User guide

Logging Into the Switch Using Secure Shell
OmniSwitch AOS Release 7 Switch Management Guide March 2015 page 2-11
Secure Shell Authentication
Secure Shell authentication is accomplished in several phases using industry standard algorithms and
exchange mechanisms. The authentication phase is identical for Secure Shell and Secure Shell FTP. The
following sections describe the process in detail.
Protocol Identification
When the Secure Shell client in the OmniSwitch connects to a Secure Shell server, the server accepts the
connection and responds by sending back an identification string. The client will parse the server’s identification string and send an identification string of its own. The purpose of the identification strings is to
validate that the attempted connection was made to the correct port number. The strings also declare the
protocol and software version numbers. This information is needed on both the client and server sides for
debugging purposes.
At this point, the protocol identification strings are in human-readable form. Later in the authentication
process, the client and the server switch to a packet-based binary protocol, which is machine readable
only.
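As an added illustration of this phase (example code, not taken from the guide or from OmniSwitch software), the following Python reads a server identification string in the RFC 4253 form the text describes, skips any informational banner lines a server may send first, and replies with a client string of its own. The software name in CLIENT_ID and the sample server output are constructed for the example.

```python
import io
import re
import socket

# Identification string format from RFC 4253 section 4.2:
#   SSH-protoversion-softwareversion SP comments CR LF
# CLIENT_ID is a made-up software name for this example, not an OmniSwitch value.
CLIENT_ID = "SSH-2.0-BannerCheck_0.1"
_ID_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

def parse_identification_string(line: str) -> dict:
    """Split one identification line (CR LF removed) into its declared parts."""
    m = _ID_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto = m.group("proto")
    return {
        "protoversion": proto,
        "softwareversion": m.group("software"),
        "comments": m.group("comments") or "",
        # "1.99" is how an older server declares that it also speaks SSH-2
        "ssh2_capable": proto in ("2.0", "1.99"),
    }

def read_server_identification(stream) -> dict:
    """Read lines until the SSH- line; a server may send informational banner
    lines first, which RFC 4253 tells the client to ignore."""
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("peer closed the connection before identifying itself")
        line = raw.decode("utf-8", errors="replace").rstrip("\r\n")
        if line.startswith("SSH-"):
            return parse_identification_string(line)

def read_identification_from_bytes(data: bytes) -> dict:
    """Offline variant for captured or constructed server output."""
    return read_server_identification(io.BytesIO(data))

def exchange_identification(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Connect, read the server's identification string, answer with CLIENT_ID and
    return the parsed server string. The binary key exchange would start next;
    this example stops there, so nothing is authenticated or encrypted yet."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as stream:
            server = read_server_identification(stream)
        sock.sendall((CLIENT_ID + "\r\n").encode("ascii"))
    return server
```

Run `exchange_identification("switch.example.invalid")` against a reachable host to see the live exchange, or feed captured output to `read_identification_from_bytes` to check what a server declares without opening the binary protocol phase.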
Algorithm and Key Exchange
The OmniSwitch Secure Shell server is identified by one or several host-specific keys. Both the client and
server process the key exchange to choose a common algorithm for encryption, signature, and compression. This key exchange is included in the Secure Shell transport layer protocol. It uses a key agreement to
produce a shared secret that cannot be determined by either the client or the server alone. The key
exchange is combined with a signature and the host key to provide host authentication. Once the exchange
is completed, the client and the server turn encryption on using the selected algorithm and key. The
following elements are supported:

Host Key Type: DSA/RSA
Cipher Algorithms: AES, Blowfish, Cast, 3DES, Arcfour, Rijndael
Signature Algorithms: MD5, SHA1
Compression Algorithms: None Supported
Key Exchange Algorithms: diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1
Key Location: /flash/system
Key File Names:
  Public - ssh_host_key.pub, ssh_host_dsa_key.pub, ssh_host_rsa_key.pub
  Private - ssh_host_key, ssh_host_dsa_key, ssh_host_rsa_key

Note. The OmniSwitch contains host keys by default. The keys on the switch are made up of two files
contained on flash, a private key and a public key. To generate a different key, use the Secure Shell tools
available on your Unix or Windows system and copy the files to the OmniSwitch. The new keys will take
effect after the OmniSwitch is rebooted.