- Preface
- Product Overview
- Command-Line Interfaces
- Configuring the Switch for the First Time
- Administering the Switch
- Configuring Virtual Switching Systems
- Programmability
- Configuring the Cisco IOS In-Service Software Upgrade Process
- Configuring the Cisco IOS XE In Service Software Upgrade Process
- Configuring Interfaces
- Checking Port Status and Connectivity
- Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 6-E and Supervisor Engine 6L-E
- Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 7-E, Supervisor Engine 7L-E, and Supervisor Engine 8-E
- Configuring Cisco NSF with SSO Supervisor Engine Redundancy
- Environmental Monitoring and Power Management
- Configuring Power over Ethernet
- Configuring Cisco Network Assistant
- Configuring VLANs, VTP, and VMPS
- Configuring IP Unnumbered Interface
- Configuring Layer 2 Ethernet Interfaces
- Configuring EVC-Lite
- Configuring SmartPort Macros
- Configuring Cisco IOS Auto Smartport Macros
- Configuring STP and MST
- Configuring Flex Links and MAC Address-Table Move Update
- Configuring Resilient Ethernet Protocol
- Configuring Optional STP Features
- Configuring EtherChannel and Link State Tracking
- Configuring IGMP Snooping and Filtering, and MVR
- Configuring IPv6 Multicast Listener Discovery Snooping
- Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling
- Configuring Cisco Discovery Protocol
- Configuring LLDP, LLDP-MED, and Location Service
- Configuring UDLD
- Configuring Unidirectional Ethernet
- Configuring Layer 3 Interfaces
- Configuring Cisco Express Forwarding
- Configuring Unicast Reverse Path Forwarding
- Configuring IP Multicast
- Configuring ANCP Client
- Configuring Bidirectional Forwarding Detection
- Configuring Campus Fabric
- Configuring Policy-Based Routing
- Configuring VRF-lite
- Configuring Quality of Service
- Configuring AVC with DNS-AS
- Configuring Voice Interfaces
- Configuring Private VLANs
- Configuring MACsec Encryption
- Configuring 802.1X Port-Based Authentication
- X.509v3 Certificates for SSH Authentication
- Configuring the PPPoE Intermediate Agent
- Configuring Web-Based Authentication
- Configuring Wired Guest Access
- Configuring Auto Identity
- Configuring Port Security
- Configuring Auto Security
- Configuring Control Plane Policing and Layer 2 Control Packet QoS
- Configuring Dynamic ARP Inspection
- Configuring the Cisco IOS DHCP Server
- Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
- DHCPv6 Options Support
- Configuring Network Security with ACLs
- Support for IPv6
- Port Unicast and Multicast Flood Blocking
- Configuring Storm Control
- Configuring SPAN and RSPAN
- Configuring ERSPAN
- Configuring Wireshark
- Configuring Enhanced Object Tracking
- Configuring System Message Logging
- Onboard Failure Logging (OBFL)
- Configuring SNMP
- Configuring NetFlow-lite
- Configuring Flexible NetFlow
- Configuring Ethernet OAM and CFM
- Configuring Y.1731 (AIS and RDI)
- Configuring Call Home
- Configuring Cisco IOS IP SLA Operations
- Configuring RMON
- Performing Diagnostics
- Configuring WCCP Version 2 Services
- Configuring MIB Support
- Configuring Easy Virtual Networks
- ROM Monitor
- Acronyms and Abbreviations
- Index
- Prerequisites for X.509v3 Certificates for SSH Authentication
- Restrictions for X.509v3 Certificates for SSH Authentication
- Information About X.509v3 Certificates for SSH Authentication
- How to Configure X.509v3 Certificates for SSH Authentication
- Configuration Examples for 509v3 Certificates for SSH Authentication
- Verifying Server and User Authentication Using Digital Certificates
- Additional References for 509v3 Certificates for SSH Authentication
- Feature Information for X.509v3 Certificates for SSH Authentication
X.509v3 Certificates for SSH Authentication
The X.509v3 Certificates for SSH Authentication feature uses public key algorithm (PKI) for server and user authentication, and allows the Secure Shell (SSH) protocol to verify the identity of the owner of a key pair via digital certificates, signed and issued by a Certificate Authority (CA).
This module describes how to configure server and user certificate profiles for a digital certificate.
This module describes the feature and consists of these sections:
- Prerequisites for X.509v3 Certificates for SSH Authentication
- Restrictions for X.509v3 Certificates for SSH Authentication
- Information About X.509v3 Certificates for SSH Authentication
- How to Configure X.509v3 Certificates for SSH Authentication
- Configuration Examples for 509v3 Certificates for SSH Authentication
- Verifying Server and User Authentication Using Digital Certificates
- Additional References for 509v3 Certificates for SSH Authentication
- Feature Information for X.509v3 Certificates for SSH Authentication
Note For complete syntax and usage information for the switch commands used in this chapter, see the
Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch.
If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference , you can locate it in the Cisco IOS Master Command List, All Releases.
Prerequisites for X.509v3 Certificates for SSH Authentication
The X.509v3 Certificates for SSH Authentication feature replaces the ip ssh server authenticate user command with the ip ssh server algorithm authentication command. Configure the default ip ssh server authenticate user command to remove the ip ssh server authenticate user command from the configuration. The IOS secure shell (SSH) server will start using the ip ssh server algorithm authentication command.
When you configure the ip ssh server authenticate user command, the following message is displayed: “SSH command accepted; but this CLI will be deprecated soon. Please move to new CLI ip ssh server algorithm authentication. Please configure the “ default ip ssh server authenticate user ” to make the CLI ineffective.”
Restrictions for X.509v3 Certificates for SSH Authentication
- The X.509v3 Certificates for SSH Authentication feature implementation is applicable only on the Cisco IOS Secure Shell (SSH) server side.
- The Cisco IOS SSH server supports only the x509v3-ssh-rsa algorithm-based certificate for server and user authentication.
- The Rivest, Shamir, and Adelman (RSA) 2-factor authentication on Catalyst 4506 SUP7L-E switches and Cisco Identity Services Engine (ISE) does not work correctly, when a user enters the incorrect password. Normal authentication and interworking with Cisco Adaptive Security Appliance (ASA) works fine. Configure the ip ssh server algorithm authentication keyboard command for the authentication to work.
Information About X.509v3 Certificates for SSH Authentication
- X.509v3 Certificates for SSH Authentication Overview
- Server and User Authentication Using X.509v3
- OCSP Response Stapling
X.509v3 Certificates for SSH Authentication Overview
The Secure Shell (SSH) protocol provides a secure remote access connection to network devices. The communication between the client and server is encrypted.
There are two SSH protocols that use public key cryptography for authentication. The Transport Layer Protocol, uses a digital signature algorithm (called the public key algorithm) to authenticate the server to the client. And the User Authentication Protocol uses a digital signature to authenticate (public key authentication) the client to the server.
The validity of the authentication depends upon the strength of the linkage between the public signing key and the identity of the signer. Digital certificates, such as those in X.509 Version 3 (X.509v3), are used to provide identity management. X.509v3 uses a chain of signatures by a trusted root certification authority and intermediate certificate authorities to bind a public signing key to a specific digital identity. This implementation allows the use of a public key algorithm for server and user authentication, and allows SSH to verify the identity of the owner of a key pair via digital certificates, signed and issued by a Certificate Authority (CA).
Server and User Authentication Using X.509v3
For server authentication, the Secure shell (SSH) server sends its own certificate to the SSH client for verification. This server certificate is associated with the trustpoint configured in the server certificate profile (ssh-server-cert-profile-server configuration mode).
For user authentication, the SSH client sends the user's certificate to the IOS SSH server for verification. The SSH server validates the incoming user certificate using public key infrastructure (PKI) trustpoints configured in the server certificate profile (ssh-server-cert-profile-user configuration mode).
By default, certificate-based authentication is enabled for server and user at the IOS SSH server end.
OCSP Response Stapling
The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of an identified certificate. This protocol specifies the data that needs to be exchanged between an application checking the status of a certificate and the server providing that status. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate until a response is received. An OCSP response at a minimum consists of a responseStatus field that indicates the processing status of the a request.
For the public key algorithms, the key format consists of a sequence of one or more X.509v3 certificates followed by a sequence of zero or more OCSP responses.
The X.509v3 Certificate for SSH Authentication feature uses OCSP Response Stapling. By using OCSP response stapling, a device obtains the revocation information of its own certificate by contacting the OCSP server and then stapling the result along with its certificates and sending the information to the peer rather than having the peer contact the OCSP responder.
How to Configure X.509v3 Certificates for SSH Authentication
- Configuring Digital Certificates for Server Authentication
- Configuring Digital Certificates for User Authentication
Configuring Digital Certificates for Server Authentication
Configuring Digital Certificates for User Authentication
Configuration Examples for 509v3 Certificates for SSH Authentication
- Example: Configuring Digital Certificates for Server Authentication
- Example: Configuring Digital Certificate for User Authentication
Example: Configuring Digital Certificates for Server Authentication
Example: Configuring Digital Certificate for User Authentication
Verifying Server and User Authentication Using Digital Certificates
Displays the currently configured authentication methods. To confirm the use of certificate-based authentication, ensure that the x509v3-ssh-rsa algorithm is the configured host key algorithm.
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Additional References for 509v3 Certificates for SSH Authentication
Related Documents
|
|
---|---|
Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch |
|
Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment |
Standards & MIBs
|
|
---|---|
|
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
|
|
---|---|
Technical Assistance
Feature Information for X.509v3 Certificates for SSH Authentication
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.