Cisco Sg3008 Manual
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)

Security: SSH Client

Common Tasks

STEP 4 If the public/private key method is being used, perform the following steps:
a. Select whether to use an RSA or DSA key, create a username and then generate the public/private keys.
b. View the generated key by clicking the Details button, and transfer the username and public key to the SSH server. This action depends on the server and is not described in this guide.
c. Upgrade/backup the firmware or language file, using SCP, by selecting the via SCP (over SSH) option in the Upgrade/Backup Firmware/Language page.
d. Download/backup the configuration file, using SCP, by selecting the via SCP (over SSH) option in the Download/Backup Configuration/Log page.

Workflow2: To import the public/private keys from one device to another:
STEP 1 Generate a public/private key in the SSH User Authentication page.
STEP 2 Set the SSD properties and create a new local passphrase in the Secure Sensitive Data Management > Properties page.
STEP 3 Click Details to view the generated, encrypted keys, and copy them (including the Begin and End footers) from the Details page to an external device. Copy the public and private keys separately.
STEP 4 Log on to another device and open the SSH User Authentication page. Select the type of key required and click Edit. Paste in the public/private keys.
STEP 5 Click Apply to copy the public/private keys onto the second device.

Workflow3: To change your password on an SSH server:
STEP 1 Identify the server in the Change User Password on SSH Server page.
STEP 2 Enter the new password.
STEP 3 Click Apply.

Workflow4: To define a trusted server:
STEP 1 Enable SSH server authentication in the SSH Server Authentication page.
STEP 2 Click Add to add a new server and enter its identifying information.
STEP 3 Click Apply to add the server to the Trusted SSH Servers table.

SSH Client Configuration Through the GUI

This section describes the pages used to configure the SSH Client feature.

SSH User Authentication

Use this page to select an SSH user authentication method, set a username and password on the device if the password method is selected, or generate an RSA or DSA key if the public/private key method is selected.

To select an authentication method and set the username/password/keys:
STEP 1 Click Security > SSH Client > SSH User Authentication.
STEP 2 Select an SSH User Authentication Method. This is the global method defined for the secure copy (SCP). Select one of the options:
• By Password—This is the default setting. If this is selected, enter a password or retain the default one.
• By RSA Public Key—If this is selected, create an RSA public/private key in the SSH User Key Table block.
• By DSA Public Key—If this is selected, create a DSA public/private key in the SSH User Key Table block.
STEP 3 Enter the Username (no matter what method was selected) or use the default username. This must match the username defined on the SSH server.
STEP 4 If the By Password method was selected, enter a password (Encrypted or Plaintext) or leave the default encrypted password.
STEP 5 Perform one of the following actions:
• Apply—The selected authentication methods are associated with the access method.
• Restore Default Credentials—The default username and password (anonymous) are restored.
• Display Sensitive Data As Plaintext—Sensitive data for the current page appears as plaintext.

The SSH User Key Table contains the following fields for each key:
• Key Type—RSA or DSA.
• Key Source—Auto Generated or User Defined.
• Fingerprint—Fingerprint generated from the key.
STEP 6 To handle an RSA or DSA key, select either RSA or DSA and perform one of the following actions:
• Generate—Generate a new key.
• Edit—Display the keys for copying/pasting to another device.
• Delete—Delete the key.
• Details—Display the keys.

SSH Server Authentication

To enable SSH server authentication and define the trusted servers:
STEP 1 Click Security > SSH Client > SSH Server Authentication.
STEP 2 Select Enable to enable SSH server authentication.
• IPv4 Source Interface—Select the source interface whose IPv4 address will be used as the source IPv4 address for messages used in communication with IPv4 SSH servers.
• IPv6 Source Interface—Select the source interface whose IPv6 address will be used as the source IPv6 address for messages used in communication with IPv6 SSH servers.
NOTE If the Auto option is selected, the system takes the source IP address from the IP address defined on the outgoing interface.
STEP 3 Click Add and enter the following fields for the SSH trusted server:
• Server Definition—Select one of the following ways to identify the SSH server:
- By IP Address—If this is selected, enter the IP address of the server in the fields below.
- By Name—If this is selected, enter the name of the server in the Server IP Address/Name field.
• IP Version—If you selected to specify the SSH server by IP address, select whether that IP address is an IPv4 or IPv6 address.
• IP Address Type—If the SSH server IP address is an IPv6 address, select the IPv6 address type. The options are:
- Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
- Global—The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.
• Link Local Interface—Select the link local interface from the list of interfaces.
• Server IP Address/Name—Enter either the IP address of the SSH server or its name, depending on what was selected in Server Definition.
• Fingerprint—Enter the fingerprint of the SSH server (copied from that server).
STEP 4 Click Apply. The trusted server definition is stored in the Running Configuration file.

Changing the User Password on the SSH Server

To change the password on the SSH server:
STEP 1 Click Security > SSH Client > Change User Password on SSH Server.
STEP 2 Enter the following fields:
• Server Definition—Define the SSH server by selecting either By IP Address or By Name. Enter the server name or IP address of the server in the Server IP Address/Name field.
• IP Version—If you selected to specify the SSH server by IP address, select whether that IP address is an IPv4 or IPv6 address.
• IP Address Type—If the SSH server IP address is an IPv6 address, select the IPv6 address type. The options are:
- Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
- Global—The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.
• Link Local Interface—Select the link local interface from the list of interfaces.
• Server IP Address/Name—Enter either the IP address of the SSH server or its name, depending on what was selected in Server Definition.
• Username—This must match the username on the server.
• Old Password—This must match the password on the server.
• New Password—Enter the new password and confirm it in the Confirm Password field.
STEP 3 Click Apply. The password on the SSH server is modified.
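
The Fingerprint field of a trusted SSH server entry (SSH Server Authentication, above) has to hold the fingerprint of that server's host key, copied from the server. The following Python code is an added example, not part of the Cisco guide: it parses an OpenSSH-style public key line, rejects a truncated or mislabelled paste, and checks an entered fingerprint against the key. Assumptions: the guide does not state which fingerprint format the device expects, so both common forms (MD5 colon-hex and SHA-256 base64) are computed; the key is constructed sample data and all function names are hypothetical.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_constructed_key_line() -> str:
    """Build a CONSTRUCTED ssh-rsa public key line (sample data, not a real key)."""
    exponent = b"\x01\x00\x01"
    modulus = b"\x00" + bytes(range(1, 129))  # placeholder bytes only
    blob = ssh_string(b"ssh-rsa") + ssh_string(exponent) + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


def parse_public_key(line: str) -> tuple[str, bytes]:
    """Return (key_type, blob); raise ValueError on a truncated or mislabelled paste."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != parts[0].encode():
        raise ValueError("key type inside the blob does not match the label")
    return parts[0], blob


def fingerprints(blob: bytes) -> dict[str, str]:
    """Both common display forms of the fingerprint of a public key blob."""
    md5_hex = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha,
    }


def matches(entered: str, blob: bytes) -> bool:
    """True if a fingerprint typed into the trusted-server entry fits this key."""
    entered = entered.strip()
    fps = fingerprints(blob)
    if entered.startswith("SHA256:"):
        return entered == fps["sha256"]
    if entered.upper().startswith("MD5:"):
        entered = entered[4:]
    return entered.lower() == fps["md5"]
```

Obtain the key line from the server itself over a trusted path (for example its console), not from the network session being verified.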

Security: SSH Server

This section describes how to establish an SSH session on the device. It covers the following topics:
• Overview
• Common Tasks
• SSH Server Configuration Pages

Overview

The SSH Server feature enables users to create an SSH session to the device. This is similar to establishing a telnet session, except that the session is secured.

Public and private keys are automatically generated on the device. These can be modified by the user.

The SSH session is opened using a special SSH client application, such as PuTTY.

SSH Server can operate in the following modes:
• By Internally-generated RSA/DSA Keys (Default Setting)—An RSA and a DSA key are generated. Users log on to the SSH Server application and are automatically authenticated to open a session on the device when they supply the IP address of the device.
• Public Key Mode—Users are defined on the device. Their RSA/DSA keys are generated in an external SSH server application, such as PuTTY. The public keys are entered in the device. The users can then open an SSH session on the device through the external SSH server application.

Common Tasks

This section describes some common tasks performed using the SSH Server feature.

Workflow1: To log on to the device over SSH using the device’s automatically-created (default) key, perform the following:
STEP 1 Enable SSH server in the TCP/UDP Services page and verify that SSH user authentication by public key is disabled in the SSH User Authentication page.
STEP 2 Log onto an external SSH client application, such as PuTTY, using the IP address of the device (it is not necessary to use a username or key that is known to the device).

Workflow2: To create an SSH user and log on to the device over SSH using this user, perform the following steps:
STEP 1 Generate an RSA or DSA key on an external SSH client application, such as PuTTY.
STEP 2 Enable SSH user authentication by public key or password in the SSH User Authentication page.
STEP 3 Enable Automatic Login if required (see Automatic Login below).
STEP 4 Add a user in the SSH User Authentication page and copy in the public key generated externally.
STEP 5 Log onto an external SSH client application, such as PuTTY, using the IP address of the device and the user name of the user.

Workflow3: To import an RSA or DSA key from device A to device B, perform the following steps:
STEP 1 On device A, select an RSA or DSA key in the SSH Server Authentication page.
STEP 2 Click Details and copy the public key of the selected key type to Notepad or other text editor application.
STEP 3 Log on to device B and open the SSH Server Authentication page. Select either the RSA or DSA key, click Edit and paste in the key from device A.

SSH Server Configuration Pages

This section describes the pages used to configure the SSH Server feature.

SSH User Authentication

Use the SSH User Authentication page to enable SSH user authentication by public key and/or password, and (when using authentication by public key) to add an SSH client user that will be used to create an SSH session in an external SSH application (like PuTTY).

Before you can add a user, you must generate an RSA or DSA key for the user in the external SSH key generation/client application (such as PuTTY).

Automatic Login

If you use the SSH User Authentication page to create an SSH username for a user who is already configured in the local user database, you can prevent additional authentication by configuring the Automatic Login feature, which works as follows:
• Enabled—If a user is defined in the local database, and this user passed SSH Authentication using a public-key, the authentication by the local database username and password is skipped.
NOTE The configured authentication method for this specific management method (console, Telnet, SSH and so on) must be Local (i.e. not RADIUS or TACACS+). See Management Access Method for more details.
• Not Enabled—After successful authentication by SSH public key, even if the username is configured in the local user database, the user is authenticated again, as per the configured authentication methods, configured on the Management Access Authentication page.

This page is optional. You do not have to work with user authentication in SSH.

To enable authentication and add a user:
STEP 1 Click Security > SSH Server > SSH User Authentication.
STEP 2 Select the following fields:
• SSH User Authentication by Password—Select to perform authentication of the SSH client user using the username/password configured in the local database (see Defining Users).
• SSH User Authentication by Public Key—Select to perform authentication of the SSH client user using the public key.
• Automatic Login—This field can be enabled if the SSH User Authentication by Public Key feature was selected. See Automatic Login.

The following fields are displayed for the configured users:
• SSH User Name—User name of user.
• Key Type—Whether this is an RSA or DSA key.
• Fingerprint—Fingerprint generated from the public keys.
STEP 3 Click Add to add a new user and enter the fields:
• SSH User Name—Enter a user name.
• Key Type—Select either RSA or DSA.
• Public Key—Copy the public key generated by an external SSH client application (like PuTTY) into this text box.

SSH Server Authentication

A public and private RSA and DSA key are automatically generated when the device is booted from factory defaults. Each key is also automatically created when the appropriate user-configured key is deleted by the user.

To regenerate an RSA or DSA key or to copy in an RSA/DSA key generated on another device:
STEP 1 Click Security > SSH Server > SSH Server Authentication.

The following fields are displayed for each key:
• Key Type—RSA or DSA.
• Key Source—Auto Generated or User Defined.
• Fingerprint—Fingerprint generated from the key.
STEP 2 Select either an RSA or DSA key.
STEP 3 You can perform any of the following actions:
• Generate—Generates a key of the selected type.
• Edit—Enables you to copy in a key from another device.
• Delete—Enables you to delete a key.
• Details—Enables you to view the generated key. The Details window also enables you to click Display Sensitive Data as Plaintext. If this is clicked, the keys are displayed as plaintext and not in encrypted form. If the key is already being displayed as plaintext, you can click Display Sensitive Data as Encrypted to display the text in encrypted form.
STEP 4 If new keys were copied in from another device, click Apply. The key(s) are stored in the Running Configuration file.