Secure Shell (SSH) for Remote Access
NVOS uses the OpenSSH package to provide access to the system using the Secure Shell (SSH) protocol.
You can configure SSH to provide login access to the root user and to specific user accounts, limit SSH to listen on a specific VRF, and configure timeouts and session options.
SSH server configuration changes take effect only in new SSH sessions and do not impact existing ones.
SSH Strict Mode: By default, NVOS disables X11 forwarding, TCP forwarding, and compression on the SSH server, and enforces secure ciphers.
You can configure the following SSH timeout and session options:
The number of login attempts allowed before rejecting the SSH session. You can specify a value between 3 and 100. The default value is 3 login attempts.
The number of seconds allowed before login times out. You can specify a value between 1 and 600. The default value is 120 seconds.
The TCP port numbers that listen for incoming SSH sessions. You can specify a value between 1 and 65535.
The number of minutes a session can be inactive before the SSH server terminates the connection. The default value is 20 minutes.
The maximum number of SSH sessions allowed per TCP connection. You can specify a value between 1 and 100. The default value is 10.
The following example configures the number of login attempts allowed before rejecting the SSH session to 10 and the number of seconds allowed before login times out to 200:
admin@nvos:~$ nv set system ssh-server authentication-retries 10
admin@nvos:~$ nv set system ssh-server login-timeout 200
admin@nvos:~$ nv config apply
The following example configures the TCP port that listens for incoming SSH sessions to 443:
admin@nvos:~$ nv set system ssh-server port 443
admin@nvos:~$ nv config apply
The following example configures the amount of time a session can be inactive before the SSH server terminates the connection to 5 minutes (300 seconds) and the maximum number of concurrent SSH user sessions to 5. The default inactive-timeout is 20 minutes and the default max-sessions is 100:
admin@nvos:~$ nv set system ssh-server inactive-timeout 5
admin@nvos:~$ nv set system ssh-server max-sessions 5
admin@nvos:~$ nv config apply
Message of the Day
When you log into the switch, NVOS shows system health information and login notifications.
Example:
Last login: Thu Jun 19 04:52:31 UTC 2025 from 10.20.30.40 on pts/0
Number of total successful connections since last 1 days: 6
SSH Login Notifications
NVOS shows the following SSH login information on the console after authentication:
The date and time of the last successful login.
The number of unsuccessful logins after the last successful login.
The date and time of the last unsuccessful login.
Changes to a user account after the last login (password, role, group, and so on).
The location (terminal or IP) of the last successful or unsuccessful login.
The total number of successful logins after a specific date and time.
NVOS displays login notifications for both SSH and serial connections. The information can help to detect unwanted or malicious activities, such as suspicious logins or password and role changes.
To configure the time period in days during which to show login notifications, run the nv set system ssh-server login-record-period <days> command. You can specify a value between 1 and 30. The default value is 1.
The following example sets the SSH login notification period to 20 days:
admin@nvos
:~$ nv set system ssh-server login-record-period 20
admin@nvos
:~$ nv config apply
To set the SSH login notification period back to the default value (1 day), run the nv unset system ssh-server login-record-period command.
To show the configured SSH login notification period, run the nv show system ssh-server command. See Troubleshooting below.
Generate and Install an SSH Key Pair
This section describes how to generate an SSH key pair on one system and install the key as an authorized key on another system.
Generate an SSH Key Pair
To generate an SSH key pair, run the ssh-keygen command and follow the prompts.
NVOS does not support SHA-1 based SSH key exchange methods.
To allow the key to be used without an interactive passphrase prompt (for example, for automated access), leave the passphrase empty when prompted in the following step. An unencrypted private key lets anyone who can read the file log in as that user, so restrict access to the file accordingly, or prefer a passphrase together with ssh-agent.
admin@host01:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The key fingerprint is:
5a:b4:16:a0:f9:14:6b:51:f6:f6:c0:76:1a:35:2b:bb cumulus@leaf04
The key's randomart image is:
+---[RSA 2048]----+
| +.o o |
| o * o . o |
| o + o O o |
| + . = O |
| . S o . |
| + . |
| . E |
| |
| |
+-----------------+
Install an Authorized SSH Key
To install an authorized SSH key, you take the contents of an SSH public key and add it to the SSH authorized key file (~/.ssh/authorized_keys) of the user.
A public key is a single line of text with three space-separated fields:
<type> <key string> <comment>
Field | Description |
<type> | The public key algorithm, for example ssh-rsa (the type used in the example below). |
<key string> | A base64-encoded string containing the key. |
<comment> | A single-word string. By default, this is the name of the system that generated the key. NVUE uses the |
The procedure to install an authorized SSH key is different based on whether the user is an NVUE managed user or a non-NVUE managed user.
NVUE Managed User
The following example adds an authorized key named prod_key to the user admin2. The content of the public key file is ssh-rsa 1234 prod_key.
admin@nvos:~$ nv set system aaa user admin2 ssh authorized-key prod_key key XABDB3NzaC1yc2EAAAADAQABAAABgQCvjs/RFPhxLQMkckONg+1RE1PTIO2JQhzFN9TRg7ox7o0tfZ+IzSB99lr2dmmVe8FRWgxVjc...
admin@nvos:~$ nv set system aaa user admin2 ssh authorized-key prod_key type ssh-rsa
admin@nvos:~$ nv config apply
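The following is an added example and not NVOS or NVUE code: a POSIX shell function that takes a public-key line in the three-field format described above, validates the fields, and prints the two nv set commands plus nv config apply needed to install the key for an NVUE-managed user. The user name and key name passed as arguments are hypothetical, the set of accepted key types is this example's own allowlist rather than an NVOS list, and the public-key line at the bottom is constructed for demonstration, not a real key.

```shell
#!/bin/sh
# Added example, not NVOS/NVUE code: convert an OpenSSH public-key line
# ("<type> <key string> <comment>") into the NVUE commands that install it as
# an authorized key for an NVUE-managed user.

# pubkey_to_nv_cmds LINE USER KEYNAME
# Prints three nv commands on success. On a malformed line it prints a reason
# to stderr and returns 1, so nothing half-formed gets pasted into the CLI.
pubkey_to_nv_cmds() {
    line=$1
    user=$2
    name=$3

    # Split the line on whitespace into its fields (the comment may be empty).
    read -r type key comment <<EOF
$line
EOF

    if [ -z "$type" ] || [ -z "$key" ]; then
        echo "pubkey_to_nv_cmds: expected '<type> <key string> [comment]'" >&2
        return 1
    fi

    # Accepted key types: this example's allowlist (an assumption, not an
    # NVOS list). ssh-rsa is the type used in the page's own example.
    case $type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *)
            echo "pubkey_to_nv_cmds: unsupported key type '$type'" >&2
            return 1
            ;;
    esac

    # The key string must be base64 (A-Z a-z 0-9 + / with optional '=' padding);
    # anything else is a truncated or mangled paste.
    if ! printf '%s\n' "$key" | grep -Eq '^[A-Za-z0-9+/]+=*$'; then
        echo "pubkey_to_nv_cmds: key string is not base64" >&2
        return 1
    fi

    # The comment field is not passed to NVUE here; the key is stored under the
    # KEYNAME you choose, as with prod_key in the page's example.
    printf 'nv set system aaa user %s ssh authorized-key %s key %s\n' "$user" "$name" "$key"
    printf 'nv set system aaa user %s ssh authorized-key %s type %s\n' "$user" "$name" "$type"
    printf 'nv config apply\n'
}

# Constructed public-key line for demonstration (not a real key).
EXAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx6d2R4Y1ZtVjdYOGhRbk1wM0tpTDB0Rm9ZMmFaZ0Jx admin@host01'

# Typical use: pubkey_to_nv_cmds "$(cat ~/.ssh/id_ed25519.pub)" admin2 prod_key
pubkey_to_nv_cmds "$EXAMPLE_PUBKEY" admin2 prod_key
```

Validating the line before emitting commands matters because NVUE stores the key string verbatim: a key cut short by a terminal paste would be accepted by the CLI but never match the client's key, and the resulting login failure is hard to diagnose.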
PKA-Only
When enabled, the pka-only flag blocks password authentication for users that have a configured authorized key; those users can log in only with their key. Users without a configured key are not affected by the flag. Before enabling it, confirm from a separate session that key-based login works for your own account, so that you do not lock yourself out.
To enable this flag, run the following:
admin@nvos:~$ nv set system ssh-server pka-only enabled
admin@nvos:~$ nv config apply
Troubleshooting
To show all the current SSH server configuration settings, run the NVUE nv show system ssh-server command:
admin@nvos:~$ nv show system ssh-server
                        operational  applied
----------------------  -----------  --------
authentication-retries  6            6
login-timeout           120          120
inactive-timeout        20           20
login-record-period     1            1
max-sessions            100          100
pka-only                disabled     disabled
[port]                  22           22
To show the TCP port numbers that listen for incoming SSH sessions, run the nv show system ssh-server port command. You can also show information for a specific port with the nv show system ssh-server port <port> command.
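As an added example (not NVOS code), the following POSIX shell function audits nv show system ssh-server output against a hardening baseline, so the timeout and session settings described on this page can be checked from a script or a pasted capture rather than by eye. The baseline thresholds are this example's assumptions, not NVOS defaults or NVIDIA recommendations. The first sample is constructed from the Troubleshooting output above; the second, hardened sample is constructed as well.

```shell
#!/bin/sh
# Added example, not NVOS code: audit 'nv show system ssh-server' output
# against a hardening baseline. On a switch you would feed it the live output:
#   nv show system ssh-server | sh audit_ssh_server.sh
# Here it runs on constructed samples so it works offline.

# Baseline thresholds: this example's assumptions, not NVOS defaults.
MAX_RETRIES=3            # authentication-retries
MAX_LOGIN_TIMEOUT=60     # login-timeout, seconds
MAX_INACTIVE_TIMEOUT=10  # inactive-timeout, minutes
MAX_SESSIONS=10          # max-sessions

# check_max NAME VALUE LIMIT: print a FAIL line and return 1 if VALUE > LIMIT.
check_max() {
    if [ "$2" -gt "$3" ]; then
        echo "FAIL $1=$2 exceeds baseline $3"
        return 1
    fi
    return 0
}

# audit_ssh_server: reads the 'nv show system ssh-server' table on stdin,
# prints FAIL for each operational value weaker than the baseline and NOTE
# where the operational and applied columns differ (the page says SSH server
# changes only take effect for new sessions), and returns the number of FAIL
# lines (0 means compliant).
audit_ssh_server() {
    fails=0
    while read -r name operational applied rest; do
        # Skip the header, the dashed separator, and blank lines.
        case $name in
            ''|operational|-*) continue ;;
        esac
        case $name in
            authentication-retries)
                check_max "$name" "$operational" "$MAX_RETRIES" || fails=$((fails + 1)) ;;
            login-timeout)
                check_max "$name" "$operational" "$MAX_LOGIN_TIMEOUT" || fails=$((fails + 1)) ;;
            inactive-timeout)
                check_max "$name" "$operational" "$MAX_INACTIVE_TIMEOUT" || fails=$((fails + 1)) ;;
            max-sessions)
                check_max "$name" "$operational" "$MAX_SESSIONS" || fails=$((fails + 1)) ;;
            pka-only)
                if [ "$operational" != enabled ]; then
                    echo "FAIL pka-only=$operational (password login still accepted from users that have keys)"
                    fails=$((fails + 1))
                fi ;;
        esac
        if [ "$operational" != "$applied" ]; then
            echo "NOTE $name: operational=$operational differs from applied=$applied"
        fi
    done
    return "$fails"
}

# Constructed sample in the format of this page's Troubleshooting output.
SAMPLE_SHOW='                        operational  applied
----------------------  -----------  --------
authentication-retries  6            6
login-timeout           120          120
inactive-timeout        20           20
login-record-period     1            1
max-sessions            100          100
pka-only                disabled     disabled
[port]                  22           22'

# Constructed output from a switch hardened to the baseline above.
HARDENED_SHOW='                        operational  applied
----------------------  -----------  --------
authentication-retries  3            3
login-timeout           60           60
inactive-timeout        10           10
login-record-period     30           30
max-sessions            10           10
pka-only                enabled      enabled
[port]                  22           22'

printf '%s\n' "$SAMPLE_SHOW" | audit_ssh_server || echo "$? finding(s)"
```

The function checks the operational column, because that is what the running SSH server enforces; a mismatch with the applied column is reported separately so that a pending change is not mistaken for a compliant state.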