login. You can set a value between 1 and 30.
Version History
Introduced in Cumulus Linux 5.10.0
Example
cumulus@switch:~$ nv set system ssh-server login-record-period 20
nv set system ssh-server login-timeout
Configures the number of seconds allowed before login times out. You can set a value between 1 and 600.
Version History
Introduced in Cumulus Linux 5.6.0
Example
cumulus@switch:~$ nv set system ssh-server login-timeout 200
nv set system ssh-server macs
Configures strict SSH MACs. You can specify hmac-sha2-256, hmac-sha2-512, hmac-sha2-512-etm@openssh.com, or hmac-sha2-256-etm@openssh.com. The default value is hmac-sha2-256.
Version History
Introduced in Cumulus Linux 5.15.0
Example
cumulus@switch:~$ nv set system ssh-server macs hmac-sha2-512
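A check that the running SSH daemon offers only the values listed above for ciphers, host-key-algorithms, kex-algorithms and macs. This is an added example, not part of the Cumulus Linux documentation; it assumes the effective configuration is captured as `sshd -T` text, and the function name and sample input are constructed for illustration.

```python
# Added example: compare `sshd -T` output with the values this page documents.
ALLOWED = {
    "ciphers": {"aes256-ctr", "aes192-ctr", "aes128-ctr",
                "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
    "hostkeyalgorithms": {"ecdsa-sha2-nistp256", "rsa-sha2-256", "rsa-sha2-512"},
    "kexalgorithms": {"curve25519-sha256", "curve25519-sha256@libssh.org",
                      "diffie-hellman-group16-sha512",
                      "diffie-hellman-group18-sha512",
                      "diffie-hellman-group14-sha256"},
    "macs": {"hmac-sha2-256", "hmac-sha2-512",
             "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"},
}

def audit(sshd_t_output):
    """Return {keyword: [algorithms outside the documented set]}.

    A keyword absent from the input is reported too, because sshd then
    falls back to its built-in list instead of the configured one.
    """
    seen = {}
    for line in sshd_t_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ALLOWED:
            seen[parts[0].lower()] = [a for a in parts[1].split(",") if a]
    findings = {}
    for keyword, allowed in ALLOWED.items():
        if keyword not in seen:
            findings[keyword] = ["<keyword missing>"]
            continue
        extra = [a for a in seen[keyword] if a not in allowed]
        if extra:
            findings[keyword] = extra
    return findings

# Constructed sample of `sshd -T` output with two values that drifted
# from the documented sets (for example after a manual sshd_config edit).
SAMPLE = """\
port 22
ciphers aes256-ctr,aes128-cbc
kexalgorithms curve25519-sha256
macs hmac-sha2-256,hmac-sha1
hostkeyalgorithms ecdsa-sha2-nistp256
"""

if __name__ == "__main__":
    for keyword, extra in sorted(audit(SAMPLE).items()):
        print(f"{keyword}: not in documented set: {', '.join(extra)}")
```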
nv set system ssh-server max-sessions-per-connection
Configures the maximum number of SSH sessions allowed per TCP connection. You can specify a value between 1 and 100.
Version History
Introduced in Cumulus Linux 5.6.0
Example
cumulus@switch:~$ nv set system ssh-server max-sessions-per-connection 10
nv set system ssh-server max-unauthenticated session-count
Configures the maximum number of unauthenticated SSH sessions allowed. You can set a value between 1 and 10000.
Version History
Introduced in Cumulus Linux 5.6.0
Example
cumulus@switch:~$ nv set system ssh-server max-unauthenticated session-count 20
nv set system ssh-server max-unauthenticated throttle-percent
Configures the starting percentage of connections to reject above the throttle start count before reaching the session count limit. You can set a value between 1 and 100.
Version History
Introduced in Cumulus Linux 5.6.0
Example
cumulus@switch:~$ nv set system ssh-server max-unauthenticated throttle-percent 20
nv set system ssh-server max-unauthenticated throttle-start
Configures the number of unauthenticated SSH sessions allowed before throttling starts. You can set a value between 1 and 10000.
Version History
Introduced in Cumulus Linux 5.6.0
Example
cumulus@switch:~$ nv set system ssh-server max-unauthenticated throttle-start 5
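How the three max-unauthenticated values interact, as an added example that is not part of the Cumulus Linux documentation. It assumes NVUE renders them to OpenSSH's MaxStartups start:rate:full setting and reproduces sshd's linear ramp with integer arithmetic; the function names are hypothetical.

```python
# Added example: refusal rate for new unauthenticated SSH connections,
# assuming session-count / throttle-percent / throttle-start map to
# OpenSSH MaxStartups full / rate / start.

def drop_percent(unauth, start, percent, full):
    """Chance (0-100) that sshd refuses a new connection while `unauth`
    unauthenticated sessions are already open."""
    # sshd rejects a configuration where start exceeds full or the
    # percentage is outside 1-100.
    if not 1 <= percent <= 100 or start > full:
        raise ValueError("need 1 <= percent <= 100 and start <= full")
    if unauth < start:
        return 0                      # below throttle-start: never refused
    if unauth >= full or percent == 100:
        return 100                    # at session-count: always refused
    # Linear ramp from `percent` at `start` up to 100 at `full`.
    return percent + (100 - percent) * (unauth - start) // (full - start)

def ramp(start, percent, full):
    """Refusal percentage for every session count from 0 to `full`."""
    return [(n, drop_percent(n, start, percent, full)) for n in range(full + 1)]

if __name__ == "__main__":
    # Values from this page's examples:
    # throttle-start 5, throttle-percent 20, session-count 20
    for n, p in ramp(5, 20, 20):
        print(f"{n:3d} unauthenticated sessions -> {p:3d}% of new connections refused")
```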
nv set system ssh-server permit-root-login
Configures the root account to use SSH to log in to the switch with one of the following:
- A password (enabled or disabled).
- A public key or any allowed mechanism that is not a password and not keyboard-interactive. This is the default setting (prohibit-password).
- A set of commands defined in the authorized_keys file (forced-commands-only).
Version History
Introduced in Cumulus Linux 5.6.0
Example
cumulus@switch:~$ nv set system ssh-server permit-root-login forced-commands-only
nv set system ssh-server port <port-id>
Configures the TCP port numbers on which the SSH server listens for incoming SSH sessions.
Command Syntax
| Syntax | Description |
|---|---|
| <port-id> | The port number. |
Version History
Introduced in Cumulus Linux 5.6.0
Example
cumulus@switch:~$ nv set system ssh-server port 443
nv set system ssh-server pubkey-accepted-algorithms
Configures strict SSH public key accepted algorithms. You can specify ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512, rsa-sha2-256, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, or ssh-ed25519-cert-v01@openssh.com. The default value is ecdsa-sha2-nistp256-cert-v01@openssh.com.
Version History
Introduced in Cumulus Linux 5.15.0
Example
cumulus@switch:~$ nv set system ssh-server pubkey-accepted-algorithms ecdsa-sha2-nistp256-cert-v01@openssh.com
nv set system ssh-server state
Enables or disables the SSH server on the switch.
Version History
Introduced in Cumulus Linux 5.6.0
Example
cumulus@switch:~$ nv set system ssh-server state disabled
nv set system ssh-server strict
Enables or disables SSH strict mode. By default, SSH strict mode is on so that Cumulus Linux disables X11, TCP forwarding, and compression and enforces secure ciphers.
Cumulus Linux 5.15 and later no longer support this command.
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set system ssh-server strict disabled
nv set system ssh-server trusted-ca-keys <key-ID> key
Sets the trusted CA key literal for certificate-based authentication. The key literal is located within a public key file.
Command Syntax
| Syntax | Description |
|---|---|
| <key-id> | The CA trusted certificate ID. |
Version History
Introduced in Cumulus Linux 5.13.0
Example
cumulus@switch:~$ nv set system ssh-server trusted-ca-keys KEY1 key AAAAB3NzaC1yc2EAAAADA..
nv set system ssh-server trusted-ca-keys <key-ID> type <key-type>
Sets the trusted CA key type for certificate-based authentication. The key type is located within a public key file.
Command Syntax
| Syntax | Description |
|---|---|
| <key-id> | The CA trusted certificate ID. |
Version History
Introduced in Cumulus Linux 5.13.0
Example
cumulus@switch:~$ nv set system ssh-server trusted-ca-keys KEY1 type ssh-rsa
nv set system ssh-server vrf <vrf-id>
Configures the VRFs on which you want the SSH service to run. The SSH service runs in the default VRF on the switch but listens on all interfaces in all VRFs.
Command Syntax
| Syntax | Description |
|---|---|
| <vrf-id> | The VRF you want to configure. |
Version History
Introduced in Cumulus Linux 5.6.0
Example
cumulus@switch:~$ nv set system ssh-server vrf RED