Cisco Systems SRW248G4PK9NA User Manual

Security: SSH Client
Cisco Small Business 300 Series Managed Switch Administration Guide 
When a private key is created on a device, it is also possible to create an associated passphrase. This passphrase is used to encrypt the private key and to import it into the remaining switches. In this way, all the switches can use the same public/private key.
SSH Server Authentication
A device, as an SSH client, only communicates with a trusted SSH server. When SSH server authentication is disabled (the default setting), any SSH server is considered trusted. When SSH server authentication is enabled, the user must add an entry for each trusted server to the Trusted SSH Servers Table. The table holds a maximum of 16 servers and stores the following information for each trusted SSH server:
- Server IP address/host name
- Server public key fingerprint
When SSH server authentication is enabled, the SSH client running on the device authenticates the SSH server using the following authentication process:
The device calculates the fingerprint of the received SSH server's public key.
The device searches the SSH Trusted Servers table for the SSH server's IP address/host name. One of the following can occur:
- If a match is found, both for the server's IP address/host name and its fingerprint, the server is authenticated.
- If a matching IP address/host name is found, but there is no matching fingerprint, the search continues. If no matching fingerprint is found, the search is completed and authentication fails.
- If no matching IP address/host name is found, the search is completed and authentication fails.
If the entry for the SSH server is not found in the list of trusted servers, the process fails.
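The lookup described above, as an added Python example (this is not Cisco's code or the switch firmware): it models the Trusted SSH Servers Table with its 16-entry limit, the disabled-by-default behaviour in which every server is trusted, and the three outcomes of the search, including the case where a host has several entries and the search continues past a non-matching fingerprint. The guide does not state which hash the switch uses for the fingerprint, so an OpenSSH-style SHA-256 fingerprint is assumed here; the keys and addresses are constructed sample values.

```python
"""Trusted-server check for an SSH client, modelled on the process in the guide.

Added example, not Cisco's code. Assumptions: the fingerprint is an
OpenSSH-style SHA256 fingerprint (the guide does not name the hash), and
IP addresses / host names are compared as plain strings.
"""
import base64
import hashlib

MAX_TRUSTED_SERVERS = 16  # table limit stated in the guide


def fingerprint(public_key_blob: bytes) -> str:
    """Fingerprint of a server public key (SHA256, base64, OpenSSH style; assumption)."""
    digest = hashlib.sha256(public_key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class TrustedSshServers:
    """The Trusted SSH Servers Table plus the enable/disable setting."""

    def __init__(self, authentication_enabled: bool = False):
        # Disabled by default, as in the guide: any server is then considered trusted.
        self.authentication_enabled = authentication_enabled
        self.entries: list[tuple[str, str]] = []  # (IP address or host name, fingerprint)

    def add(self, host: str, fp: str) -> None:
        """Add one trusted server; the table holds at most 16 entries."""
        if len(self.entries) >= MAX_TRUSTED_SERVERS:
            raise ValueError(f"table holds at most {MAX_TRUSTED_SERVERS} servers")
        self.entries.append((host, fp))

    def authenticate(self, host: str, received_public_key: bytes) -> tuple[bool, str]:
        """Return (trusted, reason) for a server at `host` that presented this key."""
        if not self.authentication_enabled:
            return True, "server authentication disabled: any server is trusted"

        fp = fingerprint(received_public_key)  # step 1: fingerprint the received key
        host_seen = False
        for entry_host, entry_fp in self.entries:  # step 2: search by IP/host name
            if entry_host != host:
                continue
            host_seen = True
            if entry_fp == fp:
                return True, "host and fingerprint match"
            # host matched but fingerprint did not: keep searching for another entry
        if host_seen:
            return False, "host known but no entry has a matching fingerprint"
        return False, "host not in trusted servers table"


if __name__ == "__main__":
    # Constructed sample keys and addresses (not real key material).
    key_a = b"constructed-server-key-A"
    key_b = b"constructed-server-key-B"
    table = TrustedSshServers(authentication_enabled=True)
    table.add("10.0.0.5", fingerprint(key_a))
    for host, key in [("10.0.0.5", key_a), ("10.0.0.5", key_b), ("10.0.0.6", key_a)]:
        print(host, table.authenticate(host, key))
```

The `host_seen` flag is what separates the second outcome from the third: a known host with a changed key is a different operational signal (possible key rotation, or a server impersonation to investigate) than a host that was never trusted at all, so the reason string is worth logging rather than collapsing both cases into a bare failure.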