Using Secure Copy - Foundry Networks Switch and Router Installation And Configuration Manual

Sample SSH Configuration
The following is a sample SSH configuration for a Foundry device.
hostname BigIron
ip dns domain-name foundrynet.com
!
aaa authentication login default local
username neville password .....
username lynval password .....
username terry password .....
!
ip ssh permit-empty-passwd no
!
ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt
!
crypto key generate rsa public_key "1024 35 144460146631716543532035011163035196
41193195125205894452637462409522275505020845087302985209960346239172995676329357
24777530188666267898195648253181551624681394520681672610828188310413962242301296
26883937176769776184984093100984017075369387071006637966650877224677979486802651
458324218055083313313948534902409 BigIron@foundrynet.com"
!
crypto key generate rsa private_key "*************************"
!
ip ssh authentication-retries 5

The aaa authentication login default local command configures the device to use the local user accounts to
authenticate users attempting to log in.

Three user accounts are configured on the device. The ip ssh permit-empty-passwd no command causes
users always to be prompted for a password when they attempt to establish an SSH connection. Since the device
uses local user accounts for authentication, only these three users are allowed to connect to the device using
SSH.

The ip ssh pub-key-file tftp command causes a public key file called pkeys.txt to be loaded from a TFTP server
at 192.168.1.234. To gain access to the Foundry device using SSH, a user must have a private key that
corresponds to one of the public keys in this file.

The crypto key generate rsa public_key and crypto key generate rsa private_key statements are both
generated by the crypto key generate rsa command. The public key is visible; the private key is not. You may
need to copy the public key to a "known hosts" file (for example, $HOME/.ssh/known_hosts on UNIX systems) on
the clients that need to access the device. See "Providing the Public Key to Clients" on page 4-2 for an example
of what to place in the known hosts file.

The ip ssh authentication-retries 5 command sets to 5 the number of times the Foundry device attempts to
negotiate a connection with the connecting host.

Using Secure Copy

Secure Copy (SCP) uses security built into SSH to transfer files between hosts on a network, providing a more
secure file transfer method than Remote Copy (RCP) or FTP. SCP automatically uses the authentication
methods, encryption algorithm, and data compression level configured for SSH. For example, if password
authentication is enabled for SSH, the user is prompted for a user name and password before SCP allows a file to
be transferred. No additional configuration is required for SCP on top of SSH.

You can use SCP to copy files on the Foundry device, including the startup-config and running-config files, to or
from an SCP-enabled remote host.

SCP is enabled by default and can be disabled. To disable SCP, enter the following command:
BigIron(config)# ip ssh scp disable
Syntax: ip ssh scp disable | enable
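
The following Python example is added here and is not from the Foundry manual. It parses configuration statements like those in the sample above, rejoins a public key that wraps across lines, and reports the SSH and SCP settings a reviewer would check. The sample text is constructed (its key modulus is a shortened placeholder, so the key size check fires), and the function names and report wording are assumptions.

```python
import re

# Constructed sample in the style of the manual's configuration.
# The modulus is a shortened placeholder, not a real 1024-bit key.
SAMPLE = """ip ssh permit-empty-passwd no
ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt
crypto key generate rsa public_key "1024 35 14446014663171654353
20350111630351 BigIron@foundrynet.com"
ip ssh authentication-retries 5
"""

PATTERNS = {
    "empty_passwd": r"ip ssh permit-empty-passwd (\S+)",
    "retries": r"ip ssh authentication-retries (\d+)",
    "scp": r"ip ssh scp (enable|disable)",
    "pubkey_proto": r"ip ssh pub-key-file (\S+) \S+ \S+",
    "rsa_key": r'crypto key generate rsa public_key "(\d+) \d+ (\d+)',
}

def join_wrapped(text):
    """Rejoin statements whose quoted argument wraps across lines."""
    out, buf = [], ""
    for line in text.splitlines():
        buf += line.strip()
        if buf.count('"') % 2 == 0:  # every quote closed: statement complete
            out.append(buf)
            buf = ""
    return [s for s in out + [buf] if s]

def audit(text):
    """Return the captured arguments of each recognised statement."""
    found = {}
    for stmt in join_wrapped(text):
        for name, pat in PATTERNS.items():
            if m := re.match(pat, stmt):
                found[name] = m.groups()
    return found

def findings(found):
    notes = []
    if found.get("empty_passwd") != ("no",):
        notes.append("empty passwords are not explicitly refused")
    if found.get("scp", ("enable",)) == ("enable",):  # manual: enabled by default
        notes.append("SCP is enabled: startup-config and running-config can be copied over SSH")
    if found.get("pubkey_proto") == ("tftp",):
        notes.append("public key file is loaded over TFTP, which does not authenticate the server")
    bits, modulus = found.get("rsa_key", ("0", "0"))
    if int(bits) != int(modulus).bit_length():
        notes.append("declared RSA key size does not match the modulus length")
    return notes
```

Calling findings(audit(SAMPLE)) returns three notes for the constructed sample: SCP left at its default, the TFTP key source, and the placeholder modulus.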
December 2000
Configuring Secure Shell
4 - 9
