SSH is a cryptographic network protocol for operating network services securely over an unsecured network. The standard TCP port for SSH is 22. The best known example application is for remote login to computer systems by users.
SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2.
The most visible application of the protocol is for access to shell accounts on Unix-like operating systems, but it sees some limited use on Windows as well. In 2015, Microsoft announced that they would include native support for SSH in a future release.
SSH was designed as a replacement for Telnet and for unsecured remote shell protocols such as the Berkeley rlogin, rsh, and rexec protocols. Those protocols send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis. The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet.
Enabling SSH only requires you to specify the port
<port> you want SSH to
listen on. By default, SSH runs on port 22.
Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be defined.
Define allowed ciphers used for the SSH connection. A number of allowed ciphers
can be specified, use multiple occurrences to allow multiple ciphers. You can
choose from the following ciphers:
Disable password based authentication. Login via SSH keys only. This hardens security!
Disable the host validation through reverse DNS lookups - can speedup login time when reverse lookup is not possible.
Specifies the available MAC algorithms.
The MAC algorithm is used in protocol version 2 for data integrity protection.
Multiple algorithms can be provided. Supported MACs:
VyOS 1.1 supported login as user
root. This has been removed due
to tighter security in VyOS 1.2.
Add access-control directive to allow or deny users and groups. Directives are
processed in the following order of precedence:
Specify timeout interval for keepalive message in seconds.
Specify allowed KEX algorithms.
sshd log level. The default is
Specify name of the VRF instance.