Date: 2025-08-29

You can configure the following SSH timeout and session options:

The number of login attempts allowed before rejecting the SSH session. You can specify a value between 3 and 100. The default value is 3 login attempts.

The number of seconds allowed before login times out. You can specify a value between 1 and 600. The default value is 120 seconds.

The TCP port numbers that listen for incoming SSH sessions. You can specify a value between 1 and 65535.

The number of minutes a session can be inactive before the SSH server terminates the connection. The default value is 0 minutes.

The maximum number of SSH sessions allowed per TCP connection. You can specify a value between 1 and 100. The default value is 10.

Unauthenticated SSH sessions:

The maximum number of unauthenticated SSH sessions allowed. You can specify a value between 1 and 10000. The default value is 100.

The number of unauthenticated SSH sessions allowed before throttling starts. You can specify a value between 1 and 10000. The default value is 10.

The starting percentage of connections to reject above the throttle start count before reaching the session count limit. You can specify a value between 1 and 100. The default value is 30.



The following example configures the number of login attempts allowed before rejecting the SSH session to 10 and the number of seconds allowed before login times out to 200:

admin@nvos:~$ nv set system ssh-server authentication-retries 10
admin@nvos:~$ nv set system ssh-server login-timeout 200
admin@nvos:~$ nv config apply

The following example configures the TCP port that listens for incoming SSH sessions to 443:

admin@nvos:~$ nv set system ssh-server port 443
admin@nvos:~$ nv config apply

The following example configures the amount of time a session can be inactive before the SSH server terminates the connection to 5 minutes (300 seconds) and the maximum number of SSH sessions allowed per TCP connection to 5. The default inactive-timeout is 15 minutes and the default max-sessions is 10:

admin@nvos:~$ nv set system ssh-server inactive-timeout 5
admin@nvos:~$ nv set system ssh-server max-sessions 5
admin@nvos:~$ nv config apply

When you log in to the switch, NVOS shows system health information and login notifications.

Example:

Last login: Thu Jun 19 04:52:31 UTC 2025 from 10.20.30.40 on pts/0
Number of total successful connections since last 1 days: 6

SSH Login Notifications

NVOS shows the following SSH login information on the console after authentication:

The date and time of the last successful login.

The number of unsuccessful logins after the last successful login.

The date and time of the last unsuccessful login.

Changes to a user account after the last login (password, role, group, and so on).

The location (terminal or IP) of the last successful or unsuccessful login.

The total number of successful logins after a specific date and time.

NVOS displays login notifications for both SSH and serial connections. The information can help to detect unwanted or malicious activities, such as suspicious logins or password and role changes.

To configure the time period in days during which to show login notifications, run the nv set system ssh-server login-record-period <days> command. You can specify a value between 1 and 30. The default value is 1.

The following example sets the SSH login notification period to 20 days:

admin@nvos:~$ nv set system ssh-server login-record-period 20
admin@nvos:~$ nv config apply

To set the SSH login notification period back to the default value (1 day), run the nv unset system ssh-server login-record-period command.

To show the configured SSH login notification period, run the nv show system ssh-server command. See Troubleshooting below.

This section describes how to generate an SSH key pair on one system and install the key as an authorized key on another system.

To generate an SSH key pair, run the ssh-keygen command and follow the prompts.

NVOS does not support SHA-1 SSH key exchange methods.

To configure the system without a password, do not enter a passphrase when prompted in the following step.

admin@host01:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The key fingerprint is:
5a:b4:16:a0:f9:14:6b:51:f6:f6:c0:76:1a:35:2b:bb cumulus@leaf04
The key's randomart image is:
+---[RSA 2048]----+
| +.o o           |
| o * o . o       |
| o + o O o       |
| + . = O         |
| . S o .         |
| + .             |
| . E             |
|                 |
|                 |
+-----------------+

To install an authorized SSH key, you take the contents of an SSH public key and add it to the SSH authorized key file (~/.ssh/authorized_keys) of the user.

A public key is a text file with three space-separated fields:

<type> <key string> <comment>

| Field | Description |
|---|---|
| <type> | The algorithm you want to use to hash the key. The algorithm can be ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-dss, ssh-ed25519, or ssh-rsa (the default value). |
| <key string> | A base64 format string for the key. |
| <comment> | A single word string. By default, this is the name of the system that generated the key. NVUE uses the <comment> field as the key name. |

The procedure to install an authorized SSH key is different based on whether the user is an NVUE managed user or a non-NVUE managed user.

NVUE Managed User

The following example adds an authorized key named prod_key to the user admin2. The content of the public key file is ssh-rsa 1234 prod_key.

admin@nvos:~$ nv set system aaa user admin2 ssh authorized-key prod_key key XABDB3NzaC1yc2EAAAADAQABAAABgQCvjs/RFPhxLQMkckONg+1RE1PTIO2JQhzFN9TRg7ox7o0tfZ+IzSB99lr2dmmVe8FRWgxVjc...
admin@nvos:~$ nv set system aaa user admin2 ssh authorized-key prod_key type ssh-rsa
admin@nvos:~$ nv config apply
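Before installing a key, it is worth confirming that the public key line really has the three fields described above and that the declared type matches the algorithm name embedded in the base64 blob. The following Python sketch is an added example, not NVIDIA code; the function names are hypothetical, the sample key is constructed, and it assumes the standard SSH public key encoding in which the decoded blob starts with a length-prefixed algorithm name.

```python
import base64
import shlex
import struct

# Values the page lists for the <type> field.
ALLOWED_TYPES = {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                 "ecdsa-sha2-nistp521", "ssh-dss", "ssh-ed25519", "ssh-rsa"}

def parse_public_key(line):
    """Split '<type> <key string> <comment>' and verify the blob matches <type>."""
    fields = line.split()
    if len(fields) != 3:
        raise ValueError("expected three space-separated fields")
    key_type, key_b64, comment = fields
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type: {key_type}")
    try:
        blob = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("key string is not valid base64") from exc
    # The decoded blob begins with a 4-byte big-endian length followed by
    # the algorithm name (SSH wire "string" encoding); it must equal <type>.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len]
    if len(embedded) != name_len or embedded != key_type.encode("ascii"):
        raise ValueError("type field does not match the key blob")
    return key_type, key_b64, comment

def nvue_commands(user, line):
    """Build the page's nv set commands; <comment> becomes the key name."""
    key_type, key_b64, name = parse_public_key(line)
    base = (f"nv set system aaa user {shlex.quote(user)} "
            f"ssh authorized-key {shlex.quote(name)}")
    return [f"{base} key {key_b64}", f"{base} type {key_type}", "nv config apply"]

def constructed_sample_line(key_type="ssh-ed25519", comment="prod_key"):
    """Constructed sample: an all-zero 32-byte key body, not a usable key."""
    name = key_type.encode("ascii")
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(32)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

if __name__ == "__main__":
    print("\n".join(nvue_commands("admin2", constructed_sample_line())))
    try:  # declared type disagrees with the blob: rejected before install
        parse_public_key("ssh-rsa " + constructed_sample_line().split()[1] + " k")
    except ValueError as err:
        print("rejected:", err)
```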





The pka-only option lets you block password authentication for users that have a configured authorized key.

To enable this flag, run the following:

admin@nvos:~$ nv set system ssh-server pka-only enabled
admin@nvos:~$ nv config apply

To show all the current SSH server configuration settings, run the NVUE nv show system ssh-server command:

admin@nvos:~$ nv show system ssh
                        operational  applied
----------------------  -----------  --------
authentication-retries  6            6
login-timeout           120          120
inactive-timeout        20           20
login-record-period     1            1
max-sessions            100          100
pka-only                disabled     disabled
[port]                  22           22
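The output above can be checked automatically for drift between the operational and applied columns and for values outside the ranges this page documents. The following Python sketch is an added example, not NVIDIA code; the function names are hypothetical, and the requirement that pka-only be enabled is an assumed site baseline rather than something the page mandates.

```python
# Value ranges this page documents for each option.
DOCUMENTED_RANGES = {
    "authentication-retries": (3, 100),
    "login-timeout": (1, 600),
    "login-record-period": (1, 30),
    "max-sessions": (1, 100),
    "[port]": (1, 65535),
}
# Assumed site baseline (hypothetical policy, not from the page).
REQUIRED = {"pka-only": "enabled"}

# The table from the page's sample output.
PAGE_SAMPLE = """\
                        operational  applied
----------------------  -----------  --------
authentication-retries  6            6
login-timeout           120          120
inactive-timeout        20           20
login-record-period     1            1
max-sessions            100          100
pka-only                disabled     disabled
[port]                  22           22
"""

def parse_show_output(text):
    """Return {option: (operational, applied)} from the three-column rows."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the header, the prompt line and the dashed separator row.
        if len(parts) == 3 and not set(parts[0]) <= {"-"}:
            rows[parts[0]] = (parts[1], parts[2])
    return rows

def audit(text):
    """List drift, out-of-range values and baseline deviations."""
    findings = []
    for name, (oper, applied) in parse_show_output(text).items():
        if oper != applied:
            findings.append(f"{name}: operational {oper} differs from applied {applied}")
        if name in DOCUMENTED_RANGES:
            low, high = DOCUMENTED_RANGES[name]
            if not (oper.isdigit() and low <= int(oper) <= high):
                findings.append(f"{name}: {oper} is outside the documented range {low}-{high}")
        if name in REQUIRED and oper != REQUIRED[name]:
            findings.append(f"{name}: operational value {oper}, baseline requires {REQUIRED[name]}")
    return findings

if __name__ == "__main__":
    for finding in audit(PAGE_SAMPLE):
        print(finding)
```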