Telnet and ssh overview, Ssh server key exchange and authentication – Brocade Network OS Administrator’s Guide v4.1.1 User Manual


Telnet and SSH overview

Telnet and Secure Shell (SSH) are mechanisms for allowing secure access to management functions
on a remote networking device. SSH provides a function similar to Telnet, but unlike Telnet, which
offers no security, SSH provides a secure, encrypted connection to the device.

SSH and Telnet support is available in privileged EXEC mode on all Brocade VDX platforms. Both
IPv4 and IPv6 addresses are supported.

Telnet and SSH services are enabled by default on the switch. When the Telnet server or SSH server
is disabled, access to the switch is not allowed for inbound Telnet or SSH connections, thereby
restricting remote access to the switch.

In configuration mode, the CLI can be used to disable Telnet or SSH service on the switch. Doing so
will terminate existing inbound Telnet or SSH connections and block any new inbound Telnet or SSH
connections to the switch. Additional inbound Telnet or SSH connections will not be allowed until the
Telnet server or SSH server is re-enabled. If you have admin privileges, you can re-enable inbound
Telnet or SSH connections from configuration mode.

If you are in logical chassis cluster mode (refer to Operational modes on page 55), the command for
enabling or disabling Telnet or SSH services is not distributed across the cluster. The RBridge ID of
the node should be used to configure the service on individual nodes.

In operational mode, you can use the show command to display whether Telnet or SSH is enabled or
disabled on the switch.

SSH server key exchange and authentication

The Secure Shell (SSH) protocol allows users to authenticate using public and private key pairs
instead of passwords. In password-based authentication, the user must enter a password to be
authenticated. In public-key authentication, the user holds the private key on the local machine and
the matching public key is installed on the remote machine. The user must be logged in to the local
machine to be authenticated. If a passphrase was provided when the key pair was generated, it must
be entered to decrypt the private key during authentication.

SSH key exchange specifies the method used to generate the one-time session keys for encryption
and authentication with the SSH server. The SSH server key-exchange method can be configured to
DH Group 14. When the SSH server key-exchange method is configured to DH Group 14, an SSH
connection from a remote SSH client is accepted only if the key-exchange method at the client is
also configured to DH Group 14.
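The "client must also offer DH Group 14" rule follows from how SSH negotiates the key-exchange method: each side sends a comma-separated name-list in KEXINIT and the first algorithm on the client's list that the server also lists wins (RFC 4253 section 7.1). The following added example is not from the Brocade manual; it models that negotiation in Python. It assumes the IANA name diffie-hellman-group14-sha1 for DH Group 14 (the manual does not state which exact algorithm name the switch uses), and the client and server offer lists are constructed for illustration.

```python
# Added example (not from the Brocade manual): how the SSH key-exchange
# negotiation behaves when the server is restricted to DH Group 14.
# The algorithm names are IANA-registered SSH identifiers; the offer lists
# below are constructed for illustration, not captured from a VDX switch.

# Assumed name for DH Group 14 (the manual only says "DH Group 14").
DH_GROUP14 = "diffie-hellman-group14-sha1"


def parse_name_list(name_list: str) -> list:
    """Split an SSH name-list (comma-separated, as carried in KEXINIT) into names."""
    return [n for n in name_list.split(",") if n]


def negotiate_kex(client_offer, server_offer):
    """RFC 4253 section 7.1: the chosen method is the first algorithm on the
    client's list that the server also lists. None means the connection fails."""
    server_set = set(server_offer)
    for alg in client_offer:
        if alg in server_set:
            return alg
    return None


def explain(client_kex: str, server_kex: str) -> str:
    """Human-readable outcome for a pair of KEXINIT name-lists."""
    chosen = negotiate_kex(parse_name_list(client_kex), parse_name_list(server_kex))
    if chosen is None:
        return f"FAIL: no common key-exchange method (server offers {server_kex})"
    return f"OK: negotiated {chosen}"


# Server configured for DH Group 14 only, as the manual describes.
SERVER_GROUP14_ONLY = DH_GROUP14

# Constructed client offers: one that includes group 14, one that does not.
CLIENT_WITH_GROUP14 = "curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
CLIENT_WITHOUT_GROUP14 = "curve25519-sha256,diffie-hellman-group-exchange-sha256"

if __name__ == "__main__":
    print(explain(CLIENT_WITH_GROUP14, SERVER_GROUP14_ONLY))
    print(explain(CLIENT_WITHOUT_GROUP14, SERVER_GROUP14_ONLY))
```

Because the client's order decides, a client that lists group 14 anywhere will still connect to a group-14-only server, but a client whose configuration omits it fails before authentication is ever attempted; that is the failure to look for when a newly restricted switch stops accepting logins.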

The following steps briefly describe public-key authentication:

1. The user generates a public and private key pair on the local machine using the ssh-keygen
command (as shown below). Messages encrypted with the private key can only be decrypted with the
public key, and vice versa.

    switch# ssh-keygen -t rsa
    (generates an RSA public and private key pair)

    switch# ssh-keygen -t dsa
    (generates a DSA public and private key pair)

2. The user keeps the private key on the local machine, and uploads the public key to the switch.

3. When attempting to log in to the remote host, the user receives an encrypted message from the
remote host containing the public key. After the message is decrypted on the local host by means of
the private key, the user is authenticated and granted access.

The ssh-keygen command is not distributed across the cluster. The RBridge ID of the node should
be used to configure the service on individual nodes.
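Before uploading the public key in step 2, it is worth checking that the key file is what it claims to be: the declared type, the base64 blob's internal type string and the key length should all agree, and a malformed or undersized key should be rejected rather than installed. The following added example is not from the Brocade manual or from Network OS; it parses an OpenSSH-format public key line (RFC 4253 section 6.6 encoding, RFC 4251 section 5 data types) in Python using only the standard library. The sample key it builds is constructed from an arbitrary modulus and is not a real key; the helper names and the 2048-bit minimum are assumptions.

```python
# Added example (not from the Brocade manual): sanity-check an OpenSSH-format
# public key line before uploading it to the switch. The sample key below is
# constructed from a made-up modulus and is NOT a real key.
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (big-endian two's complement)."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                      # leading zero keeps the value positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Decode one SSH 'string' at offset; returns (bytes, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("string runs past end of blob")
    return blob[offset + 4:end], end


def make_rsa_public_key_line(e: int, n: int, comment: str) -> str:
    """Build an 'ssh-rsa <base64> <comment>' line from exponent and modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def inspect_public_key_line(line: str) -> dict:
    """Parse a public key line and verify the blob matches its declared type.
    Raises ValueError for anything malformed."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    declared, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError(f"blob is not valid base64: {exc}") from exc
    blob_type, off = _read_string(blob, 0)
    if blob_type != declared.encode("ascii"):
        raise ValueError(f"declared {declared!r} but blob type is {blob_type!r}")
    if declared == "ssh-rsa":
        e_bytes, off = _read_string(blob, off)   # public exponent e
        n_bytes, off = _read_string(blob, off)   # modulus n
        if off != len(blob):
            raise ValueError("trailing bytes after RSA key material")
        n = int.from_bytes(n_bytes, "big")
        return {"type": "ssh-rsa", "bits": n.bit_length(),
                "exponent": int.from_bytes(e_bytes, "big")}
    if declared == "ssh-dss":
        p_bytes, off = _read_string(blob, off)   # p; then q, g, y
        for _ in range(3):
            _, off = _read_string(blob, off)
        if off != len(blob):
            raise ValueError("trailing bytes after DSA key material")
        return {"type": "ssh-dss", "bits": int.from_bytes(p_bytes, "big").bit_length()}
    raise ValueError(f"unsupported key type {declared!r}")


def check_before_upload(line: str, min_rsa_bits: int = 2048) -> tuple:
    """Return (ok, reason); rejects malformed lines and short RSA keys."""
    try:
        info = inspect_public_key_line(line)
    except ValueError as exc:
        return False, str(exc)
    if info["type"] == "ssh-rsa" and info["bits"] < min_rsa_bits:
        return False, f"RSA key is only {info['bits']} bits"
    return True, f"{info['type']} {info['bits']} bits"


# Constructed sample: an arbitrary 2048-bit odd modulus, not a real key.
SAMPLE_LINE = make_rsa_public_key_line(65537, (1 << 2047) | 0x10001, "constructed-example")

if __name__ == "__main__":
    print(check_before_upload(SAMPLE_LINE))
    print(check_before_upload("ssh-dss " + SAMPLE_LINE.split()[1]))  # type mismatch
```

The type cross-check matters because the switch trusts the declared type when it installs the key; a line whose label and blob disagree is either corrupted or was edited by hand, and either way should not be uploaded.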

Network OS Administrator’s Guide
53-1003225-04