4-19
Configuring Secure Shell (SSH)
Configuring the Switch for SSH Operation
3. Copy the public-key file into a TFTP server accessible to the switch and
download the file to the switch.
(For more on these topics, refer to “MoreInformation on SSH Client Public-
Key Authentication” on page 4-21.)
With steps 1 - 3, above, completed and SSH properly configured on the switch,
if an SSH client contacts the switch, login authentication automatically occurs
first, using the switch and client public-keys. After the client gains login
access, the switch controls client access to the manager level by requring the
passwords configured earlier by the aaa authentication ssh enable command.
Caution To allow SSH access only to clients having the correct public key, you must
configure the secondary (password) method for login rsa to none. Otherwise
a client without the correct public key can still gain entry by submitting a
correct local login password.
For example, assume that you have a client public-key file named Client-
Keys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the
switch. For SSH access to the switch you want to allow only clients having a
private key that matches a public key found in Client-Keys.pub. For Manager-
level (enable) access for successful SSH clients you want to use TACACS+ for
primary password authentication and local for secondary password authenti-
cation, with a Manager username of "1eader" and a password of "m0ns00n".
To set up this operation you would configure the switch in a manner similar
to the following:
Syntax: copy tftp pub-key-file < ip-address > < filename > < local | none >
Copies a public key file into the switch.
aaa authentication ssh login rsa
Configures the switch to authenticate a client public-
key at the login level with an optional secondary pass-
word method (default: none).
Syntax: aaa authentication ssh enable < local | tacacs | radius > < local | none >
Configures a password method for the primary and
secondary enable (Mana ger) access. If you do not
specify an optional secondary method, it defaults to
none.
!FishSecurity.book Page 19 Thursday, October 10, 2002 9:19 PM
To Next Page
Loading...
Need help?
General
