SSH2 authentication types, Configuring SSH2 – Brocade Communications Systems Brocade ICX 6650 User Manual


Brocade ICX 6650 Security Configuration Guide

65

53-1002601-01

SSH2 authentication types

The Brocade implementation of SSH2 supports the following types of user authentication:

DSA challenge-response authentication, where a collection of public keys is stored on the
device. Only a client holding the private key that corresponds to one of the stored public keys can
gain access to the device using SSH.

RSA challenge-response authentication, where a collection of public keys is stored on the
device. Only a client holding the private key that corresponds to one of the stored public keys can
gain access to the device using SSH.

Password authentication, where users attempting to gain access to the device using an SSH
client are authenticated with passwords stored on the device or on a TACACS, TACACS+, or
RADIUS server. Passwords travel inside the encrypted SSH session, but unlike challenge-response
authentication they remain vulnerable to guessing, so disable password authentication once client
keys are in place if the device allows it.

Configuring SSH2

You can configure the device to use any combination of these authentication types. The SSH server
and client negotiate which type to use.

To configure SSH2, follow these steps:

1. Generate a host Digital Signature Algorithm (DSA) or Rivest-Shamir-Adleman (RSA) public and
private key pair for the device.

See the section “Enabling and disabling SSH by generating and deleting host keys” on page 65.

2. Configure DSA or RSA challenge-response authentication.

See the section “Configuring DSA or RSA challenge-response authentication” on page 67.

3. Set optional parameters.

See the section “Optional SSH parameters” on page 69.
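After the three steps above, the useful check is to confirm from the outside which authentication types the device actually offers. The following script is an added example and is not part of the Brocade guide; it drives the stock OpenSSH client with no credentials so that the client fails after the server has listed its methods, and it reads the method list from the "Permission denied (…)" line. The device address, username and the allowed method set are assumptions for the example, and the sample stderr lines are constructed.

```python
"""Audit which SSH authentication types an SSH server (here, a Brocade ICX
device) offers to clients.

Added example, not code from the Brocade guide. The OpenSSH client, when it
has nothing to authenticate with, prints a line such as
    admin@10.0.0.5: Permission denied (publickey,password).
where the parenthesised list is exactly what the server advertised in its
USERAUTH_FAILURE message. We parse that list and compare it with policy.
"""
import re
import subprocess
from typing import FrozenSet, List, Optional, Tuple

# Matches the method list OpenSSH prints when authentication is refused.
DENIED_RE = re.compile(r"Permission denied \(([^)]*)\)")


def parse_offered_methods(ssh_stderr: str) -> Optional[FrozenSet[str]]:
    """Extract the server-advertised authentication method names.

    Returns None when the line is absent (host-key mismatch, connection
    refused, timeout), so a transport failure is never mistaken for "no
    methods offered".
    """
    m = DENIED_RE.search(ssh_stderr)
    if not m:
        return None
    return frozenset(x.strip() for x in m.group(1).split(",") if x.strip())


def check_policy(offered: FrozenSet[str],
                 allowed: FrozenSet[str]) -> Tuple[bool, List[str]]:
    """Return (ok, unexpected): ok is True only if every offered method is
    in the allowed set; unexpected lists the offending methods, sorted."""
    unexpected = sorted(offered - allowed)
    return (len(unexpected) == 0, unexpected)


def probe(host: str, user: str = "admin", port: int = 22,
          timeout: int = 10) -> Optional[FrozenSet[str]]:
    """Run the OpenSSH client with no usable credentials and parse its stderr.

    PreferredAuthentications=none makes the client attempt only the "none"
    method, so the server's reply lists everything it would accept.
    BatchMode=yes stops the client prompting for a password;
    StrictHostKeyChecking=yes refuses an unknown host key instead of adding
    it, so an unrecorded device is a hard failure (returns None).
    """
    cmd = ["ssh", "-p", str(port),
           "-o", "PreferredAuthentications=none",
           "-o", "BatchMode=yes",
           "-o", "StrictHostKeyChecking=yes",
           "-o", f"ConnectTimeout={timeout}",
           f"{user}@{host}", "exit"]
    proc = subprocess.run(cmd, capture_output=True, text=True,
                          timeout=timeout + 5)
    return parse_offered_methods(proc.stderr)


# Policy for a device on which only challenge-response (step 2) is wanted.
ALLOWED_METHODS = frozenset({"publickey"})

# Constructed sample outputs, as the OpenSSH client would print them.
SAMPLE_DENIED = "admin@10.0.0.5: Permission denied (publickey,password).\n"
SAMPLE_REFUSED = "ssh: connect to host 10.0.0.5 port 22: Connection refused\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # live probe: python audit.py <host> [user]
        offered = probe(sys.argv[1], *(sys.argv[2:3]))
    else:                                      # offline demonstration on the sample
        offered = parse_offered_methods(SAMPLE_DENIED)
    if offered is None:
        print("no authentication method list received; check host key / reachability")
        sys.exit(2)
    ok, bad = check_policy(offered, ALLOWED_METHODS)
    print("offered:", sorted(offered), "policy ok:", ok, "unexpected:", bad)
    sys.exit(0 if ok else 1)
```

Run it with no arguments to see the parser on the constructed sample, or with a hostname (assumed reachable and already present in known_hosts) to audit a real device. A result of `password` in the unexpected list means step 2 is in place but password authentication is still enabled alongside it.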

Enabling and disabling SSH by generating and deleting host keys

To enable SSH, you generate a public and private DSA or RSA host key pair on the device. The SSH
server on the Brocade device uses this host key pair to prove the identity of the device to a connecting
client during key exchange, in which the session key and encryption method are negotiated using
ephemeral values generated for each session. The host key itself is not used to encrypt the session.

While the SSH listener exists at all times, sessions cannot be started from clients until a host key is
generated. After a host key is generated, clients can start sessions. Record the fingerprint of the new
host key out of band and give it to administrators; a client that accepts whatever key it sees on first
connection has no protection against a device impersonating the switch. Generating a new host key
pair changes the fingerprint, so clients that stored the old key will report a mismatch until their
known-hosts entry is updated.

To disable SSH, you delete all of the host keys from the device.

When a host key pair is generated, it is saved to the flash memory of all management modules.
When a host key pair is deleted, it is deleted from the flash memory of all management modules.

The time to initially generate SSH keys varies depending on the configuration, and can be from
under a minute to several minutes.
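Once the host key exists, what the administrator needs is a way to pin it: compute its fingerprint from the public key, store that, and compare it on the first connection from each client. The script below is an added example and is not code from the Brocade guide. It parses an OpenSSH-format public key line (the form `ssh-keyscan` emits, which is an assumed way of fetching the device's host key) and computes the `SHA256:` fingerprint that the OpenSSH client displays, so the two can be compared directly. The RSA key values in it are constructed for the example and are not a real device key.

```python
"""Pin and verify an SSH host key fingerprint.

Added example, not code from the Brocade guide. The OpenSSH public key line
format is "<type> <base64 blob> [comment]"; the blob is an SSH wire-format
structure whose first field repeats the key type. The fingerprint shown by
OpenSSH is "SHA256:" + base64(sha256(blob)) with the '=' padding removed.
"""
import base64
import hashlib
import struct
from typing import Tuple


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH wire-format mpint for a positive integer: minimal big-endian
    bytes with a leading 0x00 when the top bit would otherwise be set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    """Read one wire-format string starting at off; return (bytes, new_off)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Return (key_type, blob) for an OpenSSH public key line.

    Rejects a line whose textual type does not match the type embedded in
    the blob, which is how a tampered or mislabelled key line would look.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    inner_type, _ = _read_string(blob, 0)
    if inner_type != parts[0].encode():
        raise ValueError(f"type {parts[0]!r} does not match blob {inner_type!r}")
    return parts[0], blob


def sha256_fingerprint(blob: bytes) -> str:
    """Fingerprint in the form the OpenSSH client prints (SHA256:..., 43 chars)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rsa_public_key_line(e: int, n: int, comment: str = "icx-host-key") -> str:
    """Build an OpenSSH 'ssh-rsa' line from (e, n); used here to construct
    the sample key so the example runs offline."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def verify_against_record(line: str, recorded_fingerprint: str) -> Tuple[bool, str]:
    """Compare the key in 'line' with the fingerprint recorded when the host
    key was generated. Returns (match, actual_fingerprint)."""
    _, blob = parse_pubkey_line(line)
    actual = sha256_fingerprint(blob)
    return actual == recorded_fingerprint, actual


# Constructed sample modulus (not a real key, and far too small for use);
# the values only need to be well-formed for the fingerprint arithmetic.
SAMPLE_E = 65537
SAMPLE_N = int("c3a5e1f7b9d20e4f6a8c1d3e5f7a9b0c2d4e6f8091a3b5c7d9e0f1a2b3c4d5e6f7", 16)
SAMPLE_LINE = rsa_public_key_line(SAMPLE_E, SAMPLE_N)

if __name__ == "__main__":
    # At key-generation time: record this value out of band.
    recorded = sha256_fingerprint(parse_pubkey_line(SAMPLE_LINE)[1])
    print("record this fingerprint:", recorded)
    # At first connection: compare what the client sees against the record.
    print("matches record:", verify_against_record(SAMPLE_LINE, recorded))
    print("after regeneration:", verify_against_record(SAMPLE_LINE, "SHA256:stale")[0])
```

In practice the key line fed to `verify_against_record` comes from `ssh-keyscan -t rsa <device>` (assumed) or from the client's `known_hosts`, and the recorded fingerprint is whatever was captured when the key was generated; a mismatch after the device's host key was regenerated is expected and should be resolved by updating the record, not by telling clients to ignore it.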
