Information About SSH Services
Secure Shell (SSH) is a protocol that provides a secure, remote connection to the Cisco NX-OS CLI. SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. You can use SSH keys for the following SSH options:
- SSH2 using RSA
- SSH2 using DSA
Starting from Cisco MDS NX-OS Release 8.2(1), SHA2 fingerprint hashing is supported on all Cisco MDS devices by default.
A secure SSH connection with an RSA key is available by default on all Cisco MDS 9000 Series Switches. If you require a secure SSH connection with a DSA key, you must disable the default SSH connection, generate a DSA key, and then enable the SSH connection again (see the Generating the SSH Server Key Pair section).
Use the ssh key command to generate a server key.
Caution: If you are logging in to a switch through SSH and you have issued the aaa authentication login default none command, you must enter one or more keystrokes to log in. If you press the Enter key without entering at least one keystroke, your login will be rejected.
For more information about configuring SSH services, see Configuring SSH Services and Telnet.
SSH Server
You can use the SSH server to enable an SSH client to make a secure, encrypted connection to a Cisco MDS device. SSH uses strong encryption for authentication. The SSH server in the Cisco MDS NX-OS software can interoperate with publicly and commercially available SSH clients.
The user authentication mechanisms supported for SSH are RADIUS, TACACS+, LDAP, and the use of locally stored usernames and passwords.
SSH Client
The SSH client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco MDS device to make a secure, encrypted connection to another Cisco MDS device or to any other device that runs the SSH server. This connection provides an outbound connection that is encrypted. With authentication and encryption, the SSH client allows for a secure communication over an insecure network.
The SSH client in the Cisco NX-OS software works with publicly and commercially available SSH servers.
SSH Server Keys
SSH requires server keys for secure communications to the Cisco MDS device. You can use SSH server keys for the following SSH options:
- SSH version 2 using Rivest, Shamir, and Adleman (RSA) public-key cryptography
- SSH version 2 using the Digital Signature Algorithm (DSA)
Be sure to have an SSH server key-pair with the appropriate version before enabling the SSH service. You can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts two types of key-pairs for use by SSH version 2:
- The dsa option generates the DSA key-pair for the SSH version 2 protocol.
- The rsa option generates the RSA key-pair for the SSH version 2 protocol.
By default, the Cisco NX-OS software generates an RSA key using 1024 bits.
SSH supports the following public key formats:
- OpenSSH
- IETF Secure Shell (SECSH)
- Public Key Certificate in Privacy-Enhanced Mail (PEM)
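The SHA2 fingerprint hashing mentioned above and the OpenSSH and IETF SECSH public key formats listed here are worth seeing side by side. The following Python is an added example, not Cisco code and not the output of any NX-OS command: it parses an OpenSSH one-line public key, checks that the algorithm name embedded in the key blob matches the line's prefix, computes the SHA-256 fingerprint the way OpenSSH prints it (base64 of the SHA-256 of the raw blob, padding stripped) alongside the legacy MD5 form, reports the RSA modulus size so a default 1024-bit key can be flagged against a local size policy, and converts the blob to and from the RFC 4716 (SECSH) file format. The sample key is constructed with an arbitrary odd 1024-bit modulus so the script runs offline; it is not a real RSA key pair, and the 2048-bit policy threshold is an assumption of the example.

```python
import base64
import hashlib
import struct
import textwrap


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (RFC 4251): 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode an SSH 'mpint' (RFC 4251): big-endian, with a leading zero byte if the high bit is set."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Build the wire-format ssh-rsa public key blob (RFC 4253 section 6.6): name, e, n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_openssh_pubkey(line: str):
    """Parse '<type> <base64 blob> [comment]' and verify the embedded algorithm name matches."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length].decode("ascii")
    if embedded != key_type:
        raise ValueError(f"key type mismatch: {key_type!r} vs embedded {embedded!r}")
    return key_type, blob, comment


def rsa_modulus_bits(blob: bytes) -> int:
    """Return the RSA modulus size in bits from an ssh-rsa blob."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    return int.from_bytes(fields[2], "big").bit_length()  # a leading 0x00 does not change the value


def fingerprint_sha256(blob: bytes) -> str:
    """SHA-256 fingerprint in the form OpenSSH prints: base64 with '=' padding removed."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy MD5 fingerprint (colon-separated hex), kept only to match older client output."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def to_secsh(blob: bytes, comment: str = "") -> str:
    """Render a key blob in the IETF SECSH public key file format (RFC 4716)."""
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines.extend(textwrap.wrap(base64.b64encode(blob).decode("ascii"), 70))
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines)


def from_secsh(text: str) -> bytes:
    """Recover the raw blob from RFC 4716 text (single-line headers only; continuation lines not handled)."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("----") and ":" not in ln]
    return base64.b64decode("".join(body), validate=True)


# Constructed sample, not a real key pair: an arbitrary odd 1024-bit modulus mimics the
# NX-OS default RSA key size; fingerprints are computed over the encoded blob only.
SAMPLE_E = 65537
SAMPLE_N = (1 << 1023) | 0x1D4C7
SAMPLE_LINE = ("ssh-rsa "
               + base64.b64encode(build_rsa_blob(SAMPLE_E, SAMPLE_N)).decode("ascii")
               + " mds-switch-constructed")


def check_key(line: str, minimum_bits: int = 2048) -> dict:
    """Parse one OpenSSH key line; report fingerprints and whether it meets the (assumed) size policy."""
    key_type, blob, comment = parse_openssh_pubkey(line)
    bits = rsa_modulus_bits(blob) if key_type == "ssh-rsa" else None
    return {"type": key_type, "comment": comment, "bits": bits,
            "sha256": fingerprint_sha256(blob), "md5": fingerprint_md5(blob),
            "meets_policy": bits is None or bits >= minimum_bits}


if __name__ == "__main__":
    print(check_key(SAMPLE_LINE))
    print(to_secsh(parse_openssh_pubkey(SAMPLE_LINE)[1], "mds-switch-constructed"))
```

The SHA256 value printed for a real switch key is what you compare against the fingerprint the switch itself reports before accepting its host key on first connection; the modulus check is where a 1024-bit default key would show up as failing the policy.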
Caution: If you delete all of the SSH keys, you cannot start the SSH services.
SSH Authentication Using Digital Certificates
SSH authentication on the Cisco MDS 9000 Family switches provides X.509 digital certificate support for host authentication. An X.509 digital certificate is a data item that vouches for the origin and integrity of a message. It contains encryption keys for secured communications and is “signed” by a trusted certification authority (CA) to verify the identity of the presenter. The X.509 digital certificate support provides either DSA or RSA algorithms for authentication.
The certificate infrastructure uses the first certificate that supports the Secure Socket Layer (SSL) and is returned by the security infrastructure, either through query or notification. Verification of certificates is successful if the certificates are from any of the trusted CAs.
From Cisco MDS NX-OS Release 8.4(2), use the show ssl info command to view the packaged SSL version.
You can configure your switch for either SSH authentication using an X.509 certificate or SSH authentication using a Public Key Certificate, but not both. If either of them is configured and the authentication fails, you will be prompted for a password.