Overview & Thematic Scope
This FAQ addresses advanced security configurations for CLI-based management using SSHv2 on B2B telecom hardware (routers, switches, OLTs). Whether you are in pre-sales evaluating control plane hardening or post-sales troubleshooting authentication failures, these answers target real-world deployment scenarios and are optimized to capture Google Featured Snippets for security-conscious network engineers.

Frequently Asked Questions
- Q1: What is the minimum SSHv2 key exchange method required for FIPS 140-2 compliance on telecom hardware?
- Minimum required: ecdh-sha2-nistp256 or diffie-hellman-group-exchange-sha256. For FIPS 140-2 compliance, disable diffie-hellman-group14-sha1, diffie-hellman-group1-sha1, and any KEX using SHA-1. Use ‘ip ssh kex ecdh-sha2-nistp256’ on Cisco IOS-like CLI or ‘ssh key-exchange ecdh-sha2-nistp256’ on Juniper. Always verify with ‘show ssh server kex’.
- Q2: How do I configure ACLs to restrict SSHv2 management access to only a specific jump host subnet?
- Apply an IPv4 ACL to the vty lines (or SSH-specific control plane filter) referencing only the jump host’s /29 subnet. Example on Cisco: ‘access-list 99 permit 10.10.10.8 0.0.0.7’ then ‘line vty 0 4’ with ‘access-class 99 in’. For control plane protection on Nokia or Huawei, use ‘control-plane peer-filter’ or ‘ssh server acl’. Always test by confirming that ‘telnet’ is disabled, then attempting SSH from an unauthorized IP to confirm the explicit deny.
- Q3: Which SSHv2 ciphers should I enable to prevent Sweet32 (CVE-2016-2183) attacks on CLI sessions?
- Disable all 64-bit block ciphers (3DES, Blowfish-CBC). Enable only AES-GCM-128, AES-GCM-256, or AES-CBC-128 with HMAC. Specifically remove ‘aes128-cbc’, ‘aes192-cbc’, ‘3des-cbc’, ‘blowfish-cbc’. Use ‘ip ssh cipher aes256-gcm aes128-gcm’ (Cisco), ‘ssh ciphers aes256-gcm aes128-gcm’ (Juniper), or ‘ssh2 cipher aes256-gcm aes128-gcm’ (Huawei). Verify with ‘ssh -c ?’ from a client.
- Q4: What is the correct CLI command sequence to disable password-based SSHv2 login and enforce RSA public-key authentication only?
- Set ‘authentication publickey’ and explicitly disable ‘authentication password’ under your SSH server configuration, plus remove ‘password’ from AAA login methods. On Cisco IOS-XE: ‘conf t’, ‘ip ssh server algorithm authentication publickey’ then ‘no ip ssh server algorithm authentication password’. On Juniper: ‘set system services ssh root-login deny-password’ and ‘set system services ssh user authentication public-keys’. Also require ‘login authentication none’ on console/vty if AAA fallback exists.
- Q5: How can I log all failed SSHv2 login attempts (source IP, username) for SIEM integration?
- Configure SSH server extended logging level 6 (informational) and send logs to syslog with source IP and failed username included. On Cisco: ‘logging buffered 16384’ and ‘logging 192.168.1.100’, plus ‘ip ssh logging failed attempts’. On Huawei: ‘info-center source SSH channel 4 log level debugging’. Use ‘show logging | include SSH’ to verify. For SIEM, ensure logs include ‘SSH2_MSG_USERAUTH_FAILURE’ to capture the attempted username.
- Q6: What is the recommended SSHv2 idle timeout and maximum authentication retry limit to prevent brute-force attacks on the control plane?
- Idle timeout: 5 minutes (300 seconds). Max authentication retries: 3. On Cisco: ‘line vty 0 4’ -> ‘absolute-timeout 5’ and ‘login block-for 60 attempts 3 within 120’. Also ‘ip ssh time-out 60’ (seconds per login). On Nokia SAR: ‘configure system security ssh max-auth-attempts 3’ and ‘ssh idle-timeout 300’. These values comply with NIST SP 800-53 for network device protection.
- Q7: How do I verify that the SSHv2 management plane is isolated from data plane forwarding on a given platform (no CPU overload)?
- Check control plane policing (CoPP) or hardware rate-limiter counters specifically for SSH/management traffic. On Cisco: ‘show control-plane output features’ and ‘show platform hardware qfp active statistics drop | include SSH’. On Juniper: ‘show firewall filter statistics protocol ssh’. Expect data plane forwarding at line rate (1G/10G) while SSHv2 management plane never exceeds 1-2% CPU per session. Run ‘iperf’ through the box while doing ‘scp’ to a management IP; throughput should not degrade.
- Q8: What is the CLI process to regenerate an expired SSHv2 RSA host key on a production router with zero downtime for existing sessions?
- Generate a new host key with a different modulus length (e.g., from 2048 to 3072) and set the new key as the default; existing sessions remain unaffected. On Cisco: ‘crypto key generate rsa modulus 3072 label NEWHOSTKEY’ then ‘ip ssh rsa keypair-name NEWHOSTKEY’. No reload is required. On Huawei: ‘ssh server key rsa local-key-pair new modulus 3072’ then ‘ssh server key rsa default new’. New sessions use the new key; old sessions stay on the original RSA key until reconnection.
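The following is an added example, not part of the FAQ or any vendor's code, tying Q5 and Q6 together on the SIEM side: it parses failed-login syslog records and raises an alert when one source accumulates 3 failures inside a sliding 120-second window, the same threshold as ‘login block-for 60 attempts 3 within 120’. It assumes the records arrive in the IOS ‘%SEC_LOGIN-4-LOGIN_FAILED’ message format; the sample lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog records in the IOS %SEC_LOGIN-4-LOGIN_FAILED format
# (synthetic data made up for this example, not captured from a real device).
SAMPLE_LOGS = """\
Mar 10 12:00:01 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 12:00:01 UTC Mon Mar 10 2025
Mar 10 12:00:20 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 12:00:20 UTC Mon Mar 10 2025
Mar 10 12:00:45 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 12:00:45 UTC Mon Mar 10 2025
Mar 10 12:01:00 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: operator] [Source: 198.51.100.5] [localport: 22] [Reason: Login Authentication Failed] at 12:01:00 UTC Mon Mar 10 2025
Mar 10 12:02:00 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: operator] [Source: 198.51.100.5] [localport: 22] [Reason: Login Authentication Failed] at 12:02:00 UTC Mon Mar 10 2025
Mar 10 12:00:10 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 12:00:10 UTC Mon Mar 10 2025
Mar 10 12:05:10 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 12:05:10 UTC Mon Mar 10 2025
Mar 10 12:10:10 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 12:10:10 UTC Mon Mar 10 2025
"""

# Syslog prefix timestamp, then the fields a SIEM needs: attempted username and source IP.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %SEC_LOGIN-4-LOGIN_FAILED: "
    r"Login failed \[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]"
)

def parse_failures(text):
    """Return (timestamp, source_ip, username) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
            events.append((ts, m["src"], m["user"]))
    return sorted(events)

def detect_bruteforce(events, attempts=3, within=120):
    """Alert once a source reaches `attempts` failures inside a sliding
    `within`-second window (same policy as 'login block-for 60 attempts 3 within 120')."""
    window = timedelta(seconds=within)
    recent = defaultdict(deque)   # source -> failure timestamps still inside the window
    users = defaultdict(set)      # source -> usernames tried in the current burst
    alerts = []
    for ts, src, user in events:
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= attempts:
            alerts.append({"source": src, "failures": len(q), "users": sorted(users[src]),
                           "first": q[0].strftime("%H:%M:%S"), "last": ts.strftime("%H:%M:%S")})
            q.clear()               # one alert per burst; the device is now in quiet mode
            users[src].clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(parse_failures(SAMPLE_LOGS)):
        print(alert)
```

With the sample data only 203.0.113.7 trips the threshold; 203.0.113.9 fails three times but five minutes apart, which is the case a naive per-source counter would wrongly flag.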