4-16
Configuring Secure Shell (SSH)
Configuring the Switch for SSH Operation
Note When an SSH client connects to the switch for the first time, it is possible for
a "man-in-the-middle" attack; that is, for an unauthorized device to pose
undetected as the switch, and learn the usernames and passwords controlling
access to the switch. You can remove this possibility by directly connecting
the management station to the switch’s serial port, using a show command to
display the switch’s public key, and copying the key from the display into a
file. This requires a knowledge of where your client stores public keys, plus
the knowledge of what key editing and file format might be required by your
client application. However, if your first contact attempt between a client and
the switch does not pose a security problem, this is unnecessary.
To enable SSH on the switch.
1. Generate a public/private key pair if you have not already done so. (Refer
to “2. Generating the Switch’s Public and Private Key Pair” on page 4-10.)
2. Execute the ip ssh command.
To disable SSH on the switch, do either of the following:
Execute no ip ssh.
Zeroize the switch’s existing key pair. (page 4-11).
Syntax: [no] ip ssh
Enables or disables SSH on the switch.
[key-size < 512 | 768 | 1024 >]
The size of the internal, automatically generated
key the switch uses for negotiations with an SSH
client. A larger key provides greater security; a
smaller key results in faster authentication
(default: 512 bits). See “Note on Port Number” on
page 4-17.
[port < 1-65535 | default >]
The IP port number for SSH connections (default:
22). Important: See “Note on Port Number” on
page 4-17.
[timeout < 5 - 120 >]
The SSH login timeout value (default: 120 seconds).
!FishSecurity.book Page 16 Thursday, October 10, 2002 9:19 PM
To Next Page
Loading...
