« on: September 06, 2010, 10:49:40 AM »
Hi everyone,
I'm trying to enable SSH on an 8600. I think everything is right (as config sys set ssh info seems to show), but I can't SSH to the Passport. Does the Passport need a reboot?
config sys set ssh info
Total Active Sessions : 0
version : v2only
port : 22
max-sessions : 4
timeout : 60
action rsa-keygen : rsa-keysize 1024
action dsa-keygen : key not generated
rsa-auth : true
dsa-auth : true
pass-auth : true
enable : true
Thanks

dafle_ro
« Reply #1 on: September 06, 2010, 11:34:04 AM »
Hi,
I think you need to create an access policy to enable SSH:
config sys access-policy enable false
config sys access-policy policy 2 create
config sys access-policy policy 2 name policy2
config sys access-policy policy 2 accesslevel rwa
config sys access-policy policy 2 service ssh enable
config sys access-policy policy 2 network x.x.x.0/24
config sys access-policy policy 2 enable
config sys access-policy enable true

« Reply #2 on: September 06, 2010, 07:08:59 PM »
If you have access policies enabled then you'll need to add an additional policy to allow access.
What version of software are you running?
I believe with older versions of software the CPU/SF needed a restart.
Cheers!
Why not leave some rep if someone provided a helpful post? Click on the  icon under the user's avatar. blog.michaelfmcnamara.com

« Reply #3 on: September 07, 2010, 05:03:52 AM »
Hi,
The version is 5.1.2.0 and I think the access policy is disabled. I can do a telnet (I don't want telnet anymore, that's why I want to enable SSH):
show sys access-policy info
AccessPolicyEnable: off
Id: 1
Name: default
PolicyEnable: true
Mode: allow
Service: ftp|http|telnet|ssh
Precedence: 128
NetAddrType: any
NetAddr: N/A
NetMask: N/A
TrustedHostAddr: N/A
TrustedHostUserName: none
AccessLevel: readOnly
AccessStrict: false
Usage: 0

« Reply #4 on: September 07, 2010, 01:51:51 PM »
Have you loaded any of the encryption modules? I know they are required for SNMPv3 but I'm not sure about SSH.

« Reply #5 on: September 07, 2010, 01:56:38 PM »
I don't think so. How can I load them or verify if they are loaded? Thanks.

« Reply #6 on: September 07, 2010, 05:05:38 PM »
OK, I've found a way; I'll post an explanation ASAP. Thanks.

« Reply #7 on: September 08, 2010, 12:42:18 PM »
How I enabled SSH on the ERS 8600:
1/ Enable SSH and generate a key:
sys set ssh enable true
config sys set ssh action rsa-keygen
2/ Copy the file p80c5120.img to /flash/ and then load the encryption module as Michael suggested (he was right as usual!!):
config load-encryption-module 3DES
3/ Create access policies:
sys access-policy policy 2 create
sys access-policy policy 2 accesslevel rwa
sys access-policy policy 2 network X.X.X.0/24
sys access-policy policy 2 service ssh enable
sys access-policy policy 2 service snmpv3 enable
sys access-policy policy 2 snmp-group-add readgrp snmpv1
sys access-policy policy 2 snmp-group-add readgrp snmpv2c
sys access-policy policy 2 snmp-group-add v1v2grp snmpv1
sys access-policy policy 2 snmp-group-add v1v2grp snmpv2c
4/ Enable access policies:
config sys access-policy enable true
PS: Michael, I'm sure I posted info (April/May maybe) about how to monitor ERS using Cacti, NeDi and a lot of tools. I can't find this post. Was it deleted, and why (contents maybe?)?
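
Added example, not part of the original posts: a small Python audit of the two outputs quoted in this thread (config sys set ssh info and show sys access-policy info) that reports cleartext services and open source networks left in enabled access policies. The one-field-per-line layout, the 2048-bit RSA baseline and all function names are assumptions.

```python
# Constructed sample: values from the outputs quoted in this thread, one field per line (assumed layout).
SSH_INFO = """version : v2only
action rsa-keygen : rsa-keysize 1024
enable : true"""
POLICY_INFO = """AccessPolicyEnable: off
Id: 1
PolicyEnable: true
Service: ftp|http|telnet|ssh
NetAddrType: any"""
CLEARTEXT = {"telnet", "ftp", "http"}  # services that carry credentials unencrypted
MIN_RSA_BITS = 2048                    # assumed local baseline, not a value from the thread

def fields(text):
    """Yield (key, value) from 'key : value' lines, splitting on the first colon."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            yield key.strip(), value.strip()

def policies(text):
    """Return (global enforcement flag, list of per-policy dicts keyed by field name)."""
    enforced, records = False, []
    for key, value in fields(text):
        if key == "AccessPolicyEnable":
            enforced = value == "on"
        elif key == "Id":
            records.append({"Id": value})  # each 'Id' line starts a new policy record
        elif records:
            records[-1][key] = value
    return enforced, records

def audit(ssh_text, policy_text):
    """Return findings for the SSH settings and every enabled access policy."""
    ssh, findings = dict(fields(ssh_text)), []
    if ssh.get("enable") != "true" or ssh.get("version") != "v2only":
        findings.append("ssh: not enabled as v2only")
    bits = ssh.get("action rsa-keygen", "").rpartition(" ")[2]
    if bits.isdigit() and int(bits) < MIN_RSA_BITS:
        findings.append(f"ssh: rsa-keysize {bits} below {MIN_RSA_BITS}")
    enforced, records = policies(policy_text)
    if not enforced:
        findings.append("access-policy: AccessPolicyEnable is off")
    for p in (r for r in records if r.get("PolicyEnable") == "true"):
        for svc in sorted(CLEARTEXT & set(p.get("Service", "").split("|"))):
            findings.append(f"policy {p['Id']}: allows {svc}")
        if p.get("NetAddrType") == "any":
            findings.append(f"policy {p['Id']}: open to any source network")
    return findings
```

Run it again after step 4: any enabled policy that still lists telnet, such as the default policy 1 shown in Reply #3, keeps being reported until its service list is narrowed.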

« Reply #8 on: September 08, 2010, 07:44:38 PM »
Thanks for sharing your solution with everyone here.
We lost a few posts when I migrated the forums over to a VPS back a few months... I vaguely remember the post you are referring to but it's possible it was one of the few that were lost in that 1-2 day time frame.
Feel free to re-post if you are so inclined.
Cheers!

tbigby
« Reply #9 on: September 09, 2010, 08:42:43 PM »
Tony Bigby

« Reply #10 on: September 09, 2010, 11:26:53 PM »
That was one of them but I believe there was another one that got lost during the migration, I could be wrong though.

« Reply #11 on: Today at 04:01:37 PM »
Yes, it's this thread, but no problem with that. I thought it was because of the contents and I was very surprised by that...