Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

Option A: Configuring SSH Access for Password-Only SSH Authentication

When configured with this option, the switch uses its public key to authenticate itself to a client, but uses only passwords for client authentication.

Syntax: aaa authentication ssh login < local | tacacs | radius | public-key > [< local | none | authorized >]

Configures a password method for the primary and secondary login (Operator) access. If you do not specify an optional secondary method, it defaults to none. If the primary method is local, the secondary method must be none.

The authorized option allows access without authentication.

aaa authentication ssh enable < local | tacacs | radius | public-key > [< local | none | authorized >]

Configures a password method for the primary and secondary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none. If the primary method is local, the secondary method must be none.

The authorized option allows access without authentication.
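The two command forms above share one grammar and the same constraints (a secondary method that defaults to none, local requiring none as secondary, and authorized granting access without authentication). The following audit script, added here as an example and not part of the switch manual, parses those lines out of a saved configuration and reports invalid or weak settings; the sample configurations and the SAMPLE_* names are constructed for the example.

```python
import re

# Method names exactly as the manual lists them for the ssh login/enable commands.
PRIMARY_METHODS = {"local", "tacacs", "radius", "public-key"}
SECONDARY_METHODS = {"local", "none", "authorized"}

# Matches "aaa authentication ssh login|enable <primary> [<secondary>]".
LINE_RE = re.compile(
    r"^\s*aaa authentication ssh (login|enable)\s+(\S+)(?:\s+(\S+))?\s*$"
)


def parse_ssh_auth(config_text):
    """Return {"login"|"enable": (primary, secondary)} from a switch config.

    An omitted secondary method is recorded as "none", which is the default
    the manual states when no secondary method is given.
    """
    methods = {}
    for line in config_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            level, primary, secondary = match.groups()
            methods[level] = (primary, secondary or "none")
    return methods


def audit_ssh_auth(config_text):
    """Return a list of findings for invalid or weak SSH authentication settings."""
    findings = []
    for level, (primary, secondary) in parse_ssh_auth(config_text).items():
        if primary not in PRIMARY_METHODS:
            findings.append(f"{level}: unknown primary method '{primary}'")
        if secondary not in SECONDARY_METHODS:
            findings.append(f"{level}: unknown secondary method '{secondary}'")
        if primary == "local" and secondary != "none":
            findings.append(f"{level}: primary 'local' requires secondary 'none'")
        if secondary == "authorized":
            findings.append(f"{level}: 'authorized' allows access without authentication")
    return findings


# Constructed sample: Manager access falls back to 'authorized' (weak).
SAMPLE_WEAK = """hostname "constructed-switch"
aaa authentication ssh login public-key none
aaa authentication ssh enable radius authorized
"""

# Constructed sample: password-only access with local fallback for login.
SAMPLE_HARDENED = """aaa authentication ssh login radius local
aaa authentication ssh enable local
"""

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_ssh_auth(cfg) or "no findings")
```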

Option B: Configuring the Switch for Client Public-Key SSH Authentication

If configured with this option, the switch uses its public key to authenticate itself to a client, but the client must also provide a client public-key for the switch to authenticate. This option requires the additional step of copying a client public-key file from a TFTP server into the switch. This means that before you can use this option, you must:

1. Create a key pair on an SSH client.

2. Copy the client's public key into a public-key file (which can contain up to ten client public-keys).

3. Copy the public-key file into a TFTP server accessible to the switch and download the file to the switch.

(For more on these topics, refer to "Further Information on SSH Client Public-Key Authentication" on page 7-23.)

With steps 1-3 above completed and SSH properly configured on the switch, when an SSH client contacts the switch, login authentication occurs first, automatically, using the switch and client public keys. After the client gains login access, the switch controls client access to the Manager level by requiring the passwords configured earlier with the aaa authentication ssh enable command.

7-20