• User tries to login with local context username through non-local context interface with authorized-key configured on local context.
• User tries to login with non-local context username through local context interface with authorized-key configured on non-local context.
A failure to authenticate based on the current system configuration prevents the login and generates an error message.
StarOS does not permit users with different user IDs but having the same public SSH key to login to an unauthorized context. Authentication of the user takes into account the authorized-key/user-account pairing.
Important: For StarOS release 21.0 onwards, a user cannot access the /flash directory if the user logs in from a non-local context.
Secure Session Logout
When StarOS is disconnected from an SSH client, the default behavior has sshd terminate the CLI or SFTP session in about 45 seconds (using default parameters). Two SSH Configuration mode CLI commands allow you to disable or modify this default sshd disconnect behavior.
Important: For higher security, Cisco recommends at least a client-alive-countmax of 2 and a client-alive-interval of 5. Smaller session logout values may lead to occasional SSH session logouts. Adjust values to balance security and user friendliness.
The client-alive-countmax command sets the number of client-alive messages which may be sent without sshd receiving any messages back from the SSH client (default = 3). If this threshold is reached while the client-alive messages are being sent, sshd disconnects the SSH client, thus terminating the session.
The client-alive-interval command sets a timeout interval in seconds (default = 15) after which, if no data has been received from the SSH client, sshd sends a message through the encrypted channel to request a response from the client. The number of times that the message is sent is determined by the client-alive-countmax parameter. The approximate amount of time before sshd disconnects an SSH client is: disconnect = client-alive-countmax x client-alive-interval (3 x 15 = 45 seconds with the defaults).
The client-alive mechanism is valuable when the client or server depends on knowing when a connection has become inactive.
Important: The client-alive messages are sent through the encrypted channel and, therefore, are not spoofable.
Important: These parameters apply to SSH protocol version 2 only.
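As an added illustration (not StarOS code and not from this guide), the following Python model of the sshd client-alive counter shows how client-alive-countmax and client-alive-interval together decide when an idle or unresponsive session is terminated. It follows the guide's rule (disconnect after about countmax x interval seconds without client data) and treats any packet from the client as resetting the counter. The function names, the per-second timeline model and the client traffic timelines are assumptions constructed for the example, not the sshd implementation.

```python
"""Model of sshd client-alive session logout (added illustration, not StarOS code).

The server probes the client after `interval` seconds without client data and
gives up once `countmax` probes have gone unanswered, which is the guide's
disconnect = client-alive-countmax x client-alive-interval rule.
"""


def simulate(countmax=3, interval=15, client_data_times=(), until=600):
    """Walk a session one second at a time; return (disconnect_time, probe_times).

    countmax / interval default to the StarOS defaults (3 and 15 seconds).
    client_data_times: seconds at which any packet from the client reaches sshd
    (constructed sample input; a responsive client answers each probe at once).
    disconnect_time is None when the client kept the session alive until `until`.
    """
    if countmax < 1 or interval < 1:
        raise ValueError("client-alive-countmax and client-alive-interval must be positive")
    data = set(client_data_times)
    last_rx = 0          # last second at which client data was seen
    unanswered = 0       # client-alive messages sent with no reply so far
    probe_times = []
    for t in range(1, until + 1):
        if t in data:
            last_rx = t
            unanswered = 0   # any traffic from the client resets the counter
            continue
        if (t - last_rx) % interval == 0:   # another full interval of silence
            probe_times.append(t)
            unanswered += 1
            if unanswered >= countmax:      # threshold reached: terminate session
                return t, probe_times
    return None, probe_times


def idle_logout_seconds(countmax=3, interval=15):
    """The guide's approximation of the logout time for a silent client."""
    return countmax * interval


if __name__ == "__main__":
    # Scenario 1: client goes silent under the defaults -> about 45 s logout.
    print("defaults, silent client:", simulate())
    # Scenario 2: Cisco's recommended minimum (2 x 5 s) with a client whose
    # packets arrive every 8 s: only one probe per gap, never disconnected.
    print("2/5, client every 8 s:", simulate(2, 5, range(8, 600, 8)))
    # Scenario 3: same settings, but a congested link delays the client's
    # first reply to 12 s: the second probe goes out at 10 s and the session
    # is cut, the "occasional logout" the guide warns about for small values.
    print("2/5, reply delayed to 12 s:", simulate(2, 5, [12]))
```

Running the three scenarios shows why the guide pairs its recommendation with a warning: a client that answers within one interval is never logged out, while any reply that arrives later than countmax x interval seconds after its last packet is indistinguishable from a dead peer and the session is dropped.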
ASR 5500 System Administration Guide, StarOS Release 21.5