50-2
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 50 X.509v3 Certificates for SSH Authentication
Restrictions for X.509v3 Certificates for SSH Authentication
Restrictions for X.509v3 Certificates for SSH Authentication
• The X.509v3 Certificates for SSH Authentication feature implementation is applicable only on the
Cisco IOS Secure Shell (SSH) server side.
• The Cisco IOS SSH server supports only the x509v3-ssh-rsa algorithm-based certificate for server
and user authentication.
• The Rivest, Shamir, and Adelman (RSA) 2-factor authentication on Catalyst 4506 SUP7L-E
switches and Cisco Identity Services Engine (ISE) does not work correctly, when a user enters the
incorrect password. Normal authentication and interworking with Cisco Adaptive Security
Appliance (ASA) works fine. Configure the ip ssh server algorithm authentication keyboard
command for the authentication to work.
Information About X.509v3 Certificates for SSH Authentication
• X.509v3 Certificates for SSH Authentication Overview, page 50-2
• Server and User Authentication Using X.509v3, page 50-2
• OCSP Response Stapling, page 50-3
X.509v3 Certificates for SSH Authentication Overview
The Secure Shell (SSH) protocol provides a secure remote access connection to network devices. The
communication between the client and server is encrypted.
There are two SSH protocols that use public key cryptography for authentication. The Transport Layer
Protocol, uses a digital signature algorithm (called the public key algorithm) to authenticate the server
to the client. And the User Authentication Protocol uses a digital signature to authenticate (public key
authentication) the client to the server.
The validity of the authentication depends upon the strength of the linkage between the public signing
key and the identity of the signer. Digital certificates, such as those in X.509 Version 3 (X.509v3), are
used to provide identity management. X.509v3 uses a chain of signatures by a trusted root certification
authority and intermediate certificate authorities to bind a public signing key to a specific digital
identity. This implementation allows the use of a public key algorithm for server and user authentication,
and allows SSH to verify the identity of the owner of a key pair via digital certificates, signed and issued
by a Certificate Authority (CA).
Server and User Authentication Using X.509v3
For server authentication, the Secure shell (SSH) server sends its own certificate to the SSH client for
verification. This server certificate is associated with the trustpoint configured in the server certificate
profile (ssh-server-cert-profile-server configuration mode).
For user authentication, the SSH client sends the user's certificate to the IOS SSH server for verification.
The SSH server validates the incoming user certificate using public key infrastructure (PKI) trustpoints
configured in the server certificate profile (ssh-server-cert-profile-user configuration mode).
By default, certificate-based authentication is enabled for server and user at the IOS SSH server end.
To Next Page
Loading...
