Configuring SSH; Overview; How SSH Works - HPE FlexFabric 7900 Series Security Configuration Manual

Configuring SSH

Overview

Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can
implement secure remote access and file transfer over an insecure network. Adopting the typical
client/server model, SSH can establish a channel to protect data transfer based on TCP.

SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which
are not compatible. SSH2 is better than SSH1 in performance and security.

The device can work as an SSH server or as an SSH client.

• When acting as an SSH server, the device provides services for SSH clients and supports the
  following SSH versions:
  ○ For Secure Telnet (Stelnet), Secure File Transfer Protocol (SFTP), or Secure Copy (SCP)
    connections, the device supports the following SSH versions:
    − SSH2 and SSH1 in non-FIPS mode.
    − SSH2 in FIPS mode.
  ○ For NETCONF-over-SSH connections, the device supports only SSH2 in both non-FIPS
    and FIPS modes.
• When acting as an SSH client, the device supports SSH2 only. It allows users to establish SSH
  connections with an SSH server.
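
One way to audit which SSH versions a server announces, as an added example that is not part of the HPE manual. It parses the identification string defined in RFC 4253 (sections 4.2 and 5.1); the function name and the sample banners are constructed, and the manual does not state which string this device sends.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# softwareversion is printable US-ASCII without whitespace or "-".
_IDENT = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x2c\x2e-\x7e]+)(?: (.*))?$")

def classify_ssh_banner(raw: bytes) -> dict:
    """Report which SSH versions a server announces before key exchange."""
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # a server may send other text lines before its version string
        if len(line) + 2 > 255:  # limit includes the CR LF
            raise ValueError("identification string longer than 255 bytes")
        m = _IDENT.match(line)
        if m is None:
            raise ValueError(f"malformed identification string: {line!r}")
        proto = m.group(1).decode("ascii")
        if proto == "1.99":  # section 5.1: SSH2 server that also accepts SSH1
            offers = ("SSH1", "SSH2")
        elif int(proto.split(".")[0]) >= 2:
            offers = ("SSH2",)
        else:
            offers = ("SSH1",)
        return {
            "protoversion": proto,
            "software": m.group(2).decode("ascii"),
            "offers": offers,
            "ssh1_enabled": "SSH1" in offers,
        }
    raise ValueError("no SSH identification string found")

if __name__ == "__main__":
    # Constructed sample banners; "ExampleSSHD" is a made-up software name.
    samples = [
        b"SSH-1.99-ExampleSSHD_1.0\r\n",
        b"Authorized users only\r\nSSH-2.0-ExampleSSHD_1.0 lab\r\n",
        b"SSH-1.5-ExampleSSHD_0.9\r\n",
    ]
    for banner in samples:
        info = classify_ssh_banner(banner)
        flag = "REVIEW: SSH1 offered" if info["ssh1_enabled"] else "ok"
        print(info["protoversion"], info["offers"], flag)
```
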

The device supports the following SSH applications:

• Stelnet—Stelnet provides secure and reliable network terminal access services. Through
  Stelnet, a user can securely log in to a remote server. Stelnet can protect devices against
  attacks, such as IP spoofing and plain text password interception. The device can act as an
  Stelnet server or an Stelnet client.
• SFTP—Based on SSH2, it uses SSH connections to provide secure file transfer. The device
  can serve as an SFTP server, allowing a remote user to log in to the SFTP server for secure file
  management and transfer. The device can also serve as an SFTP client, enabling a user to log
  in from the device to a remote device for secure file transfer.
• SCP—Based on SSH2, it offers a secure approach to copying files. The device can act as an
  SCP server, allowing a user to log in to the device for file upload and download. The device can
  also act as an SCP client, enabling a user to log in from the device to a remote device for secure
  file transfer.
• NETCONF over SSH—Based on SSH2, it enables users to securely log in to the device
  through SSH and perform NETCONF operations on the device through NETCONF-over-SSH
  connections. The device can act only as a server in NETCONF-over-SSH connections. For
  more information about NETCONF, see Network Management and Monitoring Configuration
  Guide.

How SSH works

This section uses SSH2 as an example to list the stages involved in secure session establishment
between an SSH client and an SSH server. For more information about these stages, see SSH
Technology White Paper.

Table 7 Stages involved in secure session establishment

Stages                     Description
Connection establishment   The SSH server listens to the connection requests on port 22. After a