Network OS Administration Guide

Supporting Network OS 6.0.1a

Part Number: 53-1003768-04

SSH server key exchange and authentication

The Secure Shell (SSH) protocol allows users to authenticate using public and private key pairs instead of passwords. In password-based authentication, the user must enter a password to be authenticated. In public-key authentication, the user holds a private key on the local machine and installs the matching public key on the remote machine. The user must be logged in to the local machine to be authenticated. If a passphrase was provided while generating the public and private key pair, it must be entered to decrypt the private key during authentication.

SSH key-exchange specifies the method used for generating the one-time session keys for encryption and authentication with the SSH server. A user is allowed to configure the SSH server key-exchange method to DH Group 14. When the SSH server key-exchange method is configured to DH Group 14, the SSH connection from a remote SSH client is allowed only if the key-exchange method at the client is also configured to DH Group 14.
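The acceptance rule above (the client must also offer DH Group 14) is the standard SSH_MSG_KEXINIT negotiation from RFC 4253. The following added example, which is not part of the guide, builds and parses KEXINIT payloads and applies that rule to a constructed switch-side list restricted to DH Group 14. It assumes the switch advertises the RFC 4253 wire name diffie-hellman-group14-sha1 for DH Group 14; the other name-lists are fixed sample values.

```python
import struct

SSH_MSG_KEXINIT = 20
# Assumed wire name the switch advertises for DH Group 14 (RFC 4253 section 8.2).
DH_GROUP14 = "diffie-hellman-group14-sha1"

def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(kex_algs, cookie=b"\x00" * 16):
    """Construct a minimal SSH_MSG_KEXINIT payload (RFC 4253 section 7.1).
    Only the kex list varies; the other nine name-lists are constructed samples."""
    lists = [list(kex_algs), ["ssh-rsa"], ["aes128-ctr"], ["aes128-ctr"],
             ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"], [], []]
    body = b"".join(_name_list(names) for names in lists)
    # trailing fields: boolean first_kex_packet_follows = 0, uint32 reserved = 0
    return bytes([SSH_MSG_KEXINIT]) + cookie + body + b"\x00" + struct.pack(">I", 0)

def parse_kexinit(payload):
    """Decode the ten name-lists of a KEXINIT payload; index 0 is kex_algorithms."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, fields = 17, []          # skip message id (1 byte) + random cookie (16 bytes)
    for _ in range(10):
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        fields.append(raw.split(",") if raw else [])
    return fields

def negotiate_kex(client_kexinit, server_kexinit):
    """RFC 4253 rule: first client-preferred method the server also lists; None = failure."""
    client_kex = parse_kexinit(client_kexinit)[0]
    server_kex = parse_kexinit(server_kexinit)[0]
    for alg in client_kex:
        if alg in server_kex:
            return alg
    return None

if __name__ == "__main__":
    server = build_kexinit([DH_GROUP14])                    # switch locked to DH Group 14
    legacy = build_kexinit(["diffie-hellman-group1-sha1"])  # client without Group 14
    modern = build_kexinit(["ecdh-sha2-nistp256", DH_GROUP14])
    print("legacy client:", negotiate_kex(legacy, server))  # None -> connection refused
    print("group14 client:", negotiate_kex(modern, server)) # diffie-hellman-group14-sha1
```

A client whose list omits the switch's single permitted method gets None, which is the failed key exchange the guide describes; a client that lists it anywhere negotiates Group 14.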

The following steps briefly describe public-key authentication:

  1. The user generates a public and private key pair on the local machine using the ssh-keygen command, as shown below. Messages encrypted with the private key can only be decrypted by the public key, and vice versa.
    switch# ssh-keygen -t rsa
     generates RSA public and private keypair
    switch# ssh-keygen -t dsa
     generates DSA public and private keypair
  2. The user keeps the private key on the local machine, and uploads the public key to the switch.
  3. When attempting to log in to the remote host, the user receives from the remote host a message that has been encrypted with the public key. After the message is decrypted on the local host by means of the private key, the user is authenticated and granted access.

    The ssh-keygen command is not distributed across the cluster. Use the RBridge ID of each node to configure the service on individual nodes.