Security
7705 SAR OS System Management Guide Page 41
Other Security Features
Secure Shell (SSH)
Secure Shell Version 1 (SSH1) is a protocol that provides a secure, encrypted Telnet-like
connection to a router. A connection is always initiated by the client (the user).
Authentication takes place by one of the configured authentication methods (local,
RADIUS, or TACACS+). With authentication and encryption, SSH allows for a secure
connection over an insecure network.
The 7705 SAR allows you to configure SSH1 or Secure Shell Version 2 (SSH2). SSH1 and
SSH2 are different protocols and encrypt different parts of the packet. SSH1 uses the
server key as well as host keys to authenticate systems, whereas SSH2 uses only host keys.
SSH2 does not use the same networking implementation that SSH1 does and is considered a
more secure, efficient, and portable version of SSH that includes Secure FTP (SFTP). SFTP
is functionally similar to FTP but is SSH2-encrypted. Rather than validating identities via
passwords, SSH2 can also use public key encryption to authenticate remote hosts. For
example, if you were to connect to a remote host also running SSH2, the secure shell would
use public key authentication to verify that the remote system is the genuine host and not a
computer set up to imitate it.
SSH runs on top of a transport layer (such as TCP or IP) and provides authentication and
encryption capabilities. SSH supports remote login to another computer over a network,
remote command execution, and file transfer from one host to another.
The 7705 SAR has a global SSH server process to support inbound SSH and SCP sessions
initiated by external SSH or SCP client applications. The SSH server supports SSH1. Note
that this server process is separate from the SSH and SCP client commands on the
7705 SAR, which initiate outbound SSH and SCP sessions.
Inbound SSH sessions are counted as inbound Telnet sessions for the purposes of the
maximum number of inbound sessions specified by Login Control. Inbound SCP sessions
are counted as inbound FTP sessions by Login Control.
When the SSH server is enabled, an SSH security key is generated. The key is only valid
until either the node is restarted or the SSH server is stopped and restarted. The key size is
non-configurable and set at 1024 bits. When the server is enabled, both inbound SSH and
SCP sessions will be accepted provided the session is properly authenticated.
When the global SSH server process is disabled, no inbound SSH or SCP sessions will be
accepted.
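The two security-relevant points above are that an SSH2 client verifies the server by its host key rather than by a password, and that the 7705 SAR generates a fresh, non-configurable 1024-bit server key every time the node or the SSH server restarts. The second point has a practical consequence for the first: a client that pins the router's host key (for example in an OpenSSH known_hosts file) will see a key mismatch after every restart, which looks identical to an impersonation attempt. The following Python script is an added example, not code from the guide or from the 7705 SAR; it builds constructed placeholder RSA public-key blobs in OpenSSH wire format, computes OpenSSH-style SHA256 fingerprints, parses a constructed known_hosts file, and classifies a presented host key as match, mismatch, or unknown. The host names, addresses and key values are assumptions invented for the example.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length plus payload."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (leading 0x00 if the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Build an OpenSSH 'ssh-rsa' public key blob from exponent e and modulus n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64 of the SHA-256 digest, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map each host name/address to (key type, key blob) from OpenSSH known_hosts lines."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, b64 = line.split()[:3]
        for host in hosts.split(","):
            pinned[host] = (keytype, base64.b64decode(b64))
    return pinned


def verify_host_key(pinned: dict, host: str, keytype: str, presented_blob: bytes) -> str:
    """Classify the key a server presents: 'match', 'mismatch' (changed or impersonated), or 'unknown'."""
    entry = pinned.get(host)
    if entry is None:
        return "unknown"
    pinned_type, pinned_blob = entry
    if pinned_type == keytype and pinned_blob == presented_blob:
        return "match"
    return "mismatch"


# Constructed placeholder keys (not real keys, far smaller than the 1024-bit keys the node
# generates): the key pinned on first contact, and a different key seen on a later connection,
# as a client would see after the node or its SSH server restarted.
PINNED_BLOB = rsa_public_blob(65537, 0xD3B07384D113EDEC49EAA6238AD5FF00)
PRESENTED_BLOB = rsa_public_blob(65537, 0x9C5A2F7E13B84D6A0C3E1F5B7A9D2E41)

# Constructed known_hosts content; host name and address are assumptions for the example.
KNOWN_HOSTS = (
    "# constructed known_hosts for the example\n"
    "sar-node.example,192.0.2.10 ssh-rsa " + base64.b64encode(PINNED_BLOB).decode() + "\n"
)


def check_results() -> dict:
    """Run the three cases a client can hit: unchanged key, changed key, never-seen host."""
    pinned = parse_known_hosts(KNOWN_HOSTS)
    return {
        "same_key": verify_host_key(pinned, "sar-node.example", "ssh-rsa", PINNED_BLOB),
        "changed_key": verify_host_key(pinned, "192.0.2.10", "ssh-rsa", PRESENTED_BLOB),
        "never_seen": verify_host_key(pinned, "198.51.100.7", "ssh-rsa", PRESENTED_BLOB),
    }


if __name__ == "__main__":
    for name, result in check_results().items():
        print(name, result)
    print("pinned fingerprint:   ", fingerprint(PINNED_BLOB))
    print("presented fingerprint:", fingerprint(PRESENTED_BLOB))
```

The "changed_key" case is the one operators need a procedure for: because the node's key is regenerated on every restart, a mismatch cannot be distinguished from impersonation by the client alone, so the new fingerprint should be confirmed through an independent channel (for example the console) and the pinned entry updated deliberately rather than by habitually accepting the change.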