Carrier Access 1750 User Manual

Broadmore 1750 - Release 4.6
Security Management (FIPS Mode)
Key Management
A DSA private host key is required for SSH2 connections to the Broadmore.
Default DSA Key
During manufacture, a default host_dsa key file is placed in the /SSHD directory of the 
Broadmore CPU. This default key is intended only for use in initializing the Broadmore 
after installation at the customer site and should be changed by the SuperUser (Crypto 
Officer) before making the Broadmore operational.
NOTE:  
The DSA host key can only be replaced by the SuperUser while 
the Broadmore is in FIPS mode.
Generating DSA Key Pairs
DSA keys can be generated on a UNIX or Windows host, using the key generation utilities 
provided as part of the SSH client/server software of various vendors. 
OpenSSH provides ssh-keygen to generate DSA keys on a UNIX or Windows host. 
The ssh-keygen program can be downloaded from the URL
 
.
The following example shows how to generate the host_dsa key on a UNIX host or on 
a Windows PC running Cygwin.
$ ssh-keygen -t dsa -f host_dsa -N "" -C <comments>
Installing the DSA Key
With the Broadmore in FIPS mode, the SuperUser can use an SSH2 client (such as 
SecureFX) to log into the Broadmore/SSHield module and install the host_dsa key in 
the /SSHD directory on the Broadmore CPU.
NOTE:  
After installing the DSA key, the Broadmore must be rebooted in 
order for the change to take effect.
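
An added example, not part of the original manual or the vendor's software: a Python check that, after the reboot, a unit presents the newly installed host key rather than the default one. It compares SHA256 fingerprints of ssh-dss keys in ssh-keyscan-style lines against the default key's public half, which is assumed to have been recorded before replacement; the key material, addresses and function names are constructed for illustration.

```python
import base64
import hashlib
import struct

def make_pub_line(p, q, g, y, comment):
    """Build an 'ssh-dss' public key line from raw integers (sample data only)."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    def mpint(n):  # extra zero byte when the top bit is set, as SSH mpint requires
        return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))
    blob = ssh_string(b"ssh-dss") + b"".join(mpint(n) for n in (p, q, g, y))
    return "ssh-dss " + base64.b64encode(blob).decode() + " " + comment

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def dsa_sizes(b64_blob):
    """Return (p_bits, q_bits) after checking the blob is an ssh-dss key."""
    blob, fields, off = base64.b64decode(b64_blob), [], 0
    while off < len(blob):
        (n,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4: off + 4 + n])
        off += 4 + n
    if len(fields) != 5 or fields[0] != b"ssh-dss":
        raise ValueError("not an ssh-dss public key")
    p, q = (int.from_bytes(f, "big") for f in fields[1:3])
    return p.bit_length(), q.bit_length()

def hosts_still_on_default(default_pub_line, keyscan_lines):
    """Hosts whose presented ssh-dss key matches the default key."""
    default_fp = fingerprint(default_pub_line.split()[1])
    hits = []
    for line in keyscan_lines:
        host, keytype, b64 = line.split()[:3]
        if keytype == "ssh-dss" and fingerprint(b64) == default_fp:
            hits.append(host)
    return hits

# Constructed sample data: placeholder integers of the right size, not real keys.
P, Q = (1 << 1023) | 1, (1 << 159) | 1
DEFAULT_PUB = make_pub_line(P, Q, 2, 1234567, "factory-default")
NEW_PUB = make_pub_line(P, Q, 2, 7654321, "site-generated")
KEYSCAN = ["192.0.2.10 " + DEFAULT_PUB.rsplit(" ", 1)[0],
           "192.0.2.11 " + NEW_PUB.rsplit(" ", 1)[0]]

if __name__ == "__main__":
    print(dsa_sizes(NEW_PUB.split()[1]), hosts_still_on_default(DEFAULT_PUB, KEYSCAN))
```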