X.509v3 Certificates for SSH Authentication
The X.509v3 Certificates for SSH Authentication feature uses public key algorithm (PKI) for server and user authentication, and allows the Secure Shell (SSH) protocol to verify the identity of the owner of a key pair via digital certificates, signed and issued by a Certificate Authority (CA).
This module describes how to configure server and user certificate profiles for a digital certificate.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for X.509v3 Certificates for SSH Authentication
The X.509v3 Certificates for SSH Authentication feature replaces the ip ssh server authenticate user command with the ip ssh server algorithm authentication command. Configure the default ip ssh server authenticate user command to remove the ip ssh server authenticate user command from the configuration. The IOS secure shell (SSH) server will start using the ip ssh server algorithm authentication command.
Warning |
SSH command accepted; but this CLI will be deprecated soon. Please move to new CLI ip ssh server algorithm authentication . Please configure the “default ip ssh server authenticate user ” to make the CLI ineffective. |
Restrictions for X.509v3 Certificates for SSH Authentication
-
The X.509v3 Certificates for SSH Authentication feature implementation is applicable only on the Cisco IOS Secure Shell (SSH) server side.
-
The Cisco IOS SSH server supports only the x509v3-ssh-rsa algorithm-based certificate for server and user authentication.
Information About X.509v3 Certificates for SSH Authentication
X.509v3 Certificates for SSH Authentication Overview
The Secure Shell (SSH) protocol provides a secure remote access connection to network devices. The communication between the client and server is encrypted.
There are two SSH protocols that use public key cryptography for authentication. The Transport Layer Protocol, uses a digital signature algorithm (called the public key algorithm) to authenticate the server to the client. And the User Authentication Protocol uses a digital signature to authenticate (public key authentication) the client to the server.
The validity of the authentication depends upon the strength of the linkage between the public signing key and the identity of the signer. Digital certificates, such as those in X.509 Version 3 (X.509v3), are used to provide identity management. X.509v3 uses a chain of signatures by a trusted root certification authority and intermediate certificate authorities to bind a public signing key to a specific digital identity. This implementation allows the use of a public key algorithm for server and user authentication, and allows SSH to verify the identity of the owner of a key pair via digital certificates, signed and issued by a Certificate Authority (CA).
Server and User Authentication Using X.509v3
For server authentication, the Secure shell (SSH) server sends its own certificate to the SSH client for verification. This server certificate is associated with the trustpoint configured in the server certificate profile (ssh-server-cert-profile-server configuration mode).
For user authentication, the SSH client sends the user's certificate to the IOS SSH server for verification. The SSH server validates the incoming user certificate using public key infrastructure (PKI) trustpoints configured in the server certificate profile (ssh-server-cert-profile-user configuration mode).
By default, certificate-based authentication is enabled for server and user at the IOS SSH server end.
OCSP Response Stapling
The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of an identified certificate. This protocol specifies the data that needs to be exchanged between an application checking the status of a certificate and the server providing that status. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate until a response is received. An OCSP response at a minimum consists of a responseStatus field that indicates the processing status of the a request.
For the public key algorithms, the key format consists of a sequence of one or more X.509v3 certificates followed by a sequence of zero or more OCSP responses.
The X.509v3 Certificate for SSH Authentication feature uses OCSP Response Stapling. By using OCSP response stapling, a device obtains the revocation information of its own certificate by contacting the OCSP server and then stapling the result along with its certificates and sending the information to the peer rather than having the peer contact the OCSP responder.
How to Configure X.509v3 Certificates for SSH Authentication
Configuring Digital Certificates for Server Authentication
SUMMARY STEPS
- enable
- configure terminal
- ip ssh server algorithm hostkey {x509v3-ssh-rsa [ssh-rsa ] | ssh-rsa [x509v3-ssh-rsa ]}
- ip ssh server certificate profile
- server
- trustpoint sign PKI-trustpoint-name
- ocsp-response include
- end
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode.
|
||
Step 2 |
configure terminal Example:
|
Enters global configuration mode. |
||
Step 3 |
ip ssh server algorithm hostkey {x509v3-ssh-rsa [ssh-rsa ] | ssh-rsa [x509v3-ssh-rsa ]} Example:
|
Defines the order of host key algorithms. Only the configured algorithm is negotiated with the Secure Shell (SSH) client.
|
||
Step 4 |
ip ssh server certificate profile Example:
|
Configures server and user certificate profiles and enters SSH certificate profile configuration mode. |
||
Step 5 |
server Example:
|
|
||
Step 6 |
trustpoint sign PKI-trustpoint-name Example:
|
|
||
Step 7 |
ocsp-response include Example:
|
(Optional) Sends the Online Certificate Status Protocol (OCSP) response or OCSP stapling along with the server certificate.
|
||
Step 8 |
end Example:
|
Exits SSH server certificate profile server configuration mode and returns to privileged EXEC mode. |
Configuring Digital Certificates for User Authentication
SUMMARY STEPS
- enable
- configure terminal
- ip ssh server algorithm authentication {publickey | keyboard | password }
- ip ssh server algorithm publickey {x509v3-ssh-rsa [ssh-rsa ] | ssh-rsa [x509v3-ssh-rsa ]}
- ip ssh server certificate profile
- user
- trustpoint verify PKI-trustpoint-name
- ocsp-response required
- end
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode.
|
||
Step 2 |
configure terminal Example:
|
Enters global configuration mode. |
||
Step 3 |
ip ssh server algorithm authentication {publickey | keyboard | password } Example:
|
Defines the order of user authentication algorithms. Only the configured algorithm is negotiated with the Secure Shell (SSH) client.
|
||
Step 4 |
ip ssh server algorithm publickey {x509v3-ssh-rsa [ssh-rsa ] | ssh-rsa [x509v3-ssh-rsa ]} Example:
|
Defines the order of public key algorithms. Only the configured algorithm is accepted by the SSH client for user authentication.
|
||
Step 5 |
ip ssh server certificate profile Example:
|
Configures server certificate profile and user certificate profile and enters SSH certificate profile configuration mode. |
||
Step 6 |
user Example:
|
Configures user certificate profile and enters SSH server certificate profile user configuration mode. |
||
Step 7 |
trustpoint verify PKI-trustpoint-name Example:
|
Configures the public key infrastructure (PKI) trustpoint that is used to verify the incoming user certificate.
|
||
Step 8 |
ocsp-response required Example:
|
(Optional) Mandates the presence of the Online Certificate Status Protocol (OCSP) response with the incoming user certificate.
|
||
Step 9 |
end Example:
|
Exits SSH server certificate profile user configuration mode and returns to privileged EXEC mode. |
Verifying the Server and User Authentication Using Digital Certificates
SUMMARY STEPS
- enable
- show ip ssh
DETAILED STEPS
Step 1 |
enable Enables privileged EXEC mode.
Example:
|
Step 2 |
show ip ssh Displays the currently configured authentication methods. To confirm the use of certificate-based authentication, ensure that the x509v3-ssh-rsa algorithm is the configured host key algorithm. Example:
|
Configuration Examples for X.509v3 Certificates for SSH Authentication
Example: Configuring Digital Certificates for Server Authentication
Switch> enable
Switch# configure terminal
Switch(config)# ip ssh server algorithm hostkey x509v3-ssh-rsa
Switch(config)# ip ssh server certificate profile
Switch(ssh-server-cert-profile)# server
Switch(ssh-server-cert-profile-server)# trustpoint sign trust1
Switch(ssh-server-cert-profile-server)# exit
Example: Configuring Digital Certificate for User Authentication
Switch> enable
Switch# configure terminal
Switch(config)# ip ssh server algorithm authentication publickey
Switch(config)# ip ssh server algorithm publickey x509v3-ssh-rsa
Switch(config)# ip ssh server certificate profile
Switch(ssh-server-cert-profile)# user
Switch(ssh-server-cert-profile-user)# trustpoint verify trust2
Switch(ssh-server-cert-profile-user)# end
Additional References for X.509v3 Certificates for SSH Authentication
Related Documents
Related Topic | Document Title |
---|---|
PKI configuration |
Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment |
Technical Assistance
Description | Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for X.509v3 Certificates for SSH Authentication
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
X.509v3 Certificates for SSH Authentication |
Cisco IOS 15.2(4)E1 |
The X.509v3 Certificates for SSH Authentication feature uses the X5.09v3 digital certificates in server and user authentication at the SSH server side. The following commands were introduced or modified: ip ssh server algorithm hostkey , ip ssh server algorithm authentication , and ip ssh server certificate profile .
|