Configuring Secure Shell (SSH)
Configuring the Switch for SSH Operation
Configures a password method for the primary and
secondary enable (Manager) access. If you do not spec-
ify an optional secondary method, it defaults to none.
Option B: Configuring the Switch for Client Public-Key SSH
Authentication. If configured with this option, the switch uses its public
key to authenticate itself to a client, but the client must also provide a client
public-key for the switch to authenticate. This option requires the additional
step of copying a client public-key file from a TFTP server into the switch. This
means that before you can use this option, you must:
1. Create a key pair on an SSH client.
2. Copy the client’s public key into a public-key file (which can contain up
to ten client public-keys).
3. Copy the public-key file into a TFTP server accessible to the switch and
download the file to the switch.
(For more on these topics, refer to “Further Information on SSH Client Public-
Key Authentication” on page 4-22.)
With steps 1 - 3, above, completed and SSH properly configured on the switch,
if an SSH client contacts the switch, login authentication automatically occurs
first, using the switch and client public-keys. After the client gains login
access, the switch controls client access to the manager level by requiring the
passwords configured earlier by the aaa authentication ssh enable command.
Syntax: copy tftp pub-key-file < ip-address > < filename >
Copies a public key file into the switch.
aaa authentication ssh login public-key
Configures the switch to authenticate a client public-
key at the login level with an optional secondary pass-
word method (default: none).
Caution To allow SSH access only to clients having the correct public key, you must
configure the secondary (password) method for login public-key to none.
Otherwise a client without the correct public key can still gain entry by
submitting a correct local login password.
4-19
