SSH settings on Cisco ASR 1001-X

carlostrejoruiz
Level 1

Hi,

I was wondering if anyone knows or can guide me in the right direction to know if the Cisco ASR 1001-X supports the following SSH settings?


a. Use of [SSH] version one (1) disabled (e.g. can SSH v1 be disabled?)

b. [SSH] daemon configured to listen only on required interfaces, where multiple network interfaces are configured on a machine

c. Connection forwarding disabled

d. Gateway ports disabled

e. Login directly as root disabled

f. Host-based authentication disabled

g. Rhosts-based authentication disabled

h. No empty passphrases

i. Authentication timeout less than or equal to sixty (60) seconds

j. X forwarding disabled

k. maximum number of authentication attempts before lockout equal to three (3)

l. Private keys protected with any of the following means:

i. passphrase

ii. Key encryption key.


Kind Regards,

1 Reply

Richard Burts
Hall of Fame

Here are answers/comments on some of your questions:

a: By default both version 1 and 2 are enabled. If you specify version 2 the result is that version 1 becomes disabled.

b: I am not clear what you mean with "listen only on required interfaces". Is it controlling which interfaces the SSH request physically arrives on (SSH permitted incoming on G0/0 but not permitted incoming on G0/1), or is it controlling which interface addresses can be the destination address (SSH permitted to the address of Loopback0 but not permitted to the address of G0/0)? In either case you cannot configure this directly in the SSH daemon, but you could accomplish it by configuring appropriate extended access lists and applying them to appropriate interfaces.

If you do not want SSH to arrive on G0/1, the simple solution would be an ACL that denies any incoming packet whose destination port protocol is SSH and then permits other traffic. You would apply this ACL inbound on G0/1. Note that this would deny any SSH attempt to this router and would also deny SSH attempting to go through this router to some other destination. If you need SSH transit traffic to work, then the ACL would have individual statements denying SSH to every destination IP address configured on the router and then permitting all other SSH traffic.

If you did not want SSH to succeed if the destination address was G0/0, then the ACL would deny traffic with destination address of G0/0 and protocol port of SSH and then have statements permitting other traffic. The ACL would be applied inbound on every interface of the router that accepts inbound traffic.

e: I am not clear what you mean about login directly as root. There is not a root ID on the router unless you configure one. Or are you describing being able to login and go directly into enable mode? That is not permitted by default. You can accomplish that if you configure a specific user ID to have privilege level 15, or if you configure a vty port to go directly into enable mode. But if you do not configure those things, then no one would go directly into enable mode.

HTH

Rick
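As an added example (not part of the original question or Rick's reply), here is an IOS-XE configuration fragment that puts points a, b and e of the reply together on one box: SSH version 2 only, an extended ACL that blocks SSH addressed to the router itself while still permitting SSH transit, and local accounts that do not land in privilege 15 at login. The interface names G0/0 and G0/1, the router addresses 192.0.2.1 and 198.51.100.1, the management subnet 10.0.0.0/24 and all user names and ACL names are placeholders chosen for the example, not values from the thread; on a real ASR 1001-X the interfaces are named GigabitEthernet0/0/x. The `ip ssh time-out` and `ip ssh authentication-retries` lines address items i and k of the original question from general IOS knowledge, not from the reply. The `crypto key generate rsa` step assumes no RSA key pair exists yet.

```ios
! --- a: allow SSH version 2 only (also disables v1) ---
! SSHv2 needs an RSA key pair; 2048 bits is a reasonable minimum today.
hostname asr1001x
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
! i: authentication timeout (seconds, max 120 on IOS); k: attempts before the session is dropped
ip ssh time-out 60
ip ssh authentication-retries 3

! --- e: no account drops straight into enable mode ---
! Leaving out "privilege 15" means the user lands at privilege 1 and must run "enable".
enable secret CHANGE-ME-enable-pw
username netops secret CHANGE-ME-user-pw
! A privilege 15 account is what the reply warns about; shown here for contrast, leave it out.
! username superadmin privilege 15 secret CHANGE-ME

! --- b: SSH may transit G0/1 but may not terminate on any router address ---
! One deny line per address configured on the router, then permit the rest of SSH.
ip access-list extended NO-SSH-TO-ROUTER
 remark deny SSH whose destination is this router (one line per interface/loopback address)
 deny   tcp any host 192.0.2.1 eq 22
 deny   tcp any host 198.51.100.1 eq 22
 remark SSH going through the router to other hosts is still allowed
 permit tcp any any eq 22
 permit ip any any

interface GigabitEthernet0/1
 description untrusted side: no SSH to the router from here
 ip access-group NO-SSH-TO-ROUTER in

! --- restrict the SSH service itself to the management side ---
! access-class filters by source address on the vty lines, complementing the interface ACL above.
ip access-list standard MGMT-SOURCES
 permit 10.0.0.0 0.0.0.255
 deny   any log

line vty 0 4
 transport input ssh
 login local
 access-class MGMT-SOURCES in
 exec-timeout 10 0
```

A quick check after applying it: `show ip ssh` should report `SSH Enabled - version 2.0` (a v1/v2 box reports `version 1.99`), and an SSH attempt from the G0/1 side to 192.0.2.1 should fail while one to a host beyond the router succeeds. Note that `access-class` on the vty lines only filters by source address, so it does not by itself give the per-interface or per-destination behaviour Rick describes; that is why the interface ACL is still needed.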