Secure CLI Sessions using SSH
It's recommended to employ Secure SHell (SSH) for accessing the device's CLI. SSH is the de-facto standard for secure CLI. SSH 2.0 is a protocol built above TCP, providing methods for key exchange, authentication, encryption, and authorization. By default, SSH uses the same username and password as the Telnet and Web server.
The device's embedded SSH server supports SHA-256 (rsa-sha2-256) and SHA-512 (rsa-sha2-512) signature algorithms for public-key client authentication that utilizes RSA keys:
|
●
|
Server host key algorithms (refer to RFC 4253, Section 7.1) |
|
●
|
Algorithm for client authentication (refer to RFC 8303, Section 3.1 and RFC 8332, Section 3.2) |
|
1.
|
Open the SSH Settings page (Setup menu > Administration tab > WEB & CLI folder > SSH Settings). |
|
2.
|
Configure the following parameters: |
|
●
|
'Enable SSH Server': Enable. |
|
●
|
'Kex Algorithms String': Define the Key Exchange Method (e.g., Diffie-Hellman-Group-Exchange-SHA256). |
|
●
|
'Ciphers String': Define the cipher string (e.g., AES128-CTR). |
|
●
|
'MACs String': Define the HMAC (e.g., HMAC-SHA2-256). |
Securing CLI
For additional security, you can configure a public key for RSA key negotiation (instead of or in addition to using a username and password) when accessing through SSH.