Secure Shell Server (Ssh); Overview - Foundry Networks NetIron M2404C User Manual

Foundry NetIron M2404C and M2404F Metro Access Switches

Secure Shell Server (SSH)

SSH (Secure Shell) is a standard protocol that provides a secure remote connection to the devices.
The protocol secures the session using standard cryptographic mechanisms: SSH protects data
crossing the Internet and prevents passwords from being stolen in transit.
SSH runs on top of a reliable transport layer, such as TCP/IP, and provides strong authentication
and encryption capabilities.
The current version of SSH supports multiple public key algorithms, including DSA (Digital
Signature Algorithm). Hereafter, the term "SSH" denotes "SSH Version 2" only.
SSH allows strong encryption to be combined with the application software's authentication.

Overview

The application software SSH (Secure Shell) server provides a secure connection to the switches
over the Internet. It also supplies a user authentication service using the password
authentication method. The SSH feature performs server host authentication, key exchange and
encryption. The encryption algorithm and the key are negotiated during the key exchange between
the server and the client. Once encryption is in effect, the packet length, padding length,
payload and padding fields of each packet are encrypted with the negotiated algorithm.
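The four fields named above are the SSH binary packet format of RFC 4253, section 6. The following Go program is an added example, not code from the Foundry manual or from any Foundry product: it frames a payload into those four fields, encrypts the whole frame, and shows the consequence on the receiving side (because the length field itself is encrypted, the receiver must decrypt the first cipher block before it knows how many bytes remain). AES-CTR with a fixed, constructed key and IV stands in for the cipher and keys that a real session derives during key exchange; the payload is likewise constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// blockSize is the cipher block size the framing pads to; AES is assumed here.
const blockSize = aes.BlockSize

// framePacket lays out one SSH binary packet (RFC 4253, section 6):
//   uint32 packet_length | byte padding_length | payload | random padding
// packet_length counts every byte after itself; the padding is at least 4 bytes
// and brings the whole packet to a multiple of the cipher block size.
func framePacket(payload []byte) ([]byte, error) {
	padLen := blockSize - (5+len(payload))%blockSize // 5 = length + padding_length fields
	if padLen < 4 {
		padLen += blockSize
	}
	padding := make([]byte, padLen)
	if _, err := rand.Read(padding); err != nil { // padding must be unpredictable
		return nil, err
	}
	pkt := make([]byte, 5, 5+len(payload)+padLen)
	binary.BigEndian.PutUint32(pkt, uint32(1+len(payload)+padLen))
	pkt[4] = byte(padLen)
	pkt = append(pkt, payload...)
	return append(pkt, padding...), nil
}

// parsePacket enforces the framing invariants and returns only the payload.
func parsePacket(pkt []byte) ([]byte, error) {
	if len(pkt) < 5 || len(pkt)%blockSize != 0 {
		return nil, errors.New("packet too short or not block aligned")
	}
	packetLen := int(binary.BigEndian.Uint32(pkt))
	if packetLen != len(pkt)-4 {
		return nil, errors.New("packet_length disagrees with bytes received")
	}
	padLen := int(pkt[4])
	if padLen < 4 || padLen >= packetLen {
		return nil, errors.New("invalid padding_length")
	}
	return pkt[5 : 4+packetLen-padLen], nil
}

// encryptPacket encrypts all four framed fields as one unit, which is what the
// manual means by length, padding length, payload and padding being encrypted.
func encryptPacket(key, iv, pkt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(pkt))
	cipher.NewCTR(block, iv).XORKeyStream(out, pkt)
	return out, nil
}

// decryptPacket is the receiver's side of an encrypted length field: it has to
// decrypt the first block before it knows how many more bytes belong to the packet.
func decryptPacket(key, iv, wire []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(wire) < blockSize {
		return nil, errors.New("need one full block to read packet_length")
	}
	stream := cipher.NewCTR(block, iv)
	plain := make([]byte, len(wire))
	stream.XORKeyStream(plain[:blockSize], wire[:blockSize]) // first block only
	if 4+int(binary.BigEndian.Uint32(plain)) != len(wire) { // check the length before trusting it
		return nil, errors.New("decrypted packet_length disagrees with bytes received")
	}
	stream.XORKeyStream(plain[blockSize:], wire[blockSize:]) // keystream continues
	return parsePacket(plain)
}

// roundTrip frames, encrypts, decrypts and parses a payload and reports whether
// it came back intact. Key and IV are constructed demo values, not derived keys.
func roundTrip(payload []byte) (bool, error) {
	key := bytes.Repeat([]byte{0x42}, 16)
	iv := bytes.Repeat([]byte{0x01}, 16)
	pkt, err := framePacket(payload)
	if err != nil {
		return false, err
	}
	wire, err := encryptPacket(key, iv, pkt)
	if err != nil {
		return false, err
	}
	got, err := decryptPacket(key, iv, wire)
	return err == nil && bytes.Equal(got, payload), err
}

func main() {
	fmt.Println(roundTrip([]byte("ssh-userauth"))) // constructed payload
}
```

The length check in decryptPacket matters in practice: a receiver that allocates or reads based on a decrypted packet_length it has not sanity-checked is trusting a value an attacker on the wire can influence, which is why real SSH implementations cap it and verify the MAC before acting on the payload.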
The SSH server enforces an authentication timeout and disconnects if authentication has not been
accepted within that period; the recommended timeout is 10 minutes. Additionally, the
implementation limits the number of failed authentication attempts a client may make in a single
session (the recommended limit is 3 attempts). If the limit is exceeded, the server disconnects.
The authentication method is public key authentication: possession of the private key serves as
the credential. The client sends a signature created with the user's private key, and the server
checks the validity of both the key and the signature. If both conditions hold, the authentication
request is accepted; otherwise it is rejected. Private keys are stored in encrypted form on the
client host, and the user must supply a passphrase before a signature can be generated.
For password authentication, the password is encoded in ISO-10646 UTF-8. Although the password
travels in cleartext inside the packet, the entire packet is encrypted by the transport layer. Both
the server and the client should check whether the underlying transport layer provides
confidentiality (i.e., whether encryption is in use).
The user authentication mechanisms that the application software supports for SSH are RADIUS,
TACACS+ and the use of locally stored user names and passwords.
The SSH client functionality is available only when the SSH server is enabled.
The Digital Signature Standard (DSS) specifies DSA as the public key algorithm for digital
signatures. DSA is for signatures only; it is not an encryption algorithm. The secret key operates
on the hash of the message. To verify a signature, the verifier re-computes the hash of the
message, decrypts the signature using the public key, and compares the results. The key size
varies from 512 to 1024 bits.
DSA depends on a public prime number, and the verifier can check that the prime is not a fake one
chosen to allow forgery.
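The two paragraphs above describe the server's side of public key authentication (check the key, then check the signature over the hash) and the DSA parameter check that lets a verifier reject a fake prime. The Go program below is an added example, not code from the Foundry manual or from any Foundry product, built on Go's standard-library crypto/dsa and math/big. It generates a 1024/160-bit DSA key (the largest size in the manual's 512 to 1024 range and the smallest crypto/dsa offers), signs a constructed authentication message with SHA-1 (the hash ssh-dss pairs with DSA), and has the verifier validate the domain parameters and public key before verifying the signature. The message contents and the user names in it are constructed stand-ins for the data a real client signs.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
	"math/big"
)

// checkDomainParameters does the verifier-side checks the manual alludes to when
// it says the verifier can tell a fake prime from a real one: p and q must be
// prime, q must divide p-1, and g must generate the order-q subgroup.
func checkDomainParameters(params *dsa.Parameters) error {
	p, q, g := params.P, params.Q, params.G
	if p == nil || q == nil || g == nil {
		return errors.New("missing domain parameter")
	}
	if !p.ProbablyPrime(32) || !q.ProbablyPrime(32) {
		return errors.New("p or q is not prime")
	}
	pMinus1 := new(big.Int).Sub(p, big.NewInt(1))
	if new(big.Int).Mod(pMinus1, q).Sign() != 0 {
		return errors.New("q does not divide p-1")
	}
	one := big.NewInt(1)
	if g.Cmp(one) <= 0 || g.Cmp(p) >= 0 || new(big.Int).Exp(g, q, p).Cmp(one) != 0 {
		return errors.New("g does not generate the order-q subgroup")
	}
	return nil
}

// checkPublicKey rejects a public value outside the subgroup: 1 < y < p and y^q = 1 mod p.
func checkPublicKey(pub *dsa.PublicKey) error {
	one := big.NewInt(1)
	if pub.Y == nil || pub.Y.Cmp(one) <= 0 || pub.Y.Cmp(pub.P) >= 0 ||
		new(big.Int).Exp(pub.Y, pub.Q, pub.P).Cmp(one) != 0 {
		return errors.New("public key is not in the expected subgroup")
	}
	return nil
}

// newClientKey generates the client's DSA key pair (1024-bit p, 160-bit q).
func newClientKey() (*dsa.PrivateKey, error) {
	priv := new(dsa.PrivateKey)
	if err := dsa.GenerateParameters(&priv.Parameters, rand.Reader, dsa.L1024N160); err != nil {
		return nil, err
	}
	if err := dsa.GenerateKey(priv, rand.Reader); err != nil {
		return nil, err
	}
	return priv, nil
}

// signMessage is the client side: hash the message and sign the hash with the
// private key. SHA-1 is used because ssh-dss pairs DSA with SHA-1.
func signMessage(priv *dsa.PrivateKey, msg []byte) (r, s *big.Int, err error) {
	h := sha1.Sum(msg)
	return dsa.Sign(rand.Reader, priv, h[:])
}

// verifyMessage is the server side: validate the key material first, then
// recompute the hash and check the signature against the public key.
func verifyMessage(pub *dsa.PublicKey, msg []byte, r, s *big.Int) bool {
	if checkDomainParameters(&pub.Parameters) != nil || checkPublicKey(pub) != nil {
		return false
	}
	h := sha1.Sum(msg)
	return dsa.Verify(pub, h[:], r, s)
}

// AuthDemo records the outcome of one genuine check and two hostile ones.
type AuthDemo struct {
	GenuineAccepted   bool // correct key, correct message
	TamperedRejected  bool // valid signature replayed over a modified message
	BadParamsRejected bool // public key presented with a degenerate generator g = 1
}

// runDemo exercises the flow on a constructed authentication message.
func runDemo() (AuthDemo, error) {
	var out AuthDemo
	priv, err := newClientKey()
	if err != nil {
		return out, err
	}
	msg := []byte("session-id|alice|publickey|ssh-dss") // constructed stand-in for the signed blob
	r, s, err := signMessage(priv, msg)
	if err != nil {
		return out, err
	}
	out.GenuineAccepted = verifyMessage(&priv.PublicKey, msg, r, s)
	out.TamperedRejected = !verifyMessage(&priv.PublicKey, []byte("session-id|mallory|publickey|ssh-dss"), r, s)
	bad := priv.PublicKey // copy of the key, then break its generator
	bad.G = big.NewInt(1)
	out.BadParamsRejected = !verifyMessage(&bad, msg, r, s)
	return out, nil
}

func main() {
	res, err := runDemo()
	fmt.Printf("%+v %v\n", res, err)
}
```

Validating the parameters and the public value before calling dsa.Verify is the order that matters: a signature check run over unvalidated parameters can be made to pass for any message, which is exactly the forgery the manual's remark about fake primes is warning about.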
© 2008 Foundry Networks, Inc.
Configuring Switch Authentication Features (Rev. 03)
Page 13 of 70
