Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

Syntax: aaa authentication ssh enable < local | tacacs | radius > < local | none >

Configures a password method for the primary and secondary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none.

If the primary access method is local, you can only specify none for a secondary access method.

Note: The configuration of SSH clients’ public keys is stored in flash memory on the switch. You also can save SSH client public-key configurations to a configuration file by entering the following commands:

include-credentials
write memory

For more information about saving security credentials, see “Saving Security Credentials in a Config File” on page 2-10 in this guide.

For example, assume that you have a client public-key file named Client-Keys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the switch. For SSH access to the switch you want to allow only clients having a private key that matches a public key found in Client-Keys.pub. For Manager-level (enable) access for successful SSH clients you want to use TACACS+ for primary password authentication and local for secondary password authentication, with a Manager username of "1eader" and a password of "m0ns00n". To set up this operation you would configure the switch in a manner similar to the following:
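
One way the configuration described above could look, as an added example that is not the guide's own figure. The `password manager`, `copy tftp pub-key-file`, `aaa authentication ssh login` and `show authentication` command forms do not appear in this section and are assumed from the same CLI, so check them against your software release; a TACACS+ server is assumed to be configured on the switch already.

```text
; Added example, not the guide's own figure.
; Entered from the global configuration context.
; Assumption: a TACACS+ server is already configured on the switch.

; Local Manager credentials, used as the secondary enable method.
; The switch prompts for the password ("m0ns00n" in this example),
; so it is not typed on the command line.
password manager user-name 1eader

; Download the client public-key file from the TFTP server.
copy tftp pub-key-file 10.33.18.117 Client-Keys.pub

; SSH login: accept only clients whose private key matches a
; public key stored on the switch; no secondary login method.
aaa authentication ssh login public-key none

; Enable (Manager) level: TACACS+ primary, local secondary.
aaa authentication ssh enable tacacs local

; Save the running configuration.
write memory

; Confirm the primary and secondary methods now in effect.
show authentication
```

Because the secondary enable method is local, the local Manager password is what protects Manager-level access when the TACACS+ method cannot be used.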
