Optional Parameters Overview

You can adjust the following SSH settings on the RUCKUS device.

  • The user authentication method: For SSH connections, the RUCKUS ICX device can use several authentication types together or individually. Refer to SSH2 Authentication Types.

  • The number of SSH authentication retries: By default, the RUCKUS ICX device tries 3 times to negotiate a connection with the host. The number of authentication retries can be changed to 1 through 5.

  • Key exchange method: RUCKUS ICX SSH2 offers diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1 as the key exchange methods for establishing an SSH connection. By default, when SSH clients connect, the ICX device acting as SSH server offers both diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1, with diffie-hellman-group14-sha1 given first priority. The diffie-hellman-group14-sha1 algorithm provides stronger protection for the shared secret negotiated between the two devices and for the security parameters derived from it. The diffie-hellman-group1-sha1 key exchange method is a weaker algorithm and can be disabled using the no ip ssh key-exchange-method dh-group1-sha1 command.

  • Empty password logins to the RUCKUS ICX device: By default, empty password logins are not allowed. Each user with an SSH client is prompted for a password when logging in to the device and must have a user name and password to gain access. If you enable empty password logins, any user with an SSH client can log in without being prompted for a password.

  • The port number for SSH connections: By default, SSH traffic is carried on TCP port 22. You can change this port number; however, you must configure SSH clients to connect to the new port. You must also be careful not to assign SSH to a port that is used by another service.

  • The SSH login timeout value: When the SSH server attempts to negotiate a session key and encryption method with a connecting client, it waits a maximum of 120 seconds by default for a response from the client. If there is no response from the client after 120 seconds, the SSH server disconnects. You can configure a timeout value from 1 through 120 seconds.

  • Source interface for all SSH traffic from the device: By default, the management port is used as the source interface for all SSH traffic from the RUCKUS ICX device. You can instead designate an Ethernet port, virtual interface, or loopback interface.

  • The maximum idle time for SSH sessions: By default, SSH sessions never time out. You can set the amount of time an SSH session can be inactive before the RUCKUS device closes it. An idle time of 0 minutes means that SSH sessions never time out. The maximum idle time for SSH sessions is 240 minutes.

  • SSH rekey: In an SSH2 implementation, once an SSH session is authenticated and established, it remains connected until the user closes it or until the configured idle time limit is reached. Prolonged use of the session key negotiated at connection time poses several security issues and exposes the SSH connection to man-in-the-middle attacks. To safeguard the SSH connection from this vulnerability, new keys should be exchanged frequently for existing SSH sessions.
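The settings listed above are the ones an operator would audit when reviewing a device's running configuration. The following script is an added example, not RUCKUS code: it parses a constructed running-config excerpt, applies the defaults the page states (3 retries, port 22, 120-second login timeout, idle time 0, empty password logins disabled, dh-group1-sha1 offered), and reports the weak settings it finds. Only the no ip ssh key-exchange-method dh-group1-sha1 command appears on this page; the other ip ssh command forms used here (authentication-retries, timeout, idle-time, port, permit-empty-passwd, source-interface) are assumed and should be checked against the device's own CLI reference.

```python
"""Audit a RUCKUS ICX running-config excerpt against an SSH hardening baseline.

Added example, not vendor code. Apart from the one command quoted on the page,
the ``ip ssh ...`` command forms below are ASSUMED; confirm them on the device.
"""
import re

# Constructed sample excerpt with several weak settings (not from a real device).
WEAK_CONFIG = """\
hostname icx-edge-01
ip ssh authentication-retries 5
ip ssh timeout 120
ip ssh permit-empty-passwd
ip ssh port 22
ip ssh key-exchange-method dh-group14-sha1
ip ssh source-interface loopback 1
"""

# Constructed hardened excerpt for comparison.
HARDENED_CONFIG = """\
hostname icx-edge-01
ip ssh authentication-retries 3
ip ssh timeout 60
ip ssh idle-time 10
no ip ssh key-exchange-method dh-group1-sha1
ip ssh source-interface loopback 1
"""


def parse_ssh_settings(config: str) -> dict:
    """Return the effective SSH settings, starting from the page's stated defaults."""
    settings = {
        "retries": 3,              # default: 3 negotiation attempts
        "timeout": 120,            # default: 120-second login timeout
        "idle_time": 0,            # default: 0 == sessions never time out
        "port": 22,                # default: TCP 22
        "empty_password": False,   # default: empty password logins disallowed
        "dh_group1_enabled": True,  # default: dh-group1-sha1 is offered
        "source_interface": "management",  # default source interface
    }
    for raw in config.splitlines():
        line = raw.strip()
        if (m := re.fullmatch(r"ip ssh authentication-retries (\d+)", line)):
            settings["retries"] = int(m.group(1))
        elif (m := re.fullmatch(r"ip ssh timeout (\d+)", line)):
            settings["timeout"] = int(m.group(1))
        elif (m := re.fullmatch(r"ip ssh idle-time (\d+)", line)):
            settings["idle_time"] = int(m.group(1))
        elif (m := re.fullmatch(r"ip ssh port (\d+)", line)):
            settings["port"] = int(m.group(1))
        elif line == "ip ssh permit-empty-passwd":
            settings["empty_password"] = True
        elif line == "no ip ssh key-exchange-method dh-group1-sha1":
            settings["dh_group1_enabled"] = False
        elif (m := re.fullmatch(r"ip ssh source-interface (.+)", line)):
            settings["source_interface"] = m.group(1)
    return settings


def audit(settings: dict) -> list[str]:
    """Return one finding per setting that weakens the SSH server posture."""
    findings = []
    if settings["empty_password"]:
        findings.append("empty password logins enabled: any SSH client can log in "
                        "without a password")
    if settings["dh_group1_enabled"]:
        findings.append("weak dh-group1-sha1 key exchange still offered: add "
                        "'no ip ssh key-exchange-method dh-group1-sha1'")
    if settings["idle_time"] == 0:
        findings.append("idle time 0: sessions never time out; set 1-240 minutes")
    if settings["retries"] > 3:
        findings.append(f"authentication-retries {settings['retries']} exceeds "
                        "the default of 3")
    if not 1 <= settings["timeout"] <= 120:
        findings.append(f"login timeout {settings['timeout']} is outside 1-120 s")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(parse_ssh_settings(cfg)) or ["no findings"]:
            print(" -", finding)
```

Run it as-is to see four findings for the weak excerpt and none for the hardened one. The checker deliberately treats an absent command as the page's stated default rather than as unknown, which is how the device itself behaves, so a configuration that never mentions idle-time or dh-group1-sha1 is correctly reported as weak.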