About the Secure Shell (SSH) server
The Secure Shell (SSH) server allows remote peers to access the router over a secure TCP
connection using a suitable SSH client. The SSH server provides a Telnet-like interface and secure
file transfer capability.
SSH uses a number of keys during a session. The host keys authenticate the router to connecting clients. Keys unique to each SSH session are also generated and are used for encryption and message authentication.
The router supports SSH v1.5 and SSH v2. The host key file format differs for each version, but there would normally be only one host key for each version, so the router allows the user to configure two host key files. These keys may be changed from time to time, specifically if it is suspected that a key has been compromised. Because the host keys need to be kept secret, it is highly recommended to store the files on the router's FLASH filing system using filenames prefixed with priv, which makes it impossible to read the files using any of the normal methods (such as FTP). The genkey command can create host keys in either format for use with SSH; using this utility, it is not necessary to have the host key files present on any other storage device (thus providing an additional level of security). For details on generating a private key file, see Generate an SSH private key from the web interface on page 468.
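Because a client can only authenticate the router by its host key, the practical check on the client side is to pin the host key's fingerprint and refuse a connection when it changes (which is exactly what a key rotation after a suspected compromise would look like). The following is an added example, not code from the router or its manual: it parses an OpenSSH-format public key line, computes the SHA-256 and legacy MD5 fingerprints over the raw key blob in the same way OpenSSH does, and compares a presented key against a pinned fingerprint. The sample key bytes are constructed (not a real key) and only exercise the wire format.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (RFC 4251: uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def parse_public_key_line(line: str):
    """Split an OpenSSH public key line into (key type, raw key blob, comment).

    The blob begins with the key type as an SSH string; it must match the text
    label, otherwise the line has been tampered with or mangled.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode("ascii")
    if embedded_type != key_type:
        raise ValueError(f"key type mismatch: {key_type!r} vs {embedded_type!r}")
    comment = parts[2] if len(parts) == 3 else ""
    return key_type, blob, comment


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated hex MD5 fingerprint, still displayed by older clients."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def host_key_matches_pin(presented_line: str, pinned_fingerprint: str) -> bool:
    """True only if the presented key's SHA-256 fingerprint equals the pinned value."""
    _, blob, _ = parse_public_key_line(presented_line)
    return hmac.compare_digest(sha256_fingerprint(blob), pinned_fingerprint)


# Constructed sample: a fake 32-byte Ed25519 public key (NOT a real key), wrapped in
# the genuine wire format so parsing and hashing are exercised end to end.
FAKE_ED25519_KEY = bytes(range(32))
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(FAKE_ED25519_KEY)
SAMPLE_HOST_KEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " router-host-key"
)

# A rotated or substituted key: same format, one key byte different.
ALTERED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes([1]) + FAKE_ED25519_KEY[1:])
ALTERED_HOST_KEY_LINE = "ssh-ed25519 " + base64.b64encode(ALTERED_BLOB).decode("ascii")

if __name__ == "__main__":
    key_type, blob, comment = parse_public_key_line(SAMPLE_HOST_KEY_LINE)
    pin = sha256_fingerprint(blob)
    print(key_type, comment, pin, md5_fingerprint(blob))
    print("same key accepted:", host_key_matches_pin(SAMPLE_HOST_KEY_LINE, pin))
    print("changed key accepted:", host_key_matches_pin(ALTERED_HOST_KEY_LINE, pin))
```

The pinned fingerprint should be recorded out of band (for example from the router's console after running genkey) and the client should treat a mismatch as a hard failure rather than a prompt, since a silently accepted new key defeats the host authentication the page describes.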
Unlike the Telnet server, you can configure the number of SSH server sockets that listen for new SSH connections. Multiple SSH server instances can be configured; each instance can listen on a separate port number and can use different keys and encryption methods.
You can configure which message authentication (integrity) algorithms can be used in an SSH session and their preferred selection order. The router currently supports MD5, SHA1, MD5-96 and SHA1-96. If required, a public/private key pair can be used for authentication.
The router currently supports 3DES, 3DES-CBC and AES cipher methods.
DEFLATE compression is also supported. If DEFLATE compression is enabled and negotiated, SSH packets are compressed before being encrypted and are then delivered to the remote unit over the TCP socket.
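The cipher, MAC and compression methods above are all settled by the same SSH v2 negotiation rule (RFC 4253, section 7.1): for each category, the chosen algorithm is the first entry in the client's list that also appears in the server's list. The following added example (not code from the router or its manual) implements that rule over the standard algorithm identifiers for the methods the page lists, and shows why the "preferred selection order" configured on a server does not by itself exclude a weak method: a client that prefers a truncated MD5 MAC or 3DES will get it as long as the server still offers it, so the hardening step is to remove the algorithm from the offered list. The client lists are constructed for the demonstration.

```python
# Server-side name-lists for the methods the page describes, using the standard SSH
# identifiers (hmac-* for the MD5/SHA1 MACs, 3des-cbc and aes*-cbc ciphers, zlib for DEFLATE).
SERVER_LISTS = {
    "cipher": ["aes128-cbc", "aes256-cbc", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-md5", "hmac-sha1-96", "hmac-md5-96"],
    "compression": ["none", "zlib"],
}

# Algorithms a hardening review would flag, with the reason.
WEAK_ALGORITHMS = {
    "hmac-md5": "MD5-based MAC",
    "hmac-md5-96": "MD5-based MAC with the tag truncated to 96 bits",
    "hmac-sha1-96": "MAC tag truncated to 96 bits",
    "3des-cbc": "64-bit block cipher",
}

# Constructed client preference lists: this client happens to prefer the weak options.
CLIENT_LISTS = {
    "cipher": ["3des-cbc", "aes128-cbc"],
    "mac": ["hmac-md5-96", "hmac-sha1"],
    "compression": ["zlib", "none"],
}


def choose_algorithm(client_list, server_list):
    """RFC 4253 §7.1: the first algorithm in the client's list that the server also offers."""
    offered = set(server_list)
    for name in client_list:
        if name in offered:
            return name
    return None


def negotiate(client_lists, server_lists):
    """Pick one algorithm per category; a missing match ends the real connection."""
    chosen = {}
    for kind, server_list in server_lists.items():
        alg = choose_algorithm(client_lists.get(kind, []), server_list)
        if alg is None:
            raise ValueError(f"no common {kind} algorithm; SSH would disconnect here")
        chosen[kind] = alg
    return chosen


def audit(server_lists):
    """List the offered algorithms, per category, that appear in WEAK_ALGORITHMS."""
    return {kind: [a for a in lst if a in WEAK_ALGORITHMS] for kind, lst in server_lists.items()}


def without(server_lists, names):
    """Return a copy of the server lists with the given algorithms removed from the offer."""
    return {kind: [a for a in lst if a not in names] for kind, lst in server_lists.items()}


if __name__ == "__main__":
    print("as configured:", negotiate(CLIENT_LISTS, SERVER_LISTS))
    print("flagged:", audit(SERVER_LISTS))
    hardened = without(SERVER_LISTS, set(WEAK_ALGORITHMS))
    print("after removing weak methods:", negotiate(CLIENT_LISTS, hardened))
```

Note that the server's own ordering is never consulted by `choose_algorithm`; reordering the router's list only matters when the router is the client side of a connection. Compression is negotiated the same way, so a client that lists "none" first will get an uncompressed session even if the router enables DEFLATE.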
Note The SSH server supports the SCP file copy protocol but does not support filename wildcards.