8-6
Configuring Secure Shell (SSH)
Steps for Configuring and Using SSH for Switch and Client Authentication
B. Switch Preparation
1. Assign a login (Operator) and enable (Manager) password on the 
switch (page 8-9).
2. Generate a public/private key pair on the switch (page 8-9).
You need to do this only once. The key remains in the switch even if 
you reset the switch to its factory-default configuration. (You can 
remove or replace this key pair, if necessary.)
3. Copy the switch’s public key to the SSH clients you want to access 
the switch (page 8-12).
4. Enable SSH on the switch (page 8-15).
5. Configure the primary and secondary authentication methods you 
want the switch to use. In all cases, the switch will use its host-public-
key to authenticate itself when initiating an SSH session with a client.
• SSH Login (Operator) options:
– Option A:
Primary: Local, TACACS+, or RADIUS password
Secondary: Local password or none. If the primary 
option is local, the secondary option must be none.
– Option B:
Primary: Client public-key authentication (login public-
key — page 8-25)
Secondary: none
Note that if you want the switch to perform client public-key 
authentication, you must configure the switch with Option B.
• SSH Enable (Manager) options:
Primary: Local, TACACS+, or RADIUS
Secondary: Local password or none. If the primary option is 
local, the secondary option must be none.
6. Use your SSH client to access the  switch using the switch’s IP address 
or DNS name (if allowed by your SSH client application). Refer to the 
documentation provided with the client application.