User`s guide

Configuring Secure Shell (SSH) Server

3-8 Using the CLI

Configuring Secure Shell (SSH) Server

Understanding the SSHv2 Protocol

SecureShell(SSH)isa“secure”replacementforTelnet.WhenusingTelnet,allcommunications,

includingpasswords,aresentacrossthenetworkincleartext(tha tis,un‐encrypted),making

eavesdroppingoncommunicationsaneasytaskforaknowledgeableuserwithaccesstothe

network.SSHprovidesthesameremoteaccessto

theMatrixDFESeriesorN‐SAdevicethat

Telnetprovides,butdoessosecurelybyencryptingallsessiondata,includingpasswords.SSH

alsoprovidesthefollowingadditionalsecurityfeatures:

• Public‐keyauthenticationoftheserver.Thisfeatureenablestheclienttovalidatetheserver’s

authenticity,makingitdifficultfor

anattackertomasqueradeastheserver.

• Digitallysigning

allpackets.Thisfeatureusescryptographicallystrongmessagedigeststo

authenticateallcommunications,preventinganattackerfromsuccessfullyinterceptingand

alteringinformation.

SSHserverisdisabledontheMatrixDFESeriesandN‐SAdevicesbydefault.InordertorunSSH

initsdefaultconfiguration,youmustcompletethefollowing

stepsdescribedinthissection.

•Generatehostkeys

•EnableSSHserver

About Host Keys

SSHserverauthenticatesitselftotheclientthroughahostkey.Hostkeysareasymmetric

encryptionkeyscommonlyusedinwhatisknownaspublickeycryptography.SSHserveruses

uniquehostkeys,eachconsistingofapairofkeys,generatedsimultaneously.Althoughthe

generatedkeysarerelated,onecannotbe

derivedfromtheother.Thefirstkeyofthegenerated

pair,thepublickey,canbepublishedfreelyandisusedbySSHclients tosecurelyidentifythe

SSHserver.Thesecondkeyofthegeneratedpair,thesecretkey,isstoredinasafeplaceand

shouldneverbe

divulged.ThiskeyisusedbytheSSHservertosecurelyidentifyitselftoSSH

clients.

TheSSH‐2protocolmakestwodistincttypesofhostkeysavailable:theDigitalSignature

Algorithm(DSA)andtheRivest‐Shamir‐Adleman(RSA)algorithm.BothDSAandRSAareNIST‐

approveddigitalsignaturealgorithms.

Afterverifying

serverauthenticity,theSSHclientgeneratesakeytouseuntilitdisconnectsfrom

theserver.Oncetheclientandserverhavecopiesofthekey,theywilluseittoencryptallfurther

communications.Inadditiontoencryptingeachpacket, boththeclientandserverwillstam p each

outgoing

packetwithdatathatcanbeusedtovalidatethecontentsofthepackets.Thisstamp

consistsofamessageauthenticationcode(MAC)createdbyusingasecuremessagedigest

algorithmsuchasSHA‐1orMD5.Ifthecontentofthepacketchangesen‐route,MAC

authenticationwillfail.