Chapter 3: Operations 21
SSH server keys
When SSH is enabled for the first time, all sessions are terminated and the CCM appliance
generates an SSH server key. The key generation process may take up to three minutes. The key is
computed at random and is stored in the CCM configuration database.
In most cases, the SSH server key should not be modified because most SSH clients will associate
the key with the IP address of the CCM appliance. During the first connection to a new SSH server,
the client will display the SSH server’s key. You will be prompted to indicate if it should be stored
on the SSH client. After the first connection, most SSH clients will validate the key when
connecting to the CCM appliance. This provides an extra layer of security because the SSH client
can verify the key sent by the server each time it connects.
When you disable SSH and later reenable it, you may either use the existing server key or compute
a new one. If you are reenabling the same server at the same IP address, it is recommended that you
use the existing key, as SSH clients may be using it for verification. If you are moving the CCM
appliance to another location and changing the IP address, you may wish to generate a new SSH
server key.
Authenticating an SSH user
SSH is enabled and disabled with the Server SSH command. When you enable SSH, you may
specify the authentication method(s) that will be used for SSH connections. The method may be a
password, an SSH key or both. A user’s password and SSH key are specified with a User Add or
User Set command. All SSH keys must be RSA keys. DSA keys are not supported.
Table 3.3 lists and describes the valid SSH authentication methods that may be specified with a
Server SSH command.
Table 3.3: SSH Authentication Methods
Method Description
PW (default)
SSH connections will be authenticated with a username/password. With this method,
a user’s definition must include a valid password in order for that user to authenticate
an SSH session.
KEY
SSH connections will be authenticated with an SSH key. With this method, a user’s
definition must include valid SSH key information in order for that user to
authenticate an SSH session. Key authentication is always local; RADIUS is not
supported. For more information, see SSH user keys on page 22.
PW|KEY or KEY|PW
SSH connections will be authenticated with either a username/password or an SSH
key. If a user has only a password defined, that user must authenticate an SSH
session with a username/password. If a user has only an SSH key defined, that user
must authenticate an SSH session using the key. If a user has both a password and
an SSH key defined, that user may use either a username/password or the SSH key
to authenticate an SSH session. This method allows the administrator to define how
each user will authenticate an SSH session based on information provided in the
User Add/Set command.
PW authentication will be local or RADIUS as specified in the Auth parameter of the
Server Security command. Key authentication is always local.