Cisco SSH Version 2 supports keyboard-interactive and password-based authentication methods. The SSH Version 2 Enhancements
for RSA Keys feature also supports RSA-based public key authentication for the client and the server.
User authentication—RSA-based user authentication uses a private/public key pair associated with each user for authentication.
The user must generate a private/public key pair on the client and configure a public key on the Cisco SSH server to complete
the authentication.
An SSH user trying to establish credentials provides an encrypted signature using the private key. The signature and the
user’s public key are sent to the SSH server for authentication. The SSH server computes a hash over the public key provided
by the user. The hash is used to determine if the server has a matching entry. If a match is found, an RSA-based message verification
is performed using the public key. Hence, the user is authenticated or denied access based on the encrypted signature.
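The lookup step described above, as an added Python example that is not Cisco's code: it hashes the key blob a client offers and checks for a matching entry before any RSA signature verification would run, and it enforces the ten-user, two-keys-per-user limit this page states. The MD5 hash, the PubkeyChain class and the constructed key moduli are assumptions made for illustration.

```python
import base64, hashlib, struct

MAX_USERS, MAX_KEYS_PER_USER = 10, 2  # limits stated in the note on this page

def _string(b):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(n):
    """SSH mpint for a positive integer (extra byte keeps the sign bit clear)."""
    return _string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def make_pubkey_line(n, e=65537):
    """Build an OpenSSH-style 'ssh-rsa <base64>' line from constructed numbers."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-key"

def key_hash(pubkey_line, algo="md5"):  # assumption: page does not name the hash
    """Hash the decoded key blob after checking it really is an ssh-rsa key."""
    fields = pubkey_line.split()
    blob = base64.b64decode(fields[1], validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if fields[0] != "ssh-rsa" or blob[4:4 + length] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return hashlib.new(algo, blob).hexdigest().upper()

class PubkeyChain:  # hypothetical stand-in for the server's key table
    def __init__(self):
        self.users = {}  # username -> set of key hashes

    def add(self, user, pubkey_line):
        if user not in self.users and len(self.users) >= MAX_USERS:
            raise ValueError("user limit reached")
        digest = key_hash(pubkey_line)
        keys = self.users.get(user, set())
        if digest not in keys and len(keys) >= MAX_KEYS_PER_USER:
            raise ValueError("key limit reached for user")
        self.users.setdefault(user, set()).add(digest)
        return digest

    def has_entry(self, user, offered_line):
        """True means 'go on to RSA signature verification', not 'authenticated'."""
        try:
            return key_hash(offered_line) in self.users.get(user, set())
        except (ValueError, IndexError, struct.error):
            return False  # malformed or non-RSA key: no match, deny
```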
Server authentication—While establishing an SSH session, the Cisco SSH client authenticates the SSH server by using the server
host keys available during the key exchange phase. SSH server keys are used to identify the SSH server. These keys are created
at the time of enabling SSH and must be configured on the client.
For server authentication, the Cisco SSH client must assign a host key for each server. When the client tries to establish
an SSH session with a server, the client receives the signature of the server as part of the key exchange message. If the
strict host key checking flag is enabled on the client, the client checks if it has the host key entry corresponding to the
server. If a match is found, the client tries to validate the signature by using the server host key. If the server is successfully
authenticated, the session establishment continues; otherwise, it is terminated and displays a “Server Authentication Failed”
message.
Note: Storing public keys on a server uses memory; therefore, the number of public keys configurable on an SSH server is restricted
to ten users, with a maximum of two public keys per user.
Note: RSA-based user authentication is supported by the Cisco server, but Cisco clients cannot propose public key as an authentication
method. If the Cisco server receives a request from an open SSH client for RSA-based authentication, the server accepts the
authentication request.
Note: For server authentication, configure the RSA public key of the server manually and configure the
ip ssh stricthostkeycheck command on the Cisco SSH client.