Brocade Communications Systems Brocade ICX 6650 6650 User Manual

Brocade ICX 6650 Security Configuration Guide
53-1002601-01
SSH2 authentication types
The Brocade implementation of SSH2 supports the following types of user authentication:
• DSA challenge-response authentication, where a collection of public keys is stored on the device. Only clients with a private key that corresponds to one of the stored public keys can gain access to the device using SSH.
• RSA challenge-response authentication, where a collection of public keys is stored on the device. Only clients with a private key that corresponds to one of the stored public keys can gain access to the device using SSH.
• Password authentication, where users attempting to gain access to the device using an SSH client are authenticated with passwords stored on the device or on a TACACS or TACACS+ server or a RADIUS server.
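Because any key in the stored collection grants access, it is worth checking each public key before it is loaded onto the device. The following added example is not from the Brocade manual: it reads key lines, reports each key's type, size and SHA-256 fingerprint, and rejects a line whose label does not match its contents. It assumes the keys are in OpenSSH one-line format, and all function names and sample keys are hypothetical.

```python
import base64
import hashlib

def _pack(data):
    return len(data).to_bytes(4, "big") + data
def _mpint(value):
    # mpint: big-endian, with a leading zero byte when the top bit is set
    return _pack(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def _read_field(blob, off):
    """Read one length-prefixed field (RFC 4253 string or mpint)."""
    end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def inspect_key(line):
    """Return (type, bits, fingerprint) for one public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    name, off = _read_field(blob, 0)
    key_type = name.decode("ascii")
    if key_type != fields[0]:
        raise ValueError("type label does not match key blob")
    if key_type == "ssh-rsa":      # blob holds e, then modulus n
        _, off = _read_field(blob, off)
    elif key_type != "ssh-dss":    # ssh-dss blob holds p, q, g, y
        raise ValueError("not a DSA or RSA key: " + key_type)
    size_field, _ = _read_field(blob, off)  # n for RSA, p for DSA
    bits = int.from_bytes(size_field, "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    return key_type, bits, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def make_sample_line(key_type, numbers, comment):
    blob = _pack(key_type.encode()) + b"".join(_mpint(n) for n in numbers)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

# Constructed sample input: placeholder integers, not usable keys.
SAMPLE_FILE = "\n".join([
    make_sample_line("ssh-rsa", [65537, (1 << 2047) | 1], "admin1@example"),
    make_sample_line("ssh-dss", [(1 << 1023) | 1, (1 << 159) | 1, 2, 3], "admin2@example"),
])

def audit(text):
    return [inspect_key(l) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    print(*audit(SAMPLE_FILE), sep="\n")
```

The fingerprint is computed over the decoded key blob, so it can be compared with the fingerprint the key's owner reports for the same key.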
Configuring SSH2
You can configure the device to use any combination of these authentication types. The SSH server 
and client negotiate which type to use.
To configure SSH2, follow these steps:
1. Generate a host Digital Signature Algorithm (DSA) or Rivest-Shamir-Adleman (RSA) public and 
private key pair for the device.
See the section 
2. Configure DSA or RSA challenge-response authentication.
See the section 
3. Set optional parameters.
See the section 
Enabling and disabling SSH by generating and deleting host keys
To enable SSH, you generate a public and private DSA or RSA host key pair on the device. The SSH 
server on the Brocade device uses this host DSA or RSA key pair, along with a dynamically 
generated server DSA or RSA key pair, to negotiate a session key and encryption method with the 
client trying to connect to it.
While the SSH listener exists at all times, sessions cannot be started from clients until a host key is 
generated. After a host key is generated, clients can start sessions.
To disable SSH, you delete all of the host keys from the device.
When a host key pair is generated, it is saved to the flash memory of all management modules. 
When a host key pair is deleted, it is deleted from the flash memory of all management modules.
The time to initially generate SSH keys varies depending on the configuration, and can be from 
under a minute to several minutes.