Configure SSH and SSH Access List

To allow SSH sessions from the admin user to the chassis on the Management interface, enable the SSH server and configure the allowed networks.

Procedure


Step 1

Choose Devices > Platform Settings and create or edit the chassis policy.

Step 2

Choose SSH.

Step 3

To enable SSH access to the chassis, enable the Enable SSH Server slider.

Figure: SSH

Step 4

To set the allowed Algorithms, click Edit (edit icon).

Figure: Add Algorithms
  1. Select the Encryption algorithms.

  2. Select the Key Exchange algorithms.

    The key exchange provides a shared secret that cannot be determined by either party alone. The key exchange is combined with a signature and the host key to provide host authentication. This key-exchange method provides explicit server authentication.

  3. Select the Mac integrity algorithms.

Step 5

For Host Key, enter the modulus size for the RSA key pairs.

The modulus value (in bits) is in multiples of 8 from 1024 to 2048. The larger the key modulus size you specify, the longer it takes to generate an RSA key pair. We recommend a value of 2048.

Step 6

For the server Volume Rekey Limit, set the amount of traffic in KB allowed over the connection before FXOS disconnects from the session.

Step 7

For the server Time Rekey Limit, set the minutes for how long an SSH session can be idle before FXOS disconnects the session.

Step 8

For the SSH Client, configure the following settings.

Figure: SSH
  • Strict Host Keycheck—Choose enable, disable, or prompt to control SSH host key checking.

    • enable—The connection is rejected if the host key is not already in the FXOS known hosts file. You must manually add hosts at the FXOS CLI using the enter ssh-host command in the system/services scope.

    • prompt—You are prompted to accept or reject the host key if it is not already stored on the chassis.

    • disable—(The default) The chassis accepts the host key automatically if it was not stored before.

  • Algorithms—Click Edit (edit icon) and select the Encryption, Key Exchange, and Mac algorithms.

  • Volume Rekey Limit—Set the amount of traffic in KB allowed over the connection before FXOS disconnects from the session.

  • Time Rekey Limit—Set the minutes for how long an SSH session can be idle before FXOS disconnects the session.

Step 9

Choose SSH Access List. You need to allow access to IP addresses or networks before you can use SSH.

Figure: SSH Access List

Step 10

Click Edit (edit icon) to add network objects and click Save. You can also manually enter IP addresses.

Figure: Network Objects

Step 11

Click Save to save all policy changes.
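
The following pre-deployment check is an added example, not part of the original procedure or any Cisco tool. It reviews planned values against the constraints stated in Steps 5, 8, 9 and 10; the dictionary key names and sample values are assumptions made for the example, and `source_allowed` is only a model of how an access list admits a source address.

```python
import ipaddress

# Constructed sample. The key names are assumptions made for this example,
# not an FXOS or management center schema.
SAMPLE_POLICY = {
    "ssh_server_enabled": True,
    "host_key_modulus": 1500,
    "strict_host_keycheck": "disable",
    "access_list": ["192.0.2.0/24", "0.0.0.0/0", "10.1.1.5"],
}

def parse_networks(entries):
    """Split access-list entries into parsed networks and unparseable strings."""
    good, bad = [], []
    for entry in entries:
        try:
            good.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            bad.append(entry)
    return good, bad

def review_ssh_policy(policy):
    """Return findings for the settings from Steps 5, 8, 9 and 10."""
    findings = []
    modulus = policy["host_key_modulus"]
    if not 1024 <= modulus <= 2048 or modulus % 8:
        findings.append(f"modulus {modulus}: not a multiple of 8 from 1024 to 2048")
    elif modulus != 2048:
        findings.append(f"modulus {modulus}: valid, but 2048 is recommended")
    mode = policy["strict_host_keycheck"]
    if mode not in ("enable", "prompt", "disable"):
        findings.append(f"strict host keycheck {mode!r}: unknown value")
    elif mode == "disable":
        findings.append("strict host keycheck disable: new host keys are accepted automatically")
    networks, bad = parse_networks(policy["access_list"])
    findings += [f"access list entry {e!r}: not an IP address or network" for e in bad]
    if policy["ssh_server_enabled"] and not networks:
        findings.append("access list empty: SSH is enabled but no address is allowed")
    findings += [f"access list entry {n}: allows every address"
                 for n in networks if n.prefixlen == 0]
    return findings

def source_allowed(policy, source_ip):
    """Model of the access list: is source_ip inside any allowed network?"""
    addr = ipaddress.ip_address(source_ip)
    networks, _ = parse_networks(policy["access_list"])
    return any(addr in net for net in networks)

if __name__ == "__main__":
    for finding in review_ssh_policy(SAMPLE_POLICY):
        print(finding)
```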