Using Secure Shell
Logging Into the Switch
page 1-10
OmniSwitch 6600 Family Switch Management Guide
April 2006
Protocol Identification
When the Secure Shell client in the OmniSwitch connects to a Secure Shell server, the server accepts the connection and responds by sending back an identification string. The client parses the server's identification string and sends an identification string of its own. The purpose of the identification strings is to validate that the attempted connection was made to the correct port number. The strings also declare the protocol and software version numbers. This information is needed on both the client and server sides for debugging purposes.
At this point, the protocol identification strings are in human-readable form. Later in the authentication process, the client and the server switch to a packet-based binary protocol, which is machine readable.
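As an added illustration of the version exchange described above (example code, not from this guide or the OmniSwitch firmware), the following Python parses a server's identification string in the form defined by RFC 4253, skips any banner lines sent before it, rejects malformed input, and builds the client's reply; the sample bytes are constructed. Note that these strings are exchanged in the clear and are not authenticated; only the later key exchange and host-key signature bind the server's identity.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CRLF"
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?$"
)


def parse_identification(data: bytes) -> dict:
    """Parse the bytes a server sends up to and including its identification string.

    Servers may send other lines (login banners) before the SSH- line; a client
    must ignore those. Returns proto, software, comments and the banner lines.
    Raises ValueError if no well-formed identification string is present.
    """
    banner = []
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r").decode("utf-8", errors="replace")
        if line.startswith("SSH-"):
            m = _IDENT_RE.match(line)
            if not m:
                raise ValueError(f"malformed identification string: {line!r}")
            return {"proto": m["proto"], "software": m["software"],
                    "comments": m["comments"], "banner": banner}
        if line:
            banner.append(line)
    raise ValueError("no SSH identification string received")


def compatible(proto: str) -> bool:
    """A version-2 client accepts servers announcing '2.0' or the transitional '1.99'."""
    return proto in ("2.0", "1.99")


def client_identification(software: str = "ExampleClient_0.1") -> bytes:
    """Identification string the client sends back (name is a constructed placeholder).

    RFC 4253 limits the line to 255 bytes including CRLF and forbids NUL bytes.
    """
    line = f"SSH-2.0-{software}\r\n"
    if len(line) > 255 or "\x00" in line:
        raise ValueError("identification string too long or contains NUL")
    return line.encode("ascii")


if __name__ == "__main__":
    # Constructed sample: a banner line followed by the server's identification string.
    sample = b"Welcome to the lab switch\r\nSSH-2.0-ExampleSSHd_1.0 build-42\r\n"
    info = parse_identification(sample)
    print(info, "compatible:", compatible(info["proto"]))
    print(client_identification())
```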
Algorithm and Key Exchange
The OmniSwitch Secure Shell server is identified by one or several host-specific DSA keys. Both the
client and server process the key exchange to choose a common algorithm for encryption, signature, and
compression. This key exchange is included in the Secure Shell transport layer protocol. It uses a key
agreement to produce a shared secret that cannot be determined by either the client or the server alone. The
key exchange is combined with a signature and the host key to provide host authentication. Once the
exchange is completed, the client and the server turn encryption on using the selected algorithm and key.
The following elements are supported:
The OmniSwitch generates a 512 bit DSA host key at initial startup. The DSA key on the switch is
made up of two files contained in the
directory; the public key is called
, and the private key is called
. To generate a different DSA key,
use the Secure Shell tools available on your Unix or Windows system and copy the files to the
directory on your switch. The new DSA key will take effect after the OmniSwitch is rebooted.
Authentication Phase
When the client attempts to authenticate, the server determines the process by telling the client which authentication methods can be used. The client is free to attempt any of the methods listed by the server. The server disconnects the client if a certain number of failed authentication attempts are made or if a timeout period expires. Authentication is performed independently of whether the Secure Shell interface or the SFTP file transfer protocol will be used.
Connection Phase
After successful authentication, both the client and the server process the Secure Shell connection
protocol. The OmniSwitch supports one channel for each Secure Shell connection. This channel can be
used for a Secure Shell session or a Secure Shell FTP session.
Host Key Type:
Cipher Algorithms: AES, Blowfish, Cast, 3DES, Arcfour, Rijndael
Signature Algorithms:
Compression Algorithms: None Supported
Key Exchange Algorithms: