SSH XR DEVICE

pramod
Level 1

How do I configure SSH on an XR device? In XR I did not find the crypto commands; the ssh commands are also missing. How do I configure it? Please help.

4 Replies

Mark Yeates
Level 7

The XR CLI is significantly different from IOS. See the following link to configure SSH on your router.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094056.shtml#processid

HTH,

Mark

The link you provided is "What Does the show ip ospf interface Command Reveal?" can you please provide me a valid link?

Sorry about that... It was a link for a different post. Here is the proper link.

http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r2.0/security/configuration/guide/scssh.html#wp1044523

Mark

In IOS XR, if you don't configure a domain name, the default domain name is the one that the software uses to complete unqualified host names.

Enabling SSH on IOS XR requires the "hfr-k9sec" security PIE to be installed on the router.

If this PIE is not present, it needs to be installed; you can refer to the "Upgrading and Managing Cisco IOS XR Software on Cisco ASR 9000 Series Routers" document.

In addition to installing the k9sec PIE, IOS XR requires RSA or DSA keys to be generated on the router before SSH runs in server mode.

To verify the existence of the k9sec PIE, use the "show install active | include k9" command as shown below:

RP/0/0/CPU0:Router1(admin)#sh install active | in k9
Wed May 15 17:59:25.164 UTC
     disk0:hfr-k9sec-3.6.0
RP/0/0/CPU0:Router1(admin)#
Then generate a DSA key pair using the following command:

RP/0/0/CPU0:Router1#crypto key generate dsa
Wed May 15 18:16:43.712 UTC
The name for the keys will be: the_default
Choose the size of your DSA key modulus. Modulus size can be 512, 768, or 1024 bits. Choosing a key modulus
How many bits in the modulus [1024]: 1024
Generating DSA keys ...
Done w/ crypto generate keypair
[OK]
RP/0/0/CPU0:Router1#

Then enable SSHv2.

If you don't enable the server configuration on XR devices you will not be able to get SSH access to the device; you will get the following message:

RP/0/0/CPU0:Router2#ssh 10.1.1.1
%Error in connect v4 - Connection refused
RP/0/0/CPU0:Router2#

Now let's enable SSHv2 on Router1:

RP/0/0/CPU0:Router1(config)#ssh server v2
RP/0/0/CPU0:Router1(config)#commit

Verification:

1) SSH from Router2 to Router1:

RP/0/0/CPU0:Router2#ssh 10.1.1.1
Password:
RP/0/0/CPU0:Router1#

2) You can also verify the SSH session details on the router:

RP/0/0/CPU0:Router1#sh ssh session details
Wed May 15 18:31:11.993 UTC
SSH version : Cisco-2.0
 id key-exchange pubkey incipher outcipher inmac   outmac
-------------------------------------------------------------------
Incoming Session
0 diffie-hellman ssh-dss 3des-cbc 3des-cbc hmac-md5 hmac-md5
Outgoing connection
RP/0/0/CPU0:Router1#

3) The output of "show tcp brief" shows the TCP port 22 sessions that identify the incoming SSH connection:

RP/0/0/CPU0:Router1#sh tcp brief
Wed May 15 18:32:16.959 UTC
   PCB     VRF-ID     Recv-Q Send-Q Local Address         Foreign Address       State
0x1012d904 0x60000000     0     0 :::22                 :::0                   LISTEN
0x10129ed0 0x00000000     0     0 :::22                 :::0                   LISTEN
0x1012e1bc 0x60000000     0     0 10.1.1.1:22           10.1.1.2:62153        ESTAB
0x1012d764 0x60000000     0     0 0.0.0.0:22             0.0.0.0:0             LISTEN
0x10125348 0x00000000     0     0 0.0.0.0:22             0.0.0.0:0             LISTEN
RP/0/0/CPU0:Router1#
You can also configure the SSH client on the router as shown below:

RP/0/0/CPU0:Router2(config)#ssh client ?
dscp              DSCP value for ssh client sessions
knownhost         Enable the host pubkey check by local database
source-interface  Source interface for ssh client sessions
vrf               Source interface VRF for ssh client sessions

If you want to enable SSH in a VRF, just include the "vrf" keyword after the ssh command as shown below:

"ssh server [vrf vrf-name]"

"ssh client [vrf vrf-name]"
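As an added example that is not part of this thread or of Cisco's software, the following Python script parses the "show ssh session details" output shown above and reports, per session, which negotiated algorithms are legacy ones (ssh-dss, 3des-cbc, hmac-md5 and similar). The sample output is constructed from the session table in the reply, and the set of algorithms treated as legacy is this script's own audit policy, not an IOS XR setting.

```python
# Constructed sample, modelled on the 'show ssh session details' output in the thread
# (not captured from a real device).
SAMPLE = """\
SSH version : Cisco-2.0
 id key-exchange pubkey incipher outcipher inmac   outmac
-------------------------------------------------------------------
Incoming Session
0 diffie-hellman ssh-dss 3des-cbc 3des-cbc hmac-md5 hmac-md5
Outgoing connection
"""

# Algorithms widely treated as legacy today; this set is the example's assumption.
LEGACY = {"ssh-dss", "3des-cbc", "hmac-md5", "hmac-md5-96", "hmac-sha1-96", "arcfour"}

# Column order of the session table as printed by the router.
COLUMNS = ("id", "key_exchange", "pubkey", "incipher", "outcipher", "inmac", "outmac")


def parse_sessions(text):
    """Return one dict per session row, tagged with its direction (incoming/outgoing)."""
    sessions, direction = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0].lower() == "incoming":
            direction = "incoming"
            continue
        if fields[0].lower() == "outgoing":
            direction = "outgoing"
            continue
        # A data row has exactly the table's columns and starts with a numeric id;
        # the header, the dashed rule and the version line do not match this shape.
        if len(fields) == len(COLUMNS) and fields[0].isdigit():
            row = dict(zip(COLUMNS, fields))
            row["direction"] = direction
            sessions.append(row)
    return sessions


def weak_algorithms(session):
    """Sorted names of the legacy algorithms negotiated by one session."""
    return sorted({session[c] for c in COLUMNS[2:] if session[c] in LEGACY})


def audit(text):
    """Map session id -> list of legacy algorithms (an empty list means none found)."""
    return {s["id"]: weak_algorithms(s) for s in parse_sessions(text)}


if __name__ == "__main__":
    for sid, weak in audit(SAMPLE).items():
        print("session", sid, "legacy algorithms:", ", ".join(weak) or "none")
```

Paste the router's actual output into SAMPLE (or read it from a file) to check live sessions; a non-empty list is the cue to review the server's key type and allowed algorithms.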
