Enhancements in Release F.04.08

Configuring Secure Shell (SSH)

(For more on these topics, refer to “Further Information on SSH Client Public-Key Authentication” on page 95.)

With steps 1 - 3 above completed and SSH properly configured on the switch, when an SSH client contacts the switch, login authentication occurs first, automatically, using the switch and client public keys. After the client gains login access, the switch controls client access to the Manager level by requiring the passwords configured earlier with the aaa authentication ssh enable command.

Syntax: copy tftp pub-key-file < ip-address > < filename >

    Copies a public key file into the switch.

aaa authentication ssh login rsa < local | none >

    Configures the switch to authenticate a client public key at the login level, with an optional secondary password method (default: none).

Caution

To allow SSH access only to clients having the correct public key, you must configure the secondary (password) method for login rsa to none. Otherwise a client without the correct public key can still gain entry by submitting a correct local login password.

aaa authentication ssh enable < local | tacacs | radius > < local | none >

    Configures a password method for the primary and secondary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none.
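The Caution above is easy to get wrong in practice, because a secondary method of local silently keeps password-only SSH login open. The following audit check is an added example, not part of this manual or the switch software: it parses the two aaa authentication ssh lines out of a saved running-config and reports a finding whenever the login rsa secondary method is anything other than none. The config excerpts are constructed for the example.

```python
import re

# Constructed running-config excerpts (not captured from a real switch).
WEAK_CONFIG = """\
hostname "Switch-A"
aaa authentication ssh login rsa local
aaa authentication ssh enable tacacs local
"""

STRICT_CONFIG = """\
hostname "Switch-B"
aaa authentication ssh login rsa none
aaa authentication ssh enable tacacs local
"""

# aaa authentication ssh login rsa [< local | none >]
LOGIN_RE = re.compile(r"^\s*aaa authentication ssh login rsa(?:\s+(\S+))?\s*$")
# aaa authentication ssh enable < local | tacacs | radius > [< local | none >]
ENABLE_RE = re.compile(r"^\s*aaa authentication ssh enable\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_ssh_auth(config: str) -> dict:
    """Extract the SSH login and enable authentication methods from a config dump."""
    result = {"login_rsa": False, "login_secondary": None,
              "enable_primary": None, "enable_secondary": None}
    for line in config.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            result["login_rsa"] = True
            # An omitted secondary method defaults to none, as the manual states.
            result["login_secondary"] = m.group(1) or "none"
            continue
        m = ENABLE_RE.match(line)
        if m:
            result["enable_primary"] = m.group(1)
            result["enable_secondary"] = m.group(2) or "none"
    return result


def audit_ssh_auth(config: str) -> list:
    """Return a list of findings; an empty list means key-only SSH login is enforced."""
    s = parse_ssh_auth(config)
    findings = []
    if not s["login_rsa"]:
        findings.append("SSH login does not use public-key (rsa) authentication")
    elif s["login_secondary"] != "none":
        findings.append(f"login rsa secondary method is '{s['login_secondary']}': "
                        "a client without the correct public key can still log in with a password")
    if s["enable_primary"] is None:
        findings.append("no 'aaa authentication ssh enable' method is configured")
    return findings
```

Running audit_ssh_auth over WEAK_CONFIG returns one finding; over STRICT_CONFIG it returns none.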

For example, assume that you have a client public-key file named Client-Keys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the switch. For SSH access to the switch you want to allow only clients having a private key that matches a public key found in Client-Keys.pub. For Manager-level (enable) access for successful SSH clients you want to use TACACS+ for primary password authentication and local for secondary password authentication, with a Manager username of "leader" and a password of "m0ns00n". To set up this operation you would configure the switch in a manner similar to the following:
