SSH and SCP Encryption of Management Messages
Generating an RSA Host Key for SSH Access
SSH/SCP Integration with RADIUS Authentication
SSH/SCP Integration with TACACS+ Authentication
© Copyright Lenovo 2018
The following encryption and authentication methods are supported for SSH and
SCP:
Server Host Authentication: Client RSA authenticates the switch at the
Key Exchange:
Encryption:
User Authentication:
To support the SSH server feature, an RSA host key is required. The host key is
2048 bits and is used to identify the NE2552E.
When the SSH server is first enabled and applied, the switch automatically
generates the RSA host key and stores it in FLASH memory.
To configure an RSA host key, first connect to the NE2552E through the console
port (commands are not available via external Telnet connection), and enter the
following command to generate it manually.
NE2552E(config)# ssh generate-host-key
When the switch reboots, it will retrieve the host key from the FLASH memory.
Notes:
The switch will perform only one session of key/cipher generation at a time.
Thus, an SSH/SCP client will not be able to log in if the switch is performing key
generation at that time. Also, key generation will fail if an SSH/SCP client is
logging in at that time.
Because the switch software only generates RSA keys, if there is already a
DSA‐based SSH key on the switch, this key will remain on the switch and not be
replaced until you run the ssh generate-host key command to generate
an RSA key.
SSH/SCP is integrated with RADIUS authentication. After the RADIUS server is
enabled on the switch, all subsequent SSH authentication requests will be
redirected to the specified RADIUS servers for authentication. The redirection is
transparent to the SSH clients.
SSH/SCP is integrated with TACACS+ authentication. After the TACACS+ server is
enabled on the switch, all subsequent SSH authentication requests will be
redirected to the specified TACACS+ servers for authentication. The redirection is
transparent to the SSH clients.
beginning of every connection
RSA
3DES‐CBC, DES
Local password authentication, RADIUS
(Generates the host key)
Chapter 4: Securing Administration
93