Deactivating User Authentication; Enabling Empty Password Logins; Setting The Ssh Port Number; Setting The Ssh Login Timeout Value - Foundry Networks Switch and Router Installation And Configuration Manual

Foundry Switch and Router Installation and Configuration Guide

Deactivating User Authentication

After the SSH server on the Foundry device negotiates a session key and encryption method with the connecting
client, user authentication takes place. Foundry's implementation of SSH supports RSA challenge-response
authentication and password authentication.
With RSA challenge-response authentication, a collection of clients' public keys is stored on the Foundry device.
Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to
one of the stored public keys can gain access to the device using SSH.
With password authentication, users are prompted for a password when they attempt to log into the device
(provided empty password logins are not allowed; see "Enabling Empty Password Logins" on page 4-6). If there
is no user account that matches the user name and password supplied by the user, the user is not granted
access.
You can deactivate one or both user authentication methods for SSH. Note that deactivating both authentication
methods essentially disables the SSH server entirely.
To disable RSA challenge-response authentication:
BigIron(config)# ip ssh rsa-authentication no
Syntax: ip ssh rsa-authentication no | yes
To deactivate password authentication:
BigIron(config)# ip ssh password-authentication no
Syntax: ip ssh password-authentication no | yes

Enabling Empty Password Logins

By default, empty password logins are not allowed. This means that users with an SSH client are always
prompted for a password when they log into the device. To gain access to the device, each user must have a user
name and password. Without a user name and password, a user is not granted access. See "Setting Up Local
User Accounts" on page 3-12 for information on setting up user names and passwords on Foundry devices.
If you enable empty password logins, users are not prompted for a password when they log in. Any user with an
SSH client can log in without being prompted for a password.
To enable empty password logins:
BigIron(config)# ip ssh permit-empty-passwd yes
Syntax: ip ssh permit-empty-passwd no | yes

Setting the SSH Port Number

By default, SSH traffic occurs on TCP port 22. You can change this port number. For example, the following
command changes the SSH port number to 2200:
BigIron(config)# ip ssh port 2200
Note that if you change the default SSH port number, you must configure SSH clients to connect to the new port.
Also, you should be careful not to assign SSH to a port that is used by another service. If you change the SSH
port number, Foundry recommends that you change it to a port number greater than 1024.
Syntax: ip ssh port <number>

Setting the SSH Login Timeout Value

When the SSH server attempts to negotiate a session key and encryption method with a connecting client, it waits
a maximum of 120 seconds for a response from the client. If there is no response from the client after 120
seconds, the SSH server disconnects. You can change this timeout to a value from 1 to 120 seconds. For
example, to change the timeout value to 60 seconds:
BigIron(config)# ip ssh timeout 60
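
An added example, not from the Foundry manual: a Python check that reads a saved configuration and flags the SSH settings described in the sections above. It assumes the saved configuration contains the ip ssh lines in the same form as the commands shown here and that both authentication methods are on unless set to no; the sample configuration is constructed.

```python
import re

# Constructed sample config. Assumption: saved configs contain the "ip ssh"
# lines in the same form as the commands shown in this section.
SAMPLE_CONFIG = """\
hostname BigIron
ip ssh rsa-authentication no
ip ssh password-authentication yes
ip ssh permit-empty-passwd yes
ip ssh port 443
ip ssh timeout 120
"""

# Defaults stated in the manual: empty passwords off, port 22, 120 s timeout.
# Assumption: both authentication methods are on unless the config says "no".
DEFAULTS = {"rsa-authentication": "yes", "password-authentication": "yes",
            "permit-empty-passwd": "no", "port": "22", "timeout": "120"}

def parse_ssh_settings(config_text):
    """Return the effective ip ssh settings (defaults overlaid with config)."""
    settings = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = re.match(r"\s*ip ssh (\S+)\s+(\S+)\s*$", line)
        if m and m.group(1) in settings:
            settings[m.group(1)] = m.group(2).lower()
    return settings

def audit_ssh(config_text):
    """Return a list of findings for the settings covered in this section."""
    s = parse_ssh_settings(config_text)
    findings = []
    if s["permit-empty-passwd"] == "yes":
        findings.append("empty password logins enabled: any SSH client can log in")
    if s["rsa-authentication"] == "no" and s["password-authentication"] == "no":
        findings.append("both authentication methods off: SSH server is effectively disabled")
    port = int(s["port"])
    if port != 22 and port <= 1024:
        findings.append(f"SSH port {port} is not above 1024 as Foundry recommends")
    timeout = int(s["timeout"])
    if not 1 <= timeout <= 120:
        findings.append(f"timeout {timeout} is outside the 1-120 second range")
    return findings

if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG):
        print("FINDING:", finding)
```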
4 - 6
December 2000
