4-22
Configuring Secure Shell (SSH)
MoreInformation on SSH Client Public-Key Authentication
1. The client sends its public key to the switch with a request for authenti-
cation.
2. The switch compares the client’s public key to those stored in the switch’s
client-public-key file. (As a prerequisite, you must use the switch’s copy
tftp command to download this file to flash.)
3. If there is not a match, and you have not configured the switch to accept
a login password as a secondary authentication method, the switch denies
SSH access to the client.
4. If there is a match, the switch:
a. Generates a random sequence of bytes.
b. Uses the client’s public key to encrypt this sequence.
c. Send these encrypted bytes to the client.
5. The client uses its private key to decrypt the byte sequence.
6. The client then:
a. Combines the decrypted byte sequence with specific session data.
b. Uses MD5 to create a hash version of this information.
c. Returns the hash version to the switch.
7. The switch computes its own hash version of the data in step 6 and
compares it to the client’s hash version. If they match, then the client is
authenticated. Otherwise, the client is denied access.
Using client public-key authentication requires these steps:
1. Generate a public/private key pair for each client you want to have SSH
access to the switch. This can be a separate key for each client or the same
key copied to several clients.
2. Copy the public key for each client into a client-public-key text file. (For
the SSHv1 application used in the switch, this must be in the ASCII format
(without PEM or any other encoding). If you are using an SSHv2 client
application that creates its public key in a PEM-encoded ASCII string, you
will need to convert the client’s public key to a non-encoded version. Refer
to the documentation provided with the application.)
3. Use copy tftp to copy the client-public-key file into the switch. Note that
the switch can hold only one of these files. If there is already a client-
public-key file in the switch and you copy another one into the switch, the
second file replaces the first file.
4. Use the aaa authentication ssh command to enable client public-key
authentication.
!FishSecurity.book Page 22 Thursday, October 10, 2002 9:19 PM
To Next Page
Loading...
Need help?
General
