Note:
The switch must be reset for the new certificate to be activated. To reset the
switch, type “reload” at the command prompt:
Console#reload
Configuring the Secure Shell
The Berkley-standard includes remote access tools originally designed for Unix
systems. Some of these tools have also been implemented for Microsoft Windows
and other environments. These tools, including commands such as rlogin (remote
login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
The Secure Shell (SSH) includes server/client applications intended as a secure
replacement for the older Berkley remote access tools. SSH can also provide
remote management access to this switch as a secure replacement for Telnet.
When the client contacts the switch via the SSH protocol, the switch generates a
public-key that the client uses along with a local user name and password for access
authentication. SSH also encrypts all data transfers passing between the switch and
SSH-enabled management station clients, and ensures that data traveling over the
network arrives unaltered.
Note that you need to install an SSH client on the management station to access the
switch for management via the SSH protocol.
Note:
The switch supports both SSH Version 1.5 and 2.0 clients.
Command Usage
The SSH server on this switch supports both password and public key
authentication. If password authentication is specified by the SSH client, then the
password can be authenticated either locally or via a RADIUS or TACACS+ remote
authentication server, as specified on the
Authentication Settings
page (page 6-2).
If public key authentication is specified by the client, then you must configure
authentication keys on both the client and the switch as described in the following
section. Note that regardless of whether you use public key or password
authentication, you still have to generate authentication keys on the switch (SSH
Host Key Settings) and enable the SSH server (Authentication Settings).
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host
public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically
import the host public key during the initial connection setup with the switch.
Otherwise, you need to manually create a known hosts file on the management
6-8
CLI
– This example copies the certificate file from the designated TFTP server.
Console#copy tftp https-certificate
TFTP server ip address: <server ip-address>
Source certificate file name: <certificate file name>
Source private file name: <private key file name>
Private password: <password
f
o
r
private
k
e
y
>
2
3
-
1
1
User Authentication
6