BigIron RX Series Configuration Guide 915
53-1002253-01
Configuring SSH
30
• DSA challenge-response authentication, where a collection of public keys are stored on the
device. Only clients with a private key that corresponds to one of the stored public keys can
gain access to the device using SSH.
• Password authentication, where users attempting to gain access to the device using an SSH
client are authenticated with passwords stored on the device or on a TACACS, TACACS+ or
RADIUS server
Both kinds of user authentication are enabled by default. You can configure the device to use one
or both of them.
To configure Secure Shell on a device, do the following.
1. Generate a host DSA public and private key pair for the device.
2. Configure DSA challenge-response authentication.
3. Set optional parameters.
You can also view information about active SSH connections on the device as well as terminate
them.
Generating a host key pair
When SSH is configured, a public and private host DSA key pair is generated for the device. The
SSH server on the device uses this host DSA key pair, along with a dynamically generated server
DSA key pair, to negotiate a session key and encryption method with the client trying to connect to
it.
The host DSA key pair is stored in the device’s system-config file. Only the public key is readable.
The public key should be added to a “known hosts” file (for example, $HOME/.ssh/known_hosts on
UNIX systems) on the clients who want to access the device. Some SSH client programs add the
public key to the known hosts file automatically; in other cases, you must manually create a known
hosts file and place the device’s public key in it. Refer to “Providing the public key to clients” on
page 916 for an example of what to place in the known hosts file.
While the SSH listener exists at all times, sessions can't be started from clients until a key is
generated. Once a key is generated, clients can start sessions. The keys are also not displayed in
the configuration file by default. To display the keys, use the ssh show-host-keys command in
Privileged EXEC mode. To generate a public and private DSA host key pair on a device, enter the
following commands.
BigIron RX(config)# crypto key generate
When a host key pair is generated, it is saved to the flash memory of all management modules.
To disable SSH in SSHv2 on a device, enter the following commands.
BigIron RX(config)# crypto key zeroize
When SSH is disabled, it is deleted from the flash memory of all management modules.
Syntax: crypto key generate | zeroize
The generate keyword places an DSA host key pair in the flash memory and enables SSH on the
device.
The zeroize keyword deletes the DSA host key pair from the flash memory and disables SSH on the
device.
To Next Page
Loading...
