Cisco Systems OL-7396-01 Manual De Usuario
4-19
ATM Switch Router Software Configuration Guide
OL-7396-01
Chapter 4
Configuring System Management Functions
Configuring Secure Shell
For detailed information about RADIUS commands, refer to the “RADIUS Commands” chapter in the
Cisco IOS Security Command Reference publication.
Cisco IOS Security Command Reference publication.
Configuring Secure Shell
The preferred method of administering the switch router is through a Telnet session. However, using
Telnet might cause security issues that include session hijacking, sniffing, and man-in-the-middle
attacks. These attacks can be stopped using the Secure Shell (SSH) protocol and application that the
switch router supports. SSH is an application and protocol that provides a secure replacement to the
Berkeley r-tools. The protocol secures the sessions using standard cryptographic mechanisms, and the
application is similar to the Berkeley rexec and rsh tools. Two versions of SSH are currently available,
Version 1 and Version 2. Both SSH Server Version 1 and Version 2 are implemented in the Cisco IOS
software. Also, SSH Version 1 Integrated Client and SSH Version 2 Integrated Client are implemented
in the Cisco IOS software.
Telnet might cause security issues that include session hijacking, sniffing, and man-in-the-middle
attacks. These attacks can be stopped using the Secure Shell (SSH) protocol and application that the
switch router supports. SSH is an application and protocol that provides a secure replacement to the
Berkeley r-tools. The protocol secures the sessions using standard cryptographic mechanisms, and the
application is similar to the Berkeley rexec and rsh tools. Two versions of SSH are currently available,
Version 1 and Version 2. Both SSH Server Version 1 and Version 2 are implemented in the Cisco IOS
software. Also, SSH Version 1 Integrated Client and SSH Version 2 Integrated Client are implemented
in the Cisco IOS software.
The current method of remotely configuring a switch router involves initiating a Telnet connection to
the switch router to start an Exec session and then entering configuration mode. This connection method
only provides as much security as Telnet provides. That is, lower-layer encryption (for example, IPSEC
[Internet Protocol SECurity]) and application security (for example, username and password
authentication at the remote host).
the switch router to start an Exec session and then entering configuration mode. This connection method
only provides as much security as Telnet provides. That is, lower-layer encryption (for example, IPSEC
[Internet Protocol SECurity]) and application security (for example, username and password
authentication at the remote host).
You can configure SSH (Secure Shell) which is an application which runs on top of a reliable transport
layer, such as TCP/IP, and provides strong authentication and encryption capabilities. Secure Shell
allows you to login onto another computer over a network, execute commands remotely, and move files
from one host to another. The requirements are:
layer, such as TCP/IP, and provides strong authentication and encryption capabilities. Secure Shell
allows you to login onto another computer over a network, execute commands remotely, and move files
from one host to another. The requirements are:
•
Any host which wants to allow incoming secure connection must have the SSH daemon (or server)
running.
running.
•
The SSH client is required to initiate a connection to the remote host.
The IOS/ENA implementation of SSH server on the switch router provides the following:
•
Secure incoming connections
•
Remote Exec session connections to the switch router
•
DES and 3DES encryption
•
Username and password authentication using the existing IOS/ENA AAA authentication functions
For additional information about SSH, see the following:
•
Secure Shell White Paper provided by SSH Communications Security
•
Secure Shell Version 1 Support example configuration
•
Secure Shell Version 1 Integrated Client
Step 4
Switch(config)# radius-server timeout seconds
Specifies the number of seconds a switch waits
for a reply to a RADIUS request before
retransmitting the request.
for a reply to a RADIUS request before
retransmitting the request.
Step 5
Switch(config)# radius-server deadtime minutes Specifies the number of minutes a RADIUS
server, which is not responding to authentication
requests, is passed over by requests for RADIUS
authentication.
requests, is passed over by requests for RADIUS
authentication.
Command
Purpose