NX-OS SSH Login-gracetime

John Aberasturi
Level 1

Hello. I am trying to configure the ssh login-gracetime to 60. Running 6.2(20) on a C7009. The command does not appear. I have SSH working fine, but the gracetime command doesn't show. It only has login-attempts. Any ideas? The Nexus 7000 Security Guide says it should be there. Thanks.

1 Reply

Hello,

you could be hitting the bug below:

Need ssh login grace timeout command in Nexus 7k platform.
CSCui42959
Description
Symptom:
ip ssh timeout command is not present on the Nexus 7k.

User can not configure login grace timeout which will enforce negotiation and authentication to be within login grace time, otherwise ssh server process will get terminated and ssh connection can not be established.

Conditions:

Workaround:
Load plugin and change the parameter LoginGraceTime manually in /isan/etc/dcos_sshd_config file.

I cannot test this because I only have the VIRL version of the N7K, but it apparently goes like this: you have to comment out the 'LoginGraceTime' parameter in the /isan/etc/dcos_sshd_config file.

n7k#config t
n7k(config)#feature bash-shell
n7k(config)#run bash
bash-4.2$ sudo su -
root@N7K-1#cd /isan/etc
root@N7K-1#cat dcos_sshd_config | egrep LoginGraceTime
#CSCui42959 :

!! Create a back up of the existing SSHD_CONFIG
root@N7K-1#mv dcos_sshd_config dcos_sshd_config.backup

!! comment out LoginGraceTime and save to config (effectively removing the restriction)
cat dcos_sshd_config.backup | sed 's@^LoginGraceTime@# LoginGraceTime@g' > dcos_sshd_config

!! Verify
root@N7K-1#cat dcos_sshd_config | egrep LoginGraceTime
#CSCui42959 :

root@N7K-1#exit
logout
bash-4.2$ exit
exit
N7K-1(config)# no feature bash
N7K-1(config)# exit
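
An added example, not part of the reply above and not Cisco's code: a shell sketch that reports the LoginGraceTime an sshd_config-style file yields and sets it to an explicit value such as the 60 seconds asked about, keeping a backup. It assumes stock OpenSSH semantics (the first active line wins, and a missing or commented-out directive means the 120-second default rather than no limit); the function names are hypothetical and the demo runs on a constructed sample file, not on /isan/etc/dcos_sshd_config.

```shell
#!/bin/sh
# Added example: audit and set LoginGraceTime in an sshd_config-style file.
# Function names are hypothetical; the demo edits a constructed sample file.

# Print the value sshd would use. The first active (uncommented) line wins;
# with none present, stock OpenSSH uses its default of 120 seconds.
# Handles the usual whitespace-separated "Keyword value" form.
effective_grace_time() {
    awk 'tolower($1) == "logingracetime" { print $2; found = 1; exit }
         END { if (!found) print "120" }' "$1"
}

# Set LoginGraceTime to a positive number of seconds (0 would disable the
# limit, so it is refused). Keeps FILE.backup and the file's mode and owner.
set_grace_time() {
    file=$1 secs=$2
    case $secs in
        ''|*[!0-9]*) echo "seconds must be a positive integer" >&2; return 2 ;;
    esac
    [ "$secs" -gt 0 ] || { echo "0 disables the grace timeout" >&2; return 2; }
    cp -p "$file" "$file.backup" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    {
        # New directive goes first, which keeps it out of any Match block;
        # older active LoginGraceTime lines are dropped, comments are kept.
        printf 'LoginGraceTime %s\n' "$secs"
        awk 'tolower($1) != "logingracetime"' "$file.backup"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"
}

demo() {
    dir=$(mktemp -d) || return 1
    cfg=$dir/sshd_config
    # Constructed sample: the directive is only present as a comment.
    printf '%s\n' 'Port 22' '#LoginGraceTime 2m' 'PermitRootLogin no' > "$cfg"
    before=$(effective_grace_time "$cfg")
    set_grace_time "$cfg" 60 || return 1
    after=$(effective_grace_time "$cfg")
    rm -rf "$dir"
    echo "before=$before after=$after"
}
demo
```

On a stock OpenSSH host, `sshd -t -f <file>` checks the edited file for syntax errors before the daemon rereads it.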