NVIDIA NVOS User Manual for InfiniBand Switches v25.02.4014

Secure Shell (SSH) for Remote Access

NVOS uses the OpenSSH package to provide access to the system using the Secure Shell (SSH) protocol.

You can configure SSH to provide login access to the root user and to specific user accounts, limit SSH to listen on a specific VRF, and configure timeouts and session options.

Note
  • SSH server configuration changes take effect only in new SSH sessions and do not impact existing ones.

  • SSH Strict Mode: By default, NVOS disables the following SSH server configurations: X11, TCP forwarding, and compression, and enforces secure ciphers.

You can configure the following SSH timeout and session options:

  • The number of login attempts allowed before rejecting the SSH session. You can specify a value between 3 and 100. The default value is 3 login attempts.

  • The number of seconds allowed before login times out. You can specify a value between 1 and 600. The default value is 120 seconds.

  • The TCP port numbers that listen for incoming SSH sessions. You can specify a value between 1 and 65535.

  • The number of minutes a session can be inactive before the SSH server terminates the connection. The default value is 20 minutes.

  • The maximum number of SSH sessions allowed per TCP connection. You can specify a value between 1 and 100. The default value is 10.

The following example configures the number of login attempts allowed before rejecting the SSH session to 10 and the number of seconds allowed before login times out to 200:

admin@nvos:~$ nv set system ssh-server authentication-retries 10
admin@nvos:~$ nv set system ssh-server login-timeout 200
admin@nvos:~$ nv config apply

The following example configures the TCP port that listens for incoming SSH sessions to 443:

admin@nvos:~$ nv set system ssh-server port 443
admin@nvos:~$ nv config apply

The following example configures the amount of time a session can be inactive before the SSH server terminates the connection to 5 minutes (300 seconds) and the maximum number of concurrent SSH user sessions to 5. The default inactive-timeout is 20 minutes and the default max-sessions is 100:

admin@nvos:~$ nv set system ssh-server inactive-timeout 5
admin@nvos:~$ nv set system ssh-server max-sessions 5
admin@nvos:~$ nv config apply

Message of the Day

When you log into the switch, NVOS shows system health information and login notifications.

Example:

Last login: Thu Jun 19 04:52:31 UTC 2025 from 10.20.30.40 on pts/0
Number of total successful connections since last 1 days: 6

SSH Login Notifications

NVOS shows the following SSH login information on the console after authentication:

  • The date and time of the last successful login.

  • The number of unsuccessful logins after the last successful login.

  • The date and time of the last unsuccessful login.

  • Changes to a user account after the last login (password, role, group, and so on).

  • The location (terminal or IP) of the last successful or unsuccessful login.

  • The total number of successful logins after a specific date and time.

NVOS displays login notifications for both SSH and serial connections. The information can help to detect unwanted or malicious activities, such as suspicious logins or password and role changes.

To configure the time period in days during which to show login notifications, run the nv set system ssh-server login-record-period <days> command. You can specify a value between 1 and 30. The default value is 1.

The following example sets the SSH login notification period to 20 days:

admin@nvos:~$ nv set system ssh-server login-record-period 20
admin@nvos:~$ nv config apply

To set the SSH login notification period back to the default value (1 day), run the nv unset system ssh-server login-record-period command.

To show the configured SSH login notification period, run the nv show system ssh-server command. See Troubleshooting below.

Generate and Install an SSH Key Pair

This section describes how to generate an SSH key pair on one system and install the key as an authorized key on another system.

Generate an SSH Key Pair

To generate an SSH key pair, run the ssh-keygen command and follow the prompts.

NVOS does not support SHA-1 SSH key exchange methods.

To configure the system without a password, do not enter a passphrase when prompted in the following step.

admin@host01:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The key fingerprint is:
5a:b4:16:a0:f9:14:6b:51:f6:f6:c0:76:1a:35:2b:bb cumulus@leaf04
The key's randomart image is:
+---[RSA 2048]----+
| +.o o |
| o * o . o |
| o + o O o |
| + . = O |
| . S o . |
| + . |
| . E |
| |
| |
+-----------------+

Install an Authorized SSH Key

To install an authorized SSH key, you take the contents of an SSH public key and add it to the SSH authorized key file (~/.ssh/authorized_keys) of the user.

A public key is a text file with three space-separated fields:

<type> <key string> <comment>

| Field | Description |
|---|---|
| <type> | The algorithm you want to use to hash the key. The algorithm can be ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-dss, ssh-ed25519, or ssh-rsa (the default value). |
| <key string> | A base64 format string for the key. |
| <comment> | A single word string. By default, this is the name of the system that generated the key. NVUE uses the <comment> field as the key name. |

The procedure to install an authorized SSH key is different based on whether the user is an NVUE managed user or a non-NVUE managed user.

NVUE Managed User

The following example adds an authorized key named prod_key to the user admin2. The content of the public key file is ssh-rsa 1234 prod_key.

admin@nvos:~$ nv set system aaa user admin2 ssh authorized-key prod_key key XABDB3NzaC1yc2EAAAADAQABAAABgQCvjs/RFPhxLQMkckONg+1RE1PTIO2JQhzFN9TRg7ox7o0tfZ+IzSB99lr2dmmVe8FRWgxVjc...
admin@nvos:~$ nv set system aaa user admin2 ssh authorized-key prod_key type ssh-rsa
admin@nvos:~$ nv config apply
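Added example (not NVIDIA's code): a Python check that validates a public key line against the three-field format above before it is installed, confirms that the <type> field matches the algorithm name embedded in the base64 blob, computes the SHA256 fingerprint for out-of-band comparison, and builds the corresponding NVUE commands. The function names, the key-name character restriction, and the sample key (constructed with placeholder bytes) are assumptions.

```python
import base64
import hashlib
import re
import struct

# Key types listed in the field table above.
ALLOWED_TYPES = {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                 "ecdsa-sha2-nistp521", "ssh-dss", "ssh-ed25519", "ssh-rsa"}


def parse_public_key(line):
    """Validate '<type> <key string> <comment>' and return its parts."""
    fields = line.split()
    if len(fields) != 3:
        raise ValueError("expected three space-separated fields")
    key_type, key_b64, comment = fields
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type: {key_type}")
    # Assumption: restrict the key name to characters that are safe to paste
    # into a shell command line.
    if not re.fullmatch(r"[A-Za-z0-9_.@-]+", comment):
        raise ValueError("comment is not usable as a key name")
    blob = base64.b64decode(key_b64, validate=True)
    # The decoded blob starts with a length-prefixed copy of the algorithm
    # name; a mismatch means the line was altered or damaged in transit.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError(f"type {key_type!r} does not match blob {embedded!r}")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "key": key_b64, "name": comment,
            "fingerprint": fingerprint}


def nvue_commands(user, parsed):
    """Build the NVUE commands shown above for one authorized key."""
    base = f"nv set system aaa user {user} ssh authorized-key {parsed['name']}"
    return [f"{base} key {parsed['key']}", f"{base} type {parsed['type']}",
            "nv config apply"]


# Constructed sample: a well-formed ssh-ed25519 blob with placeholder key bytes.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " prod_key"

if __name__ == "__main__":
    print("\n".join(nvue_commands("admin2", parse_public_key(SAMPLE_LINE))))
```

The fingerprint uses the same SHA256 format that ssh-keygen -lf prints, so it can be compared with the value reported on the host that generated the key.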


PKA-Only

This setting lets you block password authentication for users that have a configured authorized key.

To enable this flag, run the following:

admin@nvos:~$ nv set system ssh-server pka-only enabled
admin@nvos:~$ nv config apply

Troubleshooting

To show all the current SSH server configuration settings, run the NVUE nv show system ssh-server command:

admin@nvos:~$ nv show system ssh
                        operational  applied
----------------------  -----------  --------
authentication-retries  6            6
login-timeout           120          120
inactive-timeout        20           20
login-record-period     1            1
max-sessions            100          100
pka-only                disabled     disabled
[port]                  22           22
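Added example (not part of the NVOS documentation): a Python audit that parses the three-column output above, reports any setting whose operational value differs from the applied value, and compares the result with a baseline. The baseline is a hypothetical site policy built from the values configured in the examples on this page, and the function names are assumptions.

```python
# Constructed sample: the "nv show system ssh" output shown above.
SAMPLE_OUTPUT = """\
                        operational  applied
----------------------  -----------  --------
authentication-retries  6            6
login-timeout           120          120
inactive-timeout        20           20
login-record-period     1            1
max-sessions            100          100
pka-only                disabled     disabled
[port]                  22           22
"""

# Hypothetical site baseline, using values from the examples on this page.
BASELINE = {"pka-only": "enabled", "inactive-timeout": "5", "max-sessions": "5"}


def parse_show_output(text):
    """Return {setting: (operational, applied)} from the three-column table."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the two-column header and the dashed separator row.
        if len(parts) != 3 or set(parts[0]) == {"-"}:
            continue
        rows[parts[0].strip("[]")] = (parts[1], parts[2])
    return rows


def audit(text, baseline=BASELINE):
    """List settings that have drifted or that differ from the baseline."""
    findings = []
    rows = parse_show_output(text)
    for name, (operational, applied) in rows.items():
        if operational != applied:
            findings.append(f"{name}: operational {operational} != applied {applied}")
    for name, wanted in baseline.items():
        if name not in rows:
            findings.append(f"{name}: missing from output")
        elif rows[name][0] != wanted:
            findings.append(f"{name}: {rows[name][0]}, baseline {wanted}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print(finding)
```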

To show the TCP port numbers that listen for incoming SSH sessions, run the nv show system ssh-server port command. You can also show information for a specific port with the nv show system ssh-server port <port> command.

© Copyright 2025, NVIDIA. Last updated on Jul 7, 2025.