Secure Shell (SSH)

Secure Shell (SSH) is a protocol that provides a secure, encrypted Telnet-like connection to a router.

A connection is always initiated by the client (the user). Authentication takes place by one of the configured authentication methods (local, RADIUS, or TACACS+). With authentication and encryption, SSH allows for a secure connection over an insecure network.

The 7705 SAR supports Secure Shell version 1 (SSHv1) and Secure Shell version 2 (SSHv2). SSHv1 and SSHv2 are distinct protocols, not revisions of one another, and they differ in which parts of the packet are encrypted. SSHv1 uses a server key in addition to the host key to authenticate systems, whereas SSHv2 uses only host keys. SSHv2 does not share the SSHv1 networking implementation and is considered the more secure, efficient, and portable version of SSH; SSHv1 should be enabled only where a legacy client leaves no alternative.

Note:

SSHv1 is not supported on a 7705 SAR node that is running in FIPS-140-2 mode.

SSH runs over a reliable transport (TCP) and provides authentication and encryption. SSH supports remote login to another computer over a network, remote command execution, and file transfer from one host to another.

The 7705 SAR has a global SSH server process to support inbound SSH, SFTP, and SCP sessions initiated by external SSH or SCP client applications. The SSH server supports SSHv1 and SSHv2. This server process is separate from the SSH and SCP client commands on the 7705 SAR, which initiate outbound SSH and SCP sessions.

Inbound SSH, Telnet, and FTP sessions are counted separately and it is possible to set the limit for each session type individually with the config>system>login-control command. However, there is a maximum of 50 sessions for SSH and Telnet together. SCP and SFTP sessions are counted as SSH sessions.

When the SSH server is enabled, an SSH host key is generated. Unless the preserve-key command is enabled, the key is valid only until the node is restarted or the SSH server is stopped and restarted; a new key is generated after that, so clients that have recorded the previous key (for example, in an OpenSSH known_hosts file) will report a host key mismatch until the stored entry is replaced. The key size is not configurable: 2048 bits for SSHv2 RSA, and 1024 bits for SSHv2 DSA and SSHv1 RSA1. The 1024-bit keys are below current recommendations, so the SSHv2 RSA key is preferable wherever the client allows it. Only SSHv2 RSA is supported in FIPS-140-2 mode. When the server is enabled, all inbound SSH, SCP, and SFTP sessions are accepted provided the session is properly authenticated.

When the global SSH server process is disabled, no inbound SSH, SCP, or SFTP sessions will be accepted.

When using SCP to copy files from an external device to the file system, the 7705 SAR SCP server accepts either forward slash ("/") or backslash ("\") characters to delimit directory and file names. Similarly, the 7705 SAR SCP client application can use either slash or backslash characters, but not all SCP clients treat backslash characters as equivalent to slash characters. In particular, UNIX shells usually interpret an unquoted backslash as an "escape" character, which is consumed before the argument reaches the SCP client and is therefore never transmitted to the 7705 SAR SCP server. For example, a destination specified as "cf3:\dir1\file1" on such a system is transmitted to the 7705 SAR SCP server as "cf3:dir1file1", because the backslashes are stripped before transmission. On these systems, a double backslash ("\\"), a quoted argument, or the forward slash ("/") can be used to delimit directories and the file name correctly; the forward slash is the safest choice because it is accepted by the 7705 SAR and survives every client shell.
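The following is an added example, not part of the Nokia documentation, showing what a POSIX shell hands to the SCP client for each way of writing the destination above. The destination cf3:\dir1\file1 is a constructed example; as_received and normalize_target are hypothetical helper names.

```sh
#!/bin/sh
# Added example: how a UNIX shell rewrites an unquoted SCP destination before
# the scp client process ever sees it.

# Print an argument exactly as a client program (such as scp) would receive it.
# The shell has already done its quote and backslash processing by the time the
# function runs, so what is printed is what would be sent to the 7705 SAR.
as_received() { printf '%s\n' "$1"; }

# Rewrite backslash delimiters to forward slashes, which the 7705 SAR SCP server
# accepts and which no client shell treats as an escape character.
normalize_target() { printf '%s\n' "$1" | tr '\\' '/'; }

# Constructed destination cf3:\dir1\file1 written four ways:
as_received cf3:\dir1\file1        # unquoted: both backslashes consumed -> cf3:dir1file1
as_received cf3:\\dir1\\file1      # doubled: one backslash each survives -> cf3:\dir1\file1
as_received 'cf3:\dir1\file1'      # single-quoted: preserved literally -> cf3:\dir1\file1
normalize_target 'cf3:\dir1\file1' # -> cf3:/dir1/file1, safe to pass to scp unquoted
```

The first call reproduces the stripped form the text describes; the remaining three show the escapes that deliver the intended path. In practice, normalizing to forward slashes before building the scp command line avoids the problem regardless of which client system runs the copy.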

The 7705 SAR support for SSH, SCP, and SFTP is the same for both IPv4 and IPv6 addressing, including support for:

The 7705 SAR supports configurable lists for the following: cipher, key exchange (KEX) algorithms, and message authentication code (MAC) algorithms. These lists can be configured for an SSH client or an SSH server and are used to negotiate the best compatible cipher, KEX, or MAC algorithm between the client and server. The lists are created and managed under the config>system>security>ssh context. The client list is used when the 7705 SAR is acting as an SSH client and the server list is used when the 7705 SAR is acting as an SSH server. Because the SSH protocol selects the first algorithm in the client's list that the server also supports, the order of entries matters: the 7705 SAR's client list order decides the outcome of outbound sessions, while its server list only constrains what an external client may choose. Removing a weak algorithm from the server list prevents older clients that support nothing else from connecting at all.
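The negotiation that these lists drive, as an added example that is not the 7705 SAR's own code: both sides exchange an ordered, comma-separated name-list, and the chosen algorithm is the first entry in the client's list that also appears in the server's list (RFC 4253, section 7.1). The algorithm names are standard SSH identifiers, but the three lists are constructed for illustration and are not the 7705 SAR defaults; negotiate is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: SSH algorithm negotiation over two ordered name-lists.
# Both sides send their list; the result is the first name in the client's
# list that the server also lists (RFC 4253 section 7.1). The same rule is
# applied independently to the cipher, KEX, and MAC lists. With no shared
# entry the connection cannot be established.

# negotiate CLIENT_LIST SERVER_LIST -> prints the chosen name; exit status 1 if none
negotiate() {
  client_list=$1
  server_list=$2
  for c in $(printf '%s' "$client_list" | tr ',' ' '); do
    for s in $(printf '%s' "$server_list" | tr ',' ' '); do
      if [ "$c" = "$s" ]; then
        printf '%s\n' "$c"
        return 0
      fi
    done
  done
  return 1
}

# Constructed lists for illustration (not the 7705 SAR defaults).
SAR_SERVER_CIPHERS='aes256-ctr,aes192-ctr,aes128-ctr'   # CBC and 3DES removed
OLD_CLIENT_CIPHERS='3des-cbc,aes128-cbc,aes128-ctr'     # prefers weak, still has one CTR mode
LEGACY_CLIENT_CIPHERS='3des-cbc,arcfour'                # nothing the server allows

# The client's order wins, not the server's: the first shared entry is aes128-ctr,
# even though the server lists aes256-ctr first.
negotiate "$OLD_CLIENT_CIPHERS" "$SAR_SERVER_CIPHERS"

# A client with no acceptable cipher is refused; this is the failure mode to
# expect after tightening the server list on a node that legacy tools manage.
if ! negotiate "$LEGACY_CLIENT_CIPHERS" "$SAR_SERVER_CIPHERS"; then
  echo 'no common cipher: session refused' >&2
fi
```

When the 7705 SAR is the server, its list can only veto algorithms, so the order in which an external client lists its preferences decides which of the permitted algorithms is used. When the 7705 SAR is the client, its own client list order is what decides, so the strongest acceptable algorithm should be placed first.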