Configuring The Ssh Server - Cisco SCE 8000 10GBE Software Configuration Manual

Chapter 5
Configuring the Management Interface and Security

Configuring the SSH Server

The SSH Server, page 5-37
Key Management, page 5-37
Managing the SSH Server, page 5-38
Monitoring the Status of the SSH Server, page 5-40

The SSH Server

A shortcoming of the standard telnet protocol is that it transfers passwords and data over the network unencrypted, thus compromising security. Where security is a concern, using a Secure Shell (SSH) server rather than telnet is recommended.
An SSH server is similar to a telnet server, but it uses cryptographic techniques that allow it to communicate with any SSH client over an insecure network in a manner that ensures the privacy of the communication. CLI commands are executed over SSH in exactly the same manner as over telnet.
The SSH server supports both the SSHv1 and SSHv2 protocols. You can disable SSHv1, so that only SSHv2 is running.
The SSH server supports the following encryption ciphers:
aes256-ctr, aes192-ctr, aes128-ctr (RFC-4344, section 4).
3des-cbc, blowfish-cbc, aes256-cbc, aes192-cbc, aes128-cbc, arcfour, cast128-cbc (RFC-4253, section 6.3).
arcfour128, arcfour256 (RFC-4345, section 4).
rijndael-cbc@lysator.liu.se (as provided by OpenSSH 4.7p1).
An ACL can be configured for SSH as for any other management protocol, limiting SSH access to a specific set of IP addresses (see "Configuring Access Control Lists (ACLs)" section on page 5-32).

Key Management

Each SSH server should define a set of keys (DSA2, RSA2 and RSA1) to be used when communicating with various clients. The key sets are pairs of public and private keys. The server publishes the public key while keeping the private key in non-volatile memory, never transmitting it to SSH clients. Note that the keys are kept on the tffs0 file system, which means that a person with knowledge of the 'enable' password can access both the private and public keys. The SSH server implementation provides protection against eavesdroppers who can monitor the management communication channels of the Cisco SCE platform, but it does not provide protection against a user with knowledge of the 'enable' password.
Key management is performed by the user via a special CLI command. A set of keys must be generated at least once before enabling the SSH server.
The size of the encryption key is always 2048 bits.

Cisco SCE 8000 10GBE Software Configuration Guide, OL-30621-02
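The SSH server section states that SSHv1 stays enabled unless you disable it and that CBC and arcfour ciphers are offered alongside the CTR ones. The following Python audit is an added example, not taken from the Cisco guide: it reads a server identification banner and an SSH_MSG_KEXINIT payload (RFC 4253, sections 4.2 and 7.1) and reports SSHv1 exposure and non-CTR ciphers. All function names, the CTR-only policy, and the sample banner and payload are assumptions constructed for the example.

```python
# Policy assumed by this example: only the CTR ciphers from the page's list
# (RFC 4344) are preferred; the CBC and arcfour entries are reported as legacy.
PREFERRED = {"aes256-ctr", "aes192-ctr", "aes128-ctr"}
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def banner_allows_sshv1(banner):
    """True for protoversion 1.x, including 1.99 (SSHv2 server that still accepts SSHv1)."""
    parts = banner.strip().split("-", 2)
    if len(parts) < 3 or parts[0] != "SSH":
        raise ValueError("not an SSH identification string")
    return parts[1].startswith("1.")

def parse_kexinit(payload):
    """Return the name-lists of a KEXINIT payload (message type 20, 16-byte cookie)."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, {}
    for field in FIELDS:
        n = int.from_bytes(payload[off:off + 4], "big")  # uint32 name-list length
        if off + 4 > len(payload) or off + 4 + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off + 4:off + 4 + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        off += 4 + n
    return lists

def audit(banner, payload):
    """Report SSHv1 exposure and server-to-client ciphers outside PREFERRED."""
    offered = parse_kexinit(payload)["enc_s2c"]
    return {"sshv1_enabled": banner_allows_sshv1(banner),
            "legacy_ciphers": [c for c in offered if c not in PREFERRED]}

def build_sample_kexinit(ciphers):
    """Constructed test input, not captured from an SCE; non-cipher lists are placeholders."""
    lists = [["diffie-hellman-group14-sha1"], ["ssh-rsa"], ciphers, ciphers,
             ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"], [], []]
    body = b"".join(len(s).to_bytes(4, "big") + s
                    for s in (",".join(l).encode("ascii") for l in lists))
    return bytes([20]) + bytes(16) + body + b"\x00" + bytes(4)

SAMPLE_BANNER = "SSH-1.99-ExampleServer_1.0\r\n"  # constructed, not SCE output
SAMPLE_KEXINIT = build_sample_kexinit(
    ["aes256-ctr", "aes128-ctr", "3des-cbc", "aes128-cbc", "arcfour"])

if __name__ == "__main__":
    print(audit(SAMPLE_BANNER, SAMPLE_KEXINIT))
```

In practice the banner and KEXINIT payload would come from a packet capture of a management session, taken before and after SSHv1 is disabled.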
