SSH Authentication Using Digital Certificates; Creating or Updating Users - HP Cisco MDS 9216 - Fabric Switch Configuration Manual

Cisco MDS 9000 Family Fabric Manager Configuration Guide, Release 3.x (OL-8222-10, April 2008)
SSH Services
Send documentation comments to mds-feedback-doc@cisco.com
Note
If you are logging in to a switch through SSH and you have issued the aaa authentication login default none CLI command, you must enter one or more keystrokes to log in. If you press the Enter key without entering at least one keystroke, your login is rejected.

SSH Authentication Using Digital Certificates

SSH authentication on the Cisco MDS 9000 Family switches provides X.509 digital certificate support for host authentication. An X.509 digital certificate is a data item that vouches for the origin and integrity of a message. It carries the public key used for secured communications and is "signed" by a trusted certification authority (CA) so that the identity of the presenter can be verified. The X.509 digital certificate support provides either DSA or RSA algorithms for authentication.
The certificate infrastructure uses the first certificate that supports the Secure Socket Layer (SSL) and
is returned by the security infrastructure, either through query or notification. Verification of certificates
is successful if the certificates are from any of the trusted CAs.
You can configure your switch for either SSH authentication using an X.509 certificate or SSH
authentication using a Public Key Certificate, but not both. If either of them is configured and the
authentication fails, you will be prompted for a password.
For more information on CAs and digital certificates, see Chapter 43, "Configuring Certificate Authorities and Digital Certificates."
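As an added illustration of the verification rule above (a presented certificate is accepted only if it chains to one of the configured trusted CAs), the following Go program, written for this page and not taken from the Cisco guide or from SAN-OS, builds a constructed trusted CA and a constructed untrusted CA, has each sign a certificate for the same presenter, and checks both against a trust store that holds only the trusted CA. The CA names, the presenter name "admin", the validity window and the 2048-bit RSA key size are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca bundles a self-signed CA certificate with its private key (constructed for the demo).
type ca struct {
	cert *x509.Certificate
	key  *rsa.PrivateKey
}

// mint generates an RSA key and has signerKey sign tmpl for it; nil signerKey means self-signed.
func mint(tmpl, parent *x509.Certificate, signerKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // RSA is one of the two algorithms the guide names
	if err != nil {
		return nil, nil, err
	}
	if signerKey == nil {
		signerKey = key // self-signed CA certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds a self-signed CA; the name is an assumed value for the example.
func newCA(name string) (*ca, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, key, err := mint(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issueCert has the CA sign an end-entity certificate for an SSH presenter.
func (c *ca) issueCert(commonName string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: commonName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, _, err := mint(tmpl, c.cert, c.key)
	return cert, err
}

// verifyPresenter accepts cert only if it chains to one of the trusted CAs.
func verifyPresenter(cert *x509.Certificate, trusted []*x509.Certificate) error {
	roots := x509.NewCertPool() // always a pool of our own: a nil Roots would fall back to the OS trust store
	for _, t := range trusted {
		roots.AddCert(t)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// runDemo returns whether the trusted CA's certificate is accepted and the untrusted CA's rejected.
func runDemo() (trustedAccepted, untrustedRejected bool, err error) {
	trustedCA, err := newCA("Example Trusted CA")
	if err != nil {
		return
	}
	rogueCA, err := newCA("Example Untrusted CA")
	if err != nil {
		return
	}
	var good, bad *x509.Certificate
	if good, err = trustedCA.issueCert("admin"); err != nil {
		return
	}
	if bad, err = rogueCA.issueCert("admin"); err != nil {
		return
	}
	trustStore := []*x509.Certificate{trustedCA.cert} // only the trusted CA is configured
	trustedAccepted = verifyPresenter(good, trustStore) == nil
	untrustedRejected = verifyPresenter(bad, trustStore) != nil
	return
}

func main() {
	ok, rejected, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted CA accepted:", ok, "untrusted CA rejected:", rejected)
}
```

The trust store is built as an explicit, initially empty x509.CertPool rather than left nil: in Go a nil Roots field silently falls back to the operating system's trust store, which would widen the set of accepted CAs well beyond the ones an administrator configured on the switch. The same "any trusted CA, and only those" rule is what the guide describes.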

Creating or Updating Users

The passphrase specified in the snmp-server user option and the password specified in the username option are synchronized.
By default, the user account does not expire unless you explicitly configure it to expire. The expire
option determines the date on which the user account is disabled. The date is specified in the
YYYY-MM-DD format.
Tip
The following words are reserved and cannot be used to configure users: bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, gopher, ftp, nobody, nscd, mailnull, rpc, rpcuser, xfs, gdm, mtsuser, ftpuser, man, and sys.
Note
User passwords are not displayed in the switch configuration file.
Tip
If a password is trivial (short, easy to decipher), your password configuration is rejected. Be sure to configure a strong password as shown in the sample configuration. Passwords are case-sensitive.
"admin" is no longer the default password for any Cisco MDS 9000 Family switch. You must explicitly configure a strong password.
Chapter 39, Configuring Users and Common Roles
OL-8007-10, Cisco MDS SAN-OS Release 3.x