Recreating ssh keys, Generating a host key pair – Brocade TurboIron 24X Series Configuration Guide User Manual

122

Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

Configuring SSH2

•

Password authentication, where users attempting to gain access to the device using an SSH
client are authenticated with passwords stored on the device or on a TACACS/TACACS+ or
RADIUS server

Both kinds of user authentication are enabled by default. You can configure the device to use one
or both of them.

Follow the steps given below to configure Secure Shell on a device.

1. If necessary, recreate the SSH keys

2. Generate a host DSA public and private key pair for the device

3. Configure DSA challenge-response authentication

4. Set optional parameters

You can also view information about active SSH connections on the device as well as terminate
them.

Recreating SSH keys

You must recreate SSH keys after any one of the following events:

•

After upgrading from a software release that supports SSH1, to a software release that
supports SSH2.

•

After downgrading a software release that supports SSH2, to a software release that supports
SSH1

To recreate SSH keys, enter the following command.

TurboIron(config)#crypto key generate

Syntax: crypto key generate

Generating a host key pair

When SSH is configured, a public and private host DSA key pair is generated for the device. The
SSH server on the device uses this host DSA key pair, along with a dynamically generated server
DSA key pair, to negotiate a session key and encryption method with the client trying to connect to
it.

The host DSA key pair is stored in the system-config file of the device. Only the public key is
readable. The public key should be added to a “known hosts” file (for example,
$HOME/.ssh/known_hosts on UNIX systems) on the clients who want to access the device. Some
SSH client programs add the public key to the known hosts file automatically; in other cases, you
must manually create a known hosts file and place the public key of the device in it.

While the SSH listener exists at all times, sessions can not be started from clients until a key is
generated. Once a key is generated, clients can start sessions. The keys are also not displayed in
the configuration file by default. To display the keys, use the ssh show-host-keys command in
Privileged EXEC mode.

To generate a public and private DSA host key pair on a device, enter the following command.

TurboIron(config)#crypto key generate

When a host key pair is generated, it is saved to the flash memory of all management modules.

To disable SSH2 on a device, enter the following command.