08-08-2009 10:23 PM - edited 03-04-2019 05:41 AM
How to config SSH on an XR device? In XR I didn't find crypto commands. SSH commands are also missing. How to configure? Please help.
08-09-2009 01:15 AM
XR CLI is significantly different than IOS. See the following link to configure SSH on your router.
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094056.shtml#processid
HTH,
Mark
08-09-2009 02:30 AM
The link you provided is "What Does the show ip ospf interface Command Reveal?" Can you please provide me a valid link?
08-09-2009 06:18 AM
Sorry about that... It was a link for a different post. Here is the proper link.
Mark
04-16-2018 01:04 AM
In IOS XR if you don’t configure domain name default domain name that the software uses to complete unqualified host names.
Enabling SSH on IOS XR requires the "Hfr-k9sec security" PIE to be installed on the router.
If this PIE is not present, it needs to be installed; you can refer to the Upgrading and Managing Cisco IOS XR Software on Cisco ASR 9000 Series Routers document.
In addition to installing the k9sec PIE, IOS XR requires RSA or DSA keys to be generated on the router before SSH runs in server mode.
To verify the existence of the k9sec PIE, use the "show install active | include k9" command as shown below:
RP/0/0/CPU0:Router1(admin)#sh install active | in k9
Wed May 15 17:59:25.164 UTC
disk0:hfr-k9sec-3.6.0
RP/0/0/CPU0:Router1(admin)#
Then generate DSA key pairs using the following command:
RP/0/0/CPU0:Router1#crypto key generate dsa
Wed May 15 18:16:43.712 UTC
The name for the keys will be: the_default
Choose the size of your DSA key modulus. Modulus size can be 512, 768, or 1024 bits. Choosing a key modulus
How many bits in the modulus [1024]: 1024
Generating DSA keys ...
Done w/ crypto generate keypair
[OK]
RP/0/0/CPU0:Router1#
Then enable SSHv2:
If you don’t enable the server configuration on XR devices, you will not be able to get SSH access to the device; you will get the following message:
RP/0/0/CPU0:Router2#ssh 10.1.1.1
%Error in connect v4 - Connection refused
RP/0/0/CPU0:Router2#
Now let’s enable SSHv2 on Router1:
RP/0/0/CPU0:Router1(config)#ssh server v2
RP/0/0/CPU0:Router1(config)#commit
Verification:
1) SSH from Router2 to Router1
RP/0/0/CPU0:Router2#ssh 10.1.1.1
Password:
RP/0/0/CPU0:Router1#
2) You can also verify SSH session detail on the router:
RP/0/0/CPU0:Router1#sh ssh session details
Wed May 15 18:31:11.993 UTC
SSH version : Cisco-2.0
id key-exchange pubkey incipher outcipher inmac outmac
-------------------------------------------------------------------
Incoming Session
0 diffie-hellman ssh-dss 3des-cbc 3des-cbc hmac-md5 hmac-md5
Outgoing connection
RP/0/0/CPU0:Router1#
3) The output of show tcp brief shows the TCP port 22 sessions that identify the incoming SSH connection.
RP/0/0/CPU0:Router1#sh tcp brief
Wed May 15 18:32:16.959 UTC
PCB VRF-ID Recv-Q Send-Q Local Address Foreign Address State
0x1012d904 0x60000000 0 0 :::22 :::0 LISTEN
0x10129ed0 0x00000000 0 0 :::22 :::0 LISTEN
0x1012e1bc 0x60000000 0 0 10.1.1.1:22 10.1.1.2:62153 ESTAB
0x1012d764 0x60000000 0 0 0.0.0.0:22 0.0.0.0:0 LISTEN
0x10125348 0x00000000 0 0 0.0.0.0:22 0.0.0.0:0 LISTEN
RP/0/0/CPU0:Router1#
You can also configure the SSH client on the router as shown below:
RP/0/0/CPU0:Router2(config)#ssh client ?
dscp DSCP value for ssh client sessions
knownhost Enable the host pubkey check by local database
source-interface Source interface for ssh client sessions
vrf Source interface VRF for ssh client sessions
If you want to enable SSH on a VRF, just include the "vrf" keyword after the ssh command as shown below:
"ssh server [vrf vrf-name]"
"ssh client [vrf vrf-name]"
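An added example, not part of the original posts and not Cisco tooling: the session in the verification output above negotiated ssh-dss, 3des-cbc and hmac-md5, all legacy algorithms, so this Python script parses "show ssh session details" output and reports sessions that use them. The deny-list and the second (outgoing) sample row are assumptions constructed for the example; the first row is the one shown in the post.

```python
COLUMNS = ["id", "key-exchange", "pubkey", "incipher", "outcipher", "inmac", "outmac"]

# Deny-list chosen for this example (assumption, not vendor guidance); tune to local policy.
WEAK_BY_COLUMN = {
    "pubkey": {"ssh-dss"},
    "incipher": {"3des-cbc"},
    "outcipher": {"3des-cbc"},
    "inmac": {"hmac-md5"},
    "outmac": {"hmac-md5"},
}

def parse_sessions(output):
    """Return one dict per session row; direction comes from the section header."""
    sessions, direction = [], None
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith("incoming"):
            direction = "incoming"
        elif line.lower().startswith("outgoing"):
            direction = "outgoing"
        else:
            fields = line.split()
            # Session rows start with a numeric id and fill every column.
            if len(fields) == len(COLUMNS) and fields[0].isdigit():
                sessions.append(dict(zip(COLUMNS, fields), direction=direction))
    return sessions

def audit(output):
    """Return (session id, direction, column, algorithm) for each weak algorithm seen."""
    return [(s["id"], s["direction"], col, s[col])
            for s in parse_sessions(output)
            for col, weak in WEAK_BY_COLUMN.items() if s[col] in weak]

# Incoming row is from the post; the outgoing row is constructed for contrast.
SAMPLE = """\
RP/0/0/CPU0:Router1#sh ssh session details
SSH version : Cisco-2.0
id key-exchange pubkey incipher outcipher inmac outmac
-------------------------------------------------------------------
Incoming Session
0 diffie-hellman ssh-dss 3des-cbc 3des-cbc hmac-md5 hmac-md5
Outgoing connection
1 ecdh-sha2-nistp256 ssh-rsa aes128-ctr aes128-ctr hmac-sha2-256 hmac-sha2-256
"""

if __name__ == "__main__":
    for sid, direction, column, algo in audit(SAMPLE):
        print(f"session {sid} ({direction}): {column} uses {algo}")
```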