SSH PKI Authentication; Key Generation - Alcatel-Lucent 7450 System Management Manual

directory specified as "cf1:\dir1\file1" will be transmitted to the SCP server as "cf1:dir1file1"
where the backslash escape characters are stripped by the SCP client system before
transmission. On systems where the client treats the backslash like an "escape" character, a
double backslash "\\" or the forward slash "/" can typically be used to properly delimit
directories and the filename.
Two cipher lists, the client-cipher-list and the server-cipher-list, can be configured for
negotiation of the best compatible cipher between the client and server. The two cipher
lists are created and managed under the security ssh sub menu. The client-cipher-list is
used when the SR OS is acting as SSH client and the server-cipher-list is used when the SR OS
is acting as SSH server. The first cipher on the client's list that also appears on the
server's list is selected for the session, so the order of the lists determines preference,
and a cipher left off the server-cipher-list can never be negotiated while the SR OS is the
server.
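
The negotiation described above, worked through as an added example (this is illustrative code, not SR OS code): it applies the SSHv2 rule from RFC 4253 section 7.1 to two configured lists and shows why trimming the server-cipher-list matters more than reordering it. The cipher names are real SSH algorithm names; the lists and the WEAK_CIPHERS set are constructed for the example and are not SR OS defaults.

```python
"""Added example, not SR OS code: how two configured cipher lists resolve to
one session cipher, following RFC 4253 section 7.1.

Each side advertises its ciphers in preference order in its KEXINIT message.
The chosen cipher is the first name on the client's list that also appears on
the server's list; the server's order does not matter, its list only filters.
The algorithm names below are real SSH cipher names, but the lists and the
WEAK_CIPHERS set are constructed for this example, not SR OS defaults.
"""
from typing import List, Optional, Sequence

# Ciphers a practitioner would normally leave out of a server-cipher-list
# (illustrative assumption, not an SR OS recommendation).
WEAK_CIPHERS = frozenset({"3des-cbc", "arcfour", "arcfour128", "arcfour256",
                          "blowfish-cbc"})


def negotiate_cipher(client_list: Sequence[str],
                     server_list: Sequence[str]) -> Optional[str]:
    """Return the cipher an SSHv2 session will use, or None if no overlap.

    RFC 4253 section 7.1: walk the client's list in order and pick the first
    algorithm the server also lists. Only the client's order matters.
    """
    server_supported = set(server_list)
    for cipher in client_list:
        if cipher in server_supported:
            return cipher
    return None  # key exchange fails and the session is disconnected


def weak_ciphers_in(cipher_list: Sequence[str]) -> List[str]:
    """Return the entries of a configured list that are in WEAK_CIPHERS."""
    return [c for c in cipher_list if c in WEAK_CIPHERS]


# Constructed lists. A remote client that prefers CBC ciphers (as older SSH
# clients did) connects to the SR OS acting as server.
REMOTE_CLIENT = ["aes128-cbc", "3des-cbc", "aes256-ctr", "aes128-ctr"]
PERMISSIVE_SERVER = ["aes256-ctr", "aes128-ctr", "aes128-cbc", "3des-cbc"]
HARDENED_SERVER = ["aes256-ctr", "aes192-ctr", "aes128-ctr"]


def demo() -> dict:
    """Show that only trimming the server list changes the outcome; reversing
    the server list does not, because the client's order wins."""
    return {
        "permissive": negotiate_cipher(REMOTE_CLIENT, PERMISSIVE_SERVER),
        "hardened": negotiate_cipher(REMOTE_CLIENT, HARDENED_SERVER),
        "reordered": negotiate_cipher(REMOTE_CLIENT,
                                      list(reversed(PERMISSIVE_SERVER))),
        "legacy_only": negotiate_cipher(["3des-cbc"], HARDENED_SERVER),
        "weak_on_permissive": weak_ciphers_in(PERMISSIVE_SERVER),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical consequence: when the SR OS is the server, its server-cipher-list is a filter, not a preference, so the only way to stop a legacy client from landing on a CBC or 3DES cipher is to remove those entries from the list; when the SR OS is the client, the order of its client-cipher-list is what decides.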

SSH PKI Authentication

The SR OS supports Secure Shell Version 2. Without this feature, user authentication is
limited to a username and password.
SSH also supports public key authentication, in which the client proves possession of its
private key by signing a message (which includes the session identifier) and sending the
signature to the server. As long as the server has been previously configured with the
client's public key, it can verify the signature and authenticate the client; the private
key itself is never sent.
Using public key authentication (which this guide also refers to as Public Key
Infrastructure, or PKI, although no certificate authority is involved) can be more secure
than the existing username/password method for a few reasons:

A user will typically re-use the same password on multiple servers. If the password is
compromised, the user must reconfigure the password on all affected servers.

With public key authentication no password is transmitted between the client and server.
Instead the sensitive information (the private key) is kept on the client and never leaves
it, so it is less likely to be compromised.

This feature includes server side support for SSHv2 public key authentication. It does not
include a key generation utility.
Support for PKI is configured in the system level configuration, where one or more public
keys may be bound to a username. It does not affect any other system security or login
functions.

Key Generation

Before SSH can be used with PKI, someone must generate a public/private key pair. This is
typically supported by the SSH client software. For example, PuTTY includes a utility called
PuTTYgen that generates key pairs; OpenSSH provides ssh-keygen. Only the public key is
copied to the SR OS and bound to the username; the private key stays on the client and
should be protected with a passphrase.
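
The binding step described above, as an added example that is not SR OS or PuTTY code: before a public key is bound to a username, the operator should check that the line received from the user is well formed and that its fingerprint matches what the key generator displayed on the client. The code below parses the OpenSSH public key line format and the RFC 4253 wire encoding inside it, computes the SHA256 fingerprint the way ssh-keygen -l prints it, and rejects mismatched, truncated or undersized keys. The sample keys are constructed from fixed bytes and are not real key material; which key types and sizes a given SR OS release accepts is not stated on this page, and the ed25519 case is included only because modern clients generate it by default.

```python
"""Added example, not SR OS or PuTTY code: checking a public key before it is
bound to a username on the server.

Key generation happens on the client (PuTTYgen, or ssh-keygen in OpenSSH). What
the operator receives is one line in OpenSSH public key format:

    <key-type> <base64 blob> [comment]

where the blob is RFC 4253 wire encoding: a length-prefixed key-type string
followed by the key material. The sample keys are constructed, not real keys.
"""
import base64
import hashlib
import struct
from typing import Any, Dict, Tuple


def _string(data: bytes) -> bytes:
    """Encode an RFC 4253 'string': uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """Encode a non-negative RFC 4253 'mpint' (leading 0x00 if high bit set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)


def _read_string(buf: bytes, offset: int) -> Tuple[bytes, int]:
    """Decode one RFC 4253 'string' at offset; raise on truncation."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset + 4:end], end


def parse_public_key_line(line: str) -> Dict[str, Any]:
    """Validate an OpenSSH public key line and describe the key it carries."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # raises ValueError on junk

    inner_type, offset = _read_string(blob, 0)
    if inner_type != key_type.encode():
        raise ValueError(f"label {key_type!r} does not match blob type {inner_type!r}")

    digest = hashlib.sha256(blob).digest()
    info: Dict[str, Any] = {
        "type": key_type,
        "comment": comment,
        # Same value ssh-keygen -l prints: SHA256 over the raw blob, base64 unpadded.
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
    }
    if key_type == "ssh-ed25519":
        point, offset = _read_string(blob, offset)
        if len(point) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        info["bits"] = 256
    elif key_type == "ssh-rsa":
        e_raw, offset = _read_string(blob, offset)
        n_raw, offset = _read_string(blob, offset)
        info["exponent"] = int.from_bytes(e_raw, "big")
        info["bits"] = int.from_bytes(n_raw, "big").bit_length()
        if info["bits"] < 2048:  # illustrative minimum, not an SR OS limit
            raise ValueError(f"RSA modulus of {info['bits']} bits is too short")
    else:
        raise ValueError(f"unsupported key type {key_type!r}")
    if offset != len(blob):
        raise ValueError("trailing bytes after key material")
    return info


def make_public_key_line(key_type: str, *fields: bytes, comment: str = "") -> str:
    """Assemble a public key line from already encoded fields. Used here only
    to build constructed sample keys; real keys come from the key generator."""
    blob = _string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


# Constructed sample keys: fixed bytes, not real key material.
SAMPLE_ED25519 = make_public_key_line("ssh-ed25519", _string(bytes(range(32))),
                                      comment="admin@workstation")
SAMPLE_RSA = make_public_key_line("ssh-rsa", _mpint(65537),
                                  _mpint((1 << 2047) | 0x10001),
                                  comment="admin@workstation")

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_RSA):
        print(parse_public_key_line(sample))
```

The fingerprint is the value to read back to the user over a second channel (phone, ticket, in person) before the key is bound; a key whose fingerprint the user cannot confirm should not be installed, since anyone who can substitute the public key in transit gains the login.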
7450 ESS System Management Guide, Security, Page 53