Chapter 3: Operations | 17 |
Telnet access on port 3007, then port 3107 will be a direct SSH connection for port 7. When SSH is enabled, Telnet port 23 connections will be accepted from other clients if the Server Security command includes the Encrypt=SSH,None parameter, which indicates that both SSH and plain text connections will be allowed. Connecting to Telnet port 23 may also be tunneled through a connection to SSH port 22.
Telnet, DSView software and SSH clients may authenticate using a DS server.
SSH server keys
When SSH is enabled for the first time, the CPS generates an SSH server key. The key generation process may take up to ten minutes. The key is computed at random and is stored in the CPS configuration database.
In most cases, the SSH server key should not be modified because most SSH clients will associate the key with the IP address of the CPS appliance. During the first connection to a new SSH server, the client will display the SSH server’s key. You will be prompted to indicate if it should be stored on the SSH client. After the first connection, most SSH clients will validate the key when connecting to the CPS appliance. This provides an extra layer of security because the SSH client can verify the key sent by the server each time it connects.
When you disable SSH and later reenable it, you may either use the existing server key or compute a new one. If you are reenabling the same server at the same IP address, it is recommended that you use the existing key, as SSH clients may be using it for verification. If you are moving the CPS appliance to another location and changing the IP address, you may wish to generate a new SSH server key.
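The client-side behaviour this section describes, storing the server key on the first connection and validating it on every later one, as an added example that is not from this manual or the CPS firmware; the host name, exponent and modulus values are constructed, and a real RSA modulus would of course be a product of two primes:

```python
import base64
import hashlib
import struct

# Host-key store keyed by appliance address, mirroring an SSH client's
# known_hosts file: {"cps.example": ("ssh-rsa", "<base64 key blob>")}.
# "cps.example" is a constructed name, not a value from the manual.

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def rsa_key_blob(e: int, n: int) -> str:
    """Build a base64 ssh-rsa public key blob from constructed (e, n) values."""
    def mpint(x: int) -> bytes:
        # One extra byte when the high bit is set, so the value stays positive.
        return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    return base64.b64encode(ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)).decode()

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form SSH clients display (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(known_hosts: dict, host: str, key_type: str, key_b64: str) -> str:
    """First connection: the key is stored (trust on first use). Later
    connections must present the identical key; a different key is reported
    and never silently stored."""
    if host not in known_hosts:
        known_hosts[host] = (key_type, key_b64)
        return "new"            # client prompts the user to store the key
    if known_hosts[host] == (key_type, key_b64):
        return "match"          # the extra verification layer succeeded
    return "mismatch"           # e.g. the appliance computed a new server key

def replace_host_key(known_hosts: dict, host: str, key_type: str, key_b64: str) -> None:
    """Deliberate update after a planned key change (appliance moved, new key
    generated): remove the stale entry, then accept the new key once."""
    known_hosts.pop(host, None)
    known_hosts[host] = (key_type, key_b64)

if __name__ == "__main__":
    store = {}
    old = rsa_key_blob(65537, (1 << 2047) | 0x1234567)  # constructed, not a real key
    new = rsa_key_blob(65537, (1 << 2047) | 0x7654321)  # constructed replacement key
    print(check_host_key(store, "cps.example", "ssh-rsa", old), fingerprint(old))
    print(check_host_key(store, "cps.example", "ssh-rsa", new), fingerprint(new))
```

The second call reports a mismatch, which is what an operator sees after re-enabling SSH with a newly generated key instead of the existing one.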
Authenticating an SSH user
SSH is enabled and disabled with the Server SSH command. When you enable SSH, you may specify the authentication method(s) that will be used for SSH connections. The method may be a password, an SSH key or both. A user’s password and SSH key are specified with a User Add or User Set command. All SSH keys must be RSA keys. DSA keys are not supported.
Table 3.2 lists and describes the valid SSH authentication methods that may be specified with a Server SSH command.
Table 3.2: SSH Authentication Methods
Method | Description
PW (default) | SSH connections will be authenticated with a username/password. With this method, a user’s definition must include a valid password in order for that user to authenticate an SSH session. A password may authenticate to a DSView software or RADIUS server or to the local user database.
KEY | SSH connections will be authenticated with an SSH key. With this method, a user’s definition must include valid SSH key information in order for that user to authenticate an SSH session. Key authentication is always local; RADIUS is not supported. For more information, see SSH user keys on page 18.