Cisco `ip ssh source-interface` refers to server, client, or both


If I do `ip ssh source-interface g0`, does that restrict:

  1. which interface the Cisco device listens on for SSH connections,
  2. which interface it is allowed to use as a client to connect to other SSH servers,
  3. which interface all SSH packets go out of and/or are permitted in on (implying both 1 and 2), or
  4. none of the above?

Experimentally, it looks like 2, which is not what I had intuited originally, thus prompting the question for confirmation.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp5893687220 — Ref that seems to agree with my experimental conclusion, but I've been wrong trying to follow Cisco logic before.

Best Answer

Actually, none of the above. It doesn't actually determine any interface. That command, and other Cisco source commands, determine the source address on the traffic sourced on the device exiting the device, regardless of the actual interface used to forward the traffic. Remember that traffic is routed by the destination address.

Without any command, the source address on the traffic sourced from the device leaving the device would be the actual interface used, but the Cisco source commands can be used to change the source address to the address of a different interface on the router. Loopback interfaces are a good choice because loopback addresses never go down, unless you specifically configure them down.

For example, you have a router with Loopback0, GigabitEthernet0, GigabitEthernet1, and GigabitEthernet2. You probably want all traffic sourced from Loopback0 so that it doesn't matter which interface is used. That way, if the traffic would normally use GigabitEthernet0, but that interface goes down and the other device could still reach the router through GigabitEthernet2, then the conversation can continue normally because the source address remains the same.
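The loopback arrangement described in the answer, written out as an IOS configuration. This is an added example, not configuration posted by the answer's author; the interface names follow the answer, and the addresses are hypothetical (RFC 5737 documentation ranges).

```cisco
! Added example: a router with a loopback and three uplinks, with every SSH
! session the router itself opens sourced from the Loopback0 address.
! Addresses are hypothetical documentation-range values.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0
 ip address 198.51.100.1 255.255.255.252
!
interface GigabitEthernet1
 ip address 198.51.100.5 255.255.255.252
!
interface GigabitEthernet2
 ip address 198.51.100.9 255.255.255.252
!
! Sets only the source address of outbound SSH sessions. It does not choose
! the egress interface (routing to the destination does that) and it does not
! change which addresses the SSH server accepts connections on.
ip ssh source-interface Loopback0
```

With this in place, `Router# ssh -l admin 203.0.113.10` reaches the peer with a source of 192.0.2.1 whether the packets leave through GigabitEthernet0 or GigabitEthernet2, and `show running-config | include ip ssh` confirms the setting. Two practical checks: the peer must have a route back to 192.0.2.1, and any filter on the peer must permit that loopback address rather than the uplink addresses, or the session fails even though the router can still reach the peer. Inbound SSH to any of the four addresses is unaffected; if the intent was option 1 in the question, that is done with an `access-class` ACL on the vty lines, not with this command.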
