Performance; Security Concerns - Juniper SYSTEM BASICS - CONFIGURATION GUIDE V 11.1.X Configuration Manual

System basics configuration guide software for e series broadband services routers
JUNOSe 11.1.x System Basics Configuration Guide
Secure System Administration with SSH

The public half of the host key is sent from the server to the client as part of the transport layer negotiation. The client attempts to find a match for this key with one stored locally and assigned to the server. If the client does not find a match, it can accept or reject the key sent from the server. Refer to your client documentation for detailed information. You typically configure the client to do one of the following:

- Never accept an unknown key.
- Always accept an unknown key.
- Query the administrator before accepting an unknown key.

If you do not want the client ever to trust the server when it sends an unknown key, you must manually copy (using the copy command) the host key from each server to each intended client. This is the only way to be certain that each client has a local copy of the necessary keys for matching during negotiation.

If you configure the client to accept unknown keys (either automatically or with administrator approval), this acceptance policy applies only to the first time the client receives a key from a particular server. When the SSH client accepts a host key, it stores the key locally and uses it for all future comparisons with keys received from that host. If the client subsequently receives a different key (a new unknown) from that server, it is rejected.

You cannot configure an SSH client to accept a new key after it has accepted a key from an SSH server. You must delete the old key before a new key can be accepted.

Performance

Generating a host key is computationally intensive and can take up to several minutes, depending on the load of the system. The system cannot accept any CLI inputs from that session while it is generating the key.

Encryption, data integrity validation, and compression are all computationally intensive. These features can affect router performance in the following ways:

- Reduce the effective baud rate compared with Telnet or the local CLI. Users are unlikely to notice this performance degradation because user interaction is inherently slow compared with other system operations.
- Increase the general load on the system CPU.

Security Concerns

You might be concerned about security with the current support of SSH for the following reasons:

- Only RADIUS and TACACS+ user authentication methods are supported. If you disable user authentication, all users are accepted if the client and server successfully complete negotiation.
- Because the load on the system CPU increases with use of SSH, you might be concerned about denial-of-service attacks. However, the forwarding engine takes care of this issue, because it limits the rate at which it sends packets to the system
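The host-key acceptance behaviour described above (a local per-server key store, a first-contact policy of never, always, or query-the-administrator, and rejection of any later differing key until the old entry is deleted) can be modelled as a small client-side state machine. This is an added illustration, not code from the guide or from any JUNOSe client; the host names, key blobs and the `approve` callback standing in for the administrator prompt are constructed for the example.

```python
"""Host-key trust policy for an SSH client, modelled on the guide's description (added example)."""
import base64
import hashlib

NEVER, ALWAYS, QUERY = "never", "always", "query"


def fingerprint(pubkey_blob: bytes) -> str:
    # OpenSSH-style SHA256 fingerprint of a raw public-key blob, shown to the administrator
    # when the QUERY policy asks for approval.
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyStore:
    """Local copy of host keys, one per server, as the client keeps them after acceptance."""

    def __init__(self, policy: str, approve=None):
        self.policy = policy
        # Stand-in for the administrator prompt (constructed); default answers "no".
        self.approve = approve or (lambda host, fp: False)
        self.keys: dict[str, bytes] = {}

    def preload(self, host: str, pubkey_blob: bytes) -> None:
        # Out-of-band copy of the server's key, the only option under the NEVER policy.
        self.keys[host] = pubkey_blob

    def delete(self, host: str) -> None:
        # Required before a server can present a new key and have it accepted.
        self.keys.pop(host, None)

    def check(self, host: str, offered: bytes) -> str:
        stored = self.keys.get(host)
        if stored is not None:
            # A key is on file: only an exact match passes; a different key is rejected
            # regardless of the first-contact policy.
            return "match" if stored == offered else "mismatch-rejected"
        if self.policy == ALWAYS:
            self.keys[host] = offered          # first contact: remember for future sessions
            return "accepted-new"
        if self.policy == QUERY and self.approve(host, fingerprint(offered)):
            self.keys[host] = offered
            return "accepted-new"
        return "unknown-rejected"              # NEVER policy, or administrator declined
```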