SSH Server Authentication - Cisco 500 Series Administration Manual

SSH Server Authentication

When a private key is created on a device, an associated passphrase can also be created. The passphrase is used to encrypt the private key so that it can be exported and imported into the remaining switches. In this way, all the switches can use the same public/private key pair.
A device, acting as an SSH client, only communicates with a trusted SSH server. When SSH server authentication is disabled (the default setting), any SSH server is considered trusted. When SSH server authentication is enabled, the user must add an entry for each trusted server to the Trusted SSH Servers Table. This table holds a maximum of 16 servers and stores the following information for each trusted SSH server:
- Server IP address/host name
- Server public key fingerprint
When SSH server authentication is enabled, the SSH client running on the device authenticates the SSH server using the following process:
1. The device calculates the fingerprint of the received SSH server's public key.
2. The device searches the Trusted SSH Servers Table for the SSH server's IP address/host name. One of the following occurs:
- If a match is found both for the server's IP address/host name and for its fingerprint, the server is authenticated.
- If a matching IP address/host name is found but its fingerprint does not match, the search continues. If no entry with a matching fingerprint is found, the search completes and authentication fails.
- If no matching IP address/host name is found, the search completes and authentication fails.
If no entry for the SSH server is found in the list of trusted servers, the process fails.
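The lookup described above, written out as an added example in Python (not code from the guide or the switch firmware). The table rows, the 16-entry limit and the three outcomes follow the text; the fingerprint format (SHA-256 over the key blob, OpenSSH "SHA256:..." style) and the sample keys are assumptions, since the guide does not name the hash.

```python
import base64
import hashlib

MAX_TRUSTED_SERVERS = 16  # upper bound stated in the guide


def fingerprint(pubkey_line: str) -> str:
    """Fingerprint of a key in OpenSSH one-line form "<type> <base64 blob> [comment]".
    SHA-256 over the blob, base64 "SHA256:..." style, is an assumed format."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class TrustedSshServers:
    """Trusted SSH Servers Table: (IP address/host name, fingerprint) rows."""

    def __init__(self):
        self.rows = []

    def add(self, host: str, fp: str) -> None:
        if len(self.rows) >= MAX_TRUSTED_SERVERS:
            raise ValueError("table full: at most 16 trusted servers")
        self.rows.append((host, fp))

    def authenticate(self, host: str, pubkey_line: str):
        """Return (authenticated, reason) following the guide's lookup order."""
        fp = fingerprint(pubkey_line)        # step 1: fingerprint the received key
        host_seen = False
        for row_host, row_fp in self.rows:   # step 2: search by IP/host name
            if row_host != host:
                continue
            host_seen = True
            if row_fp == fp:                 # host and fingerprint both match
                return True, "match"
            # host matched but fingerprint did not: keep searching other rows
        if host_seen:                        # worth alerting on: key changed or tampering
            return False, "fingerprint mismatch"
        return False, "host not in trusted table"


# Constructed sample keys (not real device keys): a 32-byte body each.
def _sample_key(body: bytes) -> str:
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + body
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


KEY_A = _sample_key(b"A" * 32)
KEY_B = _sample_key(b"B" * 32)


def demo():
    table = TrustedSshServers()
    table.add("10.0.0.5", fingerprint(KEY_A))   # constructed trusted entry
    return {
        "good": table.authenticate("10.0.0.5", KEY_A),
        "changed_key": table.authenticate("10.0.0.5", KEY_B),
        "unknown_host": table.authenticate("10.0.0.9", KEY_A),
    }
```

A "fingerprint mismatch" result is the one a defender should log and investigate, because it means the host is known but presented a different key.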
Cisco 500 Series Stackable Managed Switch Administration Guide
Security: SSH Client
SSH Server Authentication