Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

SSH Configuration On Cisco IOS XR



Secure Shell (SSH) is a useful protocol or application for establishing secure sessions with the router. A router configured with SSH server allows a secure connection to the router similar to Telnet. The Telnet application has limited security. SSH provides stronger encryption and deploys public-key cryptography for added confidentiality.

IOS XR supports two versions of SSH:


  • SSH version 1 uses Rivest, Shamire, and Adelman (RSA) keys.
  • SSH version 2 uses the Digital Signature Algorithm (DSA).

There are two modes you can configure:


SSH Server:

The SSH server feature enables an SSH client to make a secure, encrypted connection to router. This connection provides functionality that is similar to that of an inbound Telnet connection.


SSH Client:

The SSH client feature is an application running over the SSH protocol to provide device authentication and encryption. The SSH client enables router to make a secure, encrypted connection to another router or to any other device running the SSH server. This connection provides functionality that is similar to that of an outbound Telnet connection except that the connection is encrypted.


Configuration Example:

In this example we will configure Router1 in server mode using SSHv2:



In IOS XR if you don’t configure domain name default domain name that the software uses to complete unqualified host names.


Enabling SSH on IOS XR requires the "Hfr-k9sec security" PIE to be installed on the router.

If this PIE is not present, it needs to be installed; you can refer Upgrading and Managing Cisco IOS XR Software on Cisco ASR 9000 Series Routers document

In addition to installing the k9sec PIE, IOS XR requires RSA or DSA keys to be generated on the router before SSH runs in server mode.


To verify the existence of k9sec pie use "show install active | include k9" command as shown below:


RP/0/0/CPU0:Router1(admin)#sh install active | in k9

Wed May 15 17:59:25.164 UTC




Then generate DSA key pairs using following command:

RP/0/0/CPU0:Router1#crypto key generate dsa

Wed May 15 18:16:43.712 UTC

The name for the keys will be: the_default

Choose the size of your DSA key modulus. Modulus size can be 512, 768, or 1024 bits. Choosing a key modulus

How many bits in the modulus [1024]: 1024

Generating DSA keys ...

Done w/ crypto generate keypair





Then enable SSHv2:

If you don’t enable server configuration on XR devices you will not able to get SSH access of device, you will get following message:


%Error in connect v4 - Connection refused




Now let’s enable SSHv2 on Router1:

RP/0/0/CPU0:Router1(config)#ssh server v2




1) SSH from Router2 to Router1





2) You can also verify SSH session detail on the router:

RP/0/0/CPU0:Router1#sh ssh session details

Wed May 15 18:31:11.993 UTC

SSH version : Cisco-2.0


id key-exchange pubkey incipher outcipher inmac   outmac


Incoming Session

0 diffie-hellman ssh-dss 3des-cbc 3des-cbc hmac-md5 hmac-md5


Outgoing connection



3) The output of show tcp brief shows the TCP port 22 sessions that identifies the incoming SSH connection.

RP/0/0/CPU0:Router1#sh tcp brief

Wed May 15 18:32:16.959 UTC

   PCB     VRF-ID     Recv-Q Send-Q Local Address         Foreign Address       State

0x1012d904 0x60000000     0     0 :::22                 :::0                   LISTEN

0x10129ed0 0x00000000     0     0 :::22                 :::0                   LISTEN

0x1012e1bc 0x60000000     0     0         ESTAB

0x1012d764 0x60000000     0     0                LISTEN

0x10125348 0x00000000     0     0                LISTEN



You can also configure SSH client on router as shown below:

RP/0/0/CPU0:Router2(config)#ssh client ?

dscp              DSCP value for ssh client sessions

knownhost         Enable the host pubkey check by local database

source-interface  Source interface for ssh client sessions

vrf               Source interface VRF for ssh client sessions


If you want to enable SSH on VRF just include "vrf" word after ssh command as shown below :

"ssh server [vrf vrf-name]"

"ssh client [vrf vrf-name]"

Related Information:

Implementing Secure Shell

New Member

Does anyone know where the RSA keys are stored in IOS-XR?

In IOS it's nvram:private-config. In IOS-XR there is a file nvram:cepki_key_db, but it's not clear if this is the one.

New Member

RSA keys work just fine with SSHv2, it appears both this document and the official documentation are outdated.

Cisco Employee

You are correct, ssh v1 may only support RSA, but SSH V2 supports both RSA and DSA. I will get the documentation corrected.

RP/0/0/CPU0:PE4#sh ssh sess det
Thu Apr 14 22:34:37.390 CEST
SSH version : Cisco-2.0
id  key-exchange  pubkey  incipher  outcipher  inmac   outmac
Incoming Session
0  diffie-hellman  ssh-rsa  3des-cbc  3des-cbc  hmac-md5  hmac-md5