Configuring the device as an SSH server
SSH server configuration task list
Tasks at a glance | Remarks
(Required.) | N/A
(Required.) | Required only for Stelnet servers.
(Required.) | Required only for SFTP servers.
(Required.) | Required only for SCP servers.
(Required.) | Required only for NETCONF-over-SSH servers.
(Required.) Configuring the user lines for SSH login | Required only for Stelnet and NETCONF-over-SSH servers.
(Required.) Configuring a client's host public key | Required if the authentication method is publickey, password-publickey, or any.
Configuring the PKI domain for verifying the client's digital certificate | Required if the following conditions exist: (1) The authentication method is publickey. (2) The client sends its public key to the server through a digital certificate for validity check. The PKI domain must have the CA certificate to verify the client's digital certificate.
(Required/optional.) | Required if the authentication method is publickey, password-publickey, or any. Optional if the authentication method is password.
(Optional.) Configuring the SSH management | N/A
(Optional.) Specifying a PKI domain for the SSH server | N/A
Generating local key pairs
The DSA, ECDSA, or RSA key pairs on the SSH server are required for generating the session keys
and session ID in the key exchange stage. A client can also use them to authenticate the server.
When a client authenticates the server, it compares the public key received from the server with
the copy of the server's public key that it saved locally. If the keys are consistent, the client
uses the locally saved public key to verify the digital signature received from the server. If the
verification succeeds, the server passes the authentication.
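The comparison step described above, as an added example that is not part of the original manual: a client-side check that the host key blob received from the server matches the locally saved copy before any signature is verified. The function names and the sample key blobs are constructed for illustration; the blob layout assumed is the standard SSH wire encoding (length-prefixed fields, algorithm name first).

```python
import base64
import hashlib
import hmac
import struct

def pack_fields(*fields):
    """Encode fields as SSH wire strings (uint32 length + bytes each)."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

def parse_host_key(blob):
    """Split a public key blob into (algorithm name, remaining fields)."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    if not fields:
        raise ValueError("empty key blob")
    return fields[0].decode("ascii"), fields[1:]

def fingerprint(blob):
    """SHA-256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(saved_b64, received_blob):
    """Compare the key the server sent with the locally saved copy."""
    saved = base64.b64decode(saved_b64, validate=True)
    saved_alg, _ = parse_host_key(saved)
    recv_alg, _ = parse_host_key(received_blob)
    if saved_alg != recv_alg:
        return False, "algorithm changed: %s -> %s" % (saved_alg, recv_alg)
    if not hmac.compare_digest(saved, received_blob):
        return False, "key mismatch, received " + fingerprint(received_blob)
    # Only after this match would the client verify the server's signature.
    return True, "match " + fingerprint(saved)

# Constructed sample blobs: structurally valid, not real keys.
SAVED = pack_fields(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 256)
ROGUE = pack_fields(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xa7" * 256)
SAVED_B64 = base64.b64encode(SAVED).decode()

if __name__ == "__main__":
    for blob in (SAVED, ROGUE):
        print(check_host_key(SAVED_B64, blob))
```

A mismatch after the device regenerates its key pairs is expected; the saved copy on the client then has to be replaced through a trusted channel rather than accepted from the connection itself.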
The SSH application starts when you execute an SSH server command on the device. If the device
does not have RSA key pairs with default names, the device automatically generates one RSA
server key pair and one RSA host key pair. Both key pairs use their default names. You can also use
the public-key local create command to generate DSA, ECDSA, or RSA key pairs on the device.
Configuration restrictions and guidelines
When you generate local key pairs, follow these restrictions and guidelines:
• Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names
  to the key pairs.