361
Configuring the device as an SSH server
SSH server configuration task list
Tasks at a glance Remarks
(Required.) Generating local key pairs N/A
(Required.) Enabling the Stelnet server Required only for Stelnet servers.
(Required.) Enabling the SFTP server Required only for SFTP servers.
(Required.) Enabling the SCP server Required only for SCP servers.
(Required.) Enabling NETCONF over SSH Required only for NETCONF-over-SSH servers.
(Required.) Configuring the user lines for SSH login
Required only for Stelnet and
NETCONF-over-SSH servers.
(Required.) Configuring a client's host public key
Required if the authentication method is
publickey
,
password-publickey,
or
any
.
Configuring the PKI domain for verifying the client's
digital certificate
See "Configuring PKI."
Req
uired if the following conditions exist:
• The authentication method is publickey.
• The client sends its public key to the server
through a digital certificate for validity check.
The PKI domain must have the CA certificate to
verify the client's digital certificate.
(Required/optional.) Configuring an SSH user
Required if the authentication method is
publickey
,
password-publickey,
or
any
.
Optional if the authentication method is
password
.
(Optional.) Configuring the SSH management
parameters
N/A
(Optional.) Specifying a PKI domain for the SSH server N/A
Generating local key pairs
The DSA, ECDSA, or RSA key pairs on the SSH server are required for generating the session keys
and session ID in the key exchange stage. They can also be used by a client to authenticate the
server. When a client authenticates the server, it compares the public key received from the server
with the server's public key that the client saved locally. If the keys are consistent, the client uses the
locally saved server's public key to decrypt the digital signature received from the server. If the
decryption succeeds, the server passes the authentication.
The SSH application starts when you execute an SSH server command on the device. If the device
does not have RSA key pairs with default names, the device automatically generates one RSA
server key pair and one RSA host key pair. Both key pairs use their default names. You can also use
the public-key local create command to generate DSA, ECDSA, or RSA key pairs on the device.
Configuration restrictions and guidelines
When you generate local key pairs, follow these restrictions and guidelines:
• Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names
to the key pairs.
To Next Page
Loading...
