
SSH

SSH server configuration for NX-OS devices. This section controls SSH protocol settings including ciphers, key exchange algorithms, message authentication codes, login behavior, and host key generation. SSH requires the ssh feature to be enabled.

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ssh | Class | [ssh] | No | |

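| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ciphers_all | Boolean | true, false | No | |
| ciphers_weak | Boolean | true, false | No | |
| kexalgos_all | Boolean | true, false | No | |
| keytypes_all | Boolean | true, false | No | |
| login_attempts | Integer | min: 1, max: 10 | No | |
| login_gracetime | Integer | min: 0, max: 3600 | No | |
| macs_all | Boolean | true, false | No | |
| port | Integer | min: 22, max: 65535 | No | |
| keys | List | [keys] | No | |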

keys (nxos.devices.configuration.system.ssh)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | rsa, dsa, ecdsa | Yes | |
| key_length | Integer | min: 0, max: 4096 | No | |

Example 1: Basic SSH hardening with weak ciphers disabled

```yaml
nxos:
  devices:
    - name: LEAF1
      configuration:
        system:
          ssh:
            ciphers_weak: false
            login_attempts: 3
            login_gracetime: 60
```

Example 2: SSH with custom port and key generation

```yaml
nxos:
  devices:
    - name: LEAF1
      configuration:
        system:
          ssh:
            port: 2222
            login_attempts: 3
            login_gracetime: 120
            keys:
              - type: rsa
                key_length: 2048
              - type: ecdsa
                key_length: 256
```

Example 3: Full SSH hardening configuration

```yaml
nxos:
  devices:
    - name: LEAF1
      configuration:
        system:
          ssh:
            ciphers_all: true
            ciphers_weak: false
            kexalgos_all: true
            keytypes_all: true
            macs_all: true
            login_attempts: 3
            login_gracetime: 60
            port: 22
            keys:
              - type: rsa
                key_length: 2048
              - type: ecdsa
                key_length: 521
```
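
A pre-deployment check for the `ssh` block, as an added example that is not part of the original page or the project's own tooling: it enforces the types and ranges from the attribute tables above and adds two audit warnings (weak ciphers enabled, DSA host keys) that are this example's own rules. The function names and the sample data are assumptions made for illustration; the model is given as an already-parsed dictionary so the block runs without a YAML library.

```python
# Constraints transcribed from the attribute tables on this page.
BOOL_KEYS = ("ciphers_all", "ciphers_weak", "kexalgos_all", "keytypes_all", "macs_all")
INT_RANGES = {"login_attempts": (1, 10), "login_gracetime": (0, 3600), "port": (22, 65535)}
KEY_TYPES = ("rsa", "dsa", "ecdsa")

# Constructed sample: Example 2's values with deliberate problems added.
SAMPLE = {"nxos": {"devices": [{"name": "LEAF1", "configuration": {"system": {"ssh": {
    "port": 2222, "login_attempts": 30, "login_gracetime": 120, "ciphers_weak": True,
    "keys": [{"type": "rsa", "key_length": 2048}, {"type": "dsa", "key_length": 8192}],
}}}}]}}

def _int_in(value, lo, hi):
    # bool is a subclass of int in Python, so reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and lo <= value <= hi

def check_ssh(ssh):
    """Return (errors, warnings) for one ssh dictionary."""
    errors, warnings = [], []
    for name in sorted(set(ssh) - set(BOOL_KEYS) - set(INT_RANGES) - {"keys"}):
        errors.append(f"{name}: unknown attribute")
    for name in BOOL_KEYS:
        if name in ssh and not isinstance(ssh[name], bool):
            errors.append(f"{name}: must be true or false")
    for name, (lo, hi) in INT_RANGES.items():
        if name in ssh and not _int_in(ssh[name], lo, hi):
            errors.append(f"{name}: must be an integer in {lo}..{hi}")
    for i, key in enumerate(ssh.get("keys", [])):
        if key.get("type") not in KEY_TYPES:
            errors.append(f"keys[{i}].type: mandatory, one of {', '.join(KEY_TYPES)}")
        if "key_length" in key and not _int_in(key["key_length"], 0, 4096):
            errors.append(f"keys[{i}].key_length: must be an integer in 0..4096")
        if key.get("type") == "dsa":  # audit rule added here, not a schema constraint
            warnings.append(f"keys[{i}].type: dsa is disabled by default in current OpenSSH")
    if ssh.get("ciphers_weak") is True:  # audit rule added here, not a schema constraint
        warnings.append("ciphers_weak: weak ciphers are enabled")
    return errors, warnings

def check_model(model):
    """Map device name -> (errors, warnings) for every device that has an ssh block."""
    out = {}
    for dev in model.get("nxos", {}).get("devices", []):
        ssh = dev.get("configuration", {}).get("system", {}).get("ssh")
        if ssh is not None:
            out[dev["name"]] = check_ssh(ssh)
    return out

if __name__ == "__main__":
    print(check_model(SAMPLE))
```
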