Connectivity Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S4128F-ON/S4128T-ON

791

792

793

794

795

796

797

798

799

800

• Congure the SSH server to be reachable on the management VRF using the ip ssh server vrf command.

• Congure the SSH login timeout using the ip ssh server login-grace-time seconds command, from 0 to 300; default 60.

To reset the default SSH prompt timer, use the

no ip ssh server login-grace-time command.

• Congure the maximum number of authentication attempts using the ip ssh server max-auth-tries number command,

from 0 to 10; default 6. To reset the default, use the no ip ssh server max-auth-tries command.

The max-auth-tries value includes all authentication attempts, including public-key and password. If you enable both, public-key

based authentication and password authentication, the public-key authentication is the default and is tried rst. If it fails, the number of

max-auth-tries is reduced by one. In this case, if you congured ip ssh server max-auth-tries 1, the password prompt

does not display.

Regenerate public keys

When enabled, the SSH server generates public keys by default and uses them for client authentication:

• A Rivest, Shamir, and Adelman (RSA) key using 2048 bits.

• An Elliptic Curve Digital Signature Algorithm (ECDSA) key using 256 bits

• An Ed25519 key using 256 bits

NOTE: RSA1 and DSA keys are not supported on the OS10 SSH server.

An SSH client must exchange the same public key to establish a secure SSH connection to the OS10 switch. If necessary, you can

regenerate the keys used by the SSH server with a customized bit size. You cannot change the default size of the Ed25519 key. The

crypto key generate command is available only to the sysadmin and secadmin roles.

1 Regenerate keys for the SSH server in EXEC mode.

crypto ssh-key generate {rsa {2048|3072|4096} | ecdsa {256|384|521} | ed25519}

2 Enter yes at the prompt to overwrite an existing key.

Host key already exists. Overwrite [confirm yes/no]:yes

Generated 2048-bit RSA key

3 Display the SSH public keys in EXEC mode.

show crypto ssh-key

After you regenerate SSH server keys, disable and re-enable the SSH server to use the new keys. Restarting the SSH server does not

impact current OS10 sessions.

Virtual terminal line

Use Virtual terminal line (VTY) to control Telnet or SSH connections to the switch.

Enter VTY mode using the line vty command in CONFIGURATION mode.

OS10(config)# line vty

OS10(config-line-vty)#

Control access to VTY

You can control the Telnet or SSH connections to the switch by applying access lists on VTY lines.

Create IPv4 or IPv6 access lists with permit or deny lters.

Enter VTY mode using the line vty command in CONFIGURATION mode.

Apply the access lists to the VTY line with the {ip | ipv6} access-class access-list-name command.

Example

OS10(config)# ip access-list permit10

OS10(config-ipv4-acl)# permit ip 172.16.0.0 255.255.0.0 any

794

Security