Page 52 7450 ESS System Management Guide
Other Security Features
Secure Shell (SSH)
Secure Shell Version 1 (SSH) is a protocol that provides a secure, encrypted Telnet-like connection to a router. A connection is always initiated by the client (the user). Authentication takes place by one of the configured authentication methods (local, RADIUS, or TACACS+). With authentication and encryption, SSH allows for a secure connection over an insecure network.
The OS allows you to configure Secure Shell (SSH) Version 2 (SSH2). SSH1 and SSH2 are different protocols and encrypt different parts of the packet. SSH1 uses server keys as well as host keys to authenticate systems, whereas SSH2 uses only host keys. SSH2 does not use the same networking implementation as SSH1 and is considered a more secure, efficient, and portable version of SSH.
SSH runs on top of a transport layer (like TCP or IP), and provides authentication and 
encryption capabilities.
The OS has a global SSH server process to support inbound SSH and SCP sessions initiated by external SSH or SCP client applications. The SSH server supports SSHv1. Note that this server process is separate from the SSH and SCP client commands on the router, which initiate outbound SSH and SCP sessions.
Inbound SSH sessions are counted as inbound Telnet sessions for the purposes of the maximum number of inbound sessions specified by Login Control. Inbound SCP sessions are counted as inbound FTP sessions by Login Control.
When the SSH server is enabled, an SSH security key is generated. The key is only valid until either the node is restarted or the SSH server is stopped and restarted (unless the preserve-key option is configured for SSH). The key size is non-configurable and set at 1024 bits. When the server is enabled, both inbound SSH and SCP sessions are accepted, provided the session is properly authenticated.
When the global SSH server process is disabled, no inbound SSH or SCP sessions will be 
accepted.
When using SCP to copy files from an external device to the file system, the SCP server accepts either forward slash (“/”) or backslash (“\”) characters to delimit directory and file names. Similarly, the SCP client application can use either slash or backslash characters, but not all SCP clients treat backslash characters as equivalent to slash characters. In particular, UNIX systems often interpret the backslash character as an “escape” character, which is not transmitted to the SCP server. For example, a destination
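The delimiter behaviour described above, shown as an added example that is not from the guide: a POSIX shell re-parses an unquoted SCP destination and strips the backslashes before scp ever runs, while the router's SCP server would have accepted either delimiter. The destination string is constructed for the demonstration; the "cf3:" prefix is an assumption, not a value taken from this page.

```shell
#!/bin/sh
# Added example (not part of the 7450 ESS guide). Demonstrates how a UNIX
# shell treats backslashes in an SCP destination argument.

# Emulates typing the argument UNQUOTED on the command line: eval makes the
# shell re-parse the string, so every "\x" collapses to "x" before the SCP
# client sees it. Only use with constructed demonstration strings.
as_typed_unquoted() {
    eval "printf '%s' $1"
}

# Emulates the same argument typed inside single quotes: the shell passes the
# string through untouched, so the backslashes reach the SCP client intact.
as_typed_quoted() {
    printf '%s' "$1"
}

# How many path components an SCP server that accepts "/" or "\" as
# equivalent delimiters (as the guide says this server does) would see.
count_components() {
    printf '%s' "$1" | tr '\\' '/' | awk -F/ '{print NF}'
}

# Constructed destination: device prefix, one directory, one file name.
DEST='cf3:\dir\file.cfg'

echo "typed unquoted : $(as_typed_unquoted "$DEST")"   # cf3:dirfile.cfg
echo "typed quoted   : $(as_typed_quoted "$DEST")"     # cf3:\dir\file.cfg
echo "components seen: $(count_components "$(as_typed_unquoted "$DEST")")" # 1
echo "components seen: $(count_components "$(as_typed_quoted "$DEST")")"   # 3
```

Quoting the destination (or using forward slashes, which the server also accepts) is what keeps the directory structure intact when copying from a UNIX client.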