6-20
Configuring Secure Shell (SSH)
Configuring the Switch for SSH Operation
Caution To allow SSH access only to clients having the correct public key, you must
configure the secondary (password) method for login public-key to none.
Otherwise a client without the correct public key can still gain entry by
submitting a correct local login password.
For example, assume that you have a client public-key file named Client-
Keys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the
switch. For SSH access to the switch you want to allow only clients having a
private key that matches a public key found in Client-Keys.pub. For Manager-
level (enable) access for successful SSH clients you want to use TACACS+ for
primary password authentication and local for secondary password authenti-
cation, with a Manager username of "1eader" and a password of "m0ns00n".
To set up this operation you would configure the switch in a manner similar
to the following:
Syntax: copy tftp pub-key-file < ip-address > < filename >
Copies a public key file into the switch.
aaa authentication ssh login public-key
Configures the switch to authenticate a client public-key at
the login level with an optional secondary password method
(Default: none).
Note: The secondary access cannot be local.
Syntax: aaa authentication ssh enable < local | tacacs | radius > < local | none >
Configures a password method for the primary and second-
ary enable (Manager) access. If you do not specify an
optional secondary method, it defaults to none.
Note: If the primary access is local, the secondary access
cannot be local.
To Next Page
Loading...
Need help?
General
