Chapter 3: Operations

SSH server keys

When SSH is enabled for the first time, all sessions are terminated and the CCM appliance generates an SSH server key. The key generation process may take up to three minutes. The key is computed at random and is stored in the CCM configuration database.

In most cases, the SSH server key should not be modified because most SSH clients will associate the key with the IP address of the CCM appliance. During the first connection to a new SSH server, the client will display the SSH server’s key. You will be prompted to indicate if it should be stored on the SSH client. After the first connection, most SSH clients will validate the key when connecting to the CCM appliance. This provides an extra layer of security because the SSH client can verify the key sent by the server each time it connects.

When you disable SSH and later re-enable it, you may either use the existing server key or compute a new one. If you are re-enabling the same server at the same IP address, it is recommended that you use the existing key, as SSH clients may be using it for verification. If you are moving the CCM appliance to another location and changing the IP address, you may wish to generate a new SSH server key.

Authenticating an SSH user

SSH is enabled and disabled with the Server SSH command. When you enable SSH, you may specify the authentication method(s) that will be used for SSH connections. The method may be a password, an SSH key or both. A user’s password and SSH key are specified with a User Add or User Set command. All SSH keys must be RSA keys. DSA keys are not supported.

Table 3.3 lists and describes the valid SSH authentication methods that may be specified with a Server SSH command.

Table 3.3: SSH Authentication Methods

Method            Description

PW (default)      SSH connections will be authenticated with a username/password. With this method, a user's definition must include a valid password in order for that user to authenticate an SSH session.

KEY               SSH connections will be authenticated with an SSH key. With this method, a user's definition must include valid SSH key information in order for that user to authenticate an SSH session. Key authentication is always local; RADIUS is not supported. For more information, see SSH user keys on page 22.

PWKEY or KEYPW    SSH connections will be authenticated with either a username/password or an SSH key. If a user has only a password defined, that user must authenticate an SSH session with a username/password. If a user has only an SSH key defined, that user must authenticate an SSH session using the key. If a user has both a password and an SSH key defined, that user may use either a username/password or the SSH key to authenticate an SSH session. This method allows the administrator to define how each user will authenticate an SSH session based on information provided in the User Add/Set command.

PW authentication will be local or RADIUS as specified in the Auth parameter of the Server Security command. Key authentication is always local.
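The following Python script is an added example, not part of the CCM documentation or the appliance's own software. It models the client-side behaviour described under "SSH server keys" (a client pins the appliance's host key on first connection and flags a changed key afterwards, which is why regenerating the key at the same IP address causes verification failures) and the two rules from this section: only RSA user keys are accepted, and Table 3.3 decides which methods a given user may use. All key material, the known_hosts file and the IP addresses are constructed test data, not real keys or real hosts.

```python
"""Client-side checks around CCM SSH keys: host-key pinning and RSA-only user keys."""
import base64
import hashlib
import struct


def _wire_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_test_key_line(key_type: str, *fields: bytes, comment: str = "") -> str:
    """Build an OpenSSH public-key line from constructed fields.
    Test data only: the numbers are NOT real RSA or DSA parameters."""
    blob = _wire_string(key_type.encode("ascii")) + b"".join(_wire_string(f) for f in fields)
    line = f"{key_type} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


def parse_pubkey_line(line: str):
    """Return (key_type, blob) for a 'type base64 [comment]' public-key line."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    # The first wire string inside the blob names the algorithm; it must agree with the prefix.
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key-type prefix does not match the encoded blob")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest with padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def is_supported_user_key(line: str) -> bool:
    """The CCM accepts only RSA user keys; DSA (ssh-dss) keys are not supported."""
    key_type, _ = parse_pubkey_line(line)
    return key_type == "ssh-rsa"


def verify_host_key(known_hosts: str, host: str, presented_line: str) -> str:
    """Emulate an SSH client's known_hosts check for one host.
    Returns 'unknown' (first connection, client prompts to store the key),
    'match' (stored key verified) or 'mismatch' (server key changed)."""
    _, presented_blob = parse_pubkey_line(presented_line)
    for raw in known_hosts.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        hosts, key_line = raw.split(None, 1)
        if host not in hosts.split(","):
            continue
        _, stored_blob = parse_pubkey_line(key_line)
        return "match" if stored_blob == presented_blob else "mismatch"
    return "unknown"


def allowed_user_methods(server_method: str, has_password: bool, has_key: bool):
    """Methods a user may use under the Server SSH setting, following Table 3.3."""
    methods = set()
    if server_method in ("PW", "PWKEY", "KEYPW") and has_password:
        methods.add("password")
    if server_method in ("KEY", "PWKEY", "KEYPW") and has_key:
        methods.add("key")
    return methods


# Constructed sample data (not real keys): the appliance's original host key,
# a regenerated one, and a DSA user key that the CCM would reject.
HOST_KEY_ORIGINAL = make_test_key_line("ssh-rsa", b"\x01\x00\x01", b"\x00\xc3\x5e\x12\x77\x9a")
HOST_KEY_REGENERATED = make_test_key_line("ssh-rsa", b"\x01\x00\x01", b"\x00\xd9\x41\x08\x2b\x6f")
USER_KEY_DSA = make_test_key_line("ssh-dss", b"\x00\xaa", b"\x00\xbb", b"\x00\xcc", b"\x00\xdd")
KNOWN_HOSTS = f"# constructed client-side known_hosts\n192.0.2.10 {HOST_KEY_ORIGINAL} ccm-appliance\n"

if __name__ == "__main__":
    print(sha256_fingerprint(parse_pubkey_line(HOST_KEY_ORIGINAL)[1]))
    print(verify_host_key(KNOWN_HOSTS, "192.0.2.10", HOST_KEY_ORIGINAL))      # match
    print(verify_host_key(KNOWN_HOSTS, "192.0.2.10", HOST_KEY_REGENERATED))   # mismatch
    print(verify_host_key(KNOWN_HOSTS, "192.0.2.20", HOST_KEY_ORIGINAL))      # unknown
    print(is_supported_user_key(USER_KEY_DSA))                                 # False
```

The "mismatch" path is the case the section warns about: if the server key is regenerated while the appliance keeps its IP address, every client that stored the old key will refuse or warn on the next connection until its known_hosts entry is replaced, so keeping the existing key on re-enable is the safer default. A real client compares the full key blob exactly as done here; the SHA256 fingerprint is only a human-readable summary for the first-connection prompt.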