Alcatel Carrier Internetworking Solutions omniswitch User Manual
Using Secure Shell
Logging Into the Switch
page 1-10
OmniSwitch 6600 Family Switch Management Guide
March 2005
Secure Shell Authentication
Secure Shell authentication is accomplished in several phases using industry standard algorithms and exchange mechanisms. The authentication phase is identical for Secure Shell and Secure Shell SFTP. The following sections describe the process in detail.
Protocol Identification
When the Secure Shell client in the OmniSwitch connects to a Secure Shell server, the server accepts the connection and responds by sending back an identification string. The client parses the server's identification string and sends an identification string of its own. The purpose of the identification strings is to validate that the attempted connection was made to the correct port number. The strings also declare the protocol and software version numbers. This information is needed on both the client and server sides for debugging purposes.
At this point, the protocol identification strings are in human-readable form. Later in the authentication process, the client and the server switch to a packet-based binary protocol, which is machine readable only.
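The identification-string exchange described above, as an added example that is not from the manual: a parser for the server's line (SSH-protoversion-softwareversion, optional comments, CR LF, at most 255 bytes, with any preceding non-"SSH-" lines skipped) and the client's reply. The sample server data and the client software name are constructed; the OmniSwitch's own banner text is not given on this page.

```python
import re
from typing import Optional

# Constructed sample of what a server might send; not the OmniSwitch's real banner.
SAMPLE_SERVER_DATA = b"Welcome to the lab switch\r\nSSH-2.0-OpenSSH_3.9p1 hypothetical-build\r\n"

# Identification string layout: SSH-protoversion-softwareversion SP comments CR LF
_ID_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<soft>\S+)(?: (?P<comments>.*))?$")

def parse_identification(data: bytes) -> Optional[dict]:
    """Extract the server identification string from the first bytes received.

    Lines that do not start with 'SSH-' may precede it and are skipped, as a
    client must do. Returns None when no identification string is present,
    the usual sign that the connection went to the wrong port or service.
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue                      # pre-banner text, not the identification
        if len(raw) + 1 > 255:            # the limit includes the trailing CR LF
            raise ValueError("identification line exceeds 255 bytes")
        try:
            text = line.decode("ascii")
        except UnicodeDecodeError as exc:
            raise ValueError("identification string must be US-ASCII") from exc
        m = _ID_RE.match(text)
        if m is None:
            raise ValueError(f"malformed identification string: {text!r}")
        proto = m.group("proto")
        return {
            "protocol": proto,
            "software": m.group("soft"),
            "comments": m.group("comments"),
            # an SSH-2 client may continue only with 2.0 or the compatibility value 1.99
            "ssh2_compatible": proto in ("2.0", "1.99"),
        }
    return None

def client_identification(software: str = "ExampleClient_0.1") -> bytes:
    """Build the string the client sends back once it has parsed the server's line."""
    if re.search(r"[\s-]", software):     # softwareversion may not contain these
        raise ValueError("softwareversion may not contain whitespace or '-'")
    return f"SSH-2.0-{software}\r\n".encode("ascii")

if __name__ == "__main__":
    print(parse_identification(SAMPLE_SERVER_DATA))
    print(client_identification())
```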
Algorithm and Key Exchange
The OmniSwitch Secure Shell server is identified by one or several host-specific DSA keys. Both the client and server process the key exchange to choose a common algorithm for encryption, signature, and compression. This key exchange is included in the Secure Shell transport layer protocol. It uses a key agreement to produce a shared secret that cannot be determined by either the client or the server alone. The key exchange is combined with a signature and the host key to provide host authentication. Once the exchange is completed, the client and the server turn encryption on using the selected algorithm and key.
The following elements are supported:

Host Key Type: DSA
Cipher Algorithms: AES, Blowfish, Cast, 3DES, Arcfour, Rijndael
Signature Algorithms: MD5, SHA1
Compression Algorithms: None Supported
Key Exchange Algorithms: diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1

Note. The OmniSwitch generates a 512 bit DSA host key at initial startup. The DSA key on the switch is made up of two files contained in the /flash/network directory; the public key is called ssh_host_dsa_key.pub, and the private key is called ssh_host_dsa_key. To generate a different DSA key, use the Secure Shell tools available on your Unix or Windows system and copy the files to the /flash/network directory on your switch. The new DSA key will take effect after the OmniSwitch is rebooted.

Authentication Phase
When the client tries to authenticate, the server determines the process by telling the client which authentication methods can be used. The client is free to attempt any of the methods listed by the server. The server disconnects from the client after a certain number of failed authentication attempts or when a timeout period expires. Authentication is performed independently of whether the Secure Shell interface or the SFTP file transfer protocol will be used.