show ip ssh
Displays the status and configuration of the SSH server on a Cisco IOS device. Use it to verify that SSH is enabled and to check connection details.
show ip ssh
When to Use This Command
- Verify that SSH server is enabled and listening on the correct port after configuring SSH.
- Check the number of active SSH sessions and their details for troubleshooting connectivity.
- Confirm the SSH version, authentication methods, and encryption algorithms supported.
- Ensure SSH timeout and retry settings are appropriate for security policies.
Command Examples
Basic show ip ssh output
show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie-Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, ssh-dsa)
SSH-RSA key: 2048-bit
Encryption: AES-CBC, AES-CTR, 3DES-CBC
Hash: SHA-1, SHA-256
Authentication: Publickey, Password
MAC: HMAC-SHA1, HMAC-SHA1-96
%No SSHv2 server connections running.
Line 1: SSH is enabled with version 2.0. Line 2: Authentication timeout (120 secs) and retries (3). Line 3: Minimum Diffie-Hellman key size. Lines 4-9: SSH host key type and size, supported encryption, hash, authentication, and MAC algorithms. Last line: No active SSH sessions.
Show ip ssh with active sessions
show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie-Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, ssh-dsa)
SSH-RSA key: 2048-bit
Encryption: AES-CBC, AES-CTR, 3DES-CBC
Hash: SHA-1, SHA-256
Authentication: Publickey, Password
MAC: HMAC-SHA1, HMAC-SHA1-96

Connection  Version  Mode  Encryption  Hmac       State            Username
0           2.0      IN    aes128-cbc  hmac-sha1  Session started  admin
0           2.0      OUT   aes128-cbc  hmac-sha1  Session started  admin
Same initial lines as before. After a blank line, a table shows the active SSH sessions: Connection number, SSH version, Mode (IN/OUT), Encryption algorithm, HMAC, State (e.g., Session started), and Username. Here, one session (connection 0) for user 'admin' is active.
Understanding the Output
The output begins with the SSH status (enabled/disabled) and version. The authentication timeout and retries indicate how long the device waits for login and how many attempts are allowed. The minimum Diffie-Hellman key size is a security parameter. The key section shows the host key type and size (e.g., SSH-RSA 2048-bit). The supported algorithms for encryption, hash, authentication, and MAC are listed next. If active sessions exist, a table shows each connection: connection ID, SSH version, direction (IN/OUT), encryption cipher, HMAC algorithm, session state (e.g., Session started, Authentication in progress), and username. If there are no sessions, the output ends with '%No SSHv2 server connections running.' Good values: SSH version 2.0, strong encryption (AES), reasonable timeout (120 secs), retries (3). Watch for version 1.99 (transitional) or disabled SSH.
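The checks described above can be applied to captured output automatically. The following Python is an added example, not code from the original page or from Cisco. The sample text is constructed from the output shown earlier, and the policy limits (2048-bit Diffie-Hellman minimum, 3DES-CBC banned) are assumptions to replace with your own standard.

```python
import re

# Constructed sample: the output shown on this page, one field per line.
SAMPLE = """\
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie-Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, ssh-dsa)
SSH-RSA key: 2048-bit
Encryption: AES-CBC, AES-CTR, 3DES-CBC
Hash: SHA-1, SHA-256
Authentication: Publickey, Password
MAC: HMAC-SHA1, HMAC-SHA1-96
%No SSHv2 server connections running.
"""

# Assumed policy limits for this example; set them from your own standard.
POLICY = {"max_timeout": 120, "max_retries": 3, "min_dh_bits": 2048,
          "banned_ciphers": {"3DES-CBC"}}

def parse_show_ip_ssh(text):
    """Extract the fields this page discusses from 'show ip ssh' output."""
    cfg = {"enabled": False, "version": None}
    m = re.search(r"^SSH (Enabled|Disabled)(?: - version (\S+))?", text, re.M)
    if m:
        cfg["enabled"], cfg["version"] = m.group(1) == "Enabled", m.group(2)
    for key, pat in (("timeout", r"Authentication timeout: (\d+) secs"),
                     ("retries", r"Authentication retries: (\d+)"),
                     ("dh_bits", r"Diffie-Hellman key size\s*: (\d+) bits")):
        m = re.search(pat, text)
        cfg[key] = int(m.group(1)) if m else None
    m = re.search(r"^Encryption: (.+)$", text, re.M)
    cfg["ciphers"] = [c.strip() for c in m.group(1).split(",")] if m else []
    return cfg

def audit(cfg, policy=POLICY):
    """Return findings as strings; an empty list means the output passes."""
    if not cfg["enabled"]:
        return ["SSH server is disabled or status line not found"]
    findings = []
    if cfg["version"] != "2.0":  # 1.99 means SSHv1 clients are still accepted
        findings.append(f"version {cfg['version']} is not 2.0")
    for key, lim in (("timeout", "max_timeout"), ("retries", "max_retries")):
        if cfg[key] is None or cfg[key] > policy[lim]:
            findings.append(f"authentication {key} {cfg[key]} over limit")
    if cfg["dh_bits"] is None or cfg["dh_bits"] < policy["min_dh_bits"]:
        findings.append(f"minimum DH size {cfg['dh_bits']} below limit")
    weak = sorted(set(cfg["ciphers"]) & policy["banned_ciphers"])
    return findings + [f"weak cipher offered: {c}" for c in weak]
```

With the assumed limits, the sample passes the version, timeout and retry checks but is flagged for its 1024-bit Diffie-Hellman minimum and for offering 3DES-CBC.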
CCNA Exam Tips
- The CCNA exam may ask which command verifies SSH is enabled and its version; answer: show ip ssh.
- Know that SSH version 2.0 is required for secure management; version 1 is deprecated.
- Remember that authentication timeout and retries are configured with 'ip ssh time-out' and 'ip ssh authentication-retries'.
- Be aware that 'show ip ssh' does not show SSH client connections; use 'show ssh' for client sessions.
Common Mistakes
- Confusing 'show ip ssh' with 'show ssh': the former shows server config, the latter shows active sessions.
- Assuming SSH is enabled when output shows 'SSH Disabled': you must enable it with 'ip ssh version 2' and generate keys.
- Overlooking that SSH requires a host key pair; if not generated, SSH will not start even if enabled.
Related Commands
crypto key generate rsa modulus [bits]
Generates an RSA key pair for SSH, encryption, or digital signatures on a Cisco IOS device, typically used to enable secure management access.
ip ssh version 2
Enables SSH version 2 on the router for secure remote management, replacing the less secure version 1.
show ssh
Displays the status and configuration of SSH server connections on a Cisco device, used to verify SSH sessions, authentication methods, and encryption settings.