Enhancements in Release F.04.08

Configuring Secure Shell (SSH)

3. Providing the Switch’s Public Key to Clients

When an SSH client contacts the switch for the first time, the client will challenge the connection unless you have already copied the key into the client’s "known host" file. Copying the switch’s key in this way reduces the chance that an unauthorized device can pose as the switch to learn your access passwords. The most secure way to acquire the switch’s public key for distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below.

Note on the Public Key Format

The switch uses SSH version 1, but can be authenticated by SSH version 2 clients that are backwards-compatible with SSHv1. However, if your SSH client supports SSHv2, it may use the PEM format for storing the switch’s public key in its "known host" file. In this case, the following procedure will not work for the client unless you have a method for converting the switch’s ASCII-string public key into the PEM format. If you do not have a conversion method, you can still set up authentication of the switch to the client over the network by using your client to contact the switch and then accepting the challenge your client should present before it accepts the switch’s key. This should be acceptable as long as you are confident that there is no "man-in-the-middle" spoofing attempt during the first contact. Because the client acquires the switch’s public key when you accept the challenge, subsequent contacts between the client and the switch should be secure.

The public key generated by the switch consists of three parts, separated by one blank space each:

Key Size   Encoded Public Exponent   Encoded Modulus

896        35                        4271994707660774263666250605799242148515279332487520218551264932934075407047828604329304580321402733049991670046707698543529734853020017677705535554455688099223158023805605624544422438995550031020033619136104697860200924362326493742940606277775066017471465633375254464 01

Figure 32. Example of a Public Key Generated by the Switch

(The generated public key on the switch is always 896 bits.)

With a direct serial connection from a management station to the switch:

1. Use a terminal application such as HyperTerminal to display the switch’s public key with the show ip host-public-key command, as shown in figure 31.

2. Bring up the SSH client’s "known host" file in a text editor such as Notepad as straight ASCII text, and copy the switch’s public key into the file.
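As an added example (not part of this manual), the following Python parses the three-part key string described above, checks that the modulus really is the declared 896 bits before you paste it into a known-host file, and computes a fingerprint you can compare against the one a client displays when it challenges the first connection. The fingerprint convention (MD5 over the big-endian modulus bytes followed by the exponent bytes, which I understand to be the SSHv1 convention used by OpenSSH), the "host bits exponent modulus" known-host line layout, and the host name switch1 are assumptions.

```python
import hashlib

# Constructed sample in the switch's three-part format (key size, encoded
# public exponent, encoded modulus), using the modulus shown in Figure 32.
SWITCH_KEY = (
    "896 35 "
    "427199470766077426366625060579924214851527933248752021855126493"
    "2934075407047828604329304580321402733049991670046707698543529734853020"
    "0176777055355544556880992231580238056056245444224389955500310200336191"
    "3610469786020092436232649374294060627777506601747146563337525446401"
)


def parse_switch_key(text):
    """Split 'bits exponent modulus' and sanity-check the three fields."""
    parts = text.split()
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("expected three space-separated decimal fields")
    bits, e, n = (int(p) for p in parts)
    # A pasted key that lost or gained digits will not match its own header.
    if n.bit_length() != bits:
        raise ValueError(f"modulus is {n.bit_length()} bits, header says {bits}")
    if n % 2 == 0 or e < 3:
        raise ValueError("RSA modulus must be odd and exponent at least 3")
    return bits, e, n


def is_valid_switch_key(text):
    """True if the string parses and is internally consistent."""
    try:
        parse_switch_key(text)
        return True
    except ValueError:
        return False


def ssh1_fingerprint(e, n):
    """MD5 over modulus bytes then exponent bytes, shown as colon-separated hex
    (assumed SSHv1 fingerprint convention; compare with the client's challenge)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw += e.to_bytes((e.bit_length() + 7) // 8, "big")
    digest = hashlib.md5(raw).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def known_hosts_line(host, text):
    """Assumed SSHv1 known-host layout: 'host bits exponent modulus'."""
    bits, e, n = parse_switch_key(text)
    return f"{host} {bits} {e} {n}"


if __name__ == "__main__":
    bits, e, n = parse_switch_key(SWITCH_KEY)
    print(known_hosts_line("switch1", SWITCH_KEY))  # assumed host name
    print("fingerprint:", ssh1_fingerprint(e, n))
```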
