Configuring Secure Shell (SSH)
Configuring the Switch for SSH Operation
Caution To allow SSH access only to clients having the correct public key, you must
configure the secondary (password) method for login public-key to none.
Otherwise a client without the correct public key can still gain entry by
submitting a correct local login password.
Syntax: aaa authentication ssh enable < local | tacacs | radius > < local | none >
Configures a password method for the primary and second-
ary enable (Manager) access. If you do not specify an
optional secondary method, it defaults to none.
For example, assume that you have a client public-key file named Client-
Keys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the
switch. For SSH access to the switch you want to allow only clients having a
private key that matches a public key found in Client-Keys.pub. For Manager-
level (enable) access for successful SSH clients you want to use TACACS+ for
primary password authentication and local for secondary password authenti-
cation, with a Manager username of "1eader" and a password of "m0ns00n".
To set up this operation you would configure the switch in a manner similar
to the following:
Configures Manager user-
name and password.
Configures the
switch to allow
SSH access only a
client whose
public key
matches one of the
keys in the public
key file
Configures the primary and
secondary password methods for
Manager (enable) access. (Becomes
available after SSH access is granted
Copies a public key file
named "Client-Keys.pub"
into the switch.
Figure 6-12. Configuring for SSH Access Requiring a Client Public-Key Match and Manager Passwords
6-20