Cisco CRS-1 - Carrier Routing System Router Configuration Manual page 209

IOS XR System Security Configuration Guide
Implementing Secure Shell on Cisco IOS XR Software
Note: The server must be running in order to accept incoming SFTP connections.
RSA Based Host Authentication
Verifying the authenticity of a server is the first step toward a secure SSH connection. This process is called
host authentication, and it ensures that a client connects to a valid server.
Host authentication is performed using the public key of the server. During the key-exchange phase, the
server provides its public key to the client. The client checks its known-hosts database for this server and
its corresponding public key. If the client does not find the server's IP address, it displays a warning
message to the user, offering the option to either save the public key or discard it. If the server's IP
address is found but the public key does not match, the client closes the connection. If the public key is
valid, the server is verified and a secure SSH connection is established.
The IOS XR SSH server and client already supported DSA-based host authentication. For compatibility
with other products, such as IOS, RSA-based host authentication support has also been added.
RSA Based User Authentication
One method for authenticating a user in the SSH protocol is RSA public-key based user authentication.
Possession of the private key serves as the user's authentication: the client sends a signature created
with the user's private key. Each user has an RSA key pair on the client machine, and the private key of
that pair remains on the client machine.
The user generates an RSA public-private key pair on a UNIX client using a standard key generation
mechanism such as ssh-keygen. The maximum supported key length is 2048 bits, and the minimum is
512 bits. The following example displays a typical key generation session:
bash-2.05b$ ssh-keygen -b 1024 -t rsa
Generating RSA private key, 1024 bit long modulus
The public key must be in base64 encoded (binary) format for it to be imported correctly into the router.
You can use third-party tools available on the Internet to convert the key to the binary format.
Once the public key is imported to the router, the SSH client can choose to use the public key
authentication method by specifying the request using the "-o" option in the SSH client. For example:
client$ ssh -o PreferredAuthentications=publickey 1.2.3.4
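As an added example (not from the Cisco guide), the following Python parses an OpenSSH ssh-rsa public key line into its wire-format components, reports the modulus size against the 512 to 2048 bit range stated above, and computes the SHA256 fingerprint an SSH client shows when it warns about an unknown host key. All function names are assumptions of this example, and the sample key line is constructed from a synthetic modulus, not a real key.

```python
import base64
import hashlib
import struct

# Key-length limits this page states for IOS XR RSA user authentication.
MIN_BITS, MAX_BITS = 512, 2048

def _mpint(value: int) -> bytes:
    """Encode an SSH mpint: big-endian, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw

def _read_string(blob: bytes, offset: int):
    """Read one SSH string (uint32 length prefix + bytes) starting at offset."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def build_ssh_rsa_line(e: int, n: int, comment: str = "user@client") -> str:
    """Produce a public key line in the format ssh-keygen writes to id_rsa.pub."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def inspect_ssh_rsa_line(line: str) -> dict:
    """Parse an ssh-rsa line: modulus bits, exponent, fingerprint, IOS XR size check."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type does not match the line's key type")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    bits = int.from_bytes(n_bytes, "big").bit_length()
    # ssh-keygen -l style fingerprint: base64(SHA256(blob)) without padding.
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"bits": bits, "exponent": int.from_bytes(e_bytes, "big"),
            "fingerprint": "SHA256:" + fp, "accepted": MIN_BITS <= bits <= MAX_BITS}

# Constructed sample (not a real key): a 1024-bit odd modulus with e = 65537.
SAMPLE_LINE = build_ssh_rsa_line(65537, (1 << 1023) | 0x1234567)

if __name__ == "__main__":
    print(inspect_ssh_rsa_line(SAMPLE_LINE))
```

Run it against a real id_rsa.pub line before importing the key, to confirm the modulus size is within the router's accepted range.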
If no public key has been imported to the router using the RSA method, the SSH server initiates
password-based authentication. If a public key has been imported, the server proposes both methods,
and the SSH client chooses which one to use to establish the connection. The system allows only 10
outgoing SSH client connections.
Currently, only the SSH version 2 and SFTP servers support RSA-based authentication. For more
information on how to import the public key to the router, see the Implementing Certification Authority
Interoperability on Cisco IOS XR Software chapter in this guide.
OL-20382-01
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
Information About Implementing Secure Shell
SC-203