BigIron RX Series Configuration Guide 53-1001810-01

Configuring SSH

Brocade’s implementation of SSH supports two kinds of user authentication:

• DSA challenge-response authentication, where a collection of public keys is stored on the device. Only clients with a private key that corresponds to one of the stored public keys can gain access to the device using SSH.
• Password authentication, where users attempting to gain access to the device using an SSH client are authenticated with passwords stored on the device or on a TACACS/TACACS+ or RADIUS server.

Both kinds of user authentication are enabled by default. You can configure the device to use one or both of them.

To configure Secure Shell on a BigIron RX, do the following.

1. Generate a host DSA public and private key pair for the device.
2. Configure DSA challenge-response authentication.
3. Set optional parameters.

You can also view information about active SSH connections on the device as well as terminate them.

Generating a host key pair

When SSH is configured, a public and private host DSA key pair is generated for the device. The SSH server on the device uses this host DSA key pair, along with a dynamically generated server DSA key pair, to negotiate a session key and encryption method with the client trying to connect to it.

The host DSA key pair is stored in the BigIron RX’s system-config file. Only the public key is readable. The public key should be added to a “known hosts” file (for example, $HOME/.ssh/known_hosts on UNIX systems) on the clients that need to access the device. Some SSH client programs add the public key to the known hosts file automatically; in other cases, you must manually create a known hosts file and place the BigIron RX’s public key in it. Refer to “Providing the public key to clients” on page 870 for an example of what to place in the known hosts file.

While the SSH listener exists at all times, sessions cannot be started from clients until a key is generated. Once a key is generated, clients can start sessions. The keys are also not displayed in the configuration file by default. To display the keys, use the ssh show-host-keys command in Privileged EXEC mode.

To generate a public and private DSA host key pair on a BigIron RX, enter the following command.

BigIron RX(config)# crypto key generate

When a host key pair is generated, it is saved to the flash memory of all management modules.

To disable SSH in SSHv2 on a BigIron RX, enter the following command.

BigIron RX(config)# crypto key zeroize

When SSH is disabled, the host key pair is deleted from the flash memory of all management modules.

Syntax: crypto key generate | zeroize
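For the known hosts step described above, this added example (not from the Brocade guide) checks on the client side that a pasted public key is a well-formed ssh-dss blob and computes its fingerprint for out-of-band comparison before the entry is written. The host address and the key parameters are constructed placeholders, and the OpenSSH-style "host keytype base64" entry and SHA256 fingerprint format are assumptions about the client, not something the guide specifies.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def mpint(value: int) -> bytes:
    """SSH mpint for a positive integer (leading zero byte keeps it positive)."""
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def parse_dsa_blob(b64: str) -> dict:
    """Decode a base64 ssh-dss blob (type name, then mpints p, q, g, y)."""
    blob = base64.b64decode(b64, validate=True)
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[offset:offset + length])
        offset += length
    if len(fields) != 5 or fields[0] != b"ssh-dss":
        raise ValueError("not an ssh-dss public key")
    p, q, g, y = (int.from_bytes(f, "big") for f in fields[1:])
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"p": p, "q": q, "g": g, "y": y, "fingerprint": fingerprint}


def known_hosts_line(host: str, b64: str) -> str:
    """Build the known hosts entry, refusing anything that is not a DSA key."""
    parse_dsa_blob(b64)
    return f"{host} ssh-dss {b64}"


# Constructed sample: toy parameters (p=23, q=11, g=4, y=18), NOT a real device key.
SAMPLE_B64 = base64.b64encode(
    ssh_string(b"ssh-dss") + mpint(23) + mpint(11) + mpint(4) + mpint(18)
).decode()

if __name__ == "__main__":
    print(known_hosts_line("192.0.2.10", SAMPLE_B64))  # 192.0.2.10 is a placeholder
```

Compare the computed fingerprint with one obtained from the device over a trusted path (for example, the console) before adding the entry.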