authenticate user command to remove the ip ssh server authenticate user command from the configuration.
The IOS secure shell (SSH) server will start using the ip ssh server algorithm authentication command.
When you configure the ip ssh server authenticate user command, the following message is displayed:
SSH command accepted; but this CLI will be deprecated soon. Please move to new CLI ip ssh server
algorithm authentication. Please configure the “default ip ssh server authenticate user” to make the
CLI ineffective.
Warning
Restrictions for X.509v3 Certificates for SSH Authentication
•
The X.509v3 Certificates for SSH Authentication feature implementation is applicable only on the Cisco
IOS Secure Shell (SSH) server side.
•
The Cisco IOS SSH server supports only the x509v3-ssh-rsa algorithm-based certificate for server and
user authentication.
Information About X.509v3 Certificates for SSH Authentication
X.509v3 Certificates for SSH Authentication Overview
The Secure Shell (SSH) protocol provides a secure remote access connection to network devices. The
communication between the client and server is encrypted.
There are two SSH protocols that use public key cryptography for authentication. The Transport Layer Protocol,
uses a digital signature algorithm (called the public key algorithm) to authenticate the server to the client. And
the User Authentication Protocol uses a digital signature to authenticate (public key authentication) the client
to the server.
The validity of the authentication depends upon the strength of the linkage between the public signing key
and the identity of the signer. Digital certificates, such as those in X.509 Version 3 (X.509v3), are used to
provide identity management. X.509v3 uses a chain of signatures by a trusted root certification authority and
intermediate certificate authorities to bind a public signing key to a specific digital identity. This implementation
allows the use of a public key algorithm for server and user authentication, and allows SSH to verify the
identity of the owner of a key pair via digital certificates, signed and issued by a Certificate Authority (CA).
Server and User Authentication Using X.509v3
For server authentication, the Secure shell (SSH) server sends its own certificate to the SSH client for
verification. This server certificate is associated with the trustpoint configured in the server certificate profile
(ssh-server-cert-profile-server configuration mode).
For user authentication, the SSH client sends the user's certificate to the IOS SSH server for verification. The
SSH server validates the incoming user certificate using public key infrastructure (PKI) trustpoints configured
in the server certificate profile (ssh-server-cert-profile-user configuration mode).
By default, certificate-based authentication is enabled for server and user at the IOS SSH server end.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1118
Restrictions for X.509v3 Certificates for SSH Authentication
To Next Page
Loading...
Need help?
General
