Secure Shell Server in NSM Overview

Each security device includes a built-in Secure Shell (SSH) server. Device administrators can use an SSH-aware application to open a remote command shell on the device and execute commands. When using SSH, the connection is protected against IP or DNS spoofing attacks, and password or data interception.

The maximum number of SSH sessions is a device-wide limit and is between 2 and 24, depending upon the device. If the maximum number of SSH clients are already logged into the device, no other SSH client can log in to the SSH server.

To enable SSH connections to the managed device, select SSH Enable and configure an SSH version. Because SSHv1 and SSHv2 are incompatible, you must use the same SSH version for both the client and server. For example, you cannot use an SSHv1 client to connect to an SSHv2 server on the managed device, or vice versa.

For the SSH server (the security device), you can also enable Secure Copy (SCP). A device administrator can use SCP to transfer files to or from the managed device using SSH (SSH authenticates, encrypts, and ensures data integrity for the SCP connection). When using SCP, the security device acts as an SCP server that accepts connections from SCP clients on remote hosts. Additionally, you must enable SSH for the managed device before you can enable SCP (disabled by default).

Note: For ScreenOS 5.x devices, you can enable or disable SSH for device admin connections using the directive “Set Admin SSH.” To execute this directive, right-click the device in the Device Manager device list and select Device > Set Admin SSH.

Using SSH Version 1 (SSHv1)

SSHv1 is widely deployed and is commonly used. You can use a password or Public Key Authentication (PKA) to authenticate an SSHv1 connection.

When using PKA authentication for the SSHv1 server (the security device) you can also set the key generation interval for the host PKA key. When you enable SSH on a managed device, the device generates a unique host key that is permanently bound to the device (each vsys has its own host key). If SSH is disabled, then enabled again, the device uses the same host key. The security device uses the host key to identify itself to an SSH client (device administrator).

After the key is generated, it can be distributed to the SSH client in one of two ways:

To configure the SSH client, you must also bind the RSA PKA keys to the device administrator before that admin can make an SSH connection. For details on assigning PKA keys to a device admin, see Device Administrator Account Configuration Overview.

Note: NSM supports PKA keys for device administrator authentication only for devices running ScreenOS 5.x.

Using SSH Version 2 (SSHv2)

SSHv2 is considered more secure than SSHv1 and is currently being developed as the IETF standard.

To configure the SSH client, you must also bind the DSA PKA keys to the device administrator before that admin can make an SSH connection. For details on assigning PKA keys to a device admin, see Device Administrator Account Configuration Overview.

Related Documentation