User Manual

Secure Shell (ssh) Server
Enterasys X-Pedition User Reference Manual
The server key provides perfect forward secrecy, meaning that the security of previous sessions will
not be compromised—even if the host or session key is compromised. Since the server key
regenerates periodically, the impact of a compromised key is minimal. The more often the server
key regenerates, the more secure it will be; however, frequent regeneration requires more system
resources. The configuration mode command ssh-server set server-key-lifetime controls the
amount of time that will elapse before the server key regenerates. By default, the server key
regenerates every 60 minutes. The following example shows how to regenerate the server key every
30 minutes:

xp(config)# ssh-server set server-key-lifetime 30

The server key is used only for the SSH-1 protocol—if only the SSH-2 protocol is enabled, the
X-Pedition will not use the server key, and the key will never regenerate. The SSH-2 protocol uses a
method known as Diffie-Hellman key agreement, which allows the client and server to arrive at a
shared session key without actually sending the key across the network. Any third party that may
eavesdrop on the Diffie-Hellman message exchange will not be able to determine the session key.

Encryption Algorithms (Ciphers)

The X-Pedition uses several encryption algorithms, or ciphers, to encrypt session data. Commonly
referred to as “bulk” ciphers, these algorithms can encrypt large quantities of data and are faster
than other encryption methods such as public-key encryption. However, the keys used by these
bulk ciphers are not asymmetric: both the server and the client share a copy of the same session
key. Because each session generates its own key, if a session is compromised, other sessions
remain secure.

Use the ssh-server set encryption command in configuration mode to select which bulk ciphers to
allow. When a client connects, it will select which cipher to use from the list of ciphers specified by
this command. The following example demonstrates how to enable the Blowfish and AES ciphers:

xp(config)# ssh-server set encryption blowfish aes128-cbc

Note: The list of ciphers specified by this command will apply to both SSH-2 and SSH-1
sessions. If this command is not added to the configuration, the X-Pedition will allow all
available ciphers.

Use the ssh-client set encryption-preference command or the encryption-preference command-line
option to select the SSH-2 ciphers to attempt, in order of preference. The following example
uses the ssh-client set encryption-preference configuration command to set 3DES, AES, and
Blowfish as the only ciphers to attempt (with AES being the most preferred cipher):

xp(config)# ssh-client set encryption-preference aes128-cbc blowfish 3des-cbc
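
The Diffie-Hellman key agreement that the manual describes for SSH-2, as an added example that is not part of the manual or of the X-Pedition software: both sides derive the same secret K while only p, g, e and f cross the network, and each side rejects degenerate peer values. The group used (RFC 4253's diffie-hellman-group1-sha1) and the names DHParty, exchange and key_fingerprint are assumptions of this example; the manual does not say which group the X-Pedition negotiates.

```python
# Added example (not from the manual): Diffie-Hellman key agreement as SSH-2 uses it.
import hashlib
import secrets

# 1024-bit MODP prime of RFC 2409 Oakley Group 2, the group RFC 4253 calls
# diffie-hellman-group1-sha1. Assumption: the manual does not say which group the
# X-Pedition negotiates. Groups this small are deprecated for new deployments.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


class DHParty:
    """One side of the exchange; the private exponent never leaves this object."""

    def __init__(self):
        self._x = secrets.randbelow(P - 3) + 2      # private, 2 <= x <= P-2
        self.public = pow(G, self._x, P)            # the only value put on the wire

    def shared_secret(self, peer_public):
        # RFC 4253 section 8 forbids accepting values outside [1, P-1]. This example
        # is stricter and also rejects 1 and P-1, which would force K to be 1 or P-1.
        if not 1 < peer_public < P - 1:
            raise ValueError("peer public value out of range")
        return pow(peer_public, self._x, P)


def exchange():
    """Run one exchange; return what each side derives and what a sniffer sees."""
    client, server = DHParty(), DHParty()
    wire = {"p": P, "g": G, "e": client.public, "f": server.public}
    k_client = client.shared_secret(wire["f"])
    k_server = server.shared_secret(wire["e"])
    return k_client, k_server, wire


def key_fingerprint(k):
    """Short SHA-256 tag of K, for comparing secrets without printing them."""
    return hashlib.sha256(k.to_bytes(128, "big")).hexdigest()[:16]


if __name__ == "__main__":
    kc, ks, wire = exchange()
    print("client K:", key_fingerprint(kc), " server K:", key_fingerprint(ks))
    print("K on the wire:", kc in wire.values())
```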