ssh (System Services)
Syntax
ssh {
    access-disable-external;
    authentication-order [method1 method2 ...];
    authorized-keys-command authorized-keys-command;
    authorized-keys-command-user authorized-keys-command-user;
    (authorized-principals principal-names | authorized-principals-command program-path);
    authorized-principals-file filename;
    ciphers [cipher-1 cipher-2 cipher-3 ...];
    client-alive-count-max number;
    client-alive-interval seconds;
    connection-limit limit;
    fingerprint-hash (md5 | sha2-256);
    host-certificate-file filename;
    hostkey-algorithm (algorithm | no-algorithm);
    key-exchange [algorithm1 algorithm2 ...];
    log-key-changes log-key-changes;
    macs [algorithm1 algorithm2 ...];
    max-pre-authentication-packets number;
    max-sessions-per-connection number;
    no-challenge-response;
    no-password-authentication;
    no-passwords;
    no-public-keys;
    allow-tcp-forwarding;
    port port-number;
    protocol-version [v2];
    rate-limit number;
    rekey {
        data-limit bytes;
        time-limit minutes;
    }
    root-login (allow | deny | deny-password);
    sftp-server;
    trusted-user-ca-key-file filename;
}
Hierarchy Level
[edit system services]
Description
Allow SSH requests from remote systems to access the local device.
Options
access-disable-external
    Disable external SSH access without disabling internal SSH access.

allow-tcp-forwarding
    Enable a user to create an SSH tunnel over a CLI session to a disaggregated Junos OS platform by using SSH. Starting in Junos OS Release 22.2R1, we've disabled the TCP forwarding feature by default to enhance security. To enable the TCP forwarding feature, you can configure the

authentication-order [method1 method2 ...]
    Configure the order in which the software tries different user authentication methods when attempting to authenticate a user. For each login attempt, the software tries the authentication methods in order, starting with the first one, until the password matches.

authorized-keys-command
    Specify a command string to be used to look up the user's public keys.

authorized-keys-command-user
    Specify the user under whose account the authorized-keys-command is run.

authorized-principals principal-names
    Specify a list of principals that can be accepted for authentication. Principals added through this command are supplemental to the principals added with the
    Note: The

authorized-principals-file filename
    Configure the

authorized-principals-command program-path
    Specify a program to be used for generating the list of allowed certificate principals found in the
    Note: The

ciphers [cipher-1 cipher-2 cipher-3 ...]
    Specify the set of ciphers the SSH server can use to perform encryption and decryption functions.

client-alive-count-max number
    Configure the number of client alive messages that can be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. Client alive messages are sent through the encrypted channel. Use in conjunction with the client-alive-interval statement to disconnect unresponsive SSH clients.

client-alive-interval seconds
    Configure a timeout interval in seconds, after which, if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. This option applies to SSH protocol version 2 only. Use in conjunction with the client-alive-count-max statement to disconnect unresponsive SSH clients.

fingerprint-hash (md5 | sha2-256)
    Specify the hash algorithm used by the SSH server when it displays key fingerprints.
    Note: The FIPS image does not permit the use of MD5 fingerprints. On systems in FIPS mode,

host-certificate-file filename
    Configure the

log-key-changes log-key-changes
    Enable Junos OS to log the authorized SSH keys. When the

macs [algorithm1 algorithm2 ...]
    Specify the set of message authentication code (MAC) algorithms that the SSH server can use to authenticate messages.
    Note: The macs configuration statement represents a set. Therefore, it must be configured as follows:
        user@host# set system services ssh macs [hmac-md5 hmac-sha1]

max-pre-authentication-packets number
    Define the maximum number of pre-authentication SSH packets that the SSH server will accept prior to user authentication.

max-sessions-per-connection number
    Specify the maximum number of SSH sessions allowed per single SSH connection.

no-challenge-response
    Disable SSH challenge-response-based authentication methods.
    Note: Configuring this statement under the

no-password-authentication
    Disable SSH password-based authentication methods.
    Note: Configuring this statement under the

no-passwords
    Disable both password-based and challenge-response-based authentication for SSH.
    Note: Configuring this statement under the

no-public-keys
    Disable public key authentication system-wide. If you specify the no-public-keys statement at the [edit system login user user-name authentication] hierarchy level, you disable public key authentication for a specific user.

port port-number
    Specify the port number on which to accept incoming SSH connections.

protocol-version [v2]
    Specify the Secure Shell (SSH) protocol version. Starting in Junos OS Release 19.3R1 and Junos OS Release 18.3R3, on all SRX Series devices, we've removed the nonsecure SSH protocol version 1 (Junos OS releases before 19.3R1 and 18.3R3 continue to support the

rate-limit number
    Configure the maximum number of connection attempts per minute, per protocol (either IPv6 or IPv4) on an access service. For example, a rate limit of 10 allows 10 IPv6 SSH session connection attempts per minute and 10 IPv4 SSH session connection attempts per minute.

rekey
    Specify limits before the session keys are renegotiated.

root-login (allow | deny | deny-password)
    Control root user access through SSH.

sftp-server
    Globally enable incoming SSH File Transfer Protocol (SFTP) connections. By configuring the

trusted-user-ca-key-file filename
    Configure the
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
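As an added example (not part of Juniper's documentation or Junos OS code), the following Python script reads a set-format snapshot of this hierarchy, as printed by show configuration | display set, and reports deviations from a hardening baseline built from the statements above. The two sample configurations and the list of weak-algorithm markers are constructed assumptions.

```python
"""Audit a Junos [edit system services ssh] config (set format) against a baseline
built from the statements documented above. Added example, not Juniper's code."""
import re
WEAK_ALGO_MARKERS = ("md5", "sha1")  # assumption: MACs/hashes of these families are weak

# Constructed sample: a legacy-style configuration the audit should flag.
WEAK_CONF = """
set system services ssh root-login allow
set system services ssh protocol-version v1
set system services ssh macs [ hmac-md5 hmac-sha1 ]
set system services ssh fingerprint-hash md5
set system services ssh allow-tcp-forwarding
"""
# Constructed sample: the same hierarchy with hardening statements applied.
HARDENED_CONF = """
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh macs [ hmac-sha2-256 hmac-sha2-512 ]
set system services ssh fingerprint-hash sha2-256
set system services ssh client-alive-interval 60
set system services ssh client-alive-count-max 3
set system services ssh rate-limit 5
set system services ssh connection-limit 10
"""

def parse_set_lines(text):
    """Map each statement under [edit system services ssh] to its value tokens."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*set system services ssh (\S+)\s*(.*)$", line)
        if m:  # set-valued statements arrive as '[ a b ]'; drop the brackets
            values = m.group(2).replace("[", "").replace("]", "").split()
            conf.setdefault(m.group(1), []).extend(values)
    return conf

def audit(conf):
    """Return one finding per baseline deviation; an empty list means compliant."""
    findings = []
    if conf.get("root-login", ["allow"]) == ["allow"]:  # absent is treated like allow
        findings.append("root-login: set deny or deny-password")
    if "v1" in conf.get("protocol-version", []):
        findings.append("protocol-version: v1 is nonsecure, use v2 only")
    for stmt in ("macs", "fingerprint-hash"):  # one finding per weak algorithm name
        findings.extend(f"{stmt}: weak algorithm {v}" for v in conf.get(stmt, [])
                        if any(w in v for w in WEAK_ALGO_MARKERS))
    if "allow-tcp-forwarding" in conf:
        findings.append("allow-tcp-forwarding: TCP forwarding is enabled")
    for stmt in ("client-alive-interval", "client-alive-count-max", "rate-limit", "connection-limit"):
        if stmt not in conf:  # these bound idle sessions and connection floods
            findings.append(f"{stmt}: not configured")
    return findings
```

Run audit(parse_set_lines(WEAK_CONF)) to see the findings for the legacy sample; the hardened sample returns an empty list.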
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced before Junos OS Release 7.4.
ciphers, hostkey-algorithm, key-exchange, and macs statements introduced in Junos OS Release 11.2.
max-sessions-per-connection and no-tcp-forwarding statements introduced in Junos OS Release 11.4.
SHA-2 options introduced in Junos OS Release 12.1.
Support for the curve25519-sha256 option on the key-exchange statement added in Junos OS Release 12.1X47-D10.
client-alive-interval and client-alive-count-max statements introduced in Junos OS Release 12.2.
max-pre-authentication-packets statement introduced in Junos OS Release 12.3X48-D10.
no-passwords statement introduced in Junos OS Release 13.3.
no-public-keys statement introduced in Junos OS Release 15.1.
tcp-forwarding statement introduced in Junos OS Release 15.1X53-D50 for the NFX250 Network Services Platform.
fingerprint-hash statement introduced in Junos OS Release 16.1.
log-key-changes statement introduced in Junos OS Release 17.4R1.
sftp-server statement introduced in Junos OS Release 19.1R1.
no-challenge-response and no-password-authentication statements introduced in Junos OS Release 19.4R1.
Option ldaps introduced in Junos OS Release 20.2R1.
allow-tcp-forwarding option added in Junos OS Release 22.2R1.
access-disable-external option added in Junos OS Release 22.2R3.
authorized-principals, authorized-principals-command, and authorized-principals-file options added in Junos OS Release 22.3R1.