Configuring the SSH management parameters
Enabling the SSH server to support SSH1 clients
Enter system view.
system-view
Enable the SSH server to support SSH1 clients.
ssh server compatible-ssh1x enable
By default, the SSH server does not support SSH1 clients.
This command is not available in FIPS mode.
Enabling SSH algorithm renegotiation and key re-exchange
Enter system view.
system-view
Enable SSH algorithm renegotiation and key re-exchange.
ssh server key-re-exchange enable [ interval interval ]
By default, SSH algorithm renegotiation and key re-exchange are disabled.
This command is not available in FIPS mode.
The command takes effect only on new SSH connections that are established after the command is configured, and it does not affect existing SSH connections.
Setting the minimum interval for updating the RSA server key pair
Enter system view.
system-view
Set the minimum interval for updating the RSA server key pair.
ssh server rekey-interval interval
By default, the device does not update the RSA server key pair.
This command is not available in FIPS mode.
This configuration takes effect only on SSH1 clients.
Setting the SSH user authentication timeout timer
Enter system view.
system-view
Set the SSH user authentication timeout timer.
ssh server authentication-timeout time-out-value
The default setting is 60 seconds.
Perform this task to prevent malicious occupation of TCP connections. If a user has not completed authentication when the timeout timer expires, the server tears down the TCP connection and the SSH connection is not established.
Setting the maximum number of SSH authentication attempts
Enter system view.
system-view
Set the maximum number of SSH authentication attempts.
ssh server authentication-retries retries
The default setting is 3.
Perform this task to limit brute-force guessing of usernames and passwords. If the authentication method is any, the total number of publickey authentication attempts and password authentication attempts combined cannot exceed the upper limit.
Specifying an SSH login control ACL
Enter system view.
system-view
Specify an SSH login control ACL.
IPv4:
ssh server acl { advanced-acl-number | basic-acl-number | mac mac-acl-number }
IPv6:
ssh server ipv6 acl { ipv6 { advanced-acl-number | basic-acl-number } | mac mac-acl-number }
This feature uses an ACL to filter SSH clients that initiate SSH connections to the server. By default, no ACLs are specified and all SSH users can initiate SSH connections to the server.
Enabling logging for SSH login attempts that are denied by the SSH login control ACL
Enter system view.
system-view
Enable logging for SSH login attempts that are denied by the SSH login control ACL.
ssh server acl-deny-log enable
By default, logging is disabled for login attempts that are denied by the SSH login control ACL.
This command enables SSH to generate log messages for SSH login attempts that are denied by the SSH login control ACL and send the messages to the information center.
Setting the DSCP value in the packets that the SSH server sends to SSH clients
Enter system view.
system-view
Set the DSCP value in the packets that the SSH server sends to the SSH clients.
IPv4:
ssh server dscp dscp-value
IPv6:
ssh server ipv6 dscp dscp-value
By default, the DSCP value of SSH packets is 48.
The DSCP value of a packet defines the priority of the packet and affects its transmission priority. A larger DSCP value represents a higher priority.
Setting the SFTP connection idle timeout timer
Enter system view.
system-view
Set the SFTP connection idle timeout timer.
sftp server idle-timeout time-out-value
By default, the SFTP connection idle timeout is 10 minutes.
When the SFTP connection idle timeout timer expires, the system automatically tears the connection down and releases the connection resources.
Setting the maximum number of online SSH users
Enter system view.
system-view
Set the maximum number of online SSH users.
aaa session-limit ssh max-sessions
The default setting is 32.
When the number of online SSH users reaches the upper limit, the system denies new SSH connection requests. Changing the upper limit does not affect online SSH users.
For more information about this command, see AAA commands in Security Command Reference.
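The management parameters above are the ones an operator typically reviews when hardening SSH access to the device. The following Python script is an added example, not part of this guide or of the vendor's software: it audits a saved running-config fragment against the commands described in this section (SSH1 compatibility, key re-exchange, authentication timeout and retries, login control ACL and its deny logging, SFTP idle timeout, and the AAA SSH session limit). Both configuration fragments are constructed for the example, and the thresholds (MAX_*) are assumed local policy values, not defaults or limits stated on the page; the default values used when a command is absent are the ones this section documents.

```python
import re

# Constructed sample running-config fragment (not taken from the page). The
# values are deliberately weak so that every check below reports something.
WEAK_CONFIG = """\
#
 ssh server enable
 ssh server compatible-ssh1x enable
 ssh server authentication-timeout 120
 ssh server authentication-retries 5
 sftp server idle-timeout 60
 aaa session-limit ssh 32
#
"""

# The same fragment with the SSH management parameters tightened (constructed).
HARDENED_CONFIG = """\
#
 ssh server enable
 ssh server key-re-exchange enable interval 1
 ssh server authentication-timeout 30
 ssh server authentication-retries 3
 ssh server acl 2001
 ssh server acl-deny-log enable
 sftp server idle-timeout 5
 aaa session-limit ssh 10
#
"""

# Policy thresholds: assumptions for this example, not values from the guide.
MAX_AUTH_TIMEOUT = 60    # seconds
MAX_AUTH_RETRIES = 3
MAX_SFTP_IDLE = 10       # minutes
MAX_SSH_SESSIONS = 16

# Defaults documented in this section, applied when the command is absent.
DEFAULT_AUTH_TIMEOUT = 60
DEFAULT_AUTH_RETRIES = 3
DEFAULT_SFTP_IDLE = 10
DEFAULT_SSH_SESSIONS = 32


def _int_setting(config, pattern, default):
    """Return the integer argument of the first line matching pattern, or default."""
    m = re.search(pattern, config, re.MULTILINE)
    return int(m.group(1)) if m else default


def _present(config, pattern):
    """True if some line of the config matches pattern."""
    return re.search(pattern, config, re.MULTILINE) is not None


def audit_ssh_management(config):
    """Return a list of finding tags for the SSH management settings in config."""
    findings = []
    # SSH1 support is off by default; an explicit enable re-opens the legacy protocol.
    if _present(config, r"^\s*ssh server compatible-ssh1x enable\s*$"):
        findings.append("ssh1-enabled")
    # Key re-exchange is off by default; without it a long session keeps one key.
    if not _present(config, r"^\s*ssh server key-re-exchange enable"):
        findings.append("no-key-re-exchange")
    timeout = _int_setting(config, r"^\s*ssh server authentication-timeout (\d+)",
                           DEFAULT_AUTH_TIMEOUT)
    if timeout > MAX_AUTH_TIMEOUT:
        findings.append(f"auth-timeout-too-long:{timeout}")
    retries = _int_setting(config, r"^\s*ssh server authentication-retries (\d+)",
                           DEFAULT_AUTH_RETRIES)
    if retries > MAX_AUTH_RETRIES:
        findings.append(f"auth-retries-too-high:{retries}")
    # Without a login control ACL (IPv4 or IPv6), every client may connect.
    if not _present(config, r"^\s*ssh server (ipv6 )?acl "):
        findings.append("no-login-acl")
    # Denied attempts are only logged when acl-deny-log is enabled.
    if not _present(config, r"^\s*ssh server acl-deny-log enable\s*$"):
        findings.append("acl-deny-log-disabled")
    idle = _int_setting(config, r"^\s*sftp server idle-timeout (\d+)", DEFAULT_SFTP_IDLE)
    if idle > MAX_SFTP_IDLE:
        findings.append(f"sftp-idle-too-long:{idle}")
    sessions = _int_setting(config, r"^\s*aaa session-limit ssh (\d+)",
                            DEFAULT_SSH_SESSIONS)
    if sessions > MAX_SSH_SESSIONS:
        findings.append(f"ssh-session-limit-too-high:{sessions}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ssh_management(cfg) or "no findings")
```

Because every check falls back to the documented default when a command is missing, the script also flags a device that was never configured at all; the DSCP setting is not audited because it is a QoS marking rather than an access-control parameter, and the rekey-interval check is omitted because that command only affects SSH1 clients, which the first check already reports.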