Enhancements in Release F.04.08

Configuring Secure Shell (SSH)

Feature                                            | Default  | Menu | CLI          | Web
---------------------------------------------------|----------|------|--------------|----
Generating a public/private key pair on the switch | No       | n/a  | page 85      | n/a
Using the switch’s public key                      | n/a      | n/a  | page 87      | n/a
Enabling SSH                                       | Disabled | n/a  | page 89      | n/a
Enabling client public-key authentication          | Disabled | n/a  | pages 92, 95 | n/a
Enabling user authentication                       | Disabled | n/a  | page 92      | n/a

The Series 2500 switches use Secure Shell version 1 (SSHv1) to provide remote access to management functions on the switches via encrypted paths between the switch and management station clients capable of SSHv1 operation. (The switches can be authenticated by SSHv2 clients that support SSHv1.) However, to use the reverse option—authenticating an SSHv2 user to the switch—you must have a method for converting the SSHv2 PEM public-key format to non-encoded ASCII. Refer to "PEM (Privacy Enhanced Mode)" on page 80.
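The conversion the paragraph above calls for, an SSHv2 public-key block (the "---- BEGIN SSH2 PUBLIC KEY ----" form that SSHv2 clients export) turned into the SSHv1 "bits exponent modulus" decimal ASCII line the switch accepts, as an added Python example that is not part of the manual. The key values are constructed samples, not a real key pair, and the function names are mine.

```python
import base64
import struct

# Constructed sample values (not a real key pair): RSA public exponent and a
# 128-bit modulus used only to exercise the encoder/decoder below.
SAMPLE_E = 65537
SAMPLE_N = 0xC2D3E4F5A6B7C8D9E0F1A2B3C4D5E6F7

def _mpint(value: int) -> bytes:
    """SSH mpint: big-endian, length-prefixed, leading 0x00 when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw

def make_ssh2_public_key(e: int, n: int, key_type: bytes = b"ssh-rsa") -> str:
    """Build a constructed RFC 4716 public-key block (what SSHv2 clients export)."""
    blob = struct.pack(">I", len(key_type)) + key_type + _mpint(e) + _mpint(n)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("---- BEGIN SSH2 PUBLIC KEY ----\n"
            'Comment: "constructed sample"\n'
            f"{body}\n---- END SSH2 PUBLIC KEY ----\n")

def _read_string(blob: bytes, pos: int):
    """Read one SSH length-prefixed string starting at pos; return (data, next_pos)."""
    (length,) = struct.unpack_from(">I", blob, pos)
    return blob[pos + 4:pos + 4 + length], pos + 4 + length

def ssh2_to_ssh1(text: str) -> str:
    """Convert an SSH2 public-key block to the SSH1 'bits e n' decimal ASCII line."""
    b64, inside, continued = [], False, False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("---- BEGIN"):
            inside = True
        elif line.startswith("---- END"):
            break
        elif inside:
            # RFC 4716 headers ("Comment: ...") may continue on lines ending in a
            # backslash; base64 never contains ':' so headers are easy to tell apart.
            is_header = continued or ":" in line
            continued = is_header and line.endswith("\\")
            if not is_header:
                b64.append(line)
    blob = base64.b64decode("".join(b64))
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError(f"unsupported key type {key_type!r}; the switch needs RSA")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, _ = _read_string(blob, pos)
    e, n = int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")
    return f"{n.bit_length()} {e} {n}"
```

The returned line is the form stored on the switch for client public-key authentication; an optional comment may follow the modulus.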

SSH provides Telnet-like functions but, unlike Telnet, SSH provides encrypted, authenticated transactions. The authentication types include:

• Client public-key authentication
• Switch SSH and user password authentication

Client Public Key Authentication (Login/Operator Level) with User Password Authentication (Enable/Manager Level). This option uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch. (The same private key can be stored on one or more clients.)

[Figure 26. Client Public Key Authentication Model: a client workstation connects over SSH to a Series 2500 switch (SSH server). The figure shows three authentication steps: 1. Switch-to-Client SSH authentication; 2. Client-to-Switch (login rsa) authentication; 3. User-to-Switch (enable password) authentication, with options Local, TACACS+, RADIUS, None.]

78