User authentication—RSA-based user authentication uses a private/public key pair associated with each user
for authentication. The user must generate a private/public key pair on the client and configure a public key
on the Cisco SSH server to complete the authentication.
An SSH user trying to establish credentials provides an encrypted signature using the private key. The signature
and the user’s public key are sent to the SSH server for authentication. The SSH server computes a hash over
the public key provided by the user. The hash is used to determine if the server has a matching entry. If a
match is found, an RSA-based message verification is performed using the public key. Hence, the user is
authenticated or denied access based on the encrypted signature.
Server authentication—While establishing an SSH session, the Cisco SSH client authenticates the SSH server
by using the server host keys available during the key exchange phase. SSH server keys are used to identify
the SSH server. These keys are created at the time of enabling SSH and must be configured on the client.
For server authentication, the Cisco SSH client must assign a host key for each server. When the client tries
to establish an SSH session with a server, the client receives the signature of the server as part of the key
exchange message. If the strict host key checking flag is enabled on the client, the client checks if it has the
host key entry corresponding to the server. If a match is found, the client tries to validate the signature by
using the server host key. If the server is successfully authenticated, the session establishment continues;
otherwise, it is terminated and displays a “Server Authentication Failed” message.
Storing public keys on a server uses memory; therefore, the number of public keys configurable on an
SSH server is restricted to ten users, with a maximum of two public keys per user.
Note
RSA-based user authentication is supported by the Cisco server, but Cisco clients cannot propose public
key as an authentication method. If the Cisco server receives a request from an open SSH client for
RSA-based authentication, the server accepts the authentication request.
Note
For server authentication, configure the RSA public key of the server manually and configure the ip ssh
stricthostkeycheck command on the Cisco SSH client.
Note
SNMP Trap Generation
Depending on your release, Simple Network Management Protocol (SNMP) traps are generated automatically
when an SSH session terminates if the traps have been enabled and SNMP debugging has been enabled. For
information about enabling SNMP traps, see the “Configuring SNMP Support” module in the SNMP
Configuration Guide.
When you configure the snmp-server host command, the IP address must be the address of the PC that
has the SSH (telnet) client and that has IP connectivity to the SSH server.
Note
You must also enable SNMP debugging using the debug snmp packet command to display the traps. The
trap information includes information such as the number of bytes sent and the protocol that was used for the
SSH session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1091
Information About Secure Shell Version 2 Support
To Next Page
Loading...
Need help?
General
