16 CCM4850 Installer/User Guide
command includes the Encrypt=SSH,None parameter, which indicates that both SSH and plain text
connections will be allowed. Connecting to Telnet port 23 may also be tunneled through a
connection to SSH port 22.
SSH server keys
When SSH is enabled for the first time, all sessions are terminated and the CCM appliance
generates an SSH server key. The key generation process may take up to three minutes. The key is
computed at random and is stored in the CCM configuration database.
In most cases, the SSH server key should not be modified because most SSH clients will associate
the key with the IP address of the CCM appliance. During the first connection to a new SSH server,
the client will display the SSH server’s key. You will be prompted to indicate if it should be stored
on the SSH client. After the first connection, most SSH clients will validate the key when
connecting to the CCM appliance. This provides an extra layer of security because the SSH client
can verify the key sent by the server each time it connects.
When you disable SSH and later reenable it, you may either use the existing server key or compute
a new one. If you are reenabling the same server at the same IP address, it is recommended that you
use the existing key, as SSH clients may be using it for verification. If you are moving the CCM
appliance to another location and changing the IP address, you may wish to generate a new SSH
server key.
Authenticating an SSH user
SSH is enabled and disabled with the Server SSH command. When you enable SSH, you may
specify the authentication method(s) that will be used for SSH connections. The method may be a
password, an SSH key or both. A user’s password and SSH key are specified with a User Add or
User Set command. All SSH keys must be RSA keys. DSA keys are not supported.
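The following is an added example, not part of the guide or the appliance's own software: a pre-check that a user's public key is RSA before it is assigned, since DSA keys are not supported. It assumes the key is available as a one-line OpenSSH-format public key; check_user_key, the helper functions and the sample key lines are constructed for illustration.

```python
import base64
import hashlib
import struct

def _read_field(blob, off):
    """Read one length-prefixed field (RFC 4251 string/mpint) from a key blob."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (size,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + size > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + size], off + 4 + size

def check_user_key(line):
    """Return (accepted, reason, details) for one OpenSSH public key line."""
    parts = line.split()
    if len(parts) < 2:
        return False, "not a public key line", {}
    try:
        blob = base64.b64decode(parts[1], validate=True)
        algo, off = _read_field(blob, 0)
        # The text label is not authoritative; the blob names its own type.
        if algo.decode("ascii", "replace") != parts[0]:
            return False, "type label does not match key blob", {}
        if algo != b"ssh-rsa":
            return False, parts[0] + " is not an RSA key", {}
        _exponent, off = _read_field(blob, off)
        modulus, off = _read_field(blob, off)
    except ValueError as exc:  # also covers binascii.Error from bad base64
        return False, "malformed key: %s" % exc, {}
    if off != len(blob):
        return False, "malformed key: trailing data", {}
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    bits = int.from_bytes(modulus, "big").bit_length()
    return True, "RSA key", {"bits": bits, "fingerprint": "SHA256:" + digest}

def _demo_line(algo, *numbers):
    """Build a constructed, non-functional key line (parsing demo only)."""
    fields = [algo.encode()] + [n.to_bytes(n.bit_length() // 8 + 1, "big") for n in numbers]
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return algo + " " + base64.b64encode(blob).decode() + " operator@example"

# Constructed samples: these integers are placeholders, not real key material.
RSA_LINE = _demo_line("ssh-rsa", 65537, (1 << 2047) | 1)
DSA_LINE = _demo_line("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3)
RELABELED = "ssh-rsa " + DSA_LINE.split()[1]  # DSA blob with an RSA label

if __name__ == "__main__":
    for sample in (RSA_LINE, DSA_LINE, RELABELED):
        print(check_user_key(sample))
```

The fingerprint in the details can be compared with the one the user's SSH client reports for the same key, to confirm that the intended key is the one being assigned.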
Table 3.2 lists and describes the valid SSH authentication methods that may be specified with a
Server SSH command.
Table 3.2: SSH Authentication Methods
Method        Description
PW (default)  SSH connections will be authenticated with a username/password. With this method,
              a user’s definition must include a valid password in order for that user to
              authenticate an SSH session.
KEY           SSH connections will be authenticated with an SSH key. With this method, a user’s
              definition must include valid SSH key information in order for that user to
              authenticate an SSH session. Key authentication is always local; RADIUS is not
              supported. For more information, see SSH user keys on page 17.