API Guide

13. The OS10 SSH server prompts you for a password.
14. The OS10 SSH server performs standard local user authentication using the username and returned password.
15. On successful authentication, the SSH session continues.
Local user authentication without a password
When you configure the OS10 SSH server for X.509v3 local authentication without a password, the following sequence occurs when a user connects using SSH:
1. Insert a CAC or PIV smart card into the card reader slot in your computer or keyboard.
2. Start an RFC 6187 X.509v3 compatible SSH client application, set authentication to smart card or CAC, and make a connection to the OS10 switch.
3. The SSH client application makes the initial connection to the switch, negotiates X.509v3 authentication, and validates the OS10 switch X.509v3 certificate.
4. The SSH client application prompts you to select the required authentication certificate from the CAC or PIV card.
5. The SSH client application prompts you to enter the PIN for the CAC or PIV card.
6. The SSH client application sends an authentication request with the X.509v3 certificate.
7. The OS10 SSH server validates the public certificate, including validating the trust chain, valid date range, and usage fields. If any of the fields are invalid, the authentication fails.
8. If the configured OS10 security profile calls for revocation checking, the OS10 SSH server verifies that the certificate is not revoked, either by checking the appropriate CRL or by sending an OCSP request to the appropriate OCSP responder.
9. If the certificate is revoked, the authentication fails.
10. The OS10 SSH server attempts to match the user certificate fields against the configured certificate for that local username.
11. If there is a match, the authentication succeeds and the SSH session proceeds without a password prompt.
Configure remote user authentication with a password
To support remote user authentication by smart card and password, configure the following:
Enable RADIUS or TACACS+ authentication.
radius-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number]
aaa authentication login default group radius local
Enable X.509v3 authentication in the SSH server.
ip ssh server x509v3-authentication security-profile profile-name
If all SSH login attempts require an X.509v3 certificate, disable the plain password authentication and SSH public key authentication in the SSH server.
no ip ssh server password-authentication
no ip ssh server pubkey-authentication
Configure local user authentication with a password
To support local user authentication by smart card and password, configure the following:
Enable X.509v3 authentication in the SSH server.
ip ssh server x509v3-authentication security-profile profile-name
If all SSH login attempts present an X.509v3 certificate, disable the plain password authentication and SSH public key authentication in the SSH server.
no ip ssh server password-authentication
no ip ssh server pubkey-authentication
If you enable the key-usage-check in the security profile but the user certificates use a different name syntax than the user login names, configure the user certificate details with one of the following commands to allow the SSH server to match the user certificate to the account.
username username certificate subject x509v3-subject-string
or
username username certificate principal-name user-principal-name-string
or
username username certificate fingerprint fingerprint-value
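The server-side checks of steps 7 to 11 and the three username-to-certificate binding forms above, modelled as an added Python example (not OS10 code). It assumes the certificate has already been parsed into a dict, that the fingerprint is a colon-separated SHA-256 of the DER encoding, and that the usage check requires digitalSignature plus clientAuth; the certificate and bindings are constructed sample data.

```python
import hashlib
from datetime import datetime, timezone
# Constructed sample of a client certificate after parsing (not a real certificate)
SAMPLE_CERT = {
    "der": b"constructed-der-bytes-for-jdoe",   # placeholder for the DER encoding
    "subject": "CN=DOE.JOHN.1234567890,OU=PKI,O=Example Org,C=US",
    "principal_name": "1234567890@example.mil",  # UPN from the SAN otherName
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2026, 1, 1, tzinfo=timezone.utc),
    "key_usage": {"digitalSignature"},
    "ext_key_usage": {"clientAuth"},
}
# Constructed bindings, i.e. what the 'username ... certificate' commands configure
BINDINGS = {
    "jdoe": ("subject", "CN=DOE.JOHN.1234567890, OU=PKI, O=Example Org, C=US"),
    "jsmith": ("principal-name", "0987654321@example.mil"),
}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

def fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 of the DER encoding (assumed fingerprint format)."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def normalize_dn(dn: str) -> str:
    """Canonicalise a DN so spacing and attribute-type case do not break a match (no escaped commas)."""
    pairs = (part.split("=", 1) for part in dn.split(","))
    return ",".join(f"{k.strip().upper()}={v.strip()}" for k, v in pairs)

def match_user(cert: dict, binding: tuple) -> bool:
    """Step 10: compare the certificate against the binding configured for the username."""
    kind, value = binding
    if kind == "subject":
        return normalize_dn(cert["subject"]) == normalize_dn(value)
    if kind == "principal-name":
        return cert["principal_name"].lower() == value.lower()
    if kind == "fingerprint":
        return fingerprint(cert["der"]) == value.upper()
    raise ValueError(f"unknown binding type: {kind}")

def authenticate(cert: dict, username: str, bindings: dict, now: datetime, revoked: bool = False) -> tuple:
    """Steps 7 to 11: returns (accepted, reason); 'revoked' stands in for the CRL/OCSP result of step 8."""
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return False, "certificate outside validity period"
    if "digitalSignature" not in cert["key_usage"] or "clientAuth" not in cert["ext_key_usage"]:
        return False, "certificate usage fields invalid"   # assumed required usages
    if revoked:
        return False, "certificate revoked"
    binding = bindings.get(username)
    if binding is None or not match_user(cert, binding):
        return False, "no matching certificate configured for user"
    return True, "authenticated without password"
```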
OS10 security best practices
31