Configuring the device as an SSH server

SSH server configuration task list

Tasks at a glance (with remarks):

1. Generating local key pairs (Required.)
   Remarks: N/A

2. Enabling the Stelnet server (Required.)
   Remarks: Required only for Stelnet servers.

3. Enabling the SFTP server (Required.)
   Remarks: Required only for SFTP servers.

4. Enabling the SCP server (Required.)
   Remarks: Required only for SCP servers.

5. Enabling NETCONF over SSH (Required.)
   Remarks: Required only for NETCONF-over-SSH servers.

6. Configuring the user lines for SSH login (Required.)
   Remarks: Required only for Stelnet and NETCONF-over-SSH servers.

7. Configuring a client's host public key (Required.)
   Remarks: Required if the authentication method is publickey, password-publickey, or any.

8. Configuring the PKI domain for verifying the client's digital certificate (Optional.)
   Remarks: Required if the following conditions exist:
   • The authentication method is publickey.
   • The client sends its public key to the server through a digital certificate for validity check.
   The PKI domain must have the CA certificate to verify the client's digital certificate. See "Configuring PKI."

9. Configuring an SSH user (Required/optional.)
   Remarks: Required if the authentication method is publickey, password-publickey, or any. Optional if the authentication method is password.

10. Configuring the SSH management parameters (Optional.)
    Remarks: N/A

11. Specifying a PKI domain for the SSH server (Optional.)
    Remarks: N/A

12. Specifying the SSH service port (Optional.)
    Remarks: N/A

Generating local key pairs

The DSA, ECDSA, or RSA key pairs on the SSH server are required for generating the session keys and the session ID in the key exchange stage. They can also be used by a client to authenticate the server. When a client authenticates the server, it compares the public key received from the server with the copy of the server's public key that it saved locally. If the two keys match, the client uses the locally saved public key to verify the digital signature received from the server. If the signature verifies, the server passes authentication.

The SSH application starts when you execute an SSH server command on the device. If the device does not have RSA key pairs with default names, it automatically generates one RSA server key pair and one RSA host key pair, both with their default names. You can also use the public-key local create command to generate DSA, ECDSA, or RSA key pairs on the device.

Configuration restrictions and guidelines

When you generate local key pairs, follow these restrictions and guidelines:
• Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names to the key pairs.
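The client-side server authentication described above (compare the host key received in the key exchange with the copy saved locally, then verify the server's signature over the exchange hash with that key), as an added example that is not part of this configuration guide or of the device's own software. It assumes an ECDSA P-256 host key in the SSH wire format of RFC 4251/RFC 5656 and uses only Go's standard library; GenerateHostKey, HostKeyBlob, SignExchangeHash and VerifyServer are names chosen here, not device commands, and the exchange hash H passed in by a caller is a constructed stand-in rather than a value derived from a real key exchange.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"math/big"
)

// Only the ECDSA P-256 host key format is handled; the device's DSA and RSA keys use different blobs.
const keyType = "ecdsa-sha2-nistp256"
// sshString encodes b as an SSH "string" (RFC 4251): uint32 big-endian length, then the bytes.
func sshString(b []byte) []byte {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(b)))
	return append(l[:], b...)
}

// sshMpint encodes a non-negative integer as an SSH "mpint"; a leading 0x00 stops a set top bit from reading as negative.
func sshMpint(n *big.Int) []byte {
	b := n.Bytes()
	if len(b) > 0 && b[0]&0x80 != 0 {
		b = append([]byte{0}, b...)
	}
	return sshString(b)
}

// cursor reads consecutive SSH strings; a malformed field sets err, returns nil and leaves the buffer untouched.
type cursor struct {
	b   []byte
	err error
}

func (c *cursor) str() []byte {
	if len(c.b) < 4 || uint64(binary.BigEndian.Uint32(c.b)) > uint64(len(c.b)-4) {
		c.err = errors.New("malformed SSH string")
		return nil
	}
	n := 4 + binary.BigEndian.Uint32(c.b)
	v := c.b[4:n]
	c.b = c.b[n:]
	return v
}

// GenerateHostKey stands in for "public-key local create ecdsa" on the server.
func GenerateHostKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// HostKeyBlob is the public key blob the server sends during key exchange (RFC 5656 section 3.1):
// string "ecdsa-sha2-nistp256", string "nistp256", string Q (uncompressed point).
func HostKeyBlob(pub *ecdsa.PublicKey) []byte {
	q := make([]byte, 65)
	q[0] = 4
	pub.X.FillBytes(q[1:33])
	pub.Y.FillBytes(q[33:])
	return bytes.Join([][]byte{sshString([]byte(keyType)), sshString([]byte("nistp256")), sshString(q)}, nil)
}

// SignExchangeHash is the server side: sign the exchange hash H with the host private key and
// return string "ecdsa-sha2-nistp256", string (mpint r, mpint s).
func SignExchangeHash(priv *ecdsa.PrivateKey, h []byte) ([]byte, error) {
	r, s, err := ecdsa.Sign(rand.Reader, priv, h)
	if err != nil {
		return nil, err
	}
	return append(sshString([]byte(keyType)), sshString(append(sshMpint(r), sshMpint(s)...))...), nil
}

// VerifyServer is the client-side check the text describes: the host key received in the key exchange
// must equal the copy saved locally, and the server's signature over H must verify under that key.
func VerifyServer(savedBlob, receivedBlob, h, sigBlob []byte) error {
	if !bytes.Equal(savedBlob, receivedBlob) {
		return errors.New("host key does not match the copy saved locally")
	}
	k := &cursor{b: receivedBlob}
	typ, curve, q := k.str(), k.str(), k.str()
	if k.err != nil || len(k.b) != 0 || string(typ) != keyType || string(curve) != "nistp256" || len(q) != 65 || q[0] != 4 {
		return errors.New("malformed or unsupported host key blob")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(q[1:33]), Y: new(big.Int).SetBytes(q[33:])}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return errors.New("host key point is not on P-256")
	}
	c := &cursor{b: sigBlob}
	styp, rs := c.str(), c.str()
	inner := &cursor{b: rs}
	rb, sb := inner.str(), inner.str()
	if c.err != nil || inner.err != nil || len(c.b)+len(inner.b) != 0 || string(styp) != keyType {
		return errors.New("malformed or unsupported signature blob")
	}
	if !ecdsa.Verify(pub, h, new(big.Int).SetBytes(rb), new(big.Int).SetBytes(sb)) {
		return errors.New("signature over the exchange hash does not verify under the host key")
	}
	return nil
}
```

A caller plays both sides: generate the host key with GenerateHostKey, keep HostKeyBlob of its public half as the client's saved copy, sign a stand-in H with SignExchangeHash, and pass saved blob, received blob, H and signature to VerifyServer. The byte-for-byte comparison of the two blobs is the "keys are consistent" step; a regenerated or substituted host key fails there before any signature is checked, which is exactly why the saved copy must come from a trusted first contact.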