Configuring the SSH management parameters

Enabling the SSH server to support SSH1 clients

  1. Enter system view.

    system-view

  2. Enable the SSH server to support SSH1 clients.

    ssh server compatible-ssh1x enable

    By default, the SSH server does not support SSH1 clients.

    This command is not available in FIPS mode.

Enabling SSH algorithm renegotiation and key re-exchange

  1. Enter system view.

    system-view

  2. Enable SSH algorithm renegotiation and key re-exchange.

    ssh server key-re-exchange enable [ interval interval ]

    By default, SSH algorithm renegotiation and key re-exchange are disabled.

    This command is not available in FIPS mode.

    The command takes effect only on new SSH connections that are established after the command is configured, and it does not affect existing SSH connections.

Setting the minimum interval for updating the RSA server key pair

  1. Enter system view.

    system-view

  2. Set the minimum interval for updating the RSA server key pair.

    ssh server rekey-interval interval

    By default, the device does not update the RSA server key pair.

    This command is not available in FIPS mode.

    This configuration takes effect only on SSH1 clients.

Setting the SSH user authentication timeout timer

  1. Enter system view.

    system-view

  2. Set the SSH user authentication timeout timer.

    ssh server authentication-timeout time-out-value

    The default setting is 60 seconds.

    Perform this task to prevent clients from tying up TCP connections by never completing authentication. If a user has not finished authentication when the timeout timer expires, the connection is not established.

Setting the maximum number of SSH authentication attempts

  1. Enter system view.

    system-view

  2. Set the maximum number of SSH authentication attempts.

    ssh server authentication-retries retries

    The default setting is 3.

    Perform this task to limit brute-force guessing of usernames and passwords. If the authentication method is any, the total number of publickey authentication attempts and password authentication attempts cannot exceed the upper limit.

Specifying an SSH login control ACL

  1. Enter system view.

    system-view

  2. Specify an SSH login control ACL.

    IPv4:

    ssh server acl { advanced-acl-number | basic-acl-number | mac mac-acl-number }

    IPv6:

    ssh server ipv6 acl { ipv6 { advanced-acl-number | basic-acl-number } | mac mac-acl-number }

    This feature uses an ACL to filter SSH clients that initiate SSH connections to the server. By default, no ACLs are specified and all SSH users can initiate SSH connections to the server.

Enabling logging for SSH login attempts that are denied by the SSH login control ACL

  1. Enter system view.

    system-view

  2. Enable logging for SSH login attempts that are denied by the SSH login control ACL.

    ssh server acl-deny-log enable

    By default, logging is disabled for login attempts that are denied by the SSH login control ACL.

    This command enables SSH to generate log messages for SSH login attempts that are denied by the SSH login control ACL and send the messages to the information center.

Setting the DSCP value in the packets that the SSH server sends to SSH clients

  1. Enter system view.

    system-view

  2. Set the DSCP value in the packets that the SSH server sends to the SSH clients.

    IPv4:

    ssh server dscp dscp-value

    IPv6:

    ssh server ipv6 dscp dscp-value

    By default, the DSCP value of SSH packets is 48.

    The DSCP value of a packet defines the priority of the packet and affects its transmission priority. A larger DSCP value represents a higher priority.

Setting the SFTP connection idle timeout timer

  1. Enter system view.

    system-view

  2. Set the SFTP connection idle timeout timer.

    sftp server idle-timeout time-out-value

    By default, the SFTP connection idle timeout is 10 minutes.

    When the SFTP connection idle timeout timer expires, the system automatically tears the connection down and releases the connection resources.

Setting the maximum number of online SSH users

  1. Enter system view.

    system-view

  2. Set the maximum number of online SSH users.

    aaa session-limit ssh max-sessions

    The default setting is 32.

    When the number of online SSH users reaches the upper limit, the system denies new SSH connection requests. Changing the upper limit does not affect online SSH users.

    For more information about this command, see AAA commands in Security Command Reference.
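As an added example (not part of this guide or the vendor's software), the following script reads the commands documented in the sections above out of a running-configuration text and flags settings that weaken the protections they provide: SSH1 compatibility, a missing login control ACL, unlogged ACL denies, raised authentication timeout or retry limits, and disabled key re-exchange. The configuration sample and the thresholds (the guide's defaults) are assumptions made for the example.

```python
import re

# Constructed sample of the SSH-related lines of a "display current-configuration"
# output (not a real capture); the commands are those documented in this section.
SAMPLE_CONFIG = """\
 ssh server enable
 ssh server compatible-ssh1x enable
 ssh server authentication-timeout 120
 ssh server authentication-retries 10
 ssh server acl-deny-log enable
"""

def parse_ssh_settings(config: str) -> dict:
    """Extract the SSH management settings; absent lines keep the guide's defaults."""
    s = {"ssh1_compat": False, "rekey": False, "acl": None, "acl_deny_log": False,
         "auth_timeout": 60, "auth_retries": 3}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ssh server compatible-ssh1x enable":
            s["ssh1_compat"] = True
        elif line.startswith("ssh server key-re-exchange enable"):
            s["rekey"] = True
        elif line == "ssh server acl-deny-log enable":
            s["acl_deny_log"] = True
        elif m := re.fullmatch(r"ssh server (?:ipv6 )?acl (.+)", line):
            s["acl"] = m.group(1)  # e.g. "2001", "mac 4000", "ipv6 2000"
        elif m := re.fullmatch(r"ssh server authentication-timeout (\d+)", line):
            s["auth_timeout"] = int(m.group(1))
        elif m := re.fullmatch(r"ssh server authentication-retries (\d+)", line):
            s["auth_retries"] = int(m.group(1))
    return s

def audit_ssh_settings(s: dict) -> list:
    """Report settings that weaken the protections this section describes."""
    findings = []
    if s["ssh1_compat"]:
        findings.append("SSH1 client compatibility is enabled")
    if s["acl"] is None:
        findings.append("no SSH login control ACL: any client may connect")
    elif not s["acl_deny_log"]:
        findings.append("ACL denies are not logged")
    if s["auth_retries"] > 3:
        findings.append(f"authentication-retries {s['auth_retries']} exceeds the default 3")
    if s["auth_timeout"] > 60:
        findings.append(f"authentication-timeout {s['auth_timeout']}s exceeds the default 60")
    if not s["rekey"]:
        findings.append("key re-exchange is disabled (default)")
    return findings
```

Running `audit_ssh_settings(parse_ssh_settings(SAMPLE_CONFIG))` on the sample returns five findings; a configuration with an ACL, deny logging, default limits and key re-exchange enabled returns none.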