SSH
Secure Shell (SSH) provides encrypted transport for remote device management on IOS-XR. The server side controls inbound access — protocol version, session limits, cryptographic algorithms, NETCONF subsystem, VRF-scoped ACLs, and authorized public keys. The client side governs outbound SSH connections from the router, including source interface selection, VRF binding, and algorithm preferences. Rekey intervals and DSCP marking are available on both sides to meet compliance and QoS requirements.
Diagram
Section titled “Diagram”
Classes
Section titled “Classes”configuration (iosxr.devices)
Section titled “configuration (iosxr.devices)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ssh | Class | [ssh] | No |
ssh (iosxr.devices.configuration)
Section titled “ssh (iosxr.devices.configuration)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| client | Class | [client] | No | |
| server | Class | [server] | No | |
| timeout | Integer | No |
client (iosxr.devices.configuration.ssh)
Section titled “client (iosxr.devices.configuration.ssh)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| algorithms | Class | [algorithms] | No | |
| disable_hmacs | List | Choice[sha1, sha2_256, sha2_512] | No | |
| dscp | Integer | min: 0, max: 63 | No | |
| enable_ciphers | List | Choice[aes_cbc, 3des_cbc] | No | |
| rekey_time | Integer | No | ||
| rekey_volume | Integer | No | ||
| source_interface | String | No | ||
| tcp_window_scale | Integer | No | ||
| v1 | Boolean | true, false | No | |
| v2 | Boolean | true, false | No | |
| vrf | String | No |
server (iosxr.devices.configuration.ssh)
Section titled “server (iosxr.devices.configuration.ssh)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| algorithms | Class | [algorithms] | No | |
| disable_hmacs | List | Choice[sha1, sha2_256, sha2_512] | No | |
| dscp | Integer | min: 0, max: 63 | No | |
| enable_ciphers | List | Choice[aes_cbc, 3des_cbc] | No | |
| logging | Boolean | true, false | No | |
| max_auth_limit | Integer | No | ||
| netconf_port | Integer | No | ||
| netconf_vrfs | List | [netconf_vrfs] | No | |
| netconf_xml | Boolean | true, false | No | |
| port | Integer | No | ||
| port_forwarding_local | Boolean | true, false | No | |
| rate_limit | Integer | min: 1, max: 600 | No | |
| rekey_time | Integer | No | ||
| rekey_volume | Integer | No | ||
| session_limit | Integer | min: 1, max: 1024 | No | |
| tcp_window_scale | Integer | No | ||
| usernames | List | [usernames] | No | |
| v1 | Boolean | true, false | No | |
| v2 | Boolean | true, false | No | |
| vrfs | List | [vrfs] | No |
algorithms (iosxr.devices.configuration.ssh.client)
Section titled “algorithms (iosxr.devices.configuration.ssh.client)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ciphers | List | String | No | |
| key_exchanges | List | String | No |
algorithms (iosxr.devices.configuration.ssh.server)
Section titled “algorithms (iosxr.devices.configuration.ssh.server)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ciphers | List | String | No | |
| host_keys | List | Choice[dsa, ecdsa_nistp256, ecdsa_nistp384, ecdsa_nistp521, ed25519, rsa, rsa_sha256, rsa_sha512, ssh_rsa, x509v3_ssh_rsa] | No | |
| key_exchanges | List | String | No |
netconf_vrfs (iosxr.devices.configuration.ssh.server)
Section titled “netconf_vrfs (iosxr.devices.configuration.ssh.server)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Yes | ||
| ipv4_access_list | String | No | ||
| ipv6_access_list | String | No |
usernames (iosxr.devices.configuration.ssh.server)
Section titled “usernames (iosxr.devices.configuration.ssh.server)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Yes | ||
| keystring | String | No |
vrfs (iosxr.devices.configuration.ssh.server)
Section titled “vrfs (iosxr.devices.configuration.ssh.server)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Yes | ||
| ipv4_access_list | String | No | ||
| ipv6_access_list | String | No |
Example YAML Code:
Section titled “Example YAML Code:”Example-1: Enable SSHv2 with DSCP marking and session logging.
iosxr: devices: - name: router-1 host: 10.10.10.1:57400 configuration: ssh: server: dscp: 48 logging: true v2: trueExample-2: Harden SSH access with rate limiting, session cap, and a non-default port.
iosxr: devices: - name: router-1 host: 10.10.10.1:57400 configuration: ssh: server: v2: true rate_limit: 60 session_limit: 10 max_auth_limit: 10 port: 5522Example-3: Restrict SSH access per VRF using IPv4/IPv6 ACLs.
iosxr: devices: - name: router-1 host: 10.10.10.1:57400 configuration: ssh: server: v2: true vrfs: - name: VRF1 ipv4_access_list: ACL1 ipv6_access_list: ACL2 - name: MGMT ipv4_access_list: MGMT_ACLExample-4: Harden cryptography by disabling weak HMACs, enabling legacy ciphers for compatibility, and key-exchange algorithms.
iosxr: devices: - name: router-1 host: 10.10.10.1:57400 configuration: ssh: server: v2: true disable_hmacs: - sha1 enable_ciphers: - aes_cbc - 3des_cbc algorithms: key_exchanges: - ecdh-sha2-nistp521 - ecdh-sha2-nistp384 - ecdh-sha2-nistp256 ciphers: - aes128-ctr - aes192-ctr - aes256-ctrExample-5: Enable NETCONF with VRF-scoped ACLs and periodic rekey.
iosxr: devices: - name: router-1 host: 10.10.10.1:57400 configuration: ssh: server: v2: true netconf_port: 830 netconf_vrfs: - name: MGMT ipv4_access_list: NETCONF_ACL rekey_time: 60 rekey_volume: 2048