Using SSH Version 1 (SSHv1); Using SSH Version 2 (SSHv2) - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual


Using SSH Version 1 (SSHv1)

Using SSH Version 2 (SSHv2)

Copyright © 2010, Juniper Networks, Inc.
NOTE: For ScreenOS 5.x devices, you can enable or disable SSH for device
admin connections using the directive "Set Admin SSH." To execute this
directive, right-click the device in the Device Manager device list and select
Device > Set Admin SSH.
- Using SSH Version 1 (SSHv1) on page 159
- Using SSH Version 2 (SSHv2) on page 159
SSHv1 is widely deployed and is commonly used. You can use a password or Public Key
Authentication (PKA) to authenticate an SSHv1 connection.
When using PKA authentication for the SSHv1 server (the security device) you can also
set the key generation interval for the host PKA key. When you enable SSH on a managed
device, the device generates a unique host key that is permanently bound to the device
(each vsys has its own host key). If SSH is disabled, then enabled again, the device uses
the same host key. The security device uses the host key to identify itself to an SSH client
(device administrator).
After the key is generated, it can be distributed to the SSH client in one of two ways:
- Manually—Send the host key to the client admin user through e-mail or phone. The
  device administrator stores the host key in the appropriate SSH file on the SSH client
  system (the SSH client application determines the file location and format).
- Automatically—When the SSH client connects to the managed device, the SSH server
  sends the unencrypted public component of the host key to the client. The SSH client
  searches its local host key database to see if the received host key is mapped to the
  address of the security device. If the host key is unknown (there is no mapping to the
  device address in the client's host key database), the device admin user can accept
  the host key and authenticate the connection, or reject the host key and terminate the
  connection request.
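The client-side lookup described above, as an added example (not from the Juniper guide or NSM). It assumes an OpenSSH-style known_hosts database on the SSH client; the addresses, host name and key blobs are constructed placeholders, and `fingerprint` gives the short value an admin would compare against a key received manually.

```python
import base64, hashlib, hmac

def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 key blob, for out-of-band comparison."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a host field: comma-separated names or hashed |1|salt|hmac-sha1."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return host in field.split(",")

def check_host_key(db_text, host, key_type, key_b64):
    """'match': proceed; 'unknown': admin must accept or reject; 'mismatch': reject."""
    host_known = False
    for line in db_text.splitlines():
        fields = line.split()
        # Simplification: comments and @marker lines (e.g. @revoked) are skipped.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if fields[1] != key_type or not host_matches(fields[0], host):
            continue
        host_known = True
        if fields[2] == key_b64:
            return "match"
    # A known address presenting a different key is not the "unknown" case.
    return "mismatch" if host_known else "unknown"

def hashed_host(host, salt):
    """Build a hashed host field (used here only to construct sample data)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed placeholders, not real RSA host keys or real device addresses.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
SAMPLE_DB = "\n".join([
    "# constructed client host key database",
    "192.0.2.10,fw1.example.net ssh-rsa " + KEY_A,
    hashed_host("192.0.2.20", b"constructed-salt-20b") + " ssh-rsa " + KEY_B,
])

if __name__ == "__main__":
    for host, key in [("192.0.2.10", KEY_A), ("192.0.2.10", KEY_B), ("192.0.2.30", KEY_A)]:
        print(host, fingerprint(key), check_host_key(SAMPLE_DB, host, "ssh-rsa", key))
```

Only the "unknown" result corresponds to the accept-or-reject prompt in the text; a "mismatch" means the address is already mapped to a different host key and the connection should not be accepted without checking the device.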
To configure the SSH client, you must also bind the RSA PKA keys to the device
administrator before that admin can make an SSH connection. For details on assigning
PKA keys to a device admin, see "Device Administrator Account Configuration Overview"
on page 150.
NOTE: NSM supports PKA keys for device administrator authentication only
for devices running ScreenOS 5.x.
SSHv2 is considered more secure than SSHv1 and is currently being developed as the
IETF standard.
Chapter 5: Administration
159
